Five Steps to Compliance with Privacy Consent Guidelines

On January 1, 2019, the Privacy Commissioner of Canada will begin enforcing Guidelines for obtaining meaningful consent, which impose requirements for obtaining legally valid privacy consents. This bulletin summarizes five steps to compliance with the Guidelines.

The Guidelines

In May 2018, the Office of the Privacy Commissioner of Canada and the Offices of the Information and Privacy Commissioners of Alberta and British Columbia jointly issued Guidelines for obtaining meaningful consent (the "Guidelines") to help private sector organizations obtain legally valid consents to the collection, use and disclosure of personal information. The Guidelines criticize "the use of lengthy, legalistic privacy policies", and explain that the requirements and best practices summarized in the Guidelines are intended to "breathe life" into the ways that consent is obtained.

The Guidelines detail seven principles for private sector organizations to follow to obtain legally valid privacy consents: (1) emphasize key elements “right up front” in a privacy policy; (2) allow individuals to control the level and timing of detail about an organization’s privacy practices; (3) provide individuals with clear options to say “yes” or “no” to the collection/use of their personal information; (4) be innovative and creative when explaining privacy practices; (5) consider the consumer’s perspective when writing privacy policies and related notices; (6) make consent a dynamic and ongoing process; and (7) be accountable and ready to demonstrate compliance. The Guidelines discuss the appropriate form of consent (i.e. express or implied) for the collection, use or disclosure of personal information, and how organizations should obtain consent from or on behalf of children. The Guidelines include a useful checklist that summarizes the guidance into “must do” measures required for legal compliance, and “should do” measures that reflect recommended best practices.

For more information about the Guidelines, see BLG bulletin Preparing for Compliance with New Privacy Consent Guidelines.

Steps to Compliance

Following is a summary of five steps for an organization to achieve compliance with the Guidelines:

1. Audit/Assessment: The organization should audit its personal information practices/procedures to determine whether they are accurately and comprehensively described by the organization’s current privacy policies and related notifications, and then assess the practices/procedures to determine whether they comply with applicable laws and regulatory guidance. For example, is the organization obtaining appropriate forms of consent (i.e. express/opt-in or implied/opt-out), using adequate procedures for consent withdrawals, and keeping records to demonstrate legal compliance?
2. Practices/Procedures: Based on the results of the audit, the organization should make necessary adjustments to its personal information practices/procedures so they comply with applicable laws and regulatory guidance.
3. Policies/Notifications: Based on the results of the audit, the organization should make necessary revisions to its privacy policies and related notifications so they accurately and comprehensively describe the organization’s personal information practices/procedures and comply with applicable laws and regulatory guidance, including by providing sufficient details and emphasis on key elements as required by the Guidelines.
4. Implementation: The organization should improve the implementation and presentation of its privacy policies (e.g. using hyperlinks, layering, guided tours, summaries, frequently asked questions, videos, infographics and visual tools) and related notifications (including context-specific notifications during online transactions, notices in emails and periodic reminders) so that required information is easily accessible using all relevant devices (e.g. personal computers and mobile devices), manageable, user-friendly and generally understandable by target audiences.
5. Communication: The organization should inform existing customers of the updated privacy policies in accordance with applicable laws and regulatory guidance, notice provisions in the current privacy policy and relevant contractual notice obligations.

When preparing for compliance with the Guidelines, organizations should be mindful of other privacy law obligations, including applicable personal information security breach reporting, notification and record-keeping obligations, and the need for an appropriate, documented information security governance framework. For more information, see BLG bulletins Regulatory Enforcement Action Emphasizes Need for an Information Security Governance Framework, Less is More – Data Minimization and Cyber Risk Management, Regulatory Guidance for Safeguarding Personal Information and Canadian Personal Information Security Breach Obligations – Preparing for Compliance.