Best Practices for Consent and Information Purposes
The Annual Report of the Office of the Privacy Commissioner of Canada (OPCC) was published in September with a report on consent that was based on consultations conducted with business, industry associations and consumer groups through 2017. The consultations focused on whether the consent model under PIPEDA needs to be adjusted and clarified, particularly due to advancements in technology and on-line strategies. As a result of the consultations, the OPCC committed to developing consent-related guidance documents. Draft guidelines are available for review and comment with the deadline for feedback being December 4, 2017.
Guidelines on Obtaining meaningful online consent
The guidelines go on to discuss layered privacy notices, just-in-time notices, interactive tools and other creative solutions (as well as pilot testing/consulting users) to make privacy practices more accessible and better known to consumers. I strongly support these initiatives – they are time intensive for organizations but a direction that is important to pursue. The OPCC also highlights that organizations should be ready to demonstrate effectiveness of their consent practices – it is certainly important that organizations remain accountable for transparency and obtaining meaningful, informed consent.
Lastly, the OPCC urges organizations to make consent a dynamic and ongoing process – “Organizations should also consider periodically reminding individuals about their privacy options and inviting them to review these.” My concern here is overwhelming consumers with such notices. Depending upon how straightforward and expected an organization’s information handling practices are, this may not be necessary or practical and should really be addressed, from the consumer’s perspective, on a case-by-case basis.
Guidelines on Inappropriate Data Practices
These guidelines on information purposes essentially provides guiding principles for interpreting and applying section 5(3) of PIPEDA which states: “An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances”. The OPCC summarizes the following ‘no-go zones’ – i.e. inappropriate purposes regardless of whether or not consent is received:
- Collection, use or disclosure that is otherwise unlawful.
- Profiling or categorization that leads to unfair, unethical or discriminatory treatment.
- Collection, use or disclosure for purposes that are known or likely to cause significant harm to the individual.
- Publishing personal information with the intended purpose of charging individuals for its removal.
- Requiring passwords to social media accounts for the purpose of employee screening.
- Surveillance through audio or video functionality of the individual’s own device.
The OPCC acknowledges that the test for appropriateness is contextual and must remain a flexible concept, however the ‘no-go-zones’ certainly provide great examples of the OPCC’s expectations, and are definitely important for organizations to review. I think the list contains no surprises and provides important reminders that relate back to cases that the Commissioner or the Courts have delved into when exploring the reasonableness of information practices. A running list of ‘no-go zones’ that is revisited often and updated as necessary is a step in the right direction as big data analytics continue to stretch the boundaries of acceptable use of personal information.
For assistance with your privacy practices, policies and notices, contact PRIVATECH.