- What is consent;
- The form of consent; and
- How to design your consent processes.
What is consent?
Privacy laws such as PIPEDA and the General Data Protection Regulation (GDPR) require websites to obtain the consent of individuals before their personal information is collected, used or disclosed. But what is consent in the context of privacy? Consent is generally defined as the voluntary agreement of an individual to your privacy practices. This means that an individual must have a full understanding of your privacy practices, not be coerced into agreeing, and be able to withdraw their consent if they no longer want you to use their personal information.
How to get meaningful consent under PIPEDA
- What personal information you are collecting (e.g. names, emails, phone numbers or addresses);
- How you will use the personal information that you collect (e.g. to provide customer service, to process orders, to send email marketing newsletters);
- Who you will disclose the personal information to (e.g. email marketing services, customer management systems or payment processors);
- Why you will disclose the personal information to others (e.g. to send email newsletters, to process payments or to investigate fraudulent activity); and
- The risks of harm or other consequences that may result from the collection, use or disclosure.
Form of consent
When discussing how to get consent, PIPEDA acknowledges that you may get express or implied consent, depending on the circumstances. You must obtain express (explicit) consent when:
- The personal information that you collect, use or disclose is sensitive;
- The collection, use or disclosure is outside of the reasonable expectations of the individual; and/or
- The collection, use or disclosure creates a meaningful residual risk of significant harm to the individual.
If there is a complaint made about your privacy practices, you may need to show that you obtained consent from the individual to process their personal information, so you should aim to obtain express consent whenever possible.
How to design your consent processes
When it comes to obtaining consent, your processes for doing so must be understandable to the individual, clear and easily accessible. While there is a multitude of design choices that can be made in the consent process, you should consider the following:
- Consulting with and seeking the input of individuals using your website;
- Pilot testing and focus groups;
- Involving designers that specialize in usability, UI and UX;
- Consulting with privacy experts and regulators; and
- Following best practices and standards.
Donata is the Co-founder and President of Termageddon, an auto-updating generator of website and application policies. She is a licensed attorney and Certified Information Privacy Professional. She also serves as the Vice-Chair of the American Bar Association’s ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals. In her free time, Donata enjoys beekeeping, hunting for morel mushrooms, and walks with her husband and two dogs.