Consent in the Private Sector
Types of Consent
There are three types of consent – express, deemed or implied.
Express Consent
In many cases consent must be “express”, meaning you have to actually say yes or check a box on a form, but in a few types of situations, consent can also be “implied” or “deemed”.
Implied Consent
An organization can treat your consent as having been implied by you if:
- the organization tells you that it will collect your personal information, and tells you the reason why (either verbally or by showing you its written “notice of purposes”) and
- you don’t explicitly refuse consent within a reasonable amount of time.
For example, when you call a bank or telecom company for service a voice may announce that the call will be recorded for quality control and training. By staying on the line and speaking with a service representative, you are implying your consent to the collection of your personal information in the recording for quality control and training. You are not implying your consent for any other purpose and so your personal information in the recording cannot be used or disclosed for any other purpose without consent.
Another example is when you walk into a shop right past a sign stating that video surveillance is used for security purposes. You have implied your consent to the collection of your image on the surveillance recording for security purposes. However, the shop cannot use the surveillance tape to find out what you buy and then use the information to market to you, because that type of purpose was not included in the notice you walked past.
Other Rules about Consent in the Private Sector
Usually, once it has your consent, the organization may not collect, use or disclose your personal information for other, new purposes unless it gets a new consent from you.
Unless the information is necessary to provide the product or service, the organization cannot require you to give it your personal information as a condition of being supplied the product or service. So a clothing store cannot require you to give it your postal code when you are buying some clothes.
An organization is not allowed to get your consent by giving you false or misleading information or by using deceptive or misleading practices. If you do give your consent based on false or misleading or deceptive information or practices, your consent is not valid and the organization is not allowed to rely on it.
When Consent is Not Required in the Private Sector
In certain circumstances, an organization does not have to get consent before it collects, uses or discloses personal information. These circumstances are limited by PIPA and PIPEDA.
The limitations in each law are somewhat different, and so private sector organizations will have different rights depending on which of the two laws apply. If you wish, you can figure out which law applies to your circumstances.
Here are some situations when a private sector organization in BC covered by PIPA does not need your consent to collect, use or disclose your personal information:
- when it is clearly in your interests and your consent cannot be obtained in a timely way;
- when it is necessary for medical treatment and you can’t give consent;
- when getting your consent might compromise the availability or accuracy of the information and the information is reasonably needed for an investigation or proceeding;
- when it is collecting a debt owed to it;
- when it needs to contact a next of kin or friend of an ill or deceased person, or where compelling circumstances exist affecting health and safety; or
- when it is allowed or required by a court order, warrant, subpoena, law or a treaty;
- when you appear at a public event voluntarily and your personal information is collected at the event (for example, you’re photographed on stage at a demonstration); or
- when your personal information is needed to determine whether to select you for an award, honour, or an athletic or artistic purpose.
An organization is also allowed to disclose personal information:
- to a public body or law enforcement agency in Canada in connection with investigating or prosecuting crime;
- if there are compelling circumstances affecting someone’s health or safety;
- if the disclosure is to an archive or for research or in connection with a business transaction involving the organization.
In each of these cases, certain conditions must be met.
- List of the circumstances in which an organization can collect personal information
- List of the circumstances in which an organization can use personal information
- List of the circumstances in which an organization can disclose personal information
Different Consent Requirements for an Employee’s Personal Information under PIPA
Under BC’s provincial law, PIPA, an employer is not required to get consent to collect, use or disclose employee personal information, if:
- the collection, use or disclosure is reasonable for the purposes of establishing, managing or terminating the employment relationship; and
- the employer has given the employee a notice of purposes.
Under PIPEDA, an organization is allowed (PIPEDA itself is not clear on this point, but in a series of case summaries, the Privacy Commissioner of Canada reached this conclusion) to treat an employee’s consent as being implied if they remain in their job after being given notice of purposes for the collection, use or disclosure by the organization.
Rather than give notice in each instance, most organizations provide a general notice through the privacy policy that applies to their employees. The purposes listed in the notice of purposes must always be reasonable and appropriate in the circumstances.
Withdrawal of Consent in the Private Sector
In any circumstance where consent is required and you gave consent, you also have a right to withdraw consent.
First, you must give reasonable notice to the organization. When the organization receives your notice of withdrawal, it has to tell you what will happen when you withdraw your consent.
For example, a fitness club may cancel your membership if you refuse to give it a billing address, or a retailer may not be able to remind you of upcoming sales if you refuse to give it your email address.
If you exercise your withdrawal right, the organization must, according to your instructions, stop collecting, using or disclosing your personal information. The organization cannot prohibit you from withdrawing your consent.
However, if your consent is not required for a particular purpose, an organization can continue to collect, use or disclose for that purpose. For example, a bank does not need your consent to file certain tax forms with Canada Revenue Agency to report interest income, because it is required by law to file the forms.
You may not withdraw your consent at all in two circumstances: i) if doing so would frustrate the performance of a legal obligation; and ii) if you gave your consent for the purposes of a credit reporting agency creating a credit report about you.