Definitions

Personal Information

Under PIPEDA, personal information is defined to be any information about an identifiable individual, and has been interpreted to include any factual or subjective information, recorded or not, that relates to an identifiable individual. This includes information in any form, such as:

  • age, name, ID numbers, income, ethnic origin, or blood type;
  • opinions, evaluations, comments, social status, or disciplinary actions; and
  • employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).

To be “about an identifiable individual”, there must be a serious possibility that an individual could be identified through the information alone or in combination with other information.  The Office of the Privacy Commissioner of Canada generally takes the view that internet tracking technologies are using personal information, to the extent that they include IP addresses, device identifiers and other persistent identifiers.

 

Sensitive Personal Information

Although the law explicitly refers to the concept of sensitive personal information, it is not a defined term. However, the Schedule to the law indicates that, although some information (e.g., medical and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context.

Based on court decisions and the findings and guidance of the Office of the Privacy Commissioner of Canada, the following types of personal information would generally be considered to be sensitive:  biometric information; medical and health-related information; financial information; information respecting children and youth (particularly for young children); and, depending on the context, information relating to any of the prohibited grounds of discrimination under Canadian human rights law.  See “Legal Grounds for Processing”, below.

 

An organization should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive.

 

Consent

Consent is also not a defined term in PIPEDA; however, the law imposes several restrictions and requirements:

  • Consent can be express or implied, depending on the sensitivity of the information in question and the reasonable expectations of the individual.
  • Consent must be meaningful: consent is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.
  • Consent cannot be obtained through deception.
  • Consent can be withdrawn at any time, subject to legal or contractual restrictions and reasonable notice. Organizations must inform an individual of the implications of such withdrawal.
  • Organizations cannot, as a condition of providing a product or a service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes; however, the Office of the Privacy Commissioner of Canada has ruled that requiring an individual to consent to the receipt of advertising in order to access a free-to-the-user online service does not contravene this requirement.

The consent required under applicable privacy laws is distinct from the consent that may be required under Canada’s Anti-Spam Legislation (CASL) or the Unsolicited Telecommunications Rules, discussed above.  Generally, those regimes require only explicit consent, and the “implied” consent referenced under those rules is really a narrowly prescribed form of deemed consent.  In many cases, consent under both applicable privacy law and those direct marketing laws may be required.

The Office of the Privacy Commissioner of Canada has issued several guidance documents respecting the collection of consent, including the following:

  • Guidelines for Online Consent

Please visit: https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/consent/gl_omc_201805/

  • Guidelines for Obtaining Meaningful Consent

Please visit: https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/consent/gl_omc_201805/

The CMA issued its Guide to Transparency for Consumers to help companies respond to Guidelines for Meaningful Consent issued by the Office of the Privacy Commissioner of Canada that took effect in January 2019.

Please visit: https://www.the-cma.org/regulatory/code-and-guidelines/CMA-Guide-Transparency-for-Consumers

 

Children’s age

PIPEDA does not contain provisions specific to the personal information of children; however, its consent requirement may be difficult to meet with respect to children and youth.  In order for consent to be considered to be valid, it must be reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.  This requirement creates particular challenges for minors, and particularly for children under 13.

Canada’s Privacy Commissioner has consistently viewed the personal information of minors as being particularly sensitive and has recommended that organizations limit, or avoid altogether, the collection of personal information from minors, and where such collection is absolutely necessary, to obtain parental consent.  The Commissioner recommends that organizations avoid using web tracking technologies on websites aimed at children, and avoid any use of such technologies to track children.

The Office of the Privacy Commissioner of Canada has issued guidelines to businesses about the collection and use of the personal information of children, entitled: Collecting from kids? Ten tips for services aimed at children and youth.

Please visit: https://www.priv.gc.ca/en/privacy-topics/privacy-and-kids/02_05_d_62_tips/

Sections K and L of the CMA’s Code of Ethics and Standards of Practice outline requirements and best practices in marketing to children and youth.

Please visit: http://www.the-cma.org/regulatory/code-of-ethics