Until now, we have not really been required to implement practices or processes to track and record consent to use an individual’s personal data when conducting business.
For the most part over the past 20 years, we collected and bought what we could and then “followed the technology” to determine what we could do with it. While the Personal Information Protection and Electronic Documents Act (PIPEDA) has existed since 1999, it has not really been widely enforced for all organizations in Canada. The enforcement tools available under PIPEDA are cumbersome, legally complex and therefore costly to enforce.
All that changed in September 2021 when Quebec passed Bill 64.
PIPEDA required that individuals be informed of what personal information was being collected, how it is being shared, what it will be used for, and what risks of harm or other consequences might occur. In addition, PIPEDA required parental consent for those under the age of 13.
Bill 64 adds a whole laundry list of additional requirements.
For example, consent must be free and informed. So burying consent in a Privacy Policy resembling a book thicker than MacBeth is finally against the law. The legal battle Facebook is fighting in the EU will not hold water in Quebec, therefore Canada (it is far too difficult to have a different Privacy Management Programme for every Province, therefore most Canadian companies will likely operate to the “highest bar”. At this point in time, that is Quebec.) Sneaking statements into your Terms and Conditions won’t work either. Like the GDPR in the EU, the test as to whether an individual provided free and INFORMED consent will be whether or not the individual was even aware that they gave it! So the old “it’s in the fine print” will not stand up under the Private or Public Sector Acts in Quebec.
Nor will stating it in confusing legal language that leaves most people saying “What!?”. Bill 64 requires that requests for consent use “plain language“. You may want to consider having marketing write your consent language instead of a lawyer. While the language must stand a legal challenge, it can be stated in a way that people can understand what they are giving consent to. Many Privacy Policies written by lawyers scare the daylights out of me. Had a marketer written those, they would have simply stated what’s so, in a non-threatening way that did not make me feel like someone is coming after me to lock me up. Intonation is key when requesting consent in this new world.
Your consent language must also include what you are going to use it for. Specifically. And how long you intend to keep it for that purpose. Should you wish to use that data for other purposes you must ask for free and informed consent to do so. Facebook recently asked for my mobile number “to ensure ongoing access to my account” (which is now closed). Within days I started receiving SMS text messages when people I was connected to posted anything new! When this new law is in force (I will post an article on the fair and reasonable enforcement strategy of Bill 64 shortly), Facebook, or any other organization would not be able to do that. They would have to ask for those 2 consents separately.
Not meaning to be blatantly commercial here, you can begin to see for yourself, with all of the proof of consents required in order to use an individual’s personal data, some powerful, automated solutions will be required for every organization in Canada. We have scoured the internet and partnered with the best of breed Preference Management Centre. Please reach out if you would like a demo.
Of course, consent for minors…
