The Office of the Privacy Commissioner of Canada (OPCC) recently released their Annual Report, covering work conducted under the public sector Privacy Act, and the private section legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA). The Annual Report contains a detailed summary of the OPCC’s study on the role of consent under PIPEDA, and highlights that submissions received and focus groups held confirmed “consent may be a poor fit in certain circumstances, for example, where consumers do not have a relationship with the organization using their data; and where uses of personal information are not known at the time of collection, or too complex to explain to individuals.” Essentially, many Canadians are frustrated by a perceived lack of control over how their personal information is collected and used by companies, and feel that they have no choice but to consent to practices they don’t know much about.
As a result of the specific comments received by the OPCC during this study on consent models, the Office has a number of action plans, including providing guidance on 30 different topics ranging from privacy enhancing technologies, smart homes and connected cars, blockchains, social engineering and the sharing economy.
The OPCC encourages organizations to be guided by the following principles in general:
- Information provided about the collection, use and disclosure of individuals’ personal information must still be readily available in complete form, however, to avoid information overload and facilitate understanding by individuals, the following elements deserve greater emphasis and must be explained in a user-friendly way in order to obtain meaningful consent;
- What personal information is being collected?
- Who is it being shared with?
- For what purpose is information being collected, used or shared (including an explanation of purposes that are not integral to the service)?
- What is the risk of harm to the individual, if any?
The first three elements have arguably always been necessary. But D is new and will require some extra language in privacy statements.
- Information must be provided to individuals in easily-accessible layers, so individuals can control how much detail they wish to obtain and when.
- Individuals must be provided with easy “yes” or ‘no’ options when it comes to collections, uses or disclosures that are not integral to the product or service they are interested in.
- Organizations should adopt innovative consent processes that can be implemented just in time, are specific to the context and appropriate to the type of interface used.
- Consent processes must take into account the consumer’s perspective to ensure that the information provided is generally understandable from the point of view of the organization’s target audience. When asked, the steps taken to test the user-friendliness of such consent processes, should be demonstrable.
- Informed consent is an on-going process that changes as circumstances change – organizations should not rely on a static moment in time but rather treat consent as dynamic and interactive.
Time will tell if Parliament responds to the calls for greater order-making powers for the OPCC in the Annual Report. The OPCC also heard calls to develop templates for privacy policies specific to different sectors, but felt that this is not the role of the regulator. If you are looking for privacy templates that provide an example of best practice in Canada and form a good starting point for your own customized privacy policies and procedures, check out PRIVATECH’s Privacy Documentation Suite.1