Federal, British Columbia and Alberta Privacy Commissioners Issue New Guidelines for Online Consent

Many companies seem to be struggling with the issue of online consent, according to a 2012 study by the Office of the Privacy Commissioner of Canada (OPC). The review of popular Canadian websites showed significant shortcomings in how organizations communicate their online privacy practices to consumers. On May 8, 2014, the federal, British Columbia and Alberta Privacy Commissioners published new guidelines to help organizations understand the importance of being transparent about their online privacy practices, specifically regarding consent.

Chantal Bernier, Interim Privacy Commissioner of Canada, explains the need for these new guidelines:

“The online world is creating new challenges for privacy transparency and meaningful consent. This environment is so fast-paced and complex that traditional methods of informing people about privacy issues and seeking consent may fall short.”

“It is important for online organizations to take a thoughtful, creative approach to providing privacy information to Canadians.”

Under the Alberta and British Columbia Personal Information Protection Acts (PIPAs), as well as the Personal Information Protection and Electronic Documents Act (PIPEDA), organizations are required to obtain an individual’s consent for the collection, use and disclosure of her or his personal information. Meaningful consent for the collection and use of personal information is an essential component of Canadian private-sector privacy laws. However, it is hard to obtain meaningful consent as required under the law.

Although we are constantly asked to “agree” to online terms of service, our consent may be meaningless if we fail to read and understand an organization’s privacy policy. Oftentimes the consent is meaningless because we check a box without knowing what it means, or just to get rid of the message. This poses problems for individuals who aren’t aware of their rights and obligations, and for organizations that rely on this meaningless consent as a legal protection.

The new guidelines outline some of the key considerations for obtaining meaningful online consent. For example:

  • Organizations should be fully transparent about their privacy practices. Privacy policies should be easily accessible, simple to read and accurate.
  • Communicating privacy practices is not a one-size-fits-all proposition. In addition to privacy policies, other types of privacy disclosures, like just-in-time notifications, icons or layered notices, should provide privacy explanations at key points in the user experience.
  • Organizations should recognize and adapt to special considerations in managing the personal information of children and youth. Organizations should implement innovative ways of presenting privacy information to children and youth that take into account their cognitive and emotional development and life experience.

When organizations clearly explain their information management practices, and make those explanations easily accessible, individuals are in a better position to make informed decisions about sharing their personal information. Understanding what organizations do with personal information is essential for users when deciding with whom to share personal information and under what circumstances. Informed individuals might also willingly share more relevant and accurate information and therefore improve the quality of organizations’ records and allow them to provide better service.

Regardless, it is the law.

It is clearly a challenge for organizations to engage customers with respect to privacy and obtain meaningful consent necessary to collect, use and disclose personal information. But it seems organizations have made little effort to change the way they inform users of their privacy rights and seek consent. Despite privacy breaches never staying out of the headlines for long, many organizations may be waiting for a case that really hits home.

These guidelines may be a helpful warning to organizations that operate online and use customers’ personal information: users have the duty to provide meaningful consent, and organizations have the duty to obtain it. Organizations should engage users in their privacy for everyone’s sake—to avoid privacy breaches and prosecution and improve relations with customers.

Comments

  1. David Collier-Brown

    It’s easier if your company is mostly on-line, and has a continuing relationship with your customers.

    Virgin Gaming, as a good example, has a built-in check in the login screen that sees if the person has agreed to the most recent terms and conditions. If not, they get sent to a screen that a lawyer would find oddly familiar: it’s the latest amendment, with links to the full text, complete with change-marks. Looks a bit like CanLII (;-))

    Conversely, if most of your customers operate off-line, getting consent for on-line material verges on a waste of effort.

    For all other customers, and especially with millennials, I’d call them on the telephone. Email may well be something they rarely use.