Consent and meaningful consent under PIPEDA
Last reviewed 2026-06-29 · Plain-language summary, not legal advice.
Consent is the engine of PIPEDA. It is the third of the ten fair information principles, and it conditions almost everything else: with narrow exceptions, an organization may only collect, use, or disclose personal information with the individual's knowledge and consent. The full text sits in Schedule 1 of the Personal Information Protection and Electronic Documents Act, and the Office of the Privacy Commissioner summarizes all ten principles.
Express vs implied consent
PIPEDA recognizes two forms of consent, and the right one depends on sensitivity. Express consent — an affirmative, opt-in action — is expected whenever information is sensitive (health, financial, biometric), whenever the purpose falls outside what a person would reasonably expect, or whenever there is a real risk of harm. Implied consent can be appropriate for non-sensitive information used in obvious ways: using a delivery address to deliver an order does not require a separate checkbox. The rule of thumb: the more sensitive the data or the more surprising the use, the more you should move toward clear, express, opt-in consent.
What "meaningful consent" requires
Consent is only valid under PIPEDA if it is meaningful — that is, if a reasonable person would understand what they are agreeing to. In practice that means making four things clear and prominent, not buried:
- What personal information you are collecting;
- Who you will share it with, including third parties and processors;
- Why — the specific purposes;
- The risk of harm and other meaningful consequences.
Consent requests should be in plain language, layered so the key points are obvious without reading a wall of text, and — critically — should give people a genuine choice for anything that is not integral to the product or service. Bundling an unrelated data-sharing permission into a take-it-or-leave-it agreement is the pattern the OPC's meaningful-consent expectations are designed to catch.
Form of consent and the reasonable-person standard
PIPEDA does not prescribe a single mechanism — consent can be written, verbal, or through a clear affirmative action — but the form must be appropriate to the sensitivity of the information. The governing question is always the same: would a reasonable person consider the consent valid given how the information is being used? Designing for that standard, rather than for the minimum legally defensible click, is what keeps consent durable.
Withdrawal of consent
Consent is not permanent. Individuals may withdraw it at any time, subject to legal or contractual restrictions and reasonable notice. When someone withdraws, you must stop the activities that relied on that consent and explain the consequences. The practical obligation most organizations overlook: the path to withdraw should be about as easy as the path that granted consent in the first place.
When consent is not required
PIPEDA contains a defined set of exceptions where collection, use, or disclosure may proceed without consent — for example, certain investigations and legal proceedings, specified business-transaction (due-diligence) contexts, some uses of publicly available information, and emergencies threatening life, health, or security. These exceptions are specific and bounded; they are not a general escape hatch. Treat them as narrow, document why one applies, and default back to consent whenever you are unsure. Provinces add their own wrinkles — Quebec's Law 25 imposes stricter consent and transparency rules than PIPEDA, especially for sensitive information and minors. For how consent questions show up in buyer due diligence, see our PIPEDA questionnaire guide.
Common questions.
What's the difference between express and implied consent under PIPEDA?
Express consent is given explicitly — a checkbox, a signature, a verbal yes — and PIPEDA expects it whenever the information is sensitive, the purpose is outside what a person would reasonably expect, or the risk of harm is meaningful. Implied consent can be reasonable for non-sensitive information used in ways an individual would obviously expect (for example, using a shipping address to ship an order). The more sensitive the data or surprising the use, the more the law expects express, opt-in consent.
Can we bury consent in our terms of service?
Not safely. PIPEDA's meaningful-consent standard asks whether a reasonable person would understand what they are agreeing to. Burying a broad data-sharing permission inside lengthy terms tends to fail that test, especially for sensitive information or secondary uses. The OPC's expectation is that the key elements — what you collect, who you share it with, why, and the risk of harm — are highlighted and understandable, with a genuine choice for anything not integral to the product.
How do we handle a withdrawal of consent?
Individuals can withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. When they do, you must stop the collection, use, or disclosure that depended on that consent, and you should explain the consequences (for example, that you can no longer provide a feature). Build a path to withdraw that is as easy to use as the path that granted consent.
Do minors give valid consent under PIPEDA?
PIPEDA does not set a fixed age of consent, but the OPC's position is that consent is only valid if the individual can reasonably understand the nature and consequences of what they are agreeing to. For information collected from children, that generally means obtaining consent from a parent or guardian, and treating children's information as sensitive. Quebec's Law 25 goes further with specific rules for minors under 14.