English
French
German
New Rules for Consent in Canada – a deeper dive…
Quebec recently passed Bill 64, changing the privacy and data protection landscape in Canada yet again. In this article we will address:
- Many businesses do not currently track and record consent for data processing. There has never been a need to do so, therefore most companies have no process in place
- Privacy is a fundamental right (like the GDPR). Quebec was not wishy washy on this like the proposed Federal Bill C-11 that stopped well short of taking this stand.
- Historical consent logs are required. The CAI can ask for specific information from the past, so every organization must be able to PROVE what consent they had on a specific date.
- Just as CCPA/CPRA has set the bar for the US, Quebec has set it for Canada. If you are doing business in Canada, your Privacy Management Programme must be at the very least, Bill 64 compliant.
- Scope includes all organizations who collect and use personal data. Any business who collects and uses personal data of any kind are subject to this new law.
- Businesses must be able to PROVE consent. Having it is not good enough.
- There are various types of consent, from email to profiling – even tracking purchases.
- Zero-Party data may be the best way forward. No more third-party data. Only data they knowingly and willing give you. (clear definition later in this article)
- All information collected must have a clearly stated purpose. Should an organization wish to use that information for a new purpose, they must ask the individuals for consent for that purpose.
- In order to be considered valid consent, specific language is required, specific to the purpose for collecting that information.
- Data minimization is a requirement. There must be a good reason and stated purpose for all information collected. The days of collecting data and figuring our what to do with it later, are over.
- If data is collected from a third party, a business must inform the concerned person that they now have the data and allow the individual to opt-out.
- All consents must use plain language that can easily be understood.
- Profiling people using their personal data will require clear informed consent and any individual must be able to opt-out.
- If you collect personal data you must keep it confidential and secure.
- If you make automated decisions using data a new level of transparency and communication of specifics is required.
- You must provide a contact person for people who have questions or concerns.
- You cannot collect data from a minor (under the age of 14) without parental consent
Background
For the past 20+ years we have been using personal data in pretty much any way that technology allowed. Rather than asking “Should we?”, we asked “Could we?”
“No consent” was the order of the day except in the health and financial sectors where it was treated with more sensitivity. But for the most part consent was not a thing. Few organizations even thought about it.
Along came data protection and privacy laws like the GDPR, CCPA and now closer to home, Quebec’s Bill 64 – all requiring, if not explicit consent, a damn good reason to use your personal data or what we might call implicit consent. In Bill 64’s case consent is required, with a few exceptions. So suddenly Canadian organizations have to set up processes to PROVE consent.
Just as California set the standard for data protection in the US, Quebec has stepped forward and done the same here in Canada. Your Privacy Management Programme must be set to the highest bar as you cannot have different policies and procedures in different States or Provinces. Both your staff and your consumer would be confused and it would be impossible to communicate and maintain given today’s technology.
There are many fields of data collected. How does a company ensure the language is consistent yet specific and provides all of the required details for each category and field of data? This would include the stated purpose and retention period. How do you “operationalize” that consent, ensuring you are honouring what you promised when you collected it? In our opinion, organizations must automate consent or it will consume too much time and staff resources.
Privacy as a Right
Let’s look at the fundamentals…
