The Personal Information Protection and Electronic Documents Act (PIPEDA) is more comprehensive than many people realize. While the Canadian privacy law often speaks in broad principles, those principles are still enforceable, and Canadian regulators have been forceful in interpreting them.

PIPEDA does not contain the words “opt-out” or “targeted advertising” (it was first drafted in 2000, after all), but the Office of the Privacy Commissioner (OPC) has clearly stated that Canadians do nonetheless have the right to opt out of targeted advertising. 

We’ll explain how that works.

Background: PIPEDA & Consent

Virtually all processing of personal information that falls under PIPEDA requires the individual’s informed consent. At first glance, this would appear to create problems for businesses and consumers alike, as it would result in an avalanche of consent requests for every online interaction. 

However, the Canadian law makes it clear that, in many cases, implied consent is acceptable. If a business is transparent about its data privacy practices and makes that information easily available, consumers will be deemed to have impliedly consented to those practices by continuing to use the business’s services. This is also called “opt-out” consent.

Express (opt-in) consent is still required in some situations, such as when the personal information is sensitive or if the processing falls outside of the reasonable expectations of the individual. It is a fuzzy line, and figuring out when express or implied consent is required is one of the trickier aspects of PIPEDA compliance.

PIPEDA Opt-Out Rules

Luckily, the OPC has already grappled with the question of whether targeted advertising requires opt-in or opt-out consent. Noting that “advertising plays a key role in providing free content on the Internet,” the Privacy Commissioner determined that the opt-out consent is acceptable in the context of targeted advertising, provided that certain conditions are met.

These conditions are:

• Individuals are made aware of the purposes for the practice in a manner that is clear and understandable – the purposes must be made obvious and cannot be buried in a privacy policy. 
• Individuals are informed of these purposes at or before the time of collection and provided with information about the various parties involved.
• Individuals are able to easily opt-out of the practice.
• The opt-out takes effect immediately and is persistent;
• The information collected and used is limited, to the extent practicable, to non-sensitive information.
• Information collected and used is destroyed as soon as possible or effectively de-identified.

This approach is somewhere in between that of U.S. privacy laws and European laws. U.S. laws such as the CCPA require a privacy-policy disclosure of targeted advertising and an opt-out link at the bottom of the page. Europe’s ePrivacy Directive requires opt-in consent for all non-essential cookies (and presumably tracking pixels as well).

PIPEDA allows for opt-out consent, BUT the OPC is also saying that businesses can’t rely on disclosures buried deep in their privacy policies. This would seem to require something along the lines of a pop-up banner that makes website visitors aware of the business’s use of targeted advertising, along with information about how to opt out.

‍