Interpretation Bulletin: Form of Consent
Notice
Currently being reviewed.
March 2014
One of the Commissioner’s primary roles is to investigate and try to resolve privacy complaints against organizations. While findings on a given issue may differ depending on the facts of each case and the position of the parties. Over time, findings on certain key issues have begun to crystallize into general principles that can serve as helpful guidance for organizations.
In an effort to summarize the general principles that have emerged from court decisions and the Commissioner’s findings to date, the OPC issues Interpretations of certain key concepts in PIPEDA. These Interpretations are not binding legal interpretations, but rather, are intended as a guide for compliance with PIPEDA. As the Commissioner issues more findings, and the courts render more decisions, these Interpretations may evolve and be further refined.
I. Relevant Statutory Provisions
Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (“PIPEDA”)
Principle 4.3: The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate.
Principle 4.3.4: The form of the consent sought by the organization may vary, depending upon the circumstances and the type of information. In determining the form of consent to use, organizations shall take into account the sensitivity of the information. Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context. For example, the names and addresses of subscribers to a newsmagazine would generally not be considered sensitive information. However, the names and addresses of subscribers to some special-interest magazines might be considered sensitive.
Principle 4.3.5: In obtaining consent, the reasonable expectations of the individual are also relevant. For example, an individual buying a subscription to a magazine should reasonably expect that the organization, in addition to using the individual’s name and address for mailing and billing purposes, would also contact the person to solicit the renewal of the subscription. In this case, the organization can assume that the individual’s request constitutes consent for specific purposes. On the other hand, an individual would not reasonably expect that personal information given to a health-care professional would be given to a company selling health-care products, unless consent were obtained. Consent shall not be obtained through deception.
Principle 4.3.6: The way in which an organization seeks consent may vary, depending on the circumstances and the type of information collected. An organization should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive. Consent can also be given by an authorized representative (such as a legal guardian or a person having power of attorney).
Principle 4.3.7: Individuals can give consent in many ways. For example:
- an application form may be used to seek consent, collect information, and inform the individual of the use that will be made of the information. By completing and signing the form, the individual is giving consent to the collection and the specified uses;
- a checkoff box may be used to allow individuals to request that their names and addresses not be given to other organizations. Individuals who do not check the box are assumed to consent to the transfer of this information to third parties;
- consent may be given orally when information is collected over the telephone; or
- consent may be given at the time that individuals use a product or service.
Section 6.1: For the purposes of clause 4.3 of Schedule 1, the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.
II. General Interpretations by the Courts
- “The form of the consent sought by the organization, and the way in which the organization seeks consent, may vary, depending on the circumstances and the type of information (clauses 4.3.4 and 4.3.6). In obtaining consent, the reasonable expectations of the individual are relevant (clause 4.3.5). Implied consent would generally be appropriate when the information is less sensitive (clause 4.3.6). Examples of ways in which individuals can give consent are: on application forms, on checkoff boxes, over the telephone, at the time of use, all of which imply that the consent is given at the time of collection and before use.” (Englander v. Telus Communications Inc., 2004 FCA 387 at para. 60)
- Principle 4.3.4 makes it clear that “medical information is almost always considered to be sensitive, calling for a rather more explicit form of consent.” (Townsend v. Sun Life Financial, 2012 FC 550 at para. 25)
- “I agree with the respondent that [information concerning an individual’s frequency of usage of a fitness centre] is at the lower end of the scale of sensitivity, viewed objectively. The content was limited to the number of times per week that the applicant attended one of the respondent’s fitness centres. The information disclosed said nothing about what he did at the fitness centres, how long he remained, the nature of his training regime, level of fitness or any other personal information. In other circumstances, implied consent for the disclosure of information at a low level of sensitivity may be found.
I accept the applicant’s submission that in the circumstances of this case the information was sensitive particularly as it was being disclosed to his work colleagues at a staff meeting and encouraged rivalry with colleagues that made him uncomfortable. The employer should have been aware that some employees might not be comfortable with disclosure of the information to their colleagues in a public forum. In these circumstances, the level of sensitivity of the information was not so low that I would consider that consent to its disclosure could be implied.” (Randall v. Nubody’s Fitness Centres, 2010 FC 681 at paras.42-43) - “A consent is not informed if the person allegedly giving it is not aware at the time of giving it that he or she had the possibility to opt out.” (Englander v. Telus Communications Inc., supra at para. 67)
III. Application by the OPC in Different Contexts
General Considerations
- Express consent is the most appropriate and respectful form of consent to use in any circumstances; implied consent can be acceptable in strictly defined circumstances.
- In determining the form of consent to use, organizations are required to take into account the sensitivity of the information and the reasonable expectations of the individual.
- “In light of the purpose ofPIPEDA, and the underlying balance it seeks to achieve between protecting personal information and allowing organizations to use personal information for reasonably appropriate purposes, the Act favours a contextual approach in assessing whether personal information is sensitive for the purpose of determining the appropriate form of consent an organization should seek. “
Assessing the sensitivity of personal information in different contexts
Health-related information in the context of tailored advertising
- An individual’s online activity related to the viewing of health-related websites (e.g., research concerning a device for treating sleep apnea) constitutes sensitive personal information. It is inappropriate to rely on implied consent to use such information for the purpose of remarketing tailored advertising. Express consent is required.
Email addresses in the context of social media
- “[A]lthough an email address may not at first blush be considered to be a sensitive piece of personal information, the existing or presumed social connections between people derived from the use of the e-mail address… could be considered sensitive in certain unique contexts.”
Palm-vein scans in the context of admissions testing
- All biometrics are privacy invasive to a certain extent because they involve the collection of an individual’s physical characteristics. But not all biometrics are highly privacy invasive in and of themselves. The binary representation of a candidate’s palm-vein scan was not considered overly sensitive personal information in this specific case, given the test administrator’s current use of the technology.
For example, the palm-vein scans in this case were immediately transformed into an encrypted binary template, the binary code was non-reversible and no raw biometric image was retained. As well, the binary code information retained from the scan could not easily be interpreted by other parties or applied to other purposes, and the binary template was stored separately from any other personal information about the test taker. Palm-vein scanning was considered a “non-trace” biometric in this case, since latent images could not be left on objects, including the system used for the scan.
Financial information in the context of secondary marketing
- While it may be reasonable for an organization to rely on opt-out consent to disclose customer contact information for secondary marketing purposes, it cannot do so if it intends to disclose sensitive financial information such as annual income and credit history.
Purchasing habits and preferences in the context of loyalty programs
- The use and disclosure of information customized according to points plan members’ purchasing habits and preferences are likely sufficiently sensitive to warrant opt-in or positive consent.
Voiceprints in the context of employment
- While a human voice may reveal behavioural and physical characteristics that make an individual unique, a digital voiceprint used by an employer solely for one-to-one authentication of employees seeking to access the company’s internal computer network, is fairly benign.
- (PIPEDA Case Summary #2004-281 Organization uses biometrics for authentication purposes , cited with approval by the Federal Court of Appeal in Wansink v. TELUS Communications Inc., 2007 FCA 21)
Taking an individual’s reasonable expectations into account
- While in certain circumstances, the pre-selection of default settings in an online environment may be reasonable in order to avoid making the registration process overly cumbersome, these settings must accord with users’ reasonable expectations and users must be properly informed of the settings and of the implications of choosing one setting over another.
- “[I]t is important to bear in mind that a non-user might not reasonably expect that a site like Facebook would use his or her email to create social connections. This is all the more so in the context of this complaint where the complainants, as non-Facebook users, had no prior relationship with Facebook.”
- A reasonable person would not expect an organization to tailor marketing to his or her potentially sensitive personal or professional interests, uses or of preferences for certain products and services, and financial status, without his or her express consent.
Examples of appropriate use of implied consent
In the context of litigation or dispute resolution
- By initiating an arbitration proceeding before the Financial Services Commission of Ontario in which she put her personal medical information in issue, the complainant gave her implied consent to the collection, use and disclosure of her personal information by the insurer for the limited purpose of defending itself in these particular proceedings.
- (PIPEDA Case Summary #2009-003 Insurer discloses individual’s medical information to third-party consultant based on implied consent)
- (PIPEDA Case Summary #2009-016 An employee appealing the termination of workers’ compensation benefits consents to the disclosure of personal information allowed under the appeal process)
In the context of employment
- Consent for the collection of employee personal information via Global Positioning Systems (GPS) technology in their work vehicles can only be implied if used for appropriate purposes that an employee would reasonably expect. For example, implied consent is appropriate and meets the reasonable expectation of the individual if theGPS-enabled vehicles tracking their whereabouts are used to improve workforce productivity, to ensure safety of drivers, or to protect and manage company assets. Implied consent cannot be relied on to evaluate or manage employees on a routine basis, other than in exceptional circumstances where there is a complaint investigation or a clear performance issue, and where a clear policy setting out an appropriate process of warnings and progressive monitoring exists and has been brought to employees’ attention beforehand.
- A municipal transportation service was found to have the implied consent of its employees and of its clients for the use of a Mobile Data Terminal, including a Global Positioning System, on its vehicles. The information collected was used for an appropriate purpose – that of providing efficient service to clients. Since notice of the installation of the technology had been provided to employees, their continued use of vehicles constituted implied consent to the collection and use of their personal information for this purpose. Similarly, clients had to be aware that the respondent and its drivers require their name, pick-up location and drop-off location in order to provide the requested transportation service.
Conditions for appropriate use of opt-out consent
- Use of an opt-out consent mechanism may be acceptable where:
- The personal information is demonstrably non-sensitive in nature and context;
- The context in which information is shared is limited and well-defined as to the nature of the personal information to be used or disclosed and the extent of the intended use or disclosure;
- The organization’s purposes are limited and well-defined, and stated in a reasonably clear and understandable manner and brought to the individual's attention at the time the personal information is collected;
- The organization obtains consent for the use or disclosure at the time of collection, or informs individuals of the proposed use or disclosure, and offers the opportunity to opt out, at the earliest opportunity;
- The organization establishes a convenient procedure for opting out of, or withdrawing consent to, secondary purposes, with the opt-out taking effect immediately and prior to any use or disclosure of personal information for the proposed new purposes.
- (PIPEDA Case Summary #2003-192 Bank does not obtain the meaningful consent of customers for disclosure of personal information)
- (PIPEDA Case Summary #2003-203 Individual raises concerns about consent clauses on credit card application form)
- (PIPEDA Case Summary #2003-207 Cellphone company meets conditions for “opt-out” consent)
- (PIPEDA Report of Findings #2012-002 Facebook didn’t get non-members’ consent to use email addresses to suggest friends, investigation finds at para. 47)
- “…[W]here there is an existing use or disclosure for secondary purposes, the organization must provide an ongoing mechanism for withdrawing consent to the secondary purpose, and should ensure that the withdrawal takes effect with minimal delay.”
- The opt-out option for withholding consent should be immediate and convenient. Requiring a customer to fill out an application form to withhold consent to use or disclosure for secondary purposes is not likely reasonable.
- An individual who is already in an organization’s marketing system may reasonably expect it to take a number of weeks for the organization to process an opt-out request, but an organization should have systems in place to respond to such requests in a timely manner and in any case, within the period it has advertised to individuals.
- Not only must an organization provide an opportunity for its customers to withdraw consent, it must also ensure that such withdrawal, where expressed, is also communicated to related businesses, affiliates and subsidiaries.
- Date modified: