Jeffrey SanchezThe implementation of the European Union’s General Data Protection Regulation (GDPR) in 2018 drove a ripple effect around the world as organizations were forced to take a close look at their processes to protect personal data of their global customers.
Of course, obtaining an individual’s consent to use their personal data has always been important, but the GDPR requirements tightened the oversight needed and clearly defined that consent must be freely given, specific, informed and unambiguous. In January 2019, the Canadian Office of the Privacy Commissioner (OPC) implemented its own Guidelines of Meaningful Consent, part of that nation’s Personal Information Protection and Electronic Documents Act (PIPEDA).
How do these new Canadian guidelines compare to GDPR? Our Security & Privacy teams have prepared an easy-to-understand, side-by-side assessment of the two.
| Privacy Concept | Consent Requirements Under GDPR | Consent Requirements Under PIPEDA |
| Implied Consent | Consent cannot be implied (should be express) and must always be given through an opt-in. (GDPR Chapter: Consent) | Implied consent would generally be appropriate when the information is less sensitive. (PIPEDA Principle 3) |
| Demonstrating Compliance | Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. (Article 7) | Organizations, when asked, should be in a position to demonstrate compliance, and in particular that the consent process they have implemented is sufficiently understandable from the general perspective of their target audience(s) as to allow for valid and meaningful consent. (Guidelines for Obtaining Meaningful Consent – Principle 7) |
| Withdrawable | The data subject shall have the right to withdraw his or her consent at any time. (Article 7) | An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. (PIPEDA Principle 3) |
| Transfer of Obligations | In a case where the consent sought is to be relied upon by multiple (joint) controllers or if the data is to be transferred to or processed by other controllers who wish to rely on the original consent, these organizations should all be named. Processors do not need to be named as part of the consent requirements, although to comply with Articles 13 and 14 of the GDPR, controllers will need to provide a full list of recipients or categories of recipients including processors. (Working Party Guidelines on Consent) | Obtain consent when making significant changes to privacy practices, like use of data for new purposes or disclosures to new third parties. In the case where third parties may change periodically or are too numerous to specify, organizations should specify the types of third parties information is shared with. (Guidelines for Obtaining Meaningful Consent – Principle 1)
|
| Informed
|
Prior to giving consent, the data subject shall be informed thereof. (Article 7)
|
Individuals must be informed of purposes in sufficient detail such as to ensure they meaningfully understand what they are invited to consent to. Organizations should in particular highlight any purposes that would not be obvious to the individual and/or reasonably expected based on the context. (Guidelines for Obtaining Meaningful Consent – Principle 1) |
| Innovative Communication Strategies | N/A | Organizations should design and/or adopt innovative consent processes that can be implemented just-in-time, are specific to the context, and are appropriate to the type of interface used. (Guidelines for Obtaining Meaningful Consent – Principle 1) |
| Monitoring of Consent Choices
|
Organizations should keep their consents under review. You will need to refresh them if anything changes. (ICO’s Guidance for Consent under GDPR) | Organizations should periodically remind individuals about the consent choices they have made, and those available to them. They should also audit privacy communications to ensure they accurately reflect current personal information management practices. (Guidelines for Obtaining Meaningful Consent) |
| Understandable | When seeking consent, controllers should ensure that they use clear and plain language in all cases. This means a message should be easily understandable for the average person and not only for lawyers. (Working Party Guidelines on Consent) | Consent processes must take into account the consumer’s perspective to ensure that they are user-friendly and that the information provided is generally understandable from the point of view of the organization’s target audience(s). (Guidelines for Obtaining Meaningful Consent – Principle 5) |
| Parental Consent
|
In relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child. (Article 8) * Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years. | Obtain consent from a parent or guardian for any individual unable to provide meaningful consent themselves (the OPC takes the position that, in all but exceptional circumstances, this means anyone under the age of 13), and ensure that the consent process for youth able to provide consent themselves reasonably considers their level of maturity. (Guidelines for Obtaining Meaningful Consent)
|
| Choice
|
Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment. (Recital 42) | Individuals must be given a choice (unless an exception to the general consent requirement applies). |
| Notifying Users of Significant Changes
|
Conhttps://gdpr-info.eu/recitals/no-42/trollers do need to obtain a new and specific consent if purposes for data processing change after consent was obtained or if an additional purpose is envisaged. (Working Party Guidelines on Consent) | When an organization plans to introduce significant changes to its privacy practices, it must notify users and obtain consent prior to the changes coming into effect. (Guidelines for Obtaining Meaningful Consent – Principle 6) |
| Appropriate Purpose | Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (Article 5) | Individuals should be made aware of all purposes for which information is collected, used or disclosed. (Guidelines for Obtaining Meaningful Consent) |
| Consent Requirements Under GDPR | Consent Requirements Under PIPEDA |
| Privacy Concept: Implied Consent | |
| Consent cannot be implied (should be express) and must always be given through an opt-in. (GDPR Chapter: Consent) |
Implied consent would generally be appropriate when the information is less sensitive. (PIPEDA Principle 3) |
| Privacy Concept: Demonstrating Compliance | |
| Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. (Article 7) |
Organizations, when asked, should be in a position to demonstrate compliance, and in particular that the consent process they have implemented is sufficiently understandable from the general perspective of their target audience(s) as to allow for valid and meaningful consent. (Guidelines for Obtaining Meaningful Consent – Principle 7) |
| Privacy Concept: Withdrawable | |
| The data subject shall have the right to withdraw his or her consent at any time. (Article 7) | An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. (PIPEDA Principle 3) |
| Privacy Concept: Transfer of Obligations | |
| In a case where the consent sought is to be relied upon by multiple (joint) controllers or if the data is to be transferred to or processed by other controllers who wish to rely on the original consent, these organizations should all be named. Processors do not need to be named as part of the consent requirements, although to comply with Articles 13 and 14 of the GDPR, controllers will need to provide a full list of recipients or categories of recipients including processors. (Working Party Guidelines on Consent) |
Obtain consent when making significant changes to privacy practices, like use of data for new purposes or disclosures to new third parties. In the case where third parties may change periodically or are too numerous to specify, organizations should specify the types of third parties information is shared with. (Guidelines for Obtaining Meaningful Consent – Principle 1)
|
| Privacy Concept: Informed | |
| Prior to giving consent, the data subject shall be informed thereof. (Article 7)
|
Individuals must be informed of purposes in sufficient detail such as to ensure they meaningfully understand what they are invited to consent to. Organizations should in particular highlight any purposes that would not be obvious to the individual and/or reasonably expected based on the context. (Guidelines for Obtaining Meaningful Consent – Principle 1) |
| Privacy Concept: Innovative Communication Strategies | |
| N/A | Organizations should design and/or adopt innovative consent processes that can be implemented just-in-time, are specific to the context, and are appropriate to the type of interface used. (Guidelines for Obtaining Meaningful Consent – Principle 1) |
| Privacy Concept: Monitoring of Consent Choices | |
| Organizations should keep their consents under review. You will need to refresh them if anything changes. (ICO’s Guidance for Consent under GDPR) |
Organizations should periodically remind individuals about the consent choices they have made, and those available to them. They should also audit privacy communications to ensure they accurately reflect current personal information management practices. (Guidelines for Obtaining Meaningful Consent) |
| Privacy Concept: Understandable | |
| When seeking consent, controllers should ensure that they use clear and plain language in all cases. This means a message should be easily understandable for the average person and not only for lawyers. (Working Party Guidelines on Consent) |
Consent processes must take into account the consumer’s perspective to ensure that they are user-friendly and that the information provided is generally understandable from the point of view of the organization’s target audience(s). (Guidelines for Obtaining Meaningful Consent – Principle 5) |
| Privacy Concept: Parental Consent | |
| In relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child. (Article 8) * Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years. |
Obtain consent from a parent or guardian for any individual unable to provide meaningful consent themselves (the OPC takes the position that, in all but exceptional circumstances, this means anyone under the age of 13), and ensure that the consent process for youth able to provide consent themselves reasonably considers their level of maturity. (Guidelines for Obtaining Meaningful Consent)
|
| Privacy Concept: Choice | |
| Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment. (Recital 42) |
Individuals must be given a choice (unless an exception to the general consent requirement applies). |
| Privacy Concept: Notifying Users of Significant Changes | |
| Conhttps://gdpr-info.eu/recitals/no-42/trollers do need to obtain a new and specific consent if purposes for data processing change after consent was obtained or if an additional purpose is envisaged. (Working Party Guidelines on Consent) |
When an organization plans to introduce significant changes to its privacy practices, it must notify users and obtain consent prior to the changes coming into effect. (Guidelines for Obtaining Meaningful Consent – Principle 6) |
| Privacy Concept: Appropriate Purpose | |
| Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (Article 5) |
Individuals should be made aware of all purposes for which information is collected, used or disclosed. (Guidelines for Obtaining Meaningful Consent) |
To drive a solid compliance program and consent model, organizations need to adopt these requirements, interpret and apply/change processes, procedures and technologies and that requires legal, as well as data and technical skills. While government entities around the world take a more proactive approach to protecting consumers, organizations are best served to stay ahead of the consent curve by committing to maintaining world-class consumer consent protections.
Joe Breithaupt
James Eick
Darragh O'Grady
Wilson Tarleton
Terry Jost
Justin Turner
Derek Dunkel-JahanTigh
