Do You Have Meaningful Consent to Handle Personal Information? Now is the Time to Review Your Consent Process. OPC to Apply Consent Guidelines Beginning in January

October 17, 2018
By Catherine Lovrics and Amanda Branch 

Meaningful consent is a cornerstone of Canadian private sector privacy legislation. Meaningful consent to collect, use and disclose personal information is one of, if not ‘the’ central unifying concept of our private sector privacy laws. Meaningful consent can be a challenge in today’s digital world, with small screens and increasing reliance on lengthy privacy policies. To help organizations stand up to the challenge, the Office of the Privacy Commissioner of Canada (the “OPC”) in connection with the Offices of the Privacy Commissioner of Alberta and British Columbia released the Guidelines for obtaining meaningful consent (the “Consent Guidelines”). The Consent Guidelines are intended to provide practical and actionable guidance for organizations to obtain meaningful consent under the federal private sector legislation, the Personal Information Protection and Electronic Documents Act ("PIPEDA").

The Consent Guidelines encourage businesses to be creative and innovative when developing a consent process, and set out the following seven guiding principles.

  1. Emphasize key elements. Ensure your privacy policy is readily available in complete form, but also provide individuals with a way to quickly review key elements impacting their privacy decisions by putting additional emphasis on:
  • What personal information is being collected,
  • With which parties personal information is being shared,
  • For what purposes personal information is collected, used or disclosed, and
  • Risk of harm and other consequences.
  1. Allow individuals to control the level of detail they get and when. Provide individuals with information in a manageable and easily accessible way that allows the individual to control how much more detail they wish to obtain and when.
  2. Provide individuals with clear options to say ‘yes’ or ‘no’. Recall that individuals cannot be required to consent to the collection, use or disclosure of personal information beyond what is necessary to provide the product or services. Unless an exception applies, for all other collections, uses and disclosures, individuals must be given a choice. Organizations should assess whether opt-in or opt-out consent is appropriate. In the Consent Guidelines, the OPC gives further insight on determining the appropriate form of consent and encouraged organizations to consider the sensitivity of the information, the reasonable expectations of the individual and the risk of significant harm when making that determination.
  3. Be innovative and creative. Organizations should do more than simply post their paper-based policies online. Organizations should consider a variety of communication strategies, like just-in-time notices, interactive tools and customized mobile interfaces, to highlight privacy issues at particular decision points in the user experience where people are likely to pay attention and need guidance.
  4. Consider the consumer’s perspective. Consent is only valid where the individual can understand that to which they are consenting. Organizations should use clear explanations and a level of language that is suitable to a diverse audience. Ensure that your privacy policy and notices are accessible from a variety of devices.
  5. Make consent a dynamic and ongoing process. Informed consent is an ongoing process that changes as circumstances change. When introducing significant changes to its privacy practices, organizations should notify users and obtain consent prior to the changes coming in to effect.
  6. Be accountable: Stand ready to demonstrate compliance. Organizations should be able to demonstrate (both in response to a complaint from an individual or a proactive query from a privacy regulator) that they have processes in place to obtain consent and that those processes are compliant with the legislation.

The Consent Guidelines also contain a checklist to help guide organizations in their compliance efforts. Organizations should pay particular attention to the “must do” list.

Now is the time to familiarize yourself with the Consent Guidelines, and ensure your practices are compliant, as the OPC will begin to apply them on January 1, 2019.

For more information, please contact our Privacy, Cybersecurity and Data Protection Group.


This site is registered on as a development site.