According to Canada's PIPEDA and their Anti-Spam Law (CASL), personal data can only be processed when you have meaningful consent. This differs from other countries such as the UK that have other legal bases such as the performance of a contract or legitimate interest under the UK GDPR.
In Canada, there are two types of consent - express consent and implied consent.
- Express consent - where someone has taken an action to indicate their consent i.e. Ticked a box to opt-in
- Implied consent - this can only be used in certain conditions that are set out in the laws. One condition is when there is an Existing Business Relationship (EBR) - such as where the recipient has bought from the store in the last 2 years
For consent to be meaningful, the person must be fully informed about how their data will be processed, i.e. all the information that is included in a Privacy Policy. In Canada, it is also required that a store can prove they have meaningful consent, and where they are relying on implied consent prove that their situation meets the criteria for implied consent. Accurate records must be maintained over time where implied consent is being relied on in particular.
How do Dataships ensure compliance for Canadian stores?
The Dataships rules engine relies on implied consent by ensuring that users who interact with the widget on a store’s checkout have completed a purchase. This establishes an Existing Business Relationship under Canadian law, which allows the store to send marketing communications without needing express consent. The Dataships app also supports Canadian stores by automatically maintaining robust and detailed audit logs, helping them meet PIPEDA and CASL requirements to keep accurate records. These logs provide the necessary proof that implied consent is valid based on an Existing Business Relationship.