Did you feel the earth move January 1, 2019?

If you are an aficionado of privacy rights in Canada, you just may have. Starting January 1, 2019, the Office of the Privacy Commissioner of Canada (OPC) commenced enforcement of its meaningful consent guidelines, first published in May 2018.

If your organization collects personal information from Canadians, you must assess whether your privacy policy complies with the new guidelines. And even if your collection and use practices have not changed in years, if your policy has not been recently updated – odds are it does not comply.

As a general rule and subject to only a few exceptions, an organization needs the ‘meaningful’ consent of an individual before it can collect and use the individual’s personal information. The purpose of a privacy policy is to facilitate this consent by explaining the nature of the information being collected, the purposes for which it will be used, how it will be stored, with whom it will be shared, and how it may be accessed and reviewed, and/or corrected or deleted. Consent cannot be meaningful unless all this information is provided at the relevant time to the individual from who the personal information is collected.

The new guidelines were developed because the OPC believed too many organizations were hiding behind lengthy, legalese filled policies that were difficult to find and harder to understand.

Here is a taste of the new guidelines and the challenges your new approach to obtaining meaningful faces:

• The consent process should be innovative, just-in-time, specific to the context, and appropriate to the type of interface used.

• Information must be provided in manageable and easily-accessible ways.

• Individuals must be allowed to quickly review the key elements impacting their privacy decisions up front while considering using the product or service and provided with clear ‘yes’ and ‘no’ options.

• Individuals should be able to control how much detail they wish to obtain, and when.

• Interactive tools including videos or infographics that explain key concepts are recommended.

• When describing the purposes for which information is collected, vague purposes such as “service improvements” are inadequate.

• Consent should be treated as an ongoing, dynamic and interactive process.

• The individual’s perspective should be considered, and consumer input (including via pilot tests and focus groups) should be consulted when designing a consent process.

•‘Express consent’ should be considered the standard, with reliance upon ‘implied consent’ limited to narrowly defined circumstances such as where the personal information is already publicly available.

• Organizations should always be prepared to demonstrate compliance with privacy legislation (including the new guidelines) to both individuals and regulators.