Consent management is an essential component of modern privacy program management strategies. It ensures that your organization handles the personally identifiable information (PII) of both its customers and employees responsibly and transparently, that user preferences are respected, and that your organization meets its legal requirements.
In this article, we discuss the current landscape of consent management, who consent management applies to, and the legal and regulatory frameworks governing consent management. We’ll also explore key challenges and considerations for implementing consent management frameworks and share insights from our advisors to help you navigate this evolving landscape.
What does the current landscape of consent management look like for a Canadian organization?
The consent management landscape for Canadian organizations operating in Canada or in a multinational environment is becoming increasingly complex, driven by rising awareness of data privacy issues and stringent regulatory requirements.
Organizations are under more pressure than ever to understand these requirements and implement robust consent management practices to maintain customer trust. Consent management applies to both commercial organizations and non-profit organizations.
Several of the most significant legal and regulatory frameworks governing consent management for Canadian organizations are included below. These regulations require organizations to obtain valid consent (express consent, or implied consent where the legislation permits it) from data subjects such as customers, employees, donors, and volunteers before collecting, using, or sharing PII. It is important to note that not all legislation defines data subjects, or valid consent, in the same way.
- Personal Information Protection and Electronic Documents Act (PIPEDA): PIPEDA requires organizations that collect, use, or disclose personal information in the course of commercial activity to obtain meaningful consent for the purposes for which the information is collected. However, PIPEDA's consent principle is less prescriptive than newer laws, and many organizations still rely on blanket consent statements that cover both primary and secondary purposes. The legislation does not apply to non-profit organizations that are not conducting commercial activity in Canada.
- Law 25: Quebec's Law 25, overseen by the Commission d'accès à l'information du Québec, has strict requirements around obtaining express and informed consent from data subjects so that the consent collected is valid. Express consent is also required before activating tracking technologies such as cookies used for profiling or geolocation, which must be off by default when someone visits a website. Law 25 applies to both commercial and non-profit organizations.
- General Data Protection Regulation (GDPR): GDPR applies to the personal data of individuals in the European Union, regardless of their citizenship, and to organizations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU. Consent is one of several lawful bases for processing; where an organization relies on it, the consent must be freely given, specific, informed, and unambiguous, and explicit consent is required for special categories of data. GDPR also grants data subjects the right to access, correct, and delete their data.
- Canada’s Anti-Spam Legislation (CASL): This Canadian legislation aims to protect consumers and businesses from digital threats such as spam, phishing, and malware by regulating commercial electronic messages (CEMs) sent within, from, or to Canada. It requires organizations to obtain consent before sending CEMs, which can be express or implied. The legislation is enforced by agencies such as the Canadian Radio-television and Telecommunications Commission (CRTC), Office of the Privacy Commissioner of Canada (OPC), and the Competition Bureau.
Why focus on consent management?
There are many reasons for your organization to focus on implementing consent management, including:
- Comply with legal requirements: As privacy laws such as GDPR and Law 25 become the standard, more organizations are going to need to have consent management in place to avoid significant fines.
- Increase customer trust: Your organization can build trust with data subjects and improve its reputation by providing transparency around how you use data and allowing data subjects to opt out.
- Simplify business processes: Implementing a consent management program can help your organization better understand inefficiencies in its current business processes, define the primary purposes of the business, and identify ways to streamline those processes and reduce data collection and risk.
What are the key challenges of consent management?
There are several challenges around consent management in Canada that require creative solutions, including:
- Application of Law 25: Law 25 applies to the personal information of Quebec residents, and every organization that collects and/or processes this information is subject to the legislation, regardless of where the organization is located in Canada.
- Different legislation: Legislation governing consent management differs from province to province. Additionally, provinces are tabling their own privacy laws ahead of federal legislation, which increases complexity.
- Implementing consent management tools: Many current consent management tools are not designed with Canada in mind. This poses unique technical challenges for businesses looking to implement these tools.
- Different business processes: CASL continues to apply across Canada, but for the personal information of Quebec residents Law 25's express consent requirement is stricter than the implied consent CASL permits, so organizations cannot rely on a single, CASL-only process for the whole country.
- Reobtaining consent: Under Law 25, consent for secondary purposes must be obtained again if express consent for those purposes was not provided when the information was first collected.
What are key considerations for designing a consent management solution?
Law 25 defines clearly what counts as valid consent in Quebec. Your organization will need to demonstrate, with records, that it meets these requirements if it is challenged by regulators.
These considerations can help you achieve valid consent:
- Clear and concise: It is crucial to use plain language when describing how data will be used, free of jargon or hard-to-understand terms.
- Consent expiry: Consent is not permanent; it is valid only for the time needed to fulfil the purpose for which the data was collected. Ensure your organization applies proper retention policies to consent data.
- Consent withdrawal: Consent must be as easy to withdraw as it was to provide.
- Granular: The purposes for data use must be clear and separated. Data subjects must be able to provide consent for each purpose.
- Informed consent: Data subjects must understand what they are consenting to, and consent must be provided in a way that demonstrates their true wishes and not collected through coercion.
- Secondary purposes: Data subjects must be able to opt out of secondary purposes of data use when those purposes are not required to perform the primary purpose of the collection. Organizations cannot deny a product or service to data subjects solely because they declined to consent to secondary purposes.
- User preferences: User preferences should be managed in combination with consent. This allows users to both provide and revoke consent, while also customizing communication channels and the types of communication they would like to receive from your organization.
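The considerations above translate directly into how a consent store should be built: one record per subject and purpose rather than a blanket flag, the exact notice version the person saw, an expiry, a withdrawal path, a service check that depends only on primary purposes, and an audit trail you can show a regulator. The following is an added example written for this article, not code from MNP or from any consent management product; the purpose names, notice versions, time-to-live values, and the `subj-1` scenario are constructed for illustration.

```python
"""Purpose-scoped consent ledger (hypothetical example code for this article)."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

GENESIS = "0" * 64  # starting "previous hash" for the audit chain


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str            # one purpose per record: no blanket consent
    notice_version: str     # identifies the plain-language text the subject saw
    granted_at: datetime
    expires_at: datetime    # consent lasts only as long as the purpose needs
    withdrawn_at: Optional[datetime] = None

    def active(self, now: datetime) -> bool:
        if self.withdrawn_at is not None and self.withdrawn_at <= now:
            return False
        return self.granted_at <= now < self.expires_at


class ConsentLedger:
    def __init__(self, primary_purposes: set[str]):
        self.primary_purposes = primary_purposes
        self._records: dict[tuple[str, str], ConsentRecord] = {}
        self._audit: list[dict] = []   # append-only, hash-chained evidence
        self._prev_hash = GENESIS

    def _log(self, event: str, subject_id: str, purpose: str, at: datetime) -> None:
        entry = {"event": event, "subject": subject_id, "purpose": purpose,
                 "at": at.isoformat(), "prev": self._prev_hash}
        digest = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        entry["hash"] = digest
        self._prev_hash = digest
        self._audit.append(entry)

    def grant(self, subject_id: str, purpose: str, notice_version: str,
              now: datetime, ttl: timedelta) -> ConsentRecord:
        rec = ConsentRecord(subject_id, purpose, notice_version, now, now + ttl)
        self._records[(subject_id, purpose)] = rec
        self._log("grant", subject_id, purpose, now)
        return rec

    def withdraw(self, subject_id: str, purpose: str, now: datetime) -> bool:
        """Withdrawal is a single call, as easy as granting; returns False if nothing was active."""
        rec = self._records.get((subject_id, purpose))
        if rec is None or not rec.active(now):
            return False
        rec.withdrawn_at = now
        self._log("withdraw", subject_id, purpose, now)
        return True

    def may_process(self, subject_id: str, purpose: str, now: datetime) -> bool:
        rec = self._records.get((subject_id, purpose))
        return rec is not None and rec.active(now)

    def service_allowed(self, subject_id: str, now: datetime) -> bool:
        # Service depends only on primary purposes; declining a secondary purpose never blocks it.
        return all(self.may_process(subject_id, p, now) for p in self.primary_purposes)

    def needs_reconsent(self, subject_id: str, purposes: list[str], now: datetime) -> list[str]:
        # Any purpose without an active, purpose-specific record must be asked for again before use.
        return [p for p in purposes if not self.may_process(subject_id, p, now)]

    def audit_chain_valid(self) -> bool:
        prev = GENESIS
        for e in self._audit:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


def demo() -> dict:
    """Constructed scenario: one primary purpose, one secondary purpose, expiry and withdrawal."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ledger = ConsentLedger(primary_purposes={"order_fulfilment"})
    ledger.grant("subj-1", "order_fulfilment", "notice-v3", t0, timedelta(days=365))
    ledger.grant("subj-1", "marketing_email", "notice-v3", t0, timedelta(days=90))
    out = {}
    out["marketing_ok_day1"] = ledger.may_process("subj-1", "marketing_email", t0 + timedelta(days=1))
    out["marketing_expired_day91"] = ledger.may_process("subj-1", "marketing_email", t0 + timedelta(days=91))
    out["withdrawn"] = ledger.withdraw("subj-1", "marketing_email", t0 + timedelta(days=10))
    out["marketing_ok_day11"] = ledger.may_process("subj-1", "marketing_email", t0 + timedelta(days=11))
    out["service_still_allowed"] = ledger.service_allowed("subj-1", t0 + timedelta(days=11))
    out["reconsent"] = ledger.needs_reconsent("subj-1", ["marketing_email", "analytics"], t0 + timedelta(days=11))
    out["audit_ok"] = ledger.audit_chain_valid()
    return out


if __name__ == "__main__":
    print(demo())
```

Two design points are worth noting. Keying records by (subject, purpose) makes blanket consent impossible to express, which is the structural guarantee behind the "granular" requirement; and the hash-chained audit log means a withdrawal or expiry cannot be quietly edited away later, which is what lets the organization prove to a regulator what was consented to, under which notice version, and when.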
What consent management models can my organization implement?
Organizations looking to implement a consent management framework can choose from several models for operating in Canada, each with its own trade-offs:
- Explicit opt-in model for all of Canada: This is the simplest model to implement since it requires one set of business processes and prepares you for the future. However, it may impact the marketing reach of your organization as all customers will need to provide explicit consent for all marketing activities.
- Different consent models by province: Treating provinces differently can allow organizations to maintain marketing reach through leveraging implied consent defined in CASL. This model is much more complex to manage.
- Different consent models by business process: This model is the most complex to design and manage. However, it can be used if your organization is not providing all services to Quebec residents.
MNP’s lessons learned
Our advisors have learned some of the following lessons through the experience of implementing consent management programs for both commercial and non-profit organizations in Canada. We are sharing these insights to help you navigate the journey of implementing a consent management framework within your own organization:
- Many organizations are not prepared for the significant amount of change management needed to comply with consent management requirements.
- Organizations that rely on implied consent will face significant difficulties adjusting to Law 25.
- Many organizations are not aware that the deadline to comply with Law 25's requirements has already passed. These organizations are not currently in compliance and could face large fines. Regulators have started observing organizational practices and could soon begin probing organizations and issuing penalties.
- Law 25 will require many organizations to re-assess how they strategically approach marketing to maintain customer reach.
- Some organizations may need to assess their business processes to better understand what their primary purposes are and how to define secondary purposes that will require additional consent.
- Implementing consent management requires thoughtful consideration of the impact to the organization and how to achieve informed consent.