PIPEDA Fair Information Principle 3 – Consent
Revised: May 2019
- Meaningful consent is an essential element of PIPEDA. Organizations are generally required to obtain meaningful consent for the collection, use and disclosure of personal information.
- To make consent meaningful, people must understand what they are consenting to. It is only considered valid if it is reasonable to expect that your customers will understand the nature, purpose and consequences of the collection, use or disclosure of their personal information.
- Consent can only be required for collections, uses or disclosures that are necessary to fulfil an explicitly specified and legitimate purpose. For non-integral collections, uses and disclosures, individuals must be given a choice.
- The form of consent must take into account the sensitivity of the personal information. The way you seek consent will depend on the circumstances and type of information you are collecting.
- Individuals can withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice, and you must inform individual of the implications of withdrawal.
How to fulfill these responsibilities
- Make privacy information readily available in complete form, while giving emphasis or bringing attention to four key elements:
- What personal information is being collected, with sufficient precision for individuals to meaningfully understand what they are consenting to?
- With which parties personal information is being shared?
- For what purposes personal information is being collected, used or disclosed, in sufficient detail for individuals to meaningfully understand what they are consenting to?
- What are the risks of harm and other consequences?
- Provide information in manageable and easily accessible ways.
- Make available to individuals a clear and easily accessible choice for any collection, use or disclosure that is not necessary to provide the product or service.
- Consider the perspective of your consumers, to ensure consent processes are user-friendly and generally understandable.
- Obtain consent when making significant changes to privacy practices, including use of data for new purposes or disclosures to new third parties.
- Only collect, use or disclose personal information for purposes that a reasonable person would consider appropriate under the circumstances.
- Allow individuals to withdraw consent (subject to legal or contractual restrictions).
- Determine the appropriate form of consent: obtain express (explicit) consent for collections, uses or disclosures which generally: (i) involves sensitive information; (ii) are outside the reasonable expectations of the individual; and/or (iii) create a meaningful residual risk of significant harm.
- Consent and children: Obtain consent from a parent or guardian for any individual unable to provide meaningful consent themselves (the OPC takes the position that, in all but exceptional circumstances, this includes anyone under the age of 13), and ensure that the consent process for youth able to provide consent themselves reasonably considers their level of maturity.
- Whether implied or express, consent does not waive an organization’s other responsibilities under PIPEDA, such as being accountable, implementing safeguards, and having a reasonable purpose for processing personal information.
Form of consent
It is important for organizations to consider the appropriate form of consent to use (express or implied) for any collection, use or disclosure of personal information for which consent is required. While consent should generally be express, it can be implied in strictly defined circumstances. Organizations need to take into account the sensitivity of the information and the reasonable expectations of the individual, both of which will depend on context.
Organizations must generally obtain express consent when:
- The information being collected, used or disclosed is sensitive;
- The collection, use or disclosure is outside of the reasonable expectations of the individual; and/or,
- The collection, use or disclosure creates a meaningful residual risk of significant harm.
TipsThe following tips can help make your consent process more meaningful:
- Allow individuals to control the amount of detail they wish to receive, and when.
- Design or adopt innovative and creative ways of obtaining consent, which are just-in-time, specific to the context, and suitable to the type of interface.
- Periodically remind individuals about the consent choices they have made, and those available to them.
- Periodically audit privacy communications to ensure they accurately reflect current personal information management practices.
- Stand ready to demonstrate compliance – in particular, that the consent process is understandable from the perspective of the user.
- In designing consent processes, consider:
- consulting with users and seeking their input;
- pilot testing or using focus groups to evaluate the understandability of documents;
- involving user interaction / user experience (UI/UX) designers;
- consulting with privacy experts and/or regulators; and
- following established best practices or standards.
More about Consent
Report a problem or mistake on this page
- Date modified: