How to seek consent from Canadian users to collect, use and disclose their personal information in the digital age is the subject of ongoing debate.
How to seek consent from Canadian users to collect, use and disclose their personal information in the digital age is the subject of ongoing debate.
It is also an area that could see the country’s privacy watchdog given more power to enforce legislation.
As technology evolves, so, too, do the ways consent can be obtained to make it easier for users.
Federal Privacy Commissioner Daniel Therrien said in his 2017 report to Parliament in September that those often-lengthy policies and the language commonly used by organizations make online consent waivers difficult to understand. He says they can be inadequate to meet the transparency and consent requirements under the Personal Information Protection and Electronic Documents Act.
He is working on developing new guidance on how companies should ask Canadians for meaningful consent and he recently received the support of a parliamentary committee that examined the issues. But there is a primary obstacle in the entire process that may continue to elude those seeking solutions.
“No matter how simple you make it, very few people read these things,” observes Kirsten Thompson, a partner in McCarthy Tétrault LLP’s national technology group and leader of the firm’s national cybersecurity, privacy and data management group based in Toronto.
“It’s not until something looks weird or creepy or your information looks like it’s being used in a weird way that you actually go back to look at these things.”
The privacy commissioner wants organizations to make it easier for people to understand what personal information is being collected, with whom it is being shared, why the information is being collected, used or shared and what the risk of harm might be. In his recent discussion paper to the Standing Senate Committee on Transport and Communications, Therrien suggests approaches such as layered privacy policies, using icons or graphical representation of how a user’s information might be used, pop-ups or drop-down menus and just-in-time notices at the time of purchase or use to better convey what the user is consenting to and why.
“Those general practices make good sense because, of course, organizations need to ensure that consumers are aware of what data about them is being collected, how it’s being used and ultimately be deemed to have given their implicit consent or, when appropriate, provide their express consent,” says Michael Fekete, a Toronto partner and co-chairman of Osler Hoskin & Harcourt LLP’s technology group.
But Thompson sees challenges in adopting consent strategies as pop-ups because of the difficulties facing businesses having to re-engineer their websites to accommodate them.
They may also not be terribly convenient for users who really only seem to be concerned when they feel their trust has been misused, such as when a merchant uses the purchaser’s information for marketing purposes, says Thompson. She sees the lived experience helps to determine what expectations are considered reasonable more so than privacy policy.
While international influences put pressure on Canada and its approach to privacy to accommodate international commerce, the Canadian approach through PIPEDA is principle-based while those in other countries, such as the United States, are much more prescriptive.
Wendy Mee, a partner with Blake Cassels & Graydon LLP in Toronto, says a message or a prompt that brings the issue of consent to the user’s attention at different times during their use of a website or application could be useful and practical for the user.
“All of that is about being clear and making sure people understand what’s going on, so they do feel comfortable engaging with the organization,” she says.
There is a recognition of the need to balance the information consumers should have while avoiding consent fatigue and disrupting the consent flow, she says. But she also hopes that the guidance is useful to companies and not an impediment to them.
In the consent-based regime, she says, there is incentive for a company or organization to provide detailed information about what they will use the information for and who they may need to disclose it to as a way of protecting themselves.
“This also is where the balance between providing more information and creating a longer consent form is weighed against providing shorter information but then maybe the consumer doesn’t even understand why you’re asking for the information,” she says. “I think it’s possible to come up with something that’s flexible but still provides some helpful tips to our clients.”
Having a layered approach to consent is one that appeals to Mee.
That allows users or consumers to consent upfront to providing key information that could be followed by another layer of consent as they proceed further into the company’s website or application.
She also feels that real-time notices are more effective — that’s when notices appear if the user seeks a functionality that requires an app to use a camera function, for instance. That notice could prove to be more meaningful given that it appears in context, perhaps providing a more meaningful illustration of why that access is necessary.
Mee says what works for one application when it comes to consent might not work for a newer app that operates in a different way.
“I think privacy is becoming more of an important issue; people are becoming more aware of it,” says Mee.
She says it’s “higher on the list of important things to think about,” especially with the European Union’s General Data Protection Regulation coming into force this year, and that “organizations are really turning their minds to it.”
There is indication that Canada’s privacy rules will continue to evolve.
In February, the privacy commissioner received support from the House of Commons Standing Committee on Access to Information, Privacy and Ethics.
In its report tabled in the House of Commons, Towards Privacy by Design: Review of the Personal Information Protection and Electronic Documents Act, the committee concluded that there is a demonstrated need to grant the office of the privacy commissioner additional enforcement powers.
“[T]he Committee believes there is a demonstrated need to grant the Privacy Commissioner enforcement powers related to PIPEDA,” said the report, including a recommendation that PIPEDA “be amended to give the Privacy Commissioner enforcement powers, including the power to make orders and impose fines for non-compliance.”
As world competition for business increases, Fekete sees a need for the continuing discussion of Canada’s privacy laws.
“I think we need an ongoing debate and we need to ensure laws in Canada provide flexibility that we see in other jurisdictions, so, from an economic standpoint, we aren’t seeing our leading technology or AI companies relocate to other jurisdictions where there’s a more permissive approach to using data to advance their commercial interests,” he says. “It’s always a balance and balance is key.”