Friday, January 02, 2004

Privacy Commissioner clarifies the requirements for "opt-out" consent

Commissioner's Finding 207 - August 6, 2003 - Privacy Commissioner of Canada

In a recently-released finding, the Privacy Commissioner (Robert Marleau) provided some long-awaited guidance on the use of "opt-out" consent. Opt-out consent is expressly provided for in PIPEDA (Principle 3 - Consent), but was consistently denigrated by former Commissioner George Radwanski. Businesses have been left wondering where it stands and what they can expect from the OPC if they use opt-out. Well, in decision 207, some definition is given to the shades of grey of the consent principle. The finding contains the following:

  1. The personal information must be clearly non-sensitive in nature and context.
  2. The information-sharing situation must be limited and well-defined as to the nature of the personal information to be used or disclosed and the extent of the intended use or disclosure.
  3. The organization's purposes must be limited and well-defined, stated in a reasonably clear and understandable manner, and brought to the individual's attention at the time the personal information is collected.
  4. The organization must establish a convenient procedure for easily, inexpensively, and immediately opting out of, or withdrawing consent to, secondary purposes and must notify the individual of this procedure at the time the personal information is collected.

No comments: