Comparing the Canadian Guidelines of Meaningful Consent to GDPR

The implementation of the European Union’s General Data Protection Regulation (GDPR) in 2018 drove a ripple effect around the world as organizations were forced to take a close look at their processes to protect personal data of their global customers.

Of course, obtaining an individual’s consent to use their personal data has always been important, but the GDPR requirements tightened the oversight needed and clearly defined that consent must be freely given, specific, informed and unambiguous. In January 2019, the Canadian Office of the Privacy Commissioner (OPC) implemented its own Guidelines of Meaningful Consent, part of that nation’s Personal Information Protection and Electronic Documents Act (PIPEDA).

How do these new Canadian guidelines compare to GDPR? Our Security & Privacy teams have prepared an easy-to-understand, side-by-side assessment of the two.

Privacy Concept Consent Requirements Under GDPR Consent Requirements Under PIPEDA
Implied Consent Consent cannot be implied (should be express) and must always be given through an opt-in. (GDPR Chapter: Consent) Implied consent would generally be appropriate when the information is less sensitive. (PIPEDA Principle 3)
Demonstrating Compliance Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. (Article 7) Organizations, when asked, should be in a position to demonstrate compliance, and in particular that the consent process they have implemented is sufficiently understandable from the general perspective of their target audience(s) as to allow for valid and meaningful consent. (Guidelines for Obtaining Meaningful Consent – Principle 7)
Withdrawable The data subject shall have the right to withdraw his or her consent at any time. (Article 7) An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. (PIPEDA Principle 3)
Transfer of Obligations In a case where the consent sought is to be relied upon by multiple (joint) controllers or if the data is to be transferred to or processed by other controllers who wish to rely on the original consent, these organizations should all be named. Processors do not need to be named as part of the consent requirements, although to comply with Articles 13 and 14 of the GDPR, controllers will need to provide a full list of recipients or categories of recipients including processors. (Working Party Guidelines on Consent) Obtain consent when making significant changes to privacy practices, like use of data for new purposes or disclosures to new third parties. In the case where third parties may change periodically or are too numerous to specify, organizations should specify the types of third parties information is shared with. (Guidelines for Obtaining Meaningful Consent – Principle 1)

 

Informed

 

Prior to giving consent, the data subject shall be informed thereof. (Article 7)

 

Individuals must be informed of purposes in sufficient detail such as to ensure they meaningfully understand what they are invited to consent to. Organizations should in particular highlight any purposes that would not be obvious to the individual and/or reasonably expected based on the context. (Guidelines for Obtaining Meaningful Consent – Principle 1)
Innovative Communication Strategies N/A Organizations should design and/or adopt innovative consent processes that can be implemented just-in-time, are specific to the context, and are appropriate to the type of interface used. (Guidelines for Obtaining Meaningful Consent – Principle 1)
Monitoring of Consent Choices

 

Organizations should keep their consents under review. You will need to refresh them if anything changes. (ICO’s Guidance for Consent under GDPR) Organizations should periodically remind individuals about the consent choices they have made, and those available to them. They should also audit privacy communications to ensure they accurately reflect current personal information management practices. (Guidelines for Obtaining Meaningful Consent)
Understandable When seeking consent, controllers should ensure that they use clear and plain language in all cases. This means a message should be easily understandable for the average person and not only for lawyers. (Working Party Guidelines on Consent) Consent processes must take into account the consumer’s perspective to ensure that they are user-friendly and that the information provided is generally understandable from the point of view of the organization’s target audience(s). (Guidelines for Obtaining Meaningful Consent – Principle 5)
Parental Consent

 

In relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child. (Article 8)  * Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years. Obtain consent from a parent or guardian for any individual unable to provide meaningful consent themselves (the OPC takes the position that, in all but exceptional circumstances, this means anyone under the age of 13), and ensure that the consent process for youth able to provide consent themselves reasonably considers their level of maturity. (Guidelines for Obtaining Meaningful Consent)

 

Choice

 

Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment. (Recital 42) Individuals must be given a choice (unless an exception to the general consent requirement applies).

(Guidelines for Obtaining Meaningful Consent)

Notifying Users of Significant Changes

 

Conhttps://gdpr-info.eu/recitals/no-42/trollers do need to obtain a new and specific consent if purposes for data processing change after consent was obtained or if an additional purpose is envisaged. (Working Party Guidelines on Consent) When an organization plans to introduce significant changes to its privacy practices, it must notify users and obtain consent prior to the changes coming into effect. (Guidelines for Obtaining Meaningful Consent – Principle 6)
Appropriate Purpose Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (Article 5) Individuals should be made aware of all purposes for which information is collected, used or disclosed. (Guidelines for Obtaining Meaningful Consent)

 

Consent Requirements Under GDPR Consent Requirements Under PIPEDA
Privacy Concept: Implied Consent
Consent cannot be implied (should be express) and must always be given through an opt-in.
(GDPR Chapter: Consent)
Implied consent would generally be appropriate when the information is less sensitive. (PIPEDA Principle 3)
Privacy Concept: Demonstrating Compliance
Where processing is based on consent, the controller shall be able to demonstrate that the
data subject has consented to processing of his or her personal data. (Article 7)
Organizations, when asked, should be in a position to demonstrate compliance, and in particular that the consent process they have implemented is sufficiently understandable from the general perspective of their target audience(s) as to allow for valid and meaningful consent. (Guidelines
for Obtaining Meaningful Consent – Principle 7
)
Privacy Concept: Withdrawable
The data subject shall have the right to withdraw his or her consent at any time. (Article 7) An individual may withdraw consent at any time, subject to legal or contractual restrictions
and reasonable notice. (PIPEDA Principle 3)
Privacy Concept: Transfer of Obligations
In a case where the consent sought is to be relied upon by multiple (joint) controllers or
if the data is to be transferred to or processed by other controllers who wish to rely on the original
consent, these organizations should all be named. Processors do not need to be named as part of the
consent requirements, although to comply with Articles 13 and 14 of the GDPR, controllers will need to
provide a full list of recipients or categories of recipients including processors. (Working
Party Guidelines on Consent
)
Obtain consent when making significant changes to privacy practices, like use of data for
new purposes or disclosures to new third parties. In the case where third parties may change
periodically or are too numerous to specify, organizations should specify the types of third parties
information is shared with. (Guidelines
for Obtaining Meaningful Consent – Principle 1
)

 

Privacy Concept: Informed
Prior to giving consent, the data subject shall be informed thereof. (Article 7)

 

Individuals must be informed of purposes in sufficient detail such as to ensure they
meaningfully understand what they are invited to consent to. Organizations should in particular
highlight any purposes that would not be obvious to the individual and/or reasonably expected based on
the context. (Guidelines
for Obtaining Meaningful Consent – Principle 1
)
Privacy Concept: Innovative Communication Strategies
N/A Organizations should design and/or adopt innovative consent processes that can be
implemented just-in-time, are specific to the context, and are appropriate to the type of interface
used. (Guidelines
for Obtaining Meaningful Consent – Principle 1
)
Privacy Concept: Monitoring of Consent Choices
Organizations should keep their consents under review. You will need to refresh them if
anything changes. (ICO’s
Guidance for Consent under GDPR
)
Organizations should periodically remind individuals about the consent choices they have
made, and those available to them. They should also audit privacy communications to ensure they
accurately reflect current personal information management practices. (Guidelines
for Obtaining Meaningful Consent
)
Privacy Concept: Understandable
When seeking consent, controllers should ensure that they use clear and plain language in
all cases. This means a message should be easily understandable for the average person and not only for
lawyers. (Working
Party Guidelines on Consent
)
Consent processes must take into account the consumer’s perspective to ensure that they are
user-friendly and that the information provided is generally understandable from the point of view of
the organization’s target audience(s). (Guidelines
for Obtaining Meaningful Consent – Principle 5
)
Privacy Concept: Parental Consent
In relation to the offer of information society services directly to a child, the processing
of the personal data of a child shall be lawful where the child is at least 16 years old. Where the
child is below the age of 16 years, such processing shall be lawful only if and to the extent that
consent is given or authorized by the holder of parental responsibility over the child. (Article 8) * Member States may provide by law for a
lower age for those purposes provided that such lower age is not below 13 years.
Obtain consent from a parent or guardian for any individual unable to provide meaningful
consent themselves (the OPC takes the position that, in all but exceptional circumstances, this means
anyone under the age of 13), and ensure that the consent process for youth able to provide consent
themselves reasonably considers their level of maturity. (Guidelines
for Obtaining Meaningful Consent
)

 

Privacy Concept: Choice
Consent should not be regarded as freely given if the data subject has no genuine or free
choice or is unable to refuse or withdraw consent without detriment. (Recital 42)
Individuals must be given a choice (unless an exception to the general consent requirement
applies).

(Guidelines
for Obtaining Meaningful Consent
)

Privacy Concept: Notifying Users of Significant Changes
Conhttps://gdpr-info.eu/recitals/no-42/trollers do need to obtain a new and specific consent
if purposes for data processing change after consent was obtained or if an additional purpose is
envisaged. (Working
Party Guidelines on Consent
)
When an organization plans to introduce significant changes to its privacy practices, it
must notify users and obtain consent prior to the changes coming into effect. (Guidelines
for Obtaining Meaningful Consent – Principle 6
)
Privacy Concept: Appropriate Purpose
Collected for specified, explicit and legitimate purposes and not further processed in a
manner that is incompatible with those purposes (Article
5
)
Individuals should be made aware of all purposes for which information is collected, used or
disclosed. (Guidelines
for Obtaining Meaningful Consent
)

To drive a solid compliance program and consent model, organizations need to adopt these requirements, interpret and apply/change processes, procedures and technologies and that requires legal, as well as data and technical skills. While government entities around the world take a more proactive approach to protecting consumers, organizations are best served to stay ahead of the consent curve by committing to maintaining world-class consumer consent protections.

Jeffrey Sanchez

Managing Director
Technology Consulting – Security and Privacy