Published:

Updated:

PIPEDA: how to get consent

Privacy Policy

Canada, PIPEDA

Photo of author

Donata Stroink-Skillrud

Co-founder and President of Termageddon

How to get consent under PIPEDA

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a privacy law that aims to protect the personal information of Canadians by requiring websites that the law applies to have a compliant Privacy Policy, respect the privacy rights of Canadians, and obtain consent before collecting, using or disclosing personal information. In fact, consent is one of the ten PIPEDA fair information principles governing the privacy practices of business websites, which must be followed to avoid non-compliance fines. In this article, we will discuss how to get consent under PIPEDA, including: 

  • What is consent; 
  • What your Privacy Policy needs to include to properly obtain consent; 
  • The form of consent; and 
  • How to design your consent processes. 

What is consent? 

Privacy laws such as PIPEDA and the General Data Protection Regulation (GDPR) require websites to obtain the consent of individuals before their personal information is collected, used or disclosed. But what is consent in the context of privacy? Consent is generally defined as the voluntary agreement of an individual to your privacy practices. This means that an individual must have a full understanding of your privacy practices, not be coerced into agreeing, and be able to withdraw their consent if they no longer want you to use their personal information. 

How to get meaningful consent under PIPEDA

In order to properly get consent under PIPEDA, such consent must be meaningful. To make consent meaningful, individuals must have an understanding of what it is that they are agreeing to. This means that they should understand the nature, purposes, and consequences of the collection, use, and disclosure of their personal information. Your Privacy Policy is key to obtaining meaningful consent and should contain the following disclosures: 

  • What personal information you are collecting (e.g. names, emails, phone numbers or addresses); 
  • How you will use the personal information that you collect (e.g. to provide customer service, to process orders, to send email marketing newsletters); 
  • Who you will disclose the personal information to (e.g. email marketing services, customer management systems or payment processors); 
  • Why you will disclose the personal information to others (e.g. to send email newsletters, to process payments or to investigate fraudulent activity); and 
  • What are the risks of harm or other consequences. 

To be clear, the above disclosure requirements apply only to obtaining consent and PIPEDA prescribes a multitude of other disclosures that need to be included in your Privacy Policy. 

Form of consent 

When discussing how to get consent, PIPEDA acknowledges that you may get express or implied consent, depending on the circumstances. You must obtain express (explicit) consent when: 

  • The personal information that you collect, use or disclose is sensitive; 
  • The collection, use or disclosure is outside of the reasonable expectations of the individual; and/or
  • The collection, use or disclosure creates a meaningful residual risk of significant harm to the individual. 

If there is a complaint made about your privacy practices, you may need to show that you obtained consent from the individual to process their personal information, so you should aim to obtain express consent whenever possible. 

How to design your consent processes

When it comes to obtaining consent, your processes for doing so must be understandable to the individual, clear and easily accessible. While there is a multitude of design choices that can be made in the consent process, you should consider the following: 

  • Consulting with and seeking the input of individuals using your website; 
  • Pilot testing and focus groups; 
  • Involving designers that specialize in usability, UI and UX; 
  • Consulting with privacy experts and regulators; and 
  • Following best practices and standards. 

When you are making the determination of how to get consent under PIPEDA, it is important that you have a Privacy Policy that makes all of the required disclosures, that you use the proper form of consent and that your consent process is designed to be easy to use, accessible and understandable to individuals. Use Termageddon’s Privacy Policy generator to help you create a PIPEDA ready Privacy Policy that can help you to avoid privacy-related fines and lawsuits.

Photo of author
About the Author
Donata Stroink-Skillrud

Donata is the Co-founder and President of Termageddon and a licensed attorney and Certified Information Privacy Professional. She serves as the Vice-Chair of the American Bar Association's ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals.

Search the Site
Popular Articles

Is your Wordpress Privacy Policy compliant?

State privacy bill tracker

What laws require websites to have a Privacy Policy?

Browse by Category

Comparing Policy Generators

Cookie Consent Banner

Cookie Policy

Culture

Disclaimer

EULA

How To's

Privacy Policy

Terms of Service

Subscribe for Updates

More from the Termageddon Blog

Nebraska Data Privacy Act LB 1074 Compliance Guide

General

Nebraska Data Privacy Act Compliance Guide 

Example of a Do Not Share My Personal Information Page

General

Example of a “Do Not Share My Personal Information” page 

Example of a Limit The Use of My Sensitive Personal Information Page

General

Example “Limit The Use Of My Sensitive Personal Information” page 

Example_Do_Not_Sell_Page

General

Example of a “Do Not Sell My Personal Information” page 

© 2016 - 2024 Termageddon, LLC

Privacy Policy

Terms & Conditions

Disclaimer

Affiliate Terms & Conditions

Cookie Policy