PIPEDA: how to get consent

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a privacy law that aims to protect the personal information of Canadians by requiring organizations to which the law applies to have a compliant Privacy Policy, respect the privacy rights of Canadians, and obtain consent before collecting, using or disclosing personal information. Consent is one of the ten PIPEDA fair information principles that govern the privacy practices of business websites, and those principles must be followed to avoid non-compliance fines. In this article, we will discuss how to get consent under PIPEDA, including: 

  • What is consent; 
  • What your Privacy Policy needs to include to properly obtain consent; 
  • The form of consent; and 
  • How to design your consent processes. 

What is consent? 

Privacy laws such as PIPEDA and the General Data Protection Regulation (GDPR) generally require websites to obtain the consent of individuals before their personal information is collected, used or disclosed (under the GDPR, consent is one of several lawful bases for processing; under PIPEDA it is the default requirement, subject to limited exceptions). But what is consent in the context of privacy? Consent is generally defined as the voluntary agreement of an individual to your privacy practices. This means that an individual must have a full understanding of your privacy practices, must not be coerced into agreeing, and must be able to withdraw their consent if they no longer want you to use their personal information. 

How to get meaningful consent under PIPEDA

In order to properly get consent under PIPEDA, such consent must be meaningful. To make consent meaningful, individuals must have an understanding of what it is that they are agreeing to. This means that they should understand the nature, purposes, and consequences of the collection, use, and disclosure of their personal information. Your Privacy Policy is key to obtaining meaningful consent and should contain the following disclosures: 

  • What personal information you are collecting (e.g. names, emails, phone numbers or addresses); 
  • How you will use the personal information that you collect (e.g. to provide customer service, to process orders, to send email marketing newsletters); 
  • Who you will disclose the personal information to (e.g. email marketing services, customer management systems or payment processors); 
  • Why you will disclose the personal information to others (e.g. to send email newsletters, to process payments or to investigate fraudulent activity); and 
  • What risks of harm or other consequences the collection, use or disclosure may create for the individual. 

To be clear, the disclosures listed above are only those needed to obtain consent; PIPEDA prescribes a number of other disclosures that also need to be included in your Privacy Policy. 

Form of consent 

When discussing how to get consent, PIPEDA acknowledges that you may get express or implied consent, depending on the circumstances. You must obtain express (explicit) consent when: 

  • The personal information that you collect, use or disclose is sensitive; 
  • The collection, use or disclosure is outside of the reasonable expectations of the individual; and/or
  • The collection, use or disclosure creates a meaningful residual risk of significant harm to the individual. 

If a complaint is made about your privacy practices, you may need to show that you obtained consent from the individual to process their personal information, so you should aim to obtain express consent, and keep a record of it, whenever possible. 

How to design your consent processes

When it comes to obtaining consent, your processes for doing so must be understandable to the individual, clear and easily accessible. While there is a multitude of design choices that can be made in the consent process, you should consider the following: 

  • Consulting with and seeking the input of individuals using your website; 
  • Pilot testing and focus groups; 
  • Involving designers that specialize in usability, UI and UX; 
  • Consulting with privacy experts and regulators; and 
  • Following best practices and standards. 

When you are making the determination of how to get consent under PIPEDA, it is important that you have a Privacy Policy that makes all of the required disclosures, that you use the proper form of consent and that your consent process is designed to be easy to use, accessible and understandable to individuals. Use Termageddon’s Privacy Policy generator to help you create a PIPEDA ready Privacy Policy and avoid privacy-related fines and lawsuits.