CANADA: Meaningful Consent, Inappropriate Data Practices, and Breach Notification
With all the excitement in 2018 over the enforcement start date for the European Union’s General Data Protection Regulation (GDPR) and the enactment of the California Consumer Privacy Act of 2018 (which is slated to come into effect on January 1, 2020), US companies may have missed important developments in neighboring Canada. First, the Office of the Privacy Commissioner of Canada (“OPCC”) issued Guidelines for Obtaining Meaningful Consent and related Guidance on Inappropriate Data Practices. OPCC will apply the new consent guidelines as enforcement policy effective January 1, 2019. Second, nationwide security breach reporting requirements came into force this month. These developments are significant for any organization that deals with Canadian consumers.
Inappropriate Data Practices
Canada’s Privacy Commissioner, Daniel Therrien, released two related documents in May 2018 after soliciting and reviewing public comments, offering guidance on “meaningful consent” and “inappropriate data practices” that will be considered unlawful even with consent.
The “Guidance on Inappropriate Data Practices: Interpretation and Application of Subsection (5)(3),” which OPCC has applied since July 1, 2018, refers to a subsection of the federal Personal Information Protection and Electronic Documents Act (PIPEDA). This simply states an overarching standard of reasonableness for everything an organization does with personal data:
“An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.” (PIPEDA sec. 5(3))
Citing court decisions as well as its own prior opinions interpreting PIPEDA, OPCC points out that this requirement always applies, whether or not there is consent. It requires an objective balancing of interests to determine whether “1) the collection, use or disclosure of personal information is directed to a bona fide business interest, and 2) whether the loss of privacy is proportional to any benefit gained.”
OPCC cautions that some purposes would simply not be considered “appropriate” by a “reasonable person.” This effectively means that consent will not be allowed as a basis for handling personal data in such cases, which OPCC refers to as “no-go zones”:
Collection, use, or disclosure that is otherwise unlawful (OPCC gives the example of using credit score data to deliver targeted ads in violation of Ontario’s Consumer Reporting Act);
Profiling or categorization that leads to unfair discrimination contrary to human rights law (OPCC raises the concern the Big Data analytics must be used ethically and transparently to avoid effects that entail unfair discrimination, as defined, for example, by the Canadian Human Rights Act);
Collection, use, or disclosure for purposes that are known or likely to cause “significant harm” to the individual, defined as “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on (one’s) credit record and damage to or loss of property”;
Publishing personal information with the intended purpose of charging individuals for its removal;
Requiring passwords to social media accounts for the purpose of employee screening (OPCC points out that many US states have also prohibited this practice);
Surveillance through the audio or video functionality of the individual’s own device (although OPCC allows that “[i]t may be permissible for the audio or video functionality of a device to regularly or constantly be turned on in order to provide a service if the individual is both fully aware and in control of this fact, and the captured information is not recorded, used, disclosed or retained except for the specific purpose of providing the service”, such as the service of tracing a lost phone or laptop).
The Guidelines for Obtaining Meaningful Consent will apply in OPCC investigations and enforcement recommendations to prosecutors beginning January 1, 2019. The Information and Privacy Commissioners of Alberta and British Columbia joined OPCC in promulgating these Guidelines. Commissioner Therrien explained at a conference this year OPCC’s view that “[w]e need to change our approach to privacy protection. The scale and pace of technology and their use are significantly preventing people from protecting their privacy." The Guidelines are meant to provide “practical and actionable guidance” to ensure that the consent principle is viable in a changing technological environment. The Guidelines articulate seven guiding principles and add related recommendations and a “consent checklist.”
Here is a snapshot of the Commissioners’ “seven guiding principles” for meaningful consent, based on PIPEDA and the Personal Information Privacy Acts (“PIPAs”) of Alberta and British Columbia:
Emphasize key elements. For consent to be considered valid or meaningful, organizations must inform individuals of their privacy practices in a comprehensive and understandable manner. But recognizing that not everyone will want to read a policy in full, summary information highlighting key elements should be emphasized. These should generally include what personal information is collected, whether it is shared with third parties (“layering” the specific disclosures if the third parties are numerous or change frequently), for what purposes, and the meaningful risks or consequences.
Allow individuals to control the level of detail they get and when. Information must be provided to individuals in manageable and easily accessible ways. Companies should “layer” information in ways that enable individuals to control how much more detail they wish to obtain and when, taking into account that some will want more surface level information while others will want to dive deeper.
Provide individuals with clear options to say “yes” or “no.” Beyond what is necessary to provide the product or service, individuals cannot be required to consent to the collection, use or disclosure of personal information. Consumers must be given a choice that is clear and easily accessible.
Be innovative and creative. Organizations should design or adopt innovative consent processes that can be implemented just-in-time, are specific to the context, and are appropriate to the type of interface used. OPCC recommends optimizing notices and forms for mobile interfaces, presenting consent “refreshers” at intervals after initial sign-up, and considering techniques such as infographics and videos to illustrate privacy options.
Consider the consumer’s perspective. Consent processes must take into account the consumer’s perspective to ensure that they are user-friendly and that the information provided is generally understandable from the point of view of the organization’s target audience(s).
Make consent a dynamic and ongoing process. Informed consent is an ongoing process that changes as circumstances change; organizations should not rely on a static moment in time but rather treat consent as a dynamic and interactive process over time.
Be accountable: stand ready to demonstrate compliance. Organizations, when asked, should be in a position to demonstrate compliance, and in particular to show how the consent process they have implemented is sufficiently understandable from the perspective of their target audience(s) as to provide for valid and meaningful consent.
The Guidelines also emphasize that organizations must determine the appropriate form of consent, taking into account the sensitivity of the information at issue and the reasonable expectations of the individuals. Express consent will normally be required when the information is sensitive or when its collection, use, or disclosure is outside reasonable expectations or creates a meaningful risk of significant harm.
For children, OPCC takes the position that “for all but exceptional circumstances” consent must be obtained from a parent or guardian of a child under the age of 13. The Guidelines note that the privacy commissioners of Alberta, British Columbia, and Quebec have not set a specific age threshold under their provincial privacy laws but rather consider whether the individual understands the nature and consequences of giving consent.
(Of course, for businesses in international and interprovincial commerce, the OPCC’s view under PIPEDA is normally the relevant measure. Settling on age 13 as the age for parental consent is helpful, as it provides certainty and aligns with the age limit in the long-established US rules under the Children’s Online Privacy Protection Act, “COPPA”.)
Withdrawal of consent must be respected and may, depending on the circumstances, entail erasure of the individual’s data. The Guidelines suggest that when an individual deletes a social media account, for example, that means that the organization should normally delete personal data associated with that account. The Guidelines recognize, however, that there may be legal requirements to retain certain data (such as records of financial transactions), and it may be necessary to keep some identifying information simply to ensure that a “do not contact” request is respected in the future.
Alberta added security breach notification provisions to its PIPA in 2010, and in 2015 the federal Digital Privacy Act amended PIPEDA to add a mandatory security breach notification requirement. The implementing Breach of Security Safeguards Regulations (“Regulations”) went through several drafts and rounds of public comments, however, before they were finalized and published in March. The Regulations came into effect on November 1.
The Regulations require an organization that controls personal information to report to OPCC incidents of unauthorized access or disclosure resulting from a breach of security safeguards (or failure to establish safeguards) if there is a “real risk of significant harm.” The report must be made on a form provided on the OPCC website.
In such cases, the organization is also obliged to notify the affected individuals directly, if possible, or indirectly if that is not feasible. Notification is to be given “as soon as feasible” after determining that a breach has occurred with a real risk of significant harm. Notification to individuals must include:
a description of the circumstances of the breach;
the day on which, or period during which, the breach occurred or, if neither is known, the approximate period;
a description of the personal information that is the subject of the breach to the extent that the information is known;
a description of the steps that the organization has taken to reduce the risk of harm that could result from the breach;
a description of the steps that affected individuals could take to reduce the risk of harm that could result from the breach or to mitigate that harm; and
contact information that the affected individual can use to obtain further information about the breach.
Notably, this notice is more detailed that what is required under many of the US state breach notification laws.
Interestingly, the organization is also expressly obliged to notify any other agencies or organizations that it believes can reduce the risk of harm or mitigate the damage to affected individuals, such as law enforcement authorities, payment networks, or business partners.
The Regulations include record-keeping requirements for organizations to log, at a minimum, the date or estimated date of each breach, a general description of the circumstances of the breach, the nature of information involved in the breach, and whether or not the breach was reported to OPCC and whether the individuals were notified. Breach records are to be retained for two years, although they should not include personal data unless necessary to describe the incident and its sensitivity.
The Regulations encourage organizations to develop a “framework for assessing the real risk of significant harm,” taking into account the sensitivity of the data and the probability that the data has been or will be misused (encryption is just one of the factors mentioned in that analysis). “Significant harm” includes “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.”
As the Regulations implement amended provisions of PIPEDA, violations can entail serious sanctions, with fines up to CAD 100,000 per offense for knowingly failing to report or notify, or to keep required records. Arguably, each unnotified individual could be treated as a separate offense.
PIPEDA also allows individuals to seek damages in Federal Court after OPCC has issued a finding on their complaints; these could conceivably be consolidated as the equivalent of class actions.
The breach notification Regulation and the OPCC official guidance and enforcement policies on consent and inappropriate data practices obviously govern businesses operating in Canada. They inevitably affect as well the affiliates and vendors in the US and other countries that process data or run marketing campaigns from abroad in support of those businesses.
These instruments also have a broader reach, however. Canadian courts have held on several occasions that PIPEDA applies to foreign companies (specifically including website operators) with a “real and substantial connection” to Canada. Thus, a US company with no Canadian establishment that regularly does business online with Canadian consumers might well be deemed subject to PIPEDA and the breach notification Regulation. Similarly, a US-hosted website or mobile app that targets Canadian consumers should conform to OPCC guidelines for consent and acceptable practices, at least with respect to Canadian users.
The potentially broad jurisdictional reach of PIPEDA suggests that many US companies should review their practices (especially with respect to the use of Big Data analytics) that might raise a red flag under the new OPCC Guidance summarized above. They should also carefully consider the OPCC recommendations on “meaningful consent,” which are broadly consistent with the direction the EU has taken in the GDPR and with California’s approach under the Consumer Privacy Act of 2018. Many companies have already implemented a layered approach to privacy notices and have tried to render their privacy options in plain language at the point of data collection, with links to fuller descriptions for those who want them. OPCC’s views on the circumstances demanding express consent are particularly important, as many US companies are still oriented to an opt-out approach by default. And it should be noted that while the Canadian approach to withdrawal of consent is not quite tantamount to the GDPR’s much-discussed “right of erasure” (or “right to be forgotten”), it reaches similar results in many circumstances.
Most urgently, organizations in the US and elsewhere that hold Canadian personal information need to develop or update security and breach notification policies covering that data. The scope for notification is broader than in the US (where it is limited to fixed data elements such as Social Security Numbers and payment card details), and organizations should follow the Regulation’s format for record-keeping and for creating a “framework” to assess the risk of significant harm. This should be done in advance, to facilitate notification to OPCC and to individuals “as soon as feasible.” The procedures can be integrated with those that the organization has put into place for US and European breach notification, but there are somewhat different standards and forms that must be employed.
As always when new data privacy or security requirements appear in a jurisdiction important to an organization, it is worthwhile considering to what extent the organization should make adjustments only for that market or consider revising the organization’s regional or even global practices. There are often benefits to establishing harmonized best practices, where feasible, in a way that meets compliance requirements in multiple jurisdictions and also streamlines and standardizes as much as possible the organization’s policies, customer relations, IT architecture, security management, staff training, and incident response protocols. The North American market is closely integrated commercially, especially in the online context, and it seems likely that organizational best practices and consumer expectations will continue to spread across the state, provincial, and international borders. There are costs to handling data differentially in compliance bubbles. If, for example, a company sends different versions of a security breach notification arising from the same incident to consumers in the US and Canada (and Europe, for that matter) it is likely to attract negative attention – even more so if it decides it must notify in one jurisdiction but not in another. For global companies, global solutions are often preferable.
Beyond their direct application, the Canadian guidance and regulations reflect a great deal of recent comment and experience. They are worth consideration from the perspective of developing best practices in responsibly handling personal information.