In May 2018, the Office of the Privacy Commissioner of Canada (the “OPC”) published Guidelines for obtaining meaningful consent (the “Guidelines”), a guidance document that sets out the OPC’s expectations for how organizations should obtain an individual’s meaningful consent to the collection, use, and disclosure of personal information under the Personal Information Protection and Electronic Documents Act (“PIPEDA”). The Guidelines do not create new legal obligations under PIPEDA. Rather, the Guidelines communicate the OPC’s interpretation and application of existing legal requirements. Further, the Guidelines provide recommendations for how organizations should structure their privacy practices in order to promote compliance with current law, and in particular with the principles of Schedule I of PIPEDA. The Guidelines came into effect on January 1, 2019.
Key Obligations Under the Guidelines
The Guidelines provide additional guidance on organizations’ compliance obligations when it comes to obtaining meaningful consent under PIPEDA. Most importantly, the Guidelines include a checklist of “must-do” privacy practices, which are practices that arise from legal requirements under PIPEDA and that the OPC views as required in order to obtain individuals’ meaningful consent. In addition, the Guidelines set out “should-do” practices that do not stem from legal requirements, but are instead best practices that organizations can adopt in order to further (and demonstrate) their efforts to obtain meaningful consent.