According to Canada's PIPEDA and their Anti-Spam Law (CASL), personal data can only be processed when you have meaningful consent. This differs from other countries such as the UK that have other legal bases such as the performance of a contract or legitimate interest under the UK GDPR.
In Canada, there are two types of consent - express consent and implied consent.
- Express consent - where someone has taken an action to indicate their consent i.e. Ticked a box to opt-in
- Implied consent - this can only be used in certain conditions that are set out in the laws. One condition is when there is an Existing Business Relationship (EBR) - such as where the recipient has bought from the store in the last 2 years
For consent to be meaningful, the person must be fully informed about how their data will be processed, i.e. all the information that is included in a Privacy Policy. In Canada, it is also required that a store can prove they have meaningful consent, and where they are relying on implied consent prove that their situation meets the criteria for implied consent. Accurate records must be maintained over time where implied consent is being relied on in particular.
How do Dataships ensure compliance for Canadian stores?
The Dataships rules engine relies on implied consent as any user who interacts with the checkout widget on the Thank You page will have made a purchase from the store and as such they have an Existing Business Relationship. The Dataships app is also extremely valuable to stores in Canada because of the requirement under PIPEDA and CASL to maintain accurate records over time, which is done automatically through the robust Dataships Audit Logs.