Bill 64 – Consent When Using Personal Data

New Rules for Consent in Canada – a deeper dive…

Quebec recently passed Bill 64, changing the privacy and data protection landscape in Canada yet again. In this article we will address:

  1. Many businesses do not currently track and record consent for data processing. There has never been a need to do so, therefore most companies have no process in place.
  2. Privacy is a fundamental right (like the GDPR). Quebec was not wishy washy on this like the proposed Federal Bill C-11, which stopped well short of taking this stand.
  3. Historical consent logs are required. The CAI can ask for specific information from the past, so every organization must be able to PROVE what consent they had on a specific date.
  4. Just as CCPA/CPRA has set the bar for the US, Quebec has set it for Canada. If you are doing business in Canada, your Privacy Management Programme must be, at the very least, Bill 64 compliant.
  5. Scope includes all organizations who collect and use personal data. Any business that collects and uses personal data of any kind is subject to this new law.
  6. Businesses must be able to PROVE consent. Having it is not good enough.
  7. There are various types of consent, from email to profiling – even tracking purchases.
  8. Zero-Party data may be the best way forward. No more third-party data. Only data they knowingly and willingly give you. (clear definition later in this article)
  9. All information collected must have a clearly stated purpose. Should an organization wish to use that information for a new purpose, they must ask the individuals for consent for that purpose.
  10. In order to be considered valid consent, specific language is required, specific to the purpose for collecting that information.
  11. Data minimization is a requirement. There must be a good reason and stated purpose for all information collected. The days of collecting data and figuring out what to do with it later are over.
  12. If data is collected from a third party, a business must inform the person concerned that they now have the data and allow the individual to opt out.
  13. All consents must use plain language that can easily be understood.
  14. Profiling people using their personal data will require clear informed consent, and any individual must be able to opt out.
  15. If you collect personal data you must keep it confidential and secure.
  16. If you make automated decisions using data, a new level of transparency and communication of specifics is required.
  17. You must provide a contact person for people who have questions or concerns.
  18. You cannot collect data from a minor (under the age of 14) without parental consent.


Background

For the past 20+ years businesses have been using personal data in pretty much any way that technology allowed. Rather than asking “Should we?”, we asked “Could we?”. We allowed technology to rule instead of respecting our customers’ privacy.

“No consent” was the order of the day except in the health and financial sectors, where it was treated with more sensitivity. But for the most part consent was not a thing. Few organizations even thought about it. And when they did, they treated the data as if they owned it, not realizing it belongs to the individual. At best we are custodians when we collect and use that data. Clearly we are custodians who will put the company’s interests before the individual’s every time.

Along came data protection and privacy laws like the GDPR, CCPA and now closer to home, Quebec’s Bill 64 – all requiring, if not explicit consent, a damn good reason to use your personal data or what we might call implicit consent. In Bill 64’s case consent is required, with a few exceptions. So suddenly Canadian organizations have to set up processes to PROVE consent.

Just as California set the standard for data protection in the US, Quebec has stepped forward and done the same here in Canada. Your Privacy Management Programme must be set to the highest bar, as you cannot have different policies and procedures in different States or Provinces. Both your staff and your consumers would be confused, and it would be impossible to communicate and maintain given the speed of today’s technology and pace of business.

There are many fields of data collected. How does a company ensure the language is consistent yet specific and provides all of the required details for each category and field of data? This would include the stated purpose and retention period. How do you “operationalize” that consent, ensuring you are honouring what you promised when you collected it? In our opinion, organizations must automate consent or it will consume too much time and staff resources.


Privacy as a Right

Let’s look at the fundamentals. Quebec takes the position, like the GDPR, that privacy is an individual right. The Federal proposed Bill C-11 stopped very short of that. In fact, what the Federal government called a “balanced approach” was very much in favour of businesses carrying on doing what they wanted. The Privacy Commissioner called this Bill a “step backwards” and, if passed as written, it would likely cost Canada adequacy under the GDPR.

Although Bill C-11 stated consent was required, it also included 33 exceptions that would allow a company like Facebook to carry on doing everything they were doing with people’s personal data. Quebec has set a consent bar the Feds cannot ignore. Like California sets the bar for the US, Quebec has set the bar for Canada.

Organizations of all types and sizes must prove they have consent at any given moment in time, including going back in time to prove consent on any given date. As an individual can change their mind regarding consent, how does an organization prove what consent was in play on what date?
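One way to answer that question is an append-only consent ledger that records every grant and withdrawal per person and per purpose, so the state on any past date is reconstructed from the log rather than re-asserted. The code below is an added illustration, not part of the article or of any product it mentions; the `evidence` field and the sample customer records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class ConsentEvent:
    person_id: str
    purpose: str       # one specific purpose per event, as s. 14 requires
    granted: bool      # True = consent given, False = consent withdrawn
    effective: date    # date the grant or withdrawal took effect
    evidence: str      # assumed field: reference to the archived wording shown

class ConsentLedger:
    """Append-only log: events are never edited or deleted, so the consent
    state on any past date can be reconstructed for the regulator."""

    def __init__(self):
        self._events = []   # kept in recording order

    def record(self, event):
        if not event.purpose.strip():
            raise ValueError("consent must name a specific purpose")
        self._events.append(event)

    def history_as_of(self, person_id, purpose, when):
        """Events for this person and purpose effective on or before `when`,
        ordered by effective date, then recording order for same-day events."""
        hits = [(e.effective, i, e) for i, e in enumerate(self._events)
                if e.person_id == person_id and e.purpose == purpose
                and e.effective <= when]
        return [e for _, _, e in sorted(hits, key=lambda t: (t[0], t[1]))]

    def consent_as_of(self, person_id, purpose, when):
        """True only if the latest event on or before `when` was a grant."""
        history = self.history_as_of(person_id, purpose, when)
        return bool(history) and history[-1].granted

def prove(ledger, person_id, purpose, iso_day):
    """Answer 'did you have consent on day X?' with the state and its evidence trail."""
    when = date.fromisoformat(iso_day)
    history = ledger.history_as_of(person_id, purpose, when)
    return ledger.consent_as_of(person_id, purpose, when), [e.evidence for e in history]

def sample_ledger():
    # Constructed sample records, not real customer data.
    ledger = ConsentLedger()
    ledger.record(ConsentEvent("cust-001", "marketing email", True, date(2022, 9, 22), "form-v3"))
    ledger.record(ConsentEvent("cust-001", "profiling", True, date(2022, 9, 22), "form-v3"))
    ledger.record(ConsentEvent("cust-001", "marketing email", False, date(2023, 3, 1), "pref-centre"))
    return ledger
```

Because withdrawals are appended rather than overwriting the grant, `prove` returns the consent that was in force on the date asked about together with the wording references that back it up.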


Let’s talk a little about Zero-Party Data

ZPD is defined by Forrester as the “data that a customer intentionally and proactively shares with a brand, which can include preference center data, purchase intentions, personal context, and how the individual wants the brand to recognize them”.

Many in the marketing community believe that ZPD will be the foundation of direct response marketing. How would ZPD be collected? Stored? Recalled?

There is specific language that must accompany this form of consent.


What is PPIPPS?

Bill 64 impacts 21 separate laws in Quebec. The primary one we are addressing is the PROTECTION OF PERSONAL INFORMATION IN THE PRIVATE SECTOR (PPIPPS).

Some of the requirements include:

4. “Any person carrying on an enterprise who, for a serious and legitimate reason, collects personal information on another person must determine the purposes for collecting the information before doing so.”

In order to prove this was completed, the language used when collecting consent must be crafted carefully. The organization would want the purpose to be as broad as possible while being specific enough to allow the person to understand exactly what they are agreeing to, and to pass the sniff test of the Information Commissioner.

97. “Any person collecting personal information on another person may collect only the information necessary for the purposes determined before collecting it.”

If the company conducts a Data Impact Assessment on all data fields collected, they should be able to make conscious decisions regarding data minimization, only collecting what they will actually use.

98. “Any person collecting personal information from another person carrying on an enterprise must, at the request of the person concerned, inform the latter of the source of the information.”

The source of all data must be documented and connected to that data. If the person requests to know the source, it must be provided.

99. Section 8 of the Act is replaced by the following sections:

“8. Any person who collects personal information from the person concerned must, when the information is collected and subsequently on request, inform that person:

  (1) of the purposes for which the information is collected;
  (2) of the means by which the information is collected;
  (3) of the rights of access and rectification provided by law; and
  (4) of the person’s right to withdraw consent to the communication or use of the information collected.

A company must be able to prove they informed the person WHY the data was collected and HOW. Further, they must offer an easy process for the person to rectify the data or withdraw that consent.

If applicable, the person concerned is informed of the name of the third person for whom the information is being collected and of the possibility that the information could be communicated outside Québec.

The person must be informed of the specific third parties who will have access to this data and where they are located (outside Quebec). Once again, Data Impact Assessment can be used to think this through.

On request, the person concerned is also informed of the personal information collected from him, the categories of persons who have access to the information within the enterprise, the duration of the period of time the information will be kept, and the contact information of the person in charge of the protection of personal information.

The data you collect now carries specific obligations to the person you are collecting it from, including knowing all data you possess, how long you intend to keep it, and naming a contact person so the individual can reach out to express concerns or preferences.

The information must be provided to the person concerned in clear and simple language, regardless of the means used to collect the personal information.”

You must use plain language – no legalese.


The Facebook (now Meta) clause

If you profile, you must inform the person and give them a way to opt out of this process. This requires a Confidentiality Policy to be posted on the Company’s website.

The definition of profiling:

“‘Profiling’ means the collection and use of personal information to assess certain characteristics of a natural person, in particular for the purpose of analyzing that person’s work performance, economic situation, health, personal preferences, interests or behaviour.”


Confidentiality and Security

Section 100.9.1 states that “when offering a technological product or service, must provide the highest level of confidentiality by default, without intervention by the person concerned”

According to Section 102.12, Explicit Consent is required for Sensitive Information, and purpose limitations are clarified.


Automated Decision Making

You must:

  1. Inform the person what data was used to make the decision.
  2. Give the reasons for the decision.
  3. Give the person a chance to correct any personal information to be used.
  4. Give the person a contact to appeal.

Section 102.14

“14. Consent under this Act must be:

  1. clear,
  2. free and
  3. informed and
  4. be given for specific purposes.

It must be requested for each such purpose, in clear and simple language and separately from any other information provided to the person concerned.

If the person concerned so requests, assistance is provided to help him understand the scope of the consent requested.

The consent of a minor under 14 years of age is given by the person having parental authority. The consent of a minor 14 years of age or over is given by the minor or by the person having parental authority.

Consent is valid only for the time necessary to achieve the purposes for which it was requested.

Consent not given in accordance with this Act is without effect.”


Concerning Minors and Consent

“4.1. The personal information concerning a minor under 14 years of age may not be collected from him without the consent of the person having parental authority, unless collecting the information is clearly for the minor’s benefit.”


“You’re not in Kansas anymore, Dorothy.” Using a Preference Management Centre may be the only sane way to manage consent for Canadian companies. After scouring the internet for best of breed, we have partnered with Syrenis and their CASSIE solution. Built in the UK prior to the GDPR coming into force, CASSIE has simplified consent management for many global brands, bringing them into compliance and empowering their customers to make their own choices. This may be the fastest route to rebuilding digital trust with your customers and prospects.

If we can help you sort this out, please reach out to: info AT newport thomson DOT com
