Best Practices for Consent and Information Purposes

The Annual Report of the Office of the Privacy Commissioner of Canada (OPCC) was published in September with a report on consent that was based on consultations conducted with business, industry associations and consumer groups through 2017. The consultations focused on whether the consent model under PIPEDA needs to be adjusted and clarified, particularly due to advancements in technology and on-line strategies. As a result of the consultations, the OPCC committed to developing consent-related guidance documents. Draft guidelines are available for review and comment with the deadline for feedback being December 4, 2017.

Guidelines on Obtaining meaningful online consent

These consent guidelines outline seven guiding principles for online consent. As stated in the introduction: “The reality is that information overload buried in a privacy policy or terms of use serves no practical purpose to individuals in a hurry.” Thus, the guidelines stress the importance of highlighting key elements of an organization’s information handling practices, such as, what personal information is being collected; who it is being shared with; the purposes of collection, use or disclosure; and the risk of harm. It certainly makes sense to address the concern regarding important information being buried in a privacy policy or terms of use, however, this last information item recommended by the OPCC raises concern in my view. It seems highly unfair to businesses to suggest that “individuals should be made clearly aware of any known or foreseeable risk of harms arising from the collection, use or disclosure of personal information”. When we consider cybersecurity threats and malware that could be introduced on a network, risk of harm is always foreseeable, irrespective of how low that risk may be.

The guidelines go on to discuss layered privacy notices, just-in-time notices, interactive tools and other creative solutions (as well as pilot testing/consulting users) to make privacy practices more accessible and better known to consumers. I strongly support these initiatives – they are time intensive for organizations but a direction that is important to pursue. The OPCC also highlights that organizations should be ready to demonstrate effectiveness of their consent practices – it is certainly important that organizations remain accountable for transparency and obtaining meaningful, informed consent.

Lastly, the OPCC urges organizations to make consent a dynamic and ongoing process – “Organizations should also consider periodically reminding individuals about their privacy options and inviting them to review these.” My concern here is overwhelming consumers with such notices. Depending upon how straightforward and expected an organization’s information handling practices are, this may not be necessary or practical and should really be addressed, from the consumer’s perspective, on a case-by-case basis.

Guidelines on Inappropriate Data Practices

These guidelines on information purposes essentially provides guiding principles for interpreting and applying section 5(3) of PIPEDA which states: “An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances”. The OPCC summarizes the following ‘no-go zones’ – i.e. inappropriate purposes regardless of whether or not consent is received:

• Collection, use or disclosure that is otherwise unlawful.
• Profiling or categorization that leads to unfair, unethical or discriminatory treatment.
• Collection, use or disclosure for purposes that are known or likely to cause significant harm to the individual.
• Publishing personal information with the intended purpose of charging individuals for its removal.
• Requiring passwords to social media accounts for the purpose of employee screening.
• Surveillance through audio or video functionality of the individual’s own device.

The OPCC acknowledges that the test for appropriateness is contextual and must remain a flexible concept, however the ‘no-go-zones’ certainly provide great examples of the OPCC’s expectations, and are definitely important for organizations to review. I think the list contains no surprises and provides important reminders that relate back to cases that the Commissioner or the Courts have delved into when exploring the reasonableness of information practices. A running list of ‘no-go zones’ that is revisited often and updated as necessary is a step in the right direction as big data analytics continue to stretch the boundaries of acceptable use of personal information.

For assistance with your privacy practices, policies and notices, contact PRIVATECH.