The New Rules for Consent in Canada When Processing Personal Data

Until now, we have not really been required to implement practices or processes to track and record consent to use an individual’s personal data when conducting business.

For the most part over the past 20 years, we collected and bought what we could and then “followed the technology” to determine what we could do with it. While the Personal Information Protection and Electronic Documents Act (PIPEDA) has existed since 1999, it has not really been widely enforced for all organizations in Canada. The enforcement tools available under PIPEDA are cumbersome, legally complex and therefore costly to enforce.

All that changed in September 2021 when Quebec passed Bill 64.

PIPEDA required that individuals be informed of what personal information was being collected, how it would be shared, what it would be used for, and what risks of harm or other consequences might occur. In addition, PIPEDA required parental consent for those under the age of 13.

Bill 64 adds a whole laundry list of additional requirements.

For example, consent must be free and informed. So burying consent in a Privacy Policy resembling a book thicker than Macbeth is finally against the law. The legal battle Facebook is fighting in the EU will not hold water in Quebec, and therefore in Canada: it is far too difficult to run a different Privacy Management Programme for every province, so most Canadian companies will likely operate to the “highest bar”, which at this point in time is Quebec. Sneaking statements into your Terms and Conditions won’t work either. Like the GDPR in the EU, the test of whether an individual provided free and INFORMED consent will be whether the individual was even aware that they gave it! So the old “it’s in the fine print” will not stand up under the Private or Public Sector Acts in Quebec.

Nor will stating it in confusing legal language that leaves most people saying “What!?”. Bill 64 requires that requests for consent use “plain language”. You may want to consider having marketing write your consent language instead of a lawyer. While the language must stand up to a legal challenge, it can be stated in a way that lets people understand what they are giving consent to. Many Privacy Policies written by lawyers scare the daylights out of me. Had a marketer written those, they would have simply stated what’s so, in a non-threatening way that did not make me feel like someone is coming after me to lock me up. Tone is key when requesting consent in this new world.

Your consent language must also state, specifically, what you are going to use the data for, and how long you intend to keep it for that purpose. Should you wish to use that data for other purposes, you must ask for free and informed consent to do so. Facebook recently asked for my mobile number “to ensure ongoing access to my account” (which is now closed). Within days I started receiving SMS text messages whenever people I was connected to posted anything new! When this new law is in force (I will post an article on the fair and reasonable enforcement strategy of Bill 64 shortly), Facebook, or any other organization, would not be able to do that. They would have to ask for those two consents separately.

Without meaning to be blatantly commercial here: with all of the proofs of consent required in order to use an individual’s personal data, you can begin to see for yourself that powerful, automated solutions will be required for every organization in Canada. We have scoured the internet and partnered with a best-of-breed Preference Management Centre. Please reach out if you would like a demo.

Of course, consent for minors (under the age of 14) would require parental control and all consent requirements apply.

And EXPRESS consent is required if you are collecting, processing, sharing, storing or deleting Sensitive Personal Data. Data is considered sensitive when “due to its nature or the context of its use or disclosure, it entails a high level of reasonable expectation of privacy.”

When collecting consent you must inform the individual providing it that it can be withdrawn at any time (therefore you must know at all times where that consent is stored, so that upon request you can indeed honour their wish).

At the time of collection you must also inform the individual which third parties outside Quebec, if any, will be given access to this data and what they will use it for. Once again, Records of Processing Activities (ROPA) will be required, so that exactly what language you used three years ago when you collected that consent can easily be recalled upon request. Without a single version of the truth that you can prove, the Quebec authorities will assume it does not exist.

Two other conditions must be met (and you must be able to prove they were met) when collecting consent. You must be clear whether this consent is mandatory or optional, and if it is mandatory, you must have a good reason. You must also tell the individual that they can, upon request, ask what personal information has been collected, and you must clearly state what the consequences are if you fail to respond to their access request.
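The record-keeping implied by the last several points (one consent per purpose, a stated retention period, express consent for sensitive data, withdrawal at any time, and being able to recall the exact wording years later) maps onto a small append-only consent ledger. The following is an added illustration, not code from the original post or from any product it mentions; the purposes, wording and retention periods are constructed sample values, and the class and function names are the example's own.

```python
"""Append-only consent ledger (added example; purposes and wording are constructed)."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

DAY = timedelta(days=1)
T0 = datetime(2022, 9, 22, tzinfo=timezone.utc)  # constructed collection date


@dataclass(frozen=True)
class ConsentText:
    """The exact wording shown to the individual, versioned per purpose."""
    purpose: str
    version: str
    text: str
    mandatory: bool        # is this consent a condition of the service?
    sensitive: bool        # does the purpose involve sensitive personal data?
    retention_days: int    # how long the data is kept for this purpose

    def digest(self) -> str:
        # Hash of the wording, stored with each event so it can be proven unaltered later.
        return hashlib.sha256(self.text.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str
    action: str            # "granted" or "withdrawn"
    at: datetime
    text_version: str
    text_digest: str
    express: bool


class ConsentLedger:
    """Events are only ever appended; versions of wording are never edited in place."""

    def __init__(self) -> None:
        self._texts: dict = {}     # (purpose, version) -> ConsentText
        self._events: list = []    # ConsentEvent, in insertion order

    def register_text(self, ct: ConsentText) -> None:
        key = (ct.purpose, ct.version)
        if key in self._texts:
            raise ValueError("consent wording is immutable; register a new version instead")
        self._texts[key] = ct

    def grant(self, subject_id: str, purpose: str, version: str,
              at: datetime, express: bool = False) -> ConsentEvent:
        ct = self._texts[(purpose, version)]
        if ct.sensitive and not express:
            raise ValueError(f"purpose {purpose!r} is sensitive: express consent required")
        ev = ConsentEvent(subject_id, purpose, "granted", at, version, ct.digest(), express)
        self._events.append(ev)
        return ev

    def withdraw(self, subject_id: str, purpose: str, at: datetime) -> ConsentEvent:
        last = self._last_event(subject_id, purpose, at)
        if last is None or last.action != "granted":
            raise ValueError("no active consent to withdraw")
        ev = ConsentEvent(subject_id, purpose, "withdrawn", at,
                          last.text_version, last.text_digest, last.express)
        self._events.append(ev)
        return ev

    def _last_event(self, subject_id: str, purpose: str, at: datetime) -> Optional[ConsentEvent]:
        hits = [e for e in self._events
                if e.subject_id == subject_id and e.purpose == purpose and e.at <= at]
        return max(hits, key=lambda e: e.at) if hits else None

    def is_active(self, subject_id: str, purpose: str, at: datetime) -> bool:
        """Point-in-time check: granted, not withdrawn, and retention not yet lapsed."""
        last = self._last_event(subject_id, purpose, at)
        if last is None or last.action != "granted":
            return False
        ct = self._texts[(purpose, last.text_version)]
        return at <= last.at + ct.retention_days * DAY

    def text_shown(self, subject_id: str, purpose: str, at: datetime) -> Optional[ConsentText]:
        """Recall the exact wording in force for this subject at `at`, verifying its hash."""
        last = self._last_event(subject_id, purpose, at)
        if last is None or last.action != "granted":
            return None
        ct = self._texts[(purpose, last.text_version)]
        if ct.digest() != last.text_digest:
            raise RuntimeError("stored wording does not match the hash recorded at consent time")
        return ct


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample: two separate purposes for one phone number, plus a sensitive one."""
    ledger = ConsentLedger()
    ledger.register_text(ConsentText("account_access", "v1",
        "We use your mobile number only to help you get back into your account. "
        "Required to keep the account; kept while the account is open.",
        mandatory=True, sensitive=False, retention_days=5 * 365))
    ledger.register_text(ConsentText("activity_sms", "v1",
        "We text you when people you follow post something new. Optional; kept for one year.",
        mandatory=False, sensitive=False, retention_days=365))
    ledger.register_text(ConsentText("health_profile", "v1",
        "We store the health conditions you enter to tailor content. Optional; kept for one year.",
        mandatory=False, sensitive=True, retention_days=365))
    ledger.grant("user-1", "account_access", "v1", T0)                 # SMS purpose NOT implied
    ledger.grant("user-1", "health_profile", "v1", T0, express=True)   # sensitive: express only
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    later = T0 + 3 * 365 * DAY
    print("may text about activity:", ledger.is_active("user-1", "activity_sms", T0))
    print("wording on file three years on:", ledger.text_shown("user-1", "account_access", later).text)
```

The two things worth noticing are that a grant for `account_access` says nothing about `activity_sms` (the separate-consents point made above), and that `text_shown` returns the wording actually presented, checked against the hash recorded when consent was given, rather than whatever the current policy says.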

As you can see, much of this is an attempt to rebuild digital trust with the consumer, something that has not been on the agenda for most organizations for the past 20 years. Creating processes and finding technology to assist is a must.

Now the question of the day is: do you start mapping out your 3-year plan for compliance today, or do you wait until the month before each coming-into-force stage (Sept 2022, Sept 2023 and Sept 2024)? Your customers are awakening to their privacy rights, and it is becoming a factor in their purchasing decisions.
