Determining the appropriate form of consent under the Personal Information Protection and Electronic Documents Act

This document was created to provide guidance to organizations as to which form of consent would be appropriate in a given situation. The relevant principles are identified, followed by illustrations of how these principles have been interpreted and applied by the OPC .

Principle 4.3 The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

Principle 4.3.4 The form of the consent sought by the organization may vary, depending upon the circumstances and the type of information. In determining the form of consent to use, organizations shall take into account the sensitivity of the information. Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context.

Principle 4.3.5 In obtaining consent, the reasonable expectations of the individual are also relevant.

Principle 4.3.6 An organization should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive.

Positive/Opt-in (Express) Consent

Under this form of consent, commonly referred to as "express consent", the organization presents an opportunity for the individual to express positive agreement to a stated purpose. Unless the individual takes action to "opt in" to the purpose — in other words, says "yes" to it — the organization does not assume consent.

This is the strongest form of consent, and is in keeping with the spirit of PIPEDA. The CSA Model Code for the Protection of Personal Information says "Express consent is unequivocal and does not require any inference on the part of the organization seeking consent". An organization is encouraged to use this form of consent wherever appropriate, taking into consideration the reasonable expectations of the individual. This form of consent is least likely to give rise to misunderstandings and complaints.

Principle 4.3.6 states that an organization should generally seek express consent when the information is likely to be considered sensitive.

Negative/Opt-out Mechanism

The organization presents the individual with an opportunity to express non-agreement to an identified purpose. Unless the individual takes action to "opt out" of the purpose — that is, say "no" to it — the organization assumes consent and proceeds with the purpose. The individual should be clearly informed that the failure to "opt out" will mean that the individual is consenting to the proposed use or disclosure of the information.

The OPC has had opportunity to consider the use of "opt out" in a number of different contexts. A common use of the "opt out" is in the context of using or disclosing personal information for secondary purposes of marketing. Secondary purposes are additional to those for which the information needed to be collected in the first place. The OPC considers that an organization must satisfy the following requirements when using an opt-out, for example to obtain consent for secondary marketing purposes:

• The personal information must be demonstrably non-sensitive in nature and context.
• The information-sharing situation must be limited and well-defined as to the nature of the personal information to be used or disclosed and the extent of the intended use or disclosure.
• The organization's purposes must be limited and well-defined, and stated in a clear and understandable manner.
• As a general rule, organizations should obtain consent for the use or disclosure at the time of collection. In some cases, it may not be reasonably possible to obtain the individual's meaningful consent at the time of collection of the personal information. Principle 4.3.1 recognizes that, in certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected but before the use or disclosure. In these cases, organizations are encouraged to inform individuals of the proposed use or disclosure, and offer the opportunity to opt out, at the earliest opportunity.
• The organization must establish a convenient procedure for opting out of, or withdrawing consent to, secondary purposes. The opt-out should take effect immediately and prior to any use or disclosure of personal information for the proposed new purposes. In cases where there is an existing use or disclosure for secondary purposes, the organization must provide an ongoing mechanism for withdrawing consent to the secondary purpose, and should ensure that the withdrawal takes effect with minimal delay.

Implied Consent

The CSA Model Code says "Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual". This covers situations where the intended use or disclosure is obvious from the context and the organization can assume with little or no risk that the individual, by providing the personal information, is aware of and consents to the intended use or disclosure. Thus, where circumstances indicate that an individual has a certain understanding, knowledge, or acceptance, or certain information has been brought to the attention of an individual, consent might be implied.

Factors to be considered in determining the appropriateness of relying on implied consent include:

• Whether the individual would reasonably expect that the personal information would be used or disclosed in the proposed manner. This will require a consideration of many factors, such as what information was provided to the individual, whether the purpose was identified, and whether the practices are common and widely known.
• Whether the information is sensitive in nature. This could well affect the reasonable expectations of an individual. Principle 4.3.6 states that an organization should generally seek express consent when the information is likely to be considered sensitive. Under principle 4.3.4, any information can be sensitive, depending on the context.
  
  Non-sensitive information : In some cases, even where the information is not sensitive, an individual may not reasonably expect the information to be further used or disclosed (for example, for secondary purposes of marketing). In other cases involving non-sensitive information, the individual would normally have a certain expectation (for example, an individual buying a subscription to a magazine should reasonably expect that the name and address will be used not just for mailing and billling purposes, but also to contact the individual to solicit renewal of the subscription).
  
  Sensitive information : In some cases involving sensitive information, the individual could reasonably expect the information to be used or disclosed for certain purposes. For example, the OPC supports the current practice of implied consent for uses and disclosures that are directly related to the medical care and treatment of an individual patient (the circle of care).
• The context makes it evident. For example, an internet service provider might rely on implied consent by the customer that the ISP can provide certain service support to the customer, such as identifying and correcting delivery problems, for the benefit of the customer.

No requirement for consent

Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate . The explanatory note that accompanies principle 4.3 is inoperative pursuant to section 2 (2) and section 7 of the Act. Sections 7(1), (2), and (3) set out the only situations where an organization may collect, use or disclose personal information without the knowledge or consent of the individual.