New federal guidance is slated to take effect in the coming months that will set out companies’ obligations for the collection and handling of clients’ data.

Last week, the Office of the Privacy Commissioner of Canada (OPC) published two guidance documents: one gives guidelines on obtaining meaningful consent from Canadians; the second concerns inappropriate data practices.

Firms “should educate themselves on the obligations set out in this new guidance and take steps to comply with the requirements.”

Among other things, the guidance on meaningful consent: requires that clients be given a clear choice about whether to consent to data collection; establishes that consumers can’t be required to consent to the collection, use, or disclosure of personal information beyond what is necessary to provide the product or service; and requires firms to demonstrate compliance with their legal obligations.

The consent guidance also aims to help Canadians understand their privacy rights, and to guide their expectations from businesses that handle their personal information.

“The consent guidance sets out practical and actionable advice for organizations to ensure they obtain meaningful consent in the online environment,” stated federal privacy commissioner Daniel Therrien in a news release. “Our goal here is also to help empower Canadians.”

The consent guidance takes effect Jan. 1, 2019.

The guidance on firms’ data practices sets out practices that would be considered to be in violation of federal privacy legislation, PIPEDA. It takes effect as of July 1, 2018.

So-called “no-go zones” for firms include: using client data to profile or categorize consumers in a way that leads to unfair, unethical or discriminatory treatment; requiring passwords to social media accounts for employee screening; and carrying out surveillance through the audio or video capabilities of clients’ devices.

“Our role as a regulator includes giving guidance that clarifies PIPEDA requirements and sets expectations as to how the law should generally be interpreted and applied. Given that PIPEDA is so broad in nature, individuals and organizations need an adequate level of certainty,” said Therrien.

“Organizations should educate themselves on the obligations set out in this new guidance and take steps to comply with the requirements.”