Form of Consent

March 2014

One of the Commissioner’s primary roles is to investigate and try to resolve privacy complaints against organizations. While findings on a given issue may differ depending on the facts of each case and the position of the parties, over time, findings on certain key issues have begun to crystallize into general principles that can serve as helpful guidance for organizations.

In an effort to summarize the general principles that have emerged from court decisions and the Commissioner’s findings to date, the OPC issues Interpretations of certain key concepts in PIPEDA. These Interpretations are not binding legal interpretations, but rather, are intended as a guide for compliance with PIPEDA. As the Commissioner issues more findings, and the courts render more decisions, these Interpretations may evolve and be further refined.

I. Relevant Statutory Provisions

Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (“PIPEDA”)

Principle 4.3: The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate.

Principle 4.3.4: The form of the consent sought by the organization may vary, depending upon the circumstances and the type of information. In determining the form of consent to use, organizations shall take into account the sensitivity of the information. Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context. For example, the names and addresses of subscribers to a newsmagazine would generally not be considered sensitive information. However, the names and addresses of subscribers to some special-interest magazines might be considered sensitive.

Principle 4.3.5: In obtaining consent, the reasonable expectations of the individual are also relevant. For example, an individual buying a subscription to a magazine should reasonably expect that the organization, in addition to using the individual’s name and address for mailing and billing purposes, would also contact the person to solicit the renewal of the subscription. In this case, the organization can assume that the individual’s request constitutes consent for specific purposes. On the other hand, an individual would not reasonably expect that personal information given to a health-care professional would be given to a company selling health-care products, unless consent were obtained. Consent shall not be obtained through deception.

Principle 4.3.6: The way in which an organization seeks consent may vary, depending on the circumstances and the type of information collected. An organization should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive. Consent can also be given by an authorized representative (such as a legal guardian or a person having power of attorney).

Principle 4.3.7: Individuals can give consent in many ways. For example:

  1. an application form may be used to seek consent, collect information, and inform the individual of the use that will be made of the information. By completing and signing the form, the individual is giving consent to the collection and the specified uses;
  2. a checkoff box may be used to allow individuals to request that their names and addresses not be given to other organizations. Individuals who do not check the box are assumed to consent to the transfer of this information to third parties;
  3. consent may be given orally when information is collected over the telephone; or
  4. consent may be given at the time that individuals use a product or service.

Section 6.1: For the purposes of clause 4.3 of Schedule 1, the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.

II. General Interpretations by the Courts

  1. “The form of the consent sought by the organization, and the way in which the organization seeks consent, may vary, depending on the circumstances and the type of information (clauses 4.3.4 and 4.3.6). In obtaining consent, the reasonable expectations of the individual are relevant (clause 4.3.5). Implied consent would generally be appropriate when the information is less sensitive (clause 4.3.6). Examples of ways in which individuals can give consent are: on application forms, on checkoff boxes, over the telephone, at the time of use, all of which imply that the consent is given at the time of collection and before use.” (Englander v. Telus Communications Inc., 2004 FCA 387 at para. 60)
  2. Principle 4.3.4 makes it clear that “medical information is almost always considered to be sensitive, calling for a rather more explicit form of consent.” (Townsend v. Sun Life Financial, 2012 FC 550 at para. 25)
  3. “I agree with the respondent that [information concerning an individual’s frequency of usage of a fitness centre] is at the lower end of the scale of sensitivity, viewed objectively. The content was limited to the number of times per week that the applicant attended one of the respondent’s fitness centres. The information disclosed said nothing about what he did at the fitness centres, how long he remained, the nature of his training regime, level of fitness or any other personal information. In other circumstances, implied consent for the disclosure of information at a low level of sensitivity may be found.

    I accept the applicant’s submission that in the circumstances of this case the information was sensitive particularly as it was being disclosed to his work colleagues at a staff meeting and encouraged rivalry with colleagues that made him uncomfortable. The employer should have been aware that some employees might not be comfortable with disclosure of the information to their colleagues in a public forum. In these circumstances, the level of sensitivity of the information was not so low that I would consider that consent to its disclosure could be implied.” (Randall v. Nubody’s Fitness Centres, 2010 FC 681 at paras. 42-43)
  4. “A consent is not informed if the person allegedly giving it is not aware at the time of giving it that he or she had the possibility to opt out.” (Englander v. Telus Communications Inc., supra at para. 67)

III. Application by the OPC in Different Contexts

General Considerations

Assessing the sensitivity of personal information in different contexts

Health-related information in the context of tailored advertising

Email addresses in the context of social media

Palm-vein scans in the context of admissions testing

  • All biometrics are privacy invasive to a certain extent because they involve the collection of an individual’s physical characteristics. But not all biometrics are highly privacy invasive in and of themselves. The binary representation of a candidate’s palm-vein scan was not considered overly sensitive personal information in this specific case, given the test administrator’s current use of the technology.

    For example, the palm-vein scans in this case were immediately transformed into an encrypted binary template, the binary code was non-reversible and no raw biometric image was retained. As well, the binary code information retained from the scan could not easily be interpreted by other parties or applied to other purposes, and the binary template was stored separately from any other personal information about the test taker. Palm-vein scanning was considered a “non-trace” biometric in this case, since latent images could not be left on objects, including the system used for the scan.

Financial information in the context of secondary marketing

Purchasing habits and preferences in the context of loyalty programs

Voiceprints in the context of employment

Taking an individual’s reasonable expectations into account

Examples of appropriate use of implied consent

In the context of litigation or dispute resolution

In the context of employment

  • Consent for the collection of employee personal information via Global Positioning Systems (GPS) technology in their work vehicles can only be implied if used for appropriate purposes that an employee would reasonably expect. For example, implied consent is appropriate and meets the reasonable expectation of the individual if the GPS-enabled vehicles tracking their whereabouts are used to improve workforce productivity, to ensure safety of drivers, or to protect and manage company assets. Implied consent cannot be relied on to evaluate or manage employees on a routine basis, other than in exceptional circumstances where there is a complaint investigation or a clear performance issue, and where a clear policy setting out an appropriate process of warnings and progressive monitoring exists and has been brought to employees’ attention beforehand.
  • A municipal transportation service was found to have the implied consent of its employees and of its clients for the use of a Mobile Data Terminal, including a Global Positioning System, on its vehicles. The information collected was used for an appropriate purpose – that of providing efficient service to clients. Since notice of the installation of the technology had been provided to employees, their continued use of vehicles constituted implied consent to the collection and use of their personal information for this purpose. Similarly, clients had to be aware that the respondent and its drivers require their name, pick-up location and drop-off location in order to provide the requested transportation service.

Conditions for appropriate use of opt-out consent
