On January 1, 2019, the Privacy Commissioner of Canada will begin enforcing Guidelines for obtaining meaningful consent, which impose requirements for obtaining legally valid privacy consents. This bulletin summarizes five steps to compliance with the Guidelines.
In May 2018, the Office of the Privacy Commissioner of Canada and the Offices of the Information and Privacy Commissioners of Alberta and British Columbia jointly issued Guidelines for obtaining meaningful consent (the "Guidelines") to help private sector organizations obtain legally valid consents to the collection, use and disclosure of personal information. The Guidelines criticize "the use of lengthy, legalistic privacy policies", and explain that the requirements and best practices summarized in the Guidelines are intended to "breathe life" into the ways that consent is obtained.
For more information about the Guidelines, see BLG bulletin Preparing for Compliance with New Privacy Consent Guidelines.
Steps to Compliance
Following is a summary of five steps for an organization to achieve compliance with the Guidelines:
- Audit/Assessment: The organization should audit its personal information practices/procedures to determine whether its current privacy policies and related notifications describe them accurately and comprehensively, and then assess those practices/procedures against applicable laws and regulatory guidance. For example, is the organization obtaining the appropriate form of consent in each context (express/opt-in or implied/opt-out), using adequate procedures for handling consent withdrawals, and keeping records that demonstrate legal compliance?
- Practices/Procedures: Based on the results of the audit, the organization should make necessary adjustments to its personal information practices/procedures so they comply with applicable laws and regulatory guidance.
- Policies/Notifications: Based on the results of the audit, the organization should make necessary revisions to its privacy policies and related notifications so they accurately and comprehensively describe the organization’s personal information practices/procedures and comply with applicable laws and regulatory guidance, including by providing sufficient details and emphasis on key elements as required by the Guidelines.
- Implementation: The organization should improve the implementation and presentation of its privacy policies (e.g. using hyperlinks, layering, guided tours, summaries, frequently asked questions, videos, infographics and visual tools) and of its related notifications (including context-specific notifications during online transactions, notices in emails and periodic reminders). The goal is that required information is easily accessible on all relevant devices (e.g. personal computers and mobile devices), manageable, user-friendly and generally understandable by the target audiences.
When preparing for compliance with the Guidelines, organizations should be mindful of other privacy law obligations, including applicable personal information security breach reporting, notification and record-keeping obligations, and the need for an appropriate, documented information security governance framework. For more information, see BLG bulletins Regulatory Enforcement Action Emphasizes Need for an Information Security Governance Framework, Less is More – Data Minimization and Cyber Risk Management, Regulatory Guidance for Safeguarding Personal Information and Canadian Personal Information Security Breach Obligations – Preparing for Compliance.