News release

Privacy Commissioner issues new guidance to help address consent challenges in the digital age

TORONTO, May 24, 2018 – The Office of the Privacy Commissioner of Canada has published two important new guidance documents – on obtaining meaningful consent and on inappropriate data practices – to help organizations ensure they comply with their privacy obligations in the digital age.

“The consent guidance sets out practical and actionable advice for organizations to ensure they obtain meaningful consent in the online environment,” says Privacy Commissioner Daniel Therrien, who launched the guidance today at a conference of the International Association of Privacy Professionals in Toronto. “Our goal here is also to help empower Canadians.”

The guidance on “no-go zones”, meanwhile, suggests to companies which practices are inappropriate and informs individuals of what organizations are generally prohibited from doing, even with consent.

“During an extensive public consultation, we heard very clearly that the increasingly complex digital environment – with technological innovations such as big data, the Internet of Things and artificial intelligence – is posing challenges for privacy protection and the consent model,” says Commissioner Therrien. “This new guidance is part of a series of measures we are undertaking to help address that issue.”

The guidance will also help Canadians to understand their privacy rights under the law – and what they can expect from businesses that handle their personal information.

The two guidance documents are:

The guidance on meaningful consent, which was issued jointly with the offices of the Information and Privacy Commissioners in Alberta and British Columbia, sets out seven guiding principles for meaningful consent. For example:

  • Emphasizing certain key elements in privacy information and explaining them in a user-friendly way

    This will help make it easier for individuals to understand important privacy information and make informed decisions about whether to consent to the collection, use and disclosure of their personal information.

    The four elements are: what personal information is being collected; with which parties personal information is being shared; for what purposes personal information is collected, used or disclosed; and risk of harm and other consequences.

  • Providing people with clear options to say ‘yes’ or ‘no’

    Individuals cannot be required to consent to the collection, use or disclosure of personal information beyond what is necessary to provide the product or service – they must be given a choice. These choices must be explained clearly and made easily accessible.

  • Being accountable and standing ready to demonstrate compliance

    Organizations, when asked, should be in a position to demonstrate how they are complying with the law, and, in particular, that their consent processes permit their target audience to provide consent that is valid and meaningful.

The second guidance document sets out a series of “no-go zones” which the Office of the Privacy Commissioner generally considers offside of Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA).

The “no-go zones” are:

  • Collection, use or disclosure that is otherwise unlawful.
  • Profiling or categorization that leads to unfair, unethical or discriminatory treatment contrary to human rights law.
  • Collection, use or disclosure for purposes that are known or likely to cause significant harm to the individual.
  • Publishing personal information with the intended purpose of charging individuals for its removal.
  • Requiring passwords to social media accounts for the purpose of employee screening.
  • Surveillance by an organization through audio or video functionality of the individual’s own device.

Commissioner Therrien noted that there is value in, even a need for, specific examples of practices that will generally be found inappropriate and that the no-go zones should set useful boundaries for individuals and organizations.

“Our role as a regulator includes giving guidance that clarifies PIPEDA requirements and sets expectations as to how the law should generally be interpreted and applied. Given that PIPEDA is so broad in nature, individuals and organizations need an adequate level of certainty.”

Organizations should educate themselves on the obligations set out in this new guidance and take steps to comply with the requirements. The Office of the Privacy Commissioner of Canada will begin applying the inappropriate data practices guidance July 1, 2018 and the consent guidance starting Jan. 1, 2019.

The consultation on the issue of consent was launched in mid-2016 with the goal of identifying improvements to the existing model and bringing clearer definition to the roles and responsibilities of the various players who could implement them.

In September 2017, the Office of the Privacy Commissioner published a report outlining the results of the consultation, including actions and recommendations. At that time, the Commissioner said his office would update key guidance on online consent and develop new guidance that would specify areas where collection, use and disclosure of personal information is prohibited. Drafts were issued for public comment, which was considered before the final guidance was issued.

About the Privacy Commissioner of Canada

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada. The Commissioner enforces two laws for the protection of personal information: the Privacy Act, which applies to the federal public sector; and the Personal Information Protection and Electronic Documents Act, Canada’s federal private sector privacy law.

- 30 -

For more information:

communications@priv.gc.ca
