How can your business navigate consent management?

January 20, 2025

How can your organization navigate the complex landscape of consent management? It is a key pillar of modern privacy program management strategies — and implementing a strong framework is necessary to meet legal and regulatory requirements, build customer trust, and avoid potential fines.

Adriana Gliga-Belavic, CISSP, CIPM, PCIP, is a Partner, member of the Firm’s Cyber Security team and Privacy Leader with MNP in Toronto. Passionate about security and privacy, Adriana helps public and private clients build pragmatic strategies and privacy programs to maintain customer trust and find the right balance between business results, proactive cyber resiliency and enhanced privacy.

Consent management is an essential component of modern privacy program management strategies. It ensures that your organization handles the personal identifiable information (PII) of both its customers and employees responsibly and transparently. It also ensures that user preferences are respected and that your organization meets legal requirements.

In this article, we discuss the current landscape of consent management, who consent management applies to, and the legal and regulatory frameworks governing consent management. We’ll also explore key challenges and considerations for implementing consent management frameworks and share insights from our advisors to help you navigate this evolving landscape.

What does the current landscape of consent management look like for a Canadian organization?

The consent management landscape for Canadian organizations operating in Canada or a multinational environment is becoming increasingly complex — driven by a rising awareness of data privacy issues and stringent regulatory requirements.

Organizations are under more pressure than ever to understand these requirements and implement robust consent management practices to maintain customer trust. Consent management applies to both commercial organizations and non-profit organizations.

Several of the most significant legal and regulatory frameworks governing consent management for Canadian organizations are included below. These regulations mandate that organizations obtain explicit consent from data subjects such as customers, employees, donors, and volunteers before collecting, processing, or sharing PII. It is important to note that not all legislation has the same definition of data subjects.

  • Personal Information Protection and Electronic Documents Act (PIPEDA): PIPEDA requires organizations that are collecting, using, or disclosing personal information to obtain consent for the purposes for which the data is collected. However, PIPEDA does not have strict guidelines around consent management, and many organizations may be using blanket consent statements for both primary and secondary purposes. The legislation does not apply to non-profit organizations that are not conducting commercial activity in Canada.
  • Law 25: Enforced by the provincial government of Quebec, this new legislation has strict requirements around obtaining express and informed consent from data subjects to ensure the consent collected is valid. Additionally, explicit consent is also required for tracking technologies such as cookies when visiting websites. Quebec’s Law 25 applies to both commercial and non-profit organizations.
  • General Data Protection Regulation (GDPR): GDPR is enforced for personal information collected from citizens of the European Union. It requires organizations to obtain explicit and informed consent from data subjects before collecting and processing personal data. It also grants data subjects the right to access, correct, and delete their data.
  • Canada’s Anti-Spam Legislation (CASL): This Canadian legislation aims to protect consumers and businesses from digital threats such as spam, phishing, and malware by regulating commercial electronic messages (CEMs) sent within, from, or to Canada. It requires organizations to obtain consent before sending CEMs, which can be express or implied. The legislation is enforced by agencies such as the Canadian Radio-television and Telecommunications Commission (CRTC), Office of the Privacy Commissioner of Canada (OPC), and the Competition Bureau.

Advisor insight: These various regulatory and legal frameworks can be daunting if your organization operates across multiple jurisdictions. Gaining a thorough understanding of the similarities and differences between consent requirements can help you move forward with confidence.

What is consent management?

Consent management includes the processes and systems that organizations use to obtain, track, and manage user consent for data collection, processing, and sharing. Its purpose is to ensure that your data subjects are fully informed about what data is collected, how it is used, and who it is shared with.

Definitions and key concepts to help you navigate consent management include:

  • Explicit consent: A type of consent where data subjects must actively agree to data collection and processing. This is achieved through opt-in mechanisms or an action such as clicking a checkbox.
  • Implied consent: This type of consent can be assumed based on the action taken by the data subject. If a data subject makes a purchase online by submitting an order and payment form, for example, you can assume they are providing consent to use this data for payment and order processing.
  • Primary purpose: The main reason for the collection and use of the data provided by the data subject.
  • Secondary purpose: The reason for the use of the data provided by the data subject outside of its primary purpose (e.g., marketing).

Advisor insight: There are many nuances related to consent that can be confusing. If you’re not sure how consent applies to your organization, reach out to an external professional for a consultation on how legislation applies to your organization and what remediation steps may be required.

Why focus on consent management?

There are many reasons for your organization to focus on implementing consent management, including:

  • Comply with legal requirements: As privacy laws such as GDPR and Law 25 become the standard, more organizations are going to need to have consent management in place to avoid significant fines.
  • Increase customer trust: Your organization can build trust with data subjects and improve its reputation by providing transparency around how you use data and allowing data subjects to opt out.
  • Simplify business processes: Implementing a consent management program can help your organization better understand inefficiencies in its current business processes, define the primary purposes of the business, and identify ways to streamline those processes and reduce data collection and risk.

Advisor insight: Use the opportunity to understand consent management data flows and streamline your business processes. Compliance will follow.

What are the key challenges of consent management?

There are several challenges around consent management in Canada that require creative solutions, including:

  • Application of Law 25: Law 25 applies to the personal information of Quebec residents, regardless of where they are currently in Canada. All organizations that collect and/or process this information are subject to the legislation.
  • Different legislation: Legislation governing consent management differs from province to province. Additionally, provinces are tabling their own privacy laws ahead of federal legislation, which increases complexity.
  • Implementing consent management tools: Many current consent management tools are not designed with Canada in mind. This poses unique technical challenges for businesses looking to implement these tools.
  • Different business processes: Law 25 overrides CASL’s consent requirements for the personal information of Quebec residents, but not for the rest of Canada, requiring different business processes.
  • Re-obtaining consent: Re-obtaining consent for secondary purposes is required under Law 25 if explicit consent was not provided when the information was collected.

Advisor insight: Achieving balance between the user experience and consent management requirements is crucial when building a consent management program.

What are key considerations for designing a consent management solution?

There are clear definitions of what is considered valid consent with Law 25 in Quebec. Your organization will need to prove that it meets these requirements if it is challenged by regulators.

These considerations can help you achieve valid consent:

  • Clear and concise: It is crucial to use plain language when describing how data will be used, free of jargon or hard-to-understand terms.
  • Consent expiry: Consent must be temporary and expire after the purpose of data collection has been fulfilled. Ensure your organization applies proper retention policies to consent data.
  • Consent withdrawal: Consent must be as easy to withdraw as it was to provide.
  • Granular: The purposes for data use must be clear and separated. Data subjects must be able to provide consent for each purpose.
  • Informed consent: Data subjects must understand what they are consenting to, and consent must be provided in a way that demonstrates their true wishes and not collected through coercion.
  • Secondary purposes: Data subjects must be able to opt out of the secondary purposes of data use if these purposes are not required to perform the primary purpose of the data collection. Organizations can’t deny service offers to data subjects solely due to their decision to not provide consent for secondary purposes.
  • User preferences: User preferences should be managed in combination with consent. This allows users to both provide and revoke consent, while also customizing communication channels and the types of communication they would like to receive from your organization.

Advisor insight: Clearly documenting your primary business purposes for collecting PII from your customers can help you both increase transparency in your communications with your customers and make informed decisions about the secondary purposes of the data use.

What consent management models can my organization implement?

Organizations looking to implement a consent management framework can consider several models to operate in Canada, each with its own pros and cons:

  • Explicit opt-in model for all of Canada: This is the simplest model to implement since it requires one set of business processes and prepares you for the future. However, it may impact the marketing reach of your organization as all customers will need to provide explicit consent for all marketing activities.
  • Different consent models by province: Treating provinces differently can allow organizations to maintain marketing reach through leveraging implied consent defined in CASL. This model is much more complex to manage.
  • Different consent models by business process: This model is the most complex to design and manage. However, it can be used if your organization is not providing all services to Quebec residents.

Advisor insight: Each organization is unique and therefore choosing a consent management model will require careful consideration. Conducting a cost-benefit analysis with business stakeholders and your marketing team can help you identify a model that makes the most sense for your organization.

MNP’s lessons learned

Our advisors have learned some of the following lessons through the experience of implementing consent management programs for both commercial and non-profit organizations in Canada. We are sharing these insights to help you navigate the journey of implementing a consent management framework within your own organization:

  • Many organizations are not prepared for the significant amount of change management needed to comply with consent management requirements.
  • Organizations that rely on implied consent will face significant difficulties adjusting to Law 25.
  • Many organizations are not aware that the time to become compliant with Law 25’s requirements has passed. These organizations are not currently in compliance and could face the possibility of large fines. Regulators have started to observe organizational practices and could soon begin to probe into organizations and issue penalties.
  • Law 25 will require many organizations to re-assess how they strategically approach marketing to maintain customer reach.
  • Some organizations may need to assess their business processes to better understand what their primary purposes are and how to define secondary purposes that will require additional consent.
  • Implementing consent management requires thoughtful consideration of the impact to the organization and how to achieve informed consent.

Take the next step

Contact Adriana Gliga-Belavic, the leader of our Privacy and Data Protection team, or fill out the form below to learn more about how to implement a consent management framework in your organization that meets legal and regulatory requirements while balancing it with the customer experience. There’s no better time to take those critical next steps.

Connect with us to get started

Our team of dedicated professionals can help you determine which options are best for you and how adopting these kinds of solutions could transform the way your organization works. For more information, and for extra support along the way, contact our team.