Draft guidelines: Obtaining meaningful online consent

Notice

These draft guidelines have been published for discussion and commenting purposes as part of our work on improving the current consent model under PIPEDA. Please see our Consultation on consent under PIPEDA web page for more information and our Notice of Consultation and Call for Comments web page for instructions on how to comment on this document.

On this page

Building on past publications examining the current state of consent, including challenges and potential solutions,Footnote 1 this document sets out practical and actionable guidance regarding what organizations should do to ensure that they obtain meaningful consent in the online environment. 

This document reflects the principles of the federal Personal Information Protection and Electronic Documents Act (PIPEDA), the Alberta Personal Information Protection Act and the British Columbia Personal Information Protection Act (AB PIPA and BC PIPA, respectively). While the AB and BC PIPAs are substantially similar to PIPEDA and all three acts are based on the same underlying principles, some differences exist. Organizations are responsible for understanding their specific obligations under the legislation to which they are subject.Footnote 2

Seven Guiding Principles for Online Consent

During the OPC’s 2016 Consent consultations, some suggested that regulators develop templates for privacy policies; we do not believe that should be our role.  Rather, our view is that organizations are best placed to find innovative and creative solutions to developing a consent process that respects their specific regulatory obligations as well as the nature of their relationship with their customers. In designing such a process, we expect organizations to be guided by the following principles:

1. Emphasize key elements

Information provided about the collection, use and disclosure of individuals’ personal information must be readily available in complete form – but to avoid information overload and facilitate understanding by individuals, certain elements warrant greater emphasis or attention in order to obtain meaningful consent.

Privacy laws require individuals to understand the nature, purpose and consequences of what they are consenting to.Footnote 3 In order for consent to be considered valid, or meaningful, organizations have to inform individuals of their privacy practices in a comprehensive and understandable manner.Footnote 4  This means that organizations must provide complete information about their privacy management practices in a form that is readily accessible to those interested individuals who wish to read them in full.

However, the reality is that information overload buried in a privacy policy or terms of use serves no practical purpose to individuals in a hurry. To receive meaningful consent, organizations must allow individuals to quickly review key elements impacting their privacy decisions right up front as they are considering using the service or product on offer, making the purchase, or downloading the app, etc.   For this purpose, organizations should put additional emphasis on the following key elements:

  • What personal information is being collected
    Individuals should understand what personal information is being, or may be, collected about them.
  • With which parties is personal information being shared
    Individuals expect that the personal information they provide to one organization will not be shared with another. As such, any disclosures to third parties should be clearly explained, including the types of information being shared. Organizations should be as specific as possible in enumerating these third parties.  In the case where third parties may change periodically or are too numerous to specify, organizations must at the very least specify the types of third parties information is shared with and then use means such as layering to be more specific. Particular attention should be paid to any disclosures to third parties that may use the information for their own purposes, as opposed to simply providing services for the first-party.
  • For what purposes personal information is collected, used or disclosed
    Individuals should be made aware of all purposes for which information is collected, used or disclosed. These purposes should be described in meaningful language, avoiding vagueness like ‘service improvement’. Purposes that are integral to the provision of the service should be distinguished from those which are not, and any available options explained. Organizations should in particular highlight any purposes that would not be obvious to the individual and/or reasonably expected based on the context.
  • Risk of harm
    Individuals should be made clearly aware of any known or foreseeable risk of harms arising from the collection, use or disclosure of personal information. Harm includes both material and reputational harm.

At this time, there is no prescribed form in which the above elements should be highlighted so as to give them prominence. We encourage organizations to consider adopting standardized mechanisms, to the extent that best practices emerge in the future in different sectors.  

2. Allow individuals to control the level of detail they get and when

Information must be provided to individuals in manageable and easily-accessible layers and individuals should be able to control how much more detail they wish to obtain, and when.

Beyond the four elements above, the level of detail required to make a consent decision will vary by individual, and by situation, depending on their level of risk tolerance. One person may be comfortable with a quick review of summary information; another may want to do a deeper dive. One person may want to do a more in-depth  review of an organization’s privacy practices up-front; another may look at information piece-meal, returning to it later when they have more time or depending on what services he or she is using and when. Individuals may also want the opportunity to review in detail the information that they ‘clicked-through’ when they signed up for the service originally. All approaches to seeking privacy information should be respected and supported by organizations.

Presenting information in a layered-formatFootnote 5 helps make better sense of lengthy, complex information by presenting a summary of the key highlights up front. Moreover, this information should remain available to individuals as they engage with the organization. Consent choices are not made just once; at any time, individuals should be able to re-consider whether they wish to continue or withdraw their consent, and full information should be available to them as they make those decisions at different points in time.

3. Provide individuals with clear options to say ‘yes’ or ‘no’

Individuals must be provided with easy ‘yes’ or ‘no’ options when it comes to collections, uses or disclosures that are not integral to the product or service they are seeking.

Collections, uses or disclosures of personal information over which the individual cannot assert any control (other than not to use a product or service) are called conditions of service. For a collection, use, or disclosure to be a valid condition of service, it must be integral to the provision of that product or service such that it is required to fulfill its explicitly specified and legitimate purpose. Organizations should be transparent and prepared to explain why, any given collection, use or disclosure is a condition of service, particularly if it is not obvious.

Otherwise, for all other collections, uses and disclosures, individuals should be given a choice.  A clear ‘yes’ or ‘no’ option allows the individual to determine whether to provide certain personal information, or allow it to be used or disclosed for a non-integral purpose. This requires that they be given clear indication when the collection, use or disclosure of certain personal information is not required in order to provide the product or service they are seeking, and that they be given a prominent means of saying yes or no, subject to what is reasonably considered to be appropriate under the circumstances.

4. Be innovative and creative

Organizations should design and/or adopt innovative consent processes that can be implemented just-in-time, are specific to the context, and are appropriate to the type of interface used.

When seeking consent online, organizations must do more than simply transpose in digital form, their paper-based policies from the offline environment. The digital environment is dynamic in nature, and its capabilities should be considered and taken advantage of. Organizations are encouraged to use a variety of communications strategies – including “just-in-time” notices, interactive tools and customized mobile interfaces – to explain their privacy practices, including the following:

“Just in time” notices

An important consideration in obtaining meaningful consent in the online environment is the speed with which transactions take place. In wanting to quickly access information and services, users often feel a sense of urgency in making decisions about sharing their information. It is therefore important for organizations to bring relevant privacy information to the forefront where it is conspicuous, quick to access, and intuitive. For example, if a user’s age is being requested to register for an online service, a just-in-time notice explaining why this information is needed should appear near the space where the user would input the information. As another example, if a user’s location is required to enable a certain feature of a service, a just-in-time notice explaining this and requesting access can be made when that user first accesses the feature, rather than only when signing up for the service originally.

Interactive Tools

Organizations have also been using the interactive properties of the Internet to aid in the presentation of privacy information. We have seen examples in which organizations create interactive walkthroughs of their privacy settings (presenting them to users at initial sign-up, and then again periodically as ‘refreshers’), videos explaining key concepts, and/or infographics and similar visual tools.

Customized mobile interfaces

Mobile devices present an amplified communication challenge. Individuals’ time and attention are at a premium, and the medium does not lend itself to lengthy explanations. As such, organizations need to highlight privacy issues at particular decision points in the user experience where people are likely to pay attention and need guidance the most.  In that context, privacy information needs to be optimized to be effective in spite of the physical limitations of screen size. Our mobile apps guidance is a good resource when designing the mobile consent experience.

5. Consider the consumer’s perspective

Consent processes must take into account the consumer’s perspective to ensure that they are user-friendly and that the information provided is generally understandable from the point of view of the organization’s target audience(s).

Consent is only valid where the individual can understand that to which they are consenting.Footnote 6 Organizations put significant resources into the design of user experiences and interactions; surely, they can put similar efforts toward ensuring that their consent process is understandable, user-friendly and customized to the nature of the product or service they are offering and their target audiences.

Organizations should consider both the content of privacy communications and their accessibility from the perspective of their users. This includes using clear explanations, a level of language suitable to a diverse audience, and a comprehensible means of displaying and/or communicating information.  Organizations should also ensure that privacy policies and notices are easily accessible from all devices the individual may be using, including digital health technologies, smart phones, tablets, gaming devices, as well as more traditional PCs or laptops.   If the practices being described are complex and involve multiple parties, the organization should make a concerted effort to ensure that users can easily access and understand all of the key elements.  

In order to do all of this effectively, organizations may consider: 

  • Consulting with users and seeking their input when designing a consent process;
  • Pilot testing or using focus groups to ensure individuals understand what they are consenting to;
  • Involving user interaction/user experience (UI/UX) designers in the development of the consent process;
  • Consulting with privacy experts and/or regulators when designing a consent process; and/or,
  • Following an established ‘best practice,’ standard or other guideline in developing a consent process.

The suggestions above are non-exhaustive, and are intended to be scalable depending on the size and maturity of organizations and the amount and type of personal information they collect, use or disclose.

6. Stand ready to demonstrate effectiveness

Organizations, when asked, should be in a position to demonstrate the steps they have taken to test whether their consent processes are indeed user-friendly and understandable from the general perspective of their target audience(s).

In order for an organization to demonstrate that it has obtained valid consent, pointing to a line buried in a privacy policy will not suffice. Instead, organizations should be able to demonstrate – either in the case of a complaint from an individual or a proactive query from a privacy regulator – that they have a process in place to obtain consent from individuals, and that such process is actually effective.  This is an integral part of not only the consent process, but also part of an effective accountability regime.

Such demonstrations may include – but are not limited to – showing, when called upon, that the organization has considered and implemented the principles in this document.  As a best practice, organizations should periodically audit their information management practices to ensure that personal information continues to be handled in the way described to individuals. Again, an organization’s ability to demonstrate is intended to be scalable depending on the size and maturity of organizations and the amount and type of personal information they collect, use or disclose.

For general information on privacy management practices, please refer to our guidance document, “Getting Accountability Right with a Privacy Management Program.”

7. Make consent a dynamic and ongoing process

Informed consent is an ongoing process that changes as circumstances change; organizations should not rely on a static moment in time but rather treat consent as a dynamic and interactive process.

Ensuring the effectiveness of individual consent is a dynamic process that does not end with the posting of a privacy policy or notice, but rather, continues as organizations innovate, grow and evolve.  When information flows are complex, as they often are, organizations must provide some interactive and dynamic way to anticipate and answer users’ questions if the information provided is not clear or gives rise to follow-up questions.  While providing 1-800 numbers may not be feasible or practical in a fast-paced online environment, there are myriad other ways organizations can do this, such as, developing and regularly updating FAQs, using new smart technologies, chatbots, etc.

When an organization plans to introduce significant changes to its privacy practices, it should notify users in advance and ask users to confirm that they consent prior to the changes coming into effect. Significant changes include using personal information for a new purpose not anticipated originally or disclosing personal information to a third party for a purpose other than processing a component of what is integral to the service.

Organizations should also consider periodically reminding individuals about their privacy options and inviting them to review these.

Determining the Appropriate Form of Consent

Beyond the above principles, it is important for organizations to consider the appropriate form of consent to use (express or implied) for any collection, use or disclosure of personal information for which consent is required.   While consent should generally be express, it can be implied in strictly defined circumstances.Footnote 7 The Supreme Court of Canada has recently confirmed that in making this determination, organizations need to take into account the sensitivity of the information and the reasonable expectations of the individual, both of which will depend on context.Footnote 8

Organizations must generally obtain explicit consent when:

  • The information being collected, used or disclosed is sensitive;
  • The collection, use or disclosure is outside of the reasonable expectations of the individual; and/or,
  • The collection, use or disclosure poses an increased risk of harm to the individual.

Sensitivity

There is no “bright line” separation of what is, and is not, sensitive information. Certain categories of information (such as health or financial) will generally be considered extremely sensitive, but even non-sensitive information can become sensitive depending on the circumstances.   For example, an individual piece of information considered non-sensitive on its own, could become sensitive depending on what it is capable of revealing when combined with other personal information about the individual.Footnote 9 Conversely, personal information generally considered highly sensitive may become less so where other related information is already in the public domain, depending on the purpose for which such information is being made public and the nature of the relationship between the parties involved.Footnote 10.

Reasonable expectations

In determining the appropriate form of consent, organizations should also consider the reasonable expectations of the individual in the circumstances.    For example, if there is a use or disclosure a user would not reasonably expect to be occurring, such as certain sharing of information with a third party, the downloading of photos or contact lists, or the tracking of location, express consent may be required. 

In some cases, other contextual factors may come into play.  For example, where an organization considers disclosure to a third party, the identity of the third party and their purpose in seeking access to the information may be relevant.  Depending on the circumstances, an individual might reasonably expect that information could be disclosed to a third party with a legal entitlement to it; however, an individual would not reasonably expect disclosure to individuals who are merely curious or seek the information for nefarious purposes.Footnote 11

Risk of Harm

Underlying the contextual analysis of both sensitivity and reasonable expectations is risk of harm to the individual.  Harm should be understood broadly, including material and reputational impacts, restrictions on autonomy, and other factors.  An increased risk of harmwill generally increase the sensitivity of the information and/or go beyond what an individual would normally and reasonably expect.  In such circumstances, express consent will generally be required – assuming it does not meet a threshold which would contravene the “appropriate purpose” requirement described below (e.g. where there is a known or likely risk of significant harm), in which case the purpose would be considered offside subsection 5(3) of the Act.

The ability of children and youth to provide meaningful consent for the sharing of their personal information online depends greatly on their cognitive and emotional development. Given the difficulties that adults have in understanding what is happening with their personal information in a complex online environment, it would be unrealistic to expect children to fully appreciate the complexities and potential risks of sharing their personal information online. In recognition of this, private sector privacy legislation allows for consent through an authorized person, such as a parent or legal guardian.

We recognize that the maturation process is an evolving one, as youth are introduced to– and thus begin to develop an understanding of - online services at increasingly early ages. While a child’s capacity to consent can vary from individual to individual, we believe that there is nonetheless a threshold age below which young children are not likely to fully understand the consequences of their privacy choices, particularly in this age of complex data-flows. As such, in all but exceptional cases, consent for the collection, use and disclosure of personal information of children under the age of 13, must be obtained from their parents or guardians. As for youth aged 13 to the applicable provincial or territorial age of majority, their consent can only be considered meaningful if organizations have reasonably taken into account their level of maturity in developing their consent processes and adapted them accordingly. Organizations undertaking such collections, uses or disclosures should pay special mind to Guiding Principle 6, and stand ready to demonstrate on demand that their chosen process leads to meaningful and valid consent.

What Else Should Organizations Know About Consent?

Lastly, there are some final considerations which need to be kept in mind by organizations designing their online consent processes.

Appropriate purpose

It is important to remember that the purposes for which an organization collects and uses personal information must be appropriate and defined. Even with consent, privacy laws require organizations to limit collection, use and disclosure of personal information to purposes that a reasonable person would consider appropriate under the circumstances.Footnote 12 In other words, an individual’s consent is not a free pass for organizations to engage in collecting and using personal information indiscriminately for whatever purpose they choose.

Withdrawing consent

Under private sector privacy laws, individuals have the right to withdraw consent, subject to legal or contractual restrictions. Withdrawal of consent should be respected and put a stop to any further collection and use of the individual’s personal information. It may also mean that data held by an organization about an individual should be deleted depending on the circumstances. For example, if a user deletes his account on a social networking site, the organization should delete his personal information on the site, to the extent technically feasible. There may be limited circumstances where an organization may need to retain some information about an individual who has withdrawn consent. For example, a “do not contact” list of email addresses could be retained for individuals who have requested no further communication from an online service. Moreover, other laws may require that information be retained. For example, financial sector legislation and regulations require organizations to retain information such as client credit files and credit card applications for five years from the day of closing of the account to which they relate.Footnote 13

Consent is not a silver bullet

Finally, it is important to note that consent does not waive an organization’s other obligations under privacy laws, such as overall accountability, collection limitation, and safeguards. In other words, if an individual consented to have their personal information handled contrary to legal requirements, the organization would still be considered in contravention of those requirements.

Date modified: