Strategy
The facts on privacy
By Randall Litchfield
Ottawa's Personal Information Protection and Electronic Documents Act (PIPEDA) becomes enforceable in the New Year, marking a new era for corporate marketers. It’s not that this is the first of its kind; previous privacy and freedom of information initiatives have bound the federal government, the health care sector and financial services for many years. PIPEDA is the first broad-scale application to the private sector and should signal to marketers everywhere that protecting privacy is now serious business.
A recent seminar conducted by the law firm Gowlings provided some practical guidance for business. The new legislation revolves around three issues: the collection, use and disclosure of personal information. Legality will hinge on the notion of informed consent: personal information must be used and disclosed only for the purposes for which consent was given. Here are some of the main issues:
What is considered personal information? Thankfully, it isn't business contact information, but it does cover information contained in cookies. The Act also creates degrees of personal information.
Opt-out or opt-in consent? Whether to use opt-out (negative option) or opt-in (explicit permission) when collecting personal information depends on whether the information is sensitive or non-sensitive. Simple data such as name, address and – yes – email address are considered non-sensitive. This means that you can legally collect them on the basis of opt-out consent. Anything more specific is deemed sensitive, such as age, financial, medical and lifestyle information. For these, consent is strictly opt-in. Anyone using contests to generate sales leads, for example, should pay special attention to this.
What about sharing lists with third-party service providers? Many companies use third parties such as mail houses to fulfill marketing obligations, and must provide them with customer information to do so. The key question is whether PIPEDA considers this a disclosure of personal information. The simple answer is that it does not, so long as the information collected is restricted to the same rules of use. You can legally pass on your obligation regarding this use of information via your contract with the service provider without having to get additional consent. (If you don’t already have a Non-Disclosure Agreement with the supplier, it's time to get one.) One thing to be careful of is the line drawn between service providers and outsourcers, which is blurry. Outsourcers typically take on entire corporate functions, not just fulfillment. As such, they collect and control the customer information even though it is in your name. PIPEDA views this as a disclosure and requires that you get consent.
What about provincial privacy legislation? Provinces such as BC and Alberta are working on this but, to date, only Quebec has its own privacy legislation. The intent of PIPEDA is to provide minimum national standards, with provincial legislation taking precedence.
Does PIPEDA grandfather consent? No, but there has been no ruling from the Privacy Commissioner. Gowlings’ opinion at this point is that you can likely continue to use the information for what it was intended. Any new use or disclosure requires consent.
Does PIPEDA require my firm to post a Privacy Policy? Yes, yes and yes.