Consent is a weighted word these days, and people in many sectors are trying to decide when it’s necessary, how it must be given and how it can be recognized.
Sometimes the question of whether consent was granted can be explained using the simple metaphor of a cup of tea: does the other person want tea? Yes or no?
When it comes to the gathering and sharing of personal information for business purposes, however, the question of consent becomes a lot more complex.
This fall the Office of the Privacy Commissioner released for consultation draft guidelines for obtaining meaningful online consent under PIPEDA. The Privacy and Access Law Section and the CCCA submitted their response in December.
“The requirement for consent is a foundational component of PIPEDA,” the Sections say in the submission. “However, for consent to be valid – to allow individuals to exercise greater control over their personal information – consent must be meaningful.”
As with earlier submissions, the Sections state that privacy protection must balance individual privacy rights with the legitimate needs of businesses to collect, use and disclose personal information.
The guidance document should not attempt to add new obligations under PIPEDA, but rather to give organizations information about how to comply with existing obligations.
The Sections note that the guidance document’s use of prescriptive language makes it difficult sometimes to distinguish between legal obligations and guidance, and suggests that this language be clarified.
As well, many of the examples in the document represent the “gold standard” and are not realistic or practical for many organizations. The Sections recommend that the document offer a wider range of examples, and that the guidance be revised to avoid giving the impression that the gold standard would be expected or required of all organizations.
While the concept of harm plays an important role in privacy protection, the Sections say “the consent guidance, as currently drafted, risks confusing the concept of ‘risk of harm’ with an individual’s appreciation of the consequences that result from the collection, use or disclosure of personal information. Put another way, the consent guidance could cause an individual to believe a risk of harm exists every time personal information is provided to an organization.”
The Sections offer up a total of six recommendations on the guidance document, mostly dealing with clarifying language. They also urge the Office of the Privacy Commissioner to seek input from stakeholders before issuing its final guidance.