PIPEDA: Guidelines for obtaining meaningful consent

 May 29, 2018 11:00 AM
by Derek Lackey

Overview

Meaningful consent is an essential element of Canadian private sector privacy legislation. Under privacy laws, organizations are generally required to obtain meaningful consent for the collection, use and disclosure of personal information. However, advances in technology and the use of lengthy, legalistic privacy policies have too often served to make the control – and personal autonomy – that should be enabled by consent nothing more than illusory. Consent should remain central, but it is necessary to breathe life into the ways in which it is obtained.

Building on previous publications examining the current state of consent, including challenges and potential solutions [Footnote 1], this document sets out practical and actionable guidance regarding what organizations should do to ensure that they obtain meaningful consent.

This document is being jointly issued by the Office of the Privacy Commissioner of Canada (“OPC”) and the Offices of the Information and Privacy Commissioner of Alberta (“OIPC-AB”) and British Columbia (“OIPC-BC”). It reflects the principles underlying the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and its substantially similar provincial counterparts: the Alberta Personal Information Protection Act; the British Columbia Personal Information Protection Act; and, the Quebec Act Respecting the Protection of Personal Information in the Private Sector [Footnote 2]. While all of these Acts are based on the same underlying principles, some differences exist. Organizations are responsible for understanding their specific obligations under the legislation to which they are subject. [Footnote 3]

Seven guiding principles for meaningful consent

During the OPC’s 2016 Consent Consultations, some suggested that regulators develop templates for privacy policies; we do not believe that should be our role. Rather, our view is that organizations are best placed to find innovative and creative solutions for developing a consent process that respects their specific regulatory obligations as well as the nature of their relationship with their customers. However, in designing such a process, we expect organizations to be guided [Footnote 4] by the following principles:

1. Emphasize key elements

Information provided about the collection, use and disclosure of individuals’ personal information must be readily available in complete form – but to avoid information overload and facilitate understanding by individuals, certain elements warrant greater emphasis or attention in order to obtain meaningful consent.

PIPEDA requires individuals to understand the nature, purpose and consequences of what they are consenting to [Footnote 5]. In order for consent to be considered valid, or meaningful, organizations must inform individuals of their privacy practices in a comprehensive and understandable manner [Footnote 6]. This means that organizations must provide information about their privacy management practices in a form that is readily accessible to those interested individuals who wish to read it in full.

However, the reality is that information buried in a privacy policy or terms of use serves no practical purpose to individuals with limited time and energy to devote to reviewing privacy information. To receive meaningful consent, organizations must allow individuals to quickly review key elements impacting their privacy decisions right up front as they are considering using the service or product on offer, making the purchase, or downloading the app, etc. For this purpose, organizations must generally put additional emphasis on the following key elements:

What personal information is being collected

Organizations must identify for individuals what personal information is being, or may be, collected about them. This must be done with sufficient precision for individuals to meaningfully understand what they are consenting to. [Footnote 7]

With which parties personal information is being shared

Individuals expect that the personal information they provide to one organization will not be shared with another without their knowledge and consent. As such, disclosures to third parties must be clearly explained, including the types of information being shared. Organizations should be as specific as possible in enumerating these third parties. In the case where third parties may change periodically or are too numerous to specify, organizations should at the very least specify the types of third parties information is shared with and then use other means (such as layering) to be more specific. Particular attention should be paid to any disclosures to third parties that may use the information for their own purposes, as opposed to simply providing services for the first-party.

For what purposes personal information is collected, used or disclosed

Individuals should be made aware of all purposes for which information is collected, used or disclosed. At a minimum, they must be informed of purposes in sufficient detail to ensure they meaningfully understand what they are invited to consent to. These purposes must be described in meaningful language, avoiding vague terms such as ‘service improvement’. Purposes that are integral to the provision of the service should be distinguished from those that are not, and any available options explained. Organizations should in particular highlight any purposes that would not be obvious to the individual and/or reasonably expected based on the context.

Risk of harm and other consequences

Under PIPEDA [Footnote 8], for consent to be valid, it must be reasonable to expect that individuals understand the consequences of the collection, use or disclosure to which they are consenting [Footnote 9]. One such consequence, about which individuals should be made clearly aware, is risk of harm – and, in particular, those residual risks which remain after an organization has applied any mitigation measures designed to minimize the risk and impact of potential harms. If there is a meaningful risk that such residual risk will materialize and will be significant, the OPC is of the view that it is a potential consequence about which individuals must be notified.

The OPC’s premise is that if an organization identifies potential harms that may arise from the collection, use or disclosure of personal information, PIPEDA’s accountability principle will require that the organization will seek to minimize this risk. In some cases, mitigation efforts will reduce the risk significantly. In other cases the risk will remain meaningful. Only meaningful residual risks of significant harm must be notified to individuals.

By meaningful risk, we mean a risk that falls below the balance of probabilities but is more than a minimal or mere possibility. Significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property. [Footnote 10]

Note that where there is a likely (probable) risk of significant harm, the intended collection, use or disclosure would generally be considered inappropriate under subsection 5(3) of PIPEDA and therefore should not be the subject of consent.

Risk of harm should be considered broadly, and in addition to harms which arise directly from the activity, can include reasonably foreseeable harms caused by bad actors or others [Footnote 11] (e.g. unauthorized re-use of social media information intended for a limited audience).

At this time, there is no prescribed form in which the above elements should be highlighted so as to give them prominence. We encourage organizations to consider adopting standardized mechanisms, to the extent that best practices emerge in the future in different sectors. Organizations should also consider the principles which follow in this document in determining the most appropriate means of communicating these key elements, while keeping in mind the requirement for additional emphasis on this information.

2. Allow individuals to control the level of detail they get and when

Information must be provided to individuals in manageable and easily-accessible ways (potentially including layers) and individuals should be able to control how much more detail they wish to obtain, and when.

Beyond the four elements above, the level of detail required to make a consent decision will vary by individual, and by situation. One person may be comfortable with a quick review of summary information; another may want to do a deeper dive. One person may want to do a more in-depth review of an organization’s privacy practices up-front; another may look at information piecemeal, returning to it later when they have more time or depending on what services they are using and when. Individuals may also want the opportunity to review in detail the information that they ‘clicked-through’ when they signed up for the service originally. All approaches to seeking privacy information should be respected and supported by organizations.

Presenting information in a layered format [Footnote 12], or by another means that supports user-control over the level of detail provided to them, helps make better sense of lengthy, complex information by offering a summary of the key highlights up front. Moreover, this information should remain available to individuals as they engage with the organization. Consent choices are not made just once; at any time, individuals should be able to re-consider whether they wish to maintain or withdraw their consent, and full information should be available to them as they make those decisions.

3. Provide individuals with clear options to say ‘yes’ or ‘no’

Individuals cannot be required to consent to the collection, use or disclosure of personal information beyond what is necessary to provide the product or service – they must be given a choice. These choices must be explained clearly and made easily accessible. Whether each choice is most appropriately ‘opt-in’ or ‘opt-out’ will depend on factors discussed in the “Form of Consent” section of this document.

Collections, uses or disclosures of personal information over which the individual cannot assert any control (other than to not use a product or service) are called conditions of service. For a collection, use, or disclosure to be a valid condition of service, it must be integral to the provision of that product or service such that it is required to fulfill its explicitly specified and legitimate purpose. Organizations should be transparent and prepared to explain why any given collection, use or disclosure is a condition of service, particularly if it is not obvious.

Otherwise, for all other collections, uses and disclosures, individuals must be given a choice (unless an exception to the general consent requirement applies).

4. Be innovative and creative

Organizations should design and/or adopt innovative consent processes that can be implemented just-in-time, are specific to the context, and are appropriate to the type of interface used.

When seeking consent online, organizations should do more than simply transpose their paper-based policies from the offline environment into digital form. The digital environment is dynamic in nature, and its capabilities should be considered and taken advantage of. Organizations are encouraged to use a variety of communications strategies – including “just-in-time” notices, interactive tools and customized mobile interfaces – to explain their privacy practices, including the following:

“Just-in-time” notices

An important consideration in obtaining meaningful consent in the online environment is the speed with which transactions take place. In wanting to quickly access information and services, users often feel a sense of urgency in making decisions about sharing their information. It is therefore important for organizations to bring relevant privacy information to the forefront where it is conspicuous, quick to access, and intuitive. For example, if a user’s age is being requested to register for an online service, a just-in-time notice explaining why this information is needed should appear near the space where the user would input the information. As another example, if a user’s location is required to enable a certain feature of a service, a just-in-time notice explaining this and requesting access can be made when that user first accesses the feature, rather than only when signing up for the service originally.

Interactive tools

Organizations have also been using the interactive properties of the Internet to aid in the presentation of privacy information. We have seen examples in which organizations create interactive walkthroughs of their privacy settings (presenting them to users at initial sign-up, and then again periodically as ‘refreshers’), videos explaining key concepts, and/or infographics and similar visual tools.

Customized mobile interfaces

Mobile devices present an amplified communication challenge. Individuals’ time and attention are at a premium, and the medium does not lend itself to lengthy explanations. As such, organizations need to highlight privacy issues at particular decision points in the user experience where people are likely to pay attention and need guidance the most. In that context, privacy information needs to be optimized to be effective in spite of the physical limitations of screen size. Our mobile apps guidance is a good resource when designing the mobile consent experience.

5. Consider the consumer’s perspective

Consent processes must take into account the consumer’s perspective to ensure that they are user-friendly and that the information provided is generally understandable from the point of view of the organization’s target audience(s).

Consent is only valid where the individual can understand that to which they are consenting. [Footnote 13] Organizations put significant resources into the design of user experiences and interactions; surely, they can put similar efforts toward ensuring that their consent process is understandable, user-friendly and customized to the nature of the product or service they are offering as well as their target audiences.

Organizations should consider both the content of privacy communications and their accessibility from the perspective of their users. This includes using clear explanations, a level of language suitable to a diverse audience, and a comprehensible means of displaying and/or communicating information. Organizations should also ensure that privacy policies and notices are easily accessible from all devices members of their target audience(s) may be using, including digital health technologies, smart phones, tablets, gaming devices, as well as more traditional PCs or laptops. If the practices being described are complex and involve multiple parties, the organization should make a concerted effort to ensure that users can easily access and understand all of the key elements.

In order to do all of this effectively, organizations may consider:

  • Consulting with users and seeking their input when designing a consent process;
  • Pilot testing or using focus groups to ensure individuals understand what they are consenting to;
  • Involving user interface/user experience (UI/UX) designers in the development of the consent process;
  • Consulting with privacy experts and/or regulators when designing a consent process; and/or,
  • Following an established ‘best practice,’ standard or other guideline in developing a consent process.

The suggestions above are non-exhaustive, and are intended to be scalable depending on the size of organizations and the amount and type of personal information they collect, use or disclose.

6. Make consent a dynamic and ongoing process

Informed consent is an ongoing process that changes as circumstances change; organizations should not rely on a static moment in time but rather treat consent as a dynamic and interactive process.

Ensuring the effectiveness of individual consent is a dynamic process that does not end with the posting of a privacy policy or notice, but rather, continues as organizations innovate, grow and evolve. When information flows are complex, as they often are, organizations should provide some interactive and dynamic way to anticipate and answer users’ questions if the information provided is not clear or gives rise to follow-up questions. While providing 1-800 numbers may not be feasible or practical in a fast-paced online environment, there are myriad other ways organizations can do this, such as, developing and regularly updating FAQs, using new smart technologies, chatbots, etc.

When an organization plans to introduce significant changes to its privacy practices, it must notify users and obtain consent prior to the changes coming into effect. Significant changes include using personal information for a new purpose not anticipated originally or a new disclosure of personal information to a third party for a purpose other than processing that is integral to the delivery of a service.

Organizations should also consider periodically reminding individuals about their privacy options and inviting them to review these.

Lastly, as a best practice, organizations should periodically audit their information management practices to ensure that personal information continues to be handled in the way described to individuals.

7. Be accountable: Stand ready to demonstrate compliance

Organizations, when asked, should be in a position to demonstrate compliance, and in particular that the consent process they have implemented is sufficiently understandable from the general perspective of their target audience(s) as to allow for valid and meaningful consent.

In order for an organization to demonstrate that it has obtained valid consent, pointing to a line buried in a privacy policy will not suffice. Instead, organizations should be able to demonstrate – either in the case of a complaint from an individual or a proactive query from a privacy regulator – that they have a process in place to obtain consent from individuals, and that such process is compliant with the consent obligations set out in legislation. This is an integral part of not only the consent process, but of an effective accountability regime.

Such demonstrations may include – but are not limited to – showing, when called upon, that the organization has considered and implemented the principles in this document. Again, regulators’ expectations around the steps an organization has taken to demonstrate compliance and accountability will depend on the size of organizations and the amount and type of personal information they collect, use or disclose.

For general information on privacy management practices, please refer to our guidance document, “Getting Accountability Right with a Privacy Management Program.”

Determining the appropriate form of consent

Beyond the above principles, it is important for organizations to consider...

Read The Full OPC Communication


PIPEDA: Guidance on inappropriate data practices: Interpretation and application of subsection 5(3)

 May 29, 2018 11:00 AM
by Derek Lackey

Overview

Subsection 5(3) of PIPEDA is a critical gateway that either permits or prohibits an organization’s collection, use and disclosure of personal information, depending on its purposes for doing so. It is the legal boundary that protects individuals from the inappropriate data practices of companies. It separates those legitimate information management practices that organizations may undertake in compliance with the law, from those areas in which organizations cannot venture, otherwise known as “No-go zones”. In this guidance document, the Office of the Privacy Commissioner of Canada (OPC) describes the guiding principles for interpreting subsection 5(3) of PIPEDA as informed by past Court decisions, and sets out a series of no-go zones which we have determined, through past findings and extensive consultations with stakeholders and focus groups with individuals across Canada, are offside PIPEDA as viewed from the perspective of the reasonable person.

What is PIPEDA subsection 5(3)?

Subsection 5(3) of PIPEDA states:

An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.

How the Courts interpret 5(3)

1. A guiding principle

Subsection 5(3) “is a guiding principle that underpins the interpretation of the various provisions of PIPEDA”. [Footnote 1] In turn, it must be read in light of the underlying purpose of Part 1 of PIPEDA which is to balance the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information. [Footnote 2] In applying subsection 5(3), one is therefore required to engage in a “balancing of interests” between the individual and the organization concerned. [Footnote 3]

2. Reasonable person lens

Subsection 5(3) requires a balancing of these interests “viewed through the eyes of a reasonable person.” [Footnote 4]

3. An overarching requirement

Within the scheme of PIPEDA, subsection 5(3) is “an overarching requirement” [Footnote 5] that is superimposed on an organization’s other obligations to ensure that their purposes for collection, use and disclosure of personal information are limited to only those which a reasonable person would consider appropriate in the circumstances.

4. Necessary but not sufficient

In order to comply with subsection 5(3), it is not enough to demonstrate compliance with the other provisions of the Act. For instance, even with consent, an organization must still show that its purposes for collecting, using or disclosing personal information in the first place are ones that a reasonable person would consider appropriate in the circumstances.

Conversely, compliance with subsection 5(3) does not automatically mean compliance with other provisions of the Act. Even if an organization’s purposes are considered appropriate under subsection 5(3), it must also ensure that the Act’s other requirements relating to the protection of personal information are satisfied. [Footnote 6]

Evaluating an organization’s purposes under 5(3)

The evaluation of subsection 5(3) requires an examination of whether the purposes are appropriate “in the circumstances.” As such, the analysis must be conducted “in a contextual manner” and look at the particular facts surrounding the collection, use and disclosure, “all of which suggests flexibility and variability in accordance with the circumstances”. [Footnote 7]

In applying subsection 5(3), the courts have generally taken into consideration whether: “1) the collection, use or disclosure of personal information is directed to a bona fide business interest, and 2) whether the loss of privacy is proportional to any benefit gained.” [Footnote 8] In Turner v. Telus Communications Inc, the Federal Court, in a decision affirmed by the Federal Court of Appeal, set out the following factors for evaluating whether an organization’s purpose was in compliance with subsection 5(3):

  • The degree of sensitivity of the personal information at issue;
  • Whether the organization’s purpose represents a legitimate need / bona fide business interest;
  • Whether the collection, use and disclosure would be effective in meeting the organization’s need;
  • Whether there are less invasive means of achieving the same ends at comparable cost and with comparable benefits; and
  • Whether the loss of privacy is proportional to the benefits. [Footnote 9]

Inappropriate purposes or No-Go Zones

Based on the guiding principles and evaluative framework above, our Office’s practical experience with the application of subsection 5(3) over the course of more than fifteen years of applying PIPEDA, and comments received during our consultation on consent—we have determined that the following purposes for collection, use or disclosure of personal information would generally be considered “inappropriate” by a reasonable person [Footnote 10]. The following No-Go Zones are currently considered to be offside PIPEDA, and may evolve over time.

1. Collection, use or disclosure that is otherwise unlawful

Organizations should have knowledge of all regulatory and legislative requirements that may govern their activities, and individuals should be safe in the knowledge that collection, use or disclosure of their personal information will not be done for purposes that contravene the laws of Canada or its provinces. This is supported by PIPEDA Principle 4 which requires collection to be “by fair and lawful means”.

For instance, the “reasonable person” would generally consider to be inappropriate any collection, use or disclosure of their personal information that would violate credit reporting legislation. In PIPEDA Report of Findings 2016-002, the OPC found that it was inappropriate for a landlord association to be operating a “bad tenant list” as by doing so, it was acting as an unlicensed credit reporting agency in violation of provincial credit reporting legislation. Similarly, in OPC’s Report of Findings in respect of Bell Canada’s Relevant Ads Program, we found the company’s use of credit score information for the delivery of targeted ads was not permitted under Ontario’s Consumer Reporting Act, and was therefore inappropriate under 5(3).

As another example, organizations that require individuals to undergo a genetic test, or disclose the results of a genetic test, as a condition of providing goods or services, or entering into a contract, will be in contravention of the Genetic Non-Discrimination Act of 2017. Hence, consistent with OPC’s Policy statement on the use of genetic test results by life and health insurance companies, and its Guidance on Direct to Consumer Genetic Testing, requiring individuals to undergo genetic tests or provide existing genetic test results has been deemed to be a No-Go Zone.

2. Profiling or categorization that leads to unfair, unethical or discriminatory treatment contrary to human rights law

In an age of big data, it is increasingly important to understand the connection between the upstream collections, uses and disclosures of personal information and the downstream discriminatory impacts thereof. [Footnote 11] Data analytics—or any other type of profiling or categorization—that results in inferences being made about individuals or groups, with a view to profiling them in ways that could lead to discrimination based on prohibited grounds contrary to human rights law [Footnote 12] would not be considered appropriate under subsection 5(3)’s “appropriate purpose” test.

While profiling that leads to discrimination contrary to human rights law will always be inappropriate under 5(3), determining whether a result is unfair or unethical will require a case-by-case assessment. Organizations should know, however, that unfair or unethical profiling or categorization will also generally be found inappropriate under subsection 5(3).

This is consistent with the spirit of the International Resolution on Big Data adopted by Data Protection and Privacy Commissioners around the world at their annual Conference in Mauritius in 2014, where we committed to calling on all parties to demonstrate that decisions around the use of Big Data are fair, transparent and accountable; that results from profiling be responsible, fair and ethical; and that injustice for individuals due to fully automated false positive or false negative results be avoided.

3. Collection, use or disclosure for purposes that are known or likely to cause significant harm to the individual

The digital marketplace is filled with privacy trade-offs individuals make every day in order to exercise their freedom as consumers. This includes giving up a reasonable amount of one’s privacy in order to seek out convenience and choice. Individuals should be free to make their own discerning decisions of how much privacy they are willing to give up in order to obtain certain products or services.

However, the OPC believes that a reasonable person would not consider it appropriate for organizations to require an individual to undergo significant privacy harm as a known or probable cost for products or services. By “significant harm”, we mean “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on (one’s) credit record and damage to or loss of property”. [Footnote 13]

4. Publishing personal information with the intended purpose of charging individuals for its removal

OPC has written extensively about the challenges of protecting one’s reputation online, and released a draft position paper on the topic. While this remains a complex issue overall, our Office has come across one practice which we clearly consider to be offside PIPEDA and that is, publishing sensitive personal information online for the primary purpose of charging individuals to have it removed. In short, we believe a reasonable person is unlikely to consider “blackmail” an appropriate purpose, and the Federal Court of Canada agreed with us when it confirmed the findings of our investigation of Globe24h.

5. Requiring passwords to social media accounts for the purpose of employee screening

PIPEDA, as amended by the Digital Privacy Act, protects the personal information of job applicants as well as employees of federal works, undertakings or businesses (organizations that are federally-regulated, such as banks, airlines, and telecommunications companies). Given the unequal positions of power between employer and employee (or potential employee), there is a risk that employers ask for more information than is needed to assess an individual’s merit, and individuals, in turn, may feel unduly pressured to provide such information for fear of not being given the job or of losing their employment. In some cases, employers may go overboard in requesting that employees (or potential employees) provide them with access to password-protected areas of their social media accounts. Requiring passwords in order to access private parts of social media accounts has the potential of exposing incredible amounts of highly sensitive personal information that are neither relevant nor necessary for the employers’ legitimate business purposes. Many U.S. States have passed legislation prohibiting this practice. [Footnote 14] The OPC agrees that requiring passwords to social media accounts for the purpose of employee screening [Footnote 15] would generally not be considered appropriate by a reasonable person.

6. Surveillance by an organization through audio or video functionality of the individual’s own device

Nothing can be more privacy-invasive than being tracked through the audio or video functionality of an individual’s device either covertly, that is without their knowledge or consent, or even with so-called consent, when doing so is grossly disproportionate to the business objective sought to be achieved.

In PIPEDA Report of Findings 2013-016, the OPC found that a spyware application called “Detective Mode,” used by several rent-to-own companies to covertly trace missing laptop computers, resulted in the surreptitious collection of keystrokes, screenshots, webcam photographs, and other information. Our Office found that the loss of privacy resulting from the use of Detective Mode in this context was vastly disproportionate to the possible benefits to be gained.

It may be permissible for the audio or video functionality of a device to regularly or constantly be turned on in order to provide a service if the individual is both fully aware and in control of this fact, and the captured information is not recorded, used, disclosed or retained except for the specific purpose of providing the service.

Conclusion

An appropriate purpose judged from the standpoint of a reasonable person is a flexible concept that requires time, careful reflection and practical experience to define. In practice, the test for appropriateness will require a contextual analysis but we find it useful—for transparency to both individual and organizations—to provide examples of our expectations, such as those listed above. It is our intention to periodically revisit and update the above list of “No-Go zones” as warranted.
