Many companies seem to be struggling with the issue of online consent, according to a 2012 study by the Office of the Privacy Commissioner of Canada (OPC). The review of popular Canadian websites showed significant shortcomings in how organizations communicate their online privacy practices to consumers. On May 8, 2014, the federal, British Columbia and Alberta Privacy Commissioners published new guidelines to help organizations understand the importance of being transparent about their online privacy practices, specifically regarding consent.
Chantal Bernier, Interim Privacy Commissioner of Canada, explains the need for these new guidelines:
“The online world is creating new challenges for privacy transparency and meaningful consent. This environment is so fast-paced and complex that traditional methods of informing people about privacy issues and seeking consent may fall short.”
“It is important for online organizations to take a thoughtful, creative approach to providing privacy information to Canadians.”
Under the Alberta and British Columbia Personal Information Protection Acts (PIPAs), as well as the Personal Information Protection and Electronic Documents Act (PIPEDA), organizations are required to obtain an individual’s consent for the collection, use and disclosure of her or his personal information. Meaningful consent for the collection and use of personal information is an essential component of Canadian private-sector privacy laws. However, it is hard to obtain meaningful consent as required under the law.
The new guidelines outline some of the key considerations for obtaining meaningful online consent. For example:
- Organizations should be fully transparent about their privacy practices. Privacy policies should be easily accessible, simple to read and accurate.
- Communicating privacy practices is not a one-size-fits-all proposition. In addition to privacy policies, other types of privacy disclosures, like just-in-time notifications, icons or layered notices, should provide privacy explanations at key points in the user experience.
- Organizations should recognize and adapt to special considerations in managing the personal information of children and youth. Organizations should implement innovative ways of presenting privacy information to children and youth that take into account their cognitive and emotional development and life experience.
When organizations clearly explain their information management practices, and make those explanations easily accessible, individuals are in a better position to make informed decisions about sharing their personal information. Understanding what organizations do with personal information is essential for users when deciding with whom to share personal information and under what circumstances. Informed individuals might also willingly share more relevant and accurate information and therefore improve the quality of organizations’ records and allow them to provide better service.
Regardless, it is the law.
It is clearly a challenge for organizations to engage customers with respect to privacy and obtain the meaningful consent necessary to collect, use and disclose personal information. But it seems organizations have made little effort to change the way they inform users of their privacy rights and seek consent. Despite privacy breaches never staying out of the headlines for long, many organizations may be waiting for a case that really hits home.
These guidelines may be a helpful warning to organizations that operate online and use customers’ personal information: users have the duty to provide meaningful consent, and organizations have the duty to obtain it. Organizations should engage users in their privacy for everyone’s sake—to avoid privacy breaches and prosecution and improve relations with customers.