Federal, British Columbia and Alberta Privacy Commissioners Issue New Guidelines for Online Consent

May 8, 2014

The federal, British Columbia and Alberta Privacy Commissioners have today published new guidelines to help organizations understand the importance of being transparent about their online privacy practices.

“The online world is creating new challenges for privacy transparency and meaningful consent. This environment is so fast-paced and complex that traditional methods of informing people about privacy issues and seeking consent may fall short,” says Chantal Bernier, Interim Privacy Commissioner of Canada. “It is important for online organizations to take a thoughtful, creative approach to providing privacy information to Canadians.”

The guidelines were developed in cooperation with the Offices of the Information and Privacy Commissioners of British Columbia and Alberta.

“Organizations have an obligation to effectively inform people what is happening with their information. In addition to a clear and comprehensive privacy policy, organizations should highlight privacy information where people need the most guidance, for example, when they are downloading an app or when they are being asked for their personal information,” says Elizabeth Denham, Information and Privacy Commissioner for British Columbia.

“To obtain meaningful consent, organizations need to be open and transparent with consumers. People are only able to make informed decisions about sharing their personal information if organizations clearly explain their information management practices,” says Marylin Mun, Assistant Information and Privacy Commissioner for Alberta.

Meaningful consent for the collection and use of personal information is an essential component of Canadian private-sector privacy laws. Private sector organizations are required to obtain meaningful consent before collecting, using and disclosing personal information.

The new guidelines outline some of the key considerations for obtaining meaningful online consent. For example:

  • Organizations should be fully transparent about their privacy practices. Privacy policies should be easily accessible, simple to read, and accurate.
  • Communicating privacy practices is not a one-size-fits-all proposition. In addition to privacy policies, other types of privacy disclosures, like just-in-time notifications, icons or layered notices, should provide privacy explanations at key points in the user experience.
  • Organizations should recognize and adapt to special considerations in managing the personal information of children and youth. Organizations should implement innovative ways of presenting privacy information to children and youth that take into account their cognitive and emotional development and life experience.