Public opinion survey

Qualitative Public Opinion Research with Canadians on Consent

Final Report

Prepared for the Office of the Privacy Commissioner of Canada by Phoenix Strategic Perspectives Inc.

March 2017

Executive Summary

Phoenix SPI conducted qualitative research on behalf of the Office of the Privacy Commissioner of Canada (OPC) to explore issues related to privacy and the protection of personal information. This work was undertaken to support the OPC’s work to examine the issue of consent under the Personal Information Protection and Electronic Documents Act (PIPEDA). A set of eight focus groups was conducted between February 6-9 2017, with two groups conducted in each of the following locations: Toronto, Montreal (French), Halifax, and Winnipeg. One group in each city was conducted with Canadians under 30 and the other was conducted with Canadians 30 years of age and older.

This research was qualitative in nature, not quantitative. As such, the results provide an indication of participants’ views about the issues explored, but they cannot be generalized to the full population of members of the general public.

General Perceptions

Participants think about privacy and the protection of their personal information at least to some extent. When it comes to acceptable uses of their personal information by companies, selling or passing this information to a third-party crossed the line for participants.

Virtually all participants think about privacy and the protection of their personal information at least to some extent. In every group, participants were most likely to identify identity theft and fraud/financial loss as things that concern them most. In addition to these specific concerns, many expressed a general concern with information about them being ‘out there’, ‘accessible’, and ‘beyond their control’. Participants in every group pointed out that they are often contacted by parties with whom they have not dealt and many consider this evidence that information about them is being collected and shared with others without their consent.

Participants’ degree of trust that companies will protect their personal information depends primarily on the perceived credibility of the company. Factors enhancing credibility include the size of the company (larger size being seen as a sign of success and therefore credibility), length of time the company has been in business, familiarity with the company, perceived safeguards in place, perceived reputability of the company, location (i.e. Canadian vs. foreign company), and source of contact (i.e. did the company contact them or did the individual contact the company).

The two most frequently identified things that a company will do with the personal information it collects are selling it to a third-party and using it to market products or services to current or potential customers. Other routinely identified uses included market research, demographic analyses, product targeting, and providing benefits to clients (e.g. rebates, discounts, points).

When asked what crosses the line in terms of what a company does with their personal information, participants routinely pointed to companies selling or passing this information to a third-party without their consent. Other things routinely considered unacceptable included being asked to provide a SIN, and being asked to provide financial or banking information without it being evident why such information was necessary.

Most participants recognize both potential advantages and disadvantages to providing their personal information to a company. Key benefits include the following:

Discounts/coupons/benefits/fidelity points;
Information about sales;
Product tailoring/recommendations/personalized ads;
Updates;
Newsletters/information.

Key disadvantages include the main concerns identified earlier (i.e. identity theft, fraud) but also spam.

Privacy Policies

Most participants have no idea what it means when a company has a privacy policy and they do not tend to read privacy policies because they are long and difficult to understand.

Most participants have no clear or definite idea in their minds about what it means when a company has a privacy policy. For the most part, participants suggested that what it means depends on the specific terms and conditions identified in it, with some adding that a company’s privacy policy is basically its way of protecting itself, not the client/customer. Most participants indicated that they do not tend to read privacy policies, the main reason being that they are long, complicated, and written in language they do not understand.

Control of Personal Information

Most participants think they have little or no control over how their personal information is collected and used by companies. Everyone wants a combination of personal control and laws to protect their personal information.

Most participants think they have little or no control over how their personal information is collected and used by companies. For many, accepting the terms and conditions is the condition for doing business with these companies. In other words, it tends to be an all or nothing scenario. Lack of clarity and transparency about how their information will be used was routinely identified as another reason for perceived lack of control.

Everyone wants a combination of personal control and laws to protect their personal information. They want to control how their personal information is used by companies (i.e. have a clear say in what companies may do with their information) and they want laws in place to protect them. No one advocated for no government role at all in protecting their personal information.

Consent

Participants view consent as understanding and acceptance of the terms and conditions related to the collection and use of their personal information. Furthermore, they expect to be asked for their consent when they do business with a company.

There was widespread agreement among participants that consent implies understanding and acceptance of terms and conditions related to the collection and use of their personal information. Many added that giving consent is not a one-time thing. In other words, giving consent for them implies that this can be revisited periodically and that it is not given for all time.

There was also a consensus among participants that they expect to be asked for consent to use their personal information when they do business with a company. The main reason given by participants to explain why was that without their consent companies could do whatever they want with personal information.

Possible Solutions

Government was routinely identified as the main organization that does, and should, police businesses to ensure they do not overstep when collecting and using personal information. When it came to the role of government in protecting personal information, there was widespread agreement that it should be both proactive and reactive.

The most frequently identified measures companies could take to increase trust that personal information is being protected was to provide clear and transparent terms and conditions and to list them so that customers can check them off if and as they accept them (i.e. an opt-out option).

When considering whether or not to share their information with companies, participants in every group routinely identified the following as key pieces of information they would like companies to highlight with it:

What personal information is collected.
How it will be used by the company and who is it is sharing the information with.
How long the company will keep personal information.
How the company protects/safeguards personal information.

Participants routinely identified the government when asked what organization polices businesses to ensure they do not overstep when collecting and using personal information. They also identified the government as the organization that should police businesses. When it came to the role of government in protecting personal information, there was widespread agreement that the role should be both proactive and reactive. There was also a virtual consensus that government should have the following powers to enforce Canada’s privacy laws, to ensure businesses are complying:

The power to impose financial penalties.
Order-making powers to force companies to follow recommendations.
Proactive auditing (i.e. conducting audits or spot checks of companies’ privacy practices).

There was a widespread desire for information government could provide by way of outreach/public education on privacy-related matters. Information considered most helpful included the following:

What to look for/be attentive to in privacy policies.
What information not to give/share.
Meaning of various terms/conditions or a glossary of key terms/expressions.
Updates/changes in the law.
What government does in relation to the protection of personal information.
Individual rights and obligations.
An information hotline.
Training and orientation on privacy issues for individuals.
Lists of companies that have violated privacy laws.

Introduction

Phoenix Strategic Perspectives (Phoenix SPI) was commissioned by the Office of the Privacy commissioner of Canada (OPC) to conduct focus group research with Canadians to explore their views on consent with respect to businesses’ use of personal information and related privacy issues.

Background and Objectives

The Privacy Commissioner of Canada is an advocate for the privacy rights of Canadians, with the powers to investigate complaints and conduct audits under two federal laws; publish information about personal information-handling practices in the public and private sectors; and conduct research into privacy issues.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada. Among other things, the Commissioner is responsible for enforcing the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to commercial activities in the Atlantic provinces, Ontario, Manitoba, Saskatchewan and the Territories. Quebec, Alberta and British Columbia each has its own law covering the private sector. In these provinces, PIPEDA continues to apply to the federally-regulated private sector and to personal information in interprovincial and international transactions.

In May 2016, the OPC launched a consultation and call for input on the issue of consent under PIPEDA. The goal of the consultation was to identify improvements to the current consent model and bring clearer definition to the roles and responsibilities of the various players who could implement them. The OPC plans to apply those improvements within its jurisdiction and recommend other changes to Parliament as appropriate. The consent model examination is part of the OPC’s work on the Economics of Personal Information, which was identified as one of its four strategic privacy priorities.

The purpose of this research was to better understand Canadians’ opinions, attitudes and concerns with respect to consent, to explore their concerns, actions and thinking, and gauge their response to possible solutions. The OPC will use the research to inform and guide the final report and recommendations related to its consultation efforts on the issue of consent under PIPEDA.

Methodology

To meet the research objectives, Phoenix SPI conducted a series of eight focus groups with members of the general public between February 7th and 9th, 2017. Two sessions were conducted in each of four locations: Halifax, Montreal (French), Toronto, and Winnipeg. In each location, there was one group with participants under 30 years of age and one with participants 30 years of age and older. Within each group, there was a mix of participants by age (within the defined parameters), gender, education, and employment status. The groups lasted two hours and turnout was very good, with eight participants taking part in each group. Participants received an honorarium of $100 in appreciation of their time.

The eight sessions were distributed as follows:

Sessions
Date and time	Location	Group Composition
February 7^th, 5:30 p.m. Eastern	Toronto, Ontario	Under 30
February 7^th, 7:30 p.m. Eastern	Toronto, Ontario	30 and older
February 8^th, 5:30 p.m. Atlantic	Halifax, Nova Scotia	Under 30
February 8^th, 7:30 p.m. Atlantic	Halifax, Nova Scotia	30 and older
February 8^th, 5:30 p.m. Central	Winnipeg, Manitoba	Under 30
February 8^th, 7:30 p.m. Central	Winnipeg, Manitoba	30 and older
February 9^th, 5:30 p.m. Eastern	Montreal, Quebec	Under 30
February 9^th, 7:30 p.m. Eastern	Montreal, Quebec	30 and older

The investigators for this study were Alethea Woods and Philippe Azzie. Alethea moderated the groups in Winnipeg. Philippe moderated the groups in Toronto, Montreal, and Halifax. Both moderators contributed to the final report.

The research instruments are appended to this report.

Detailed Findings

1. General Perceptions

This section reports on participants’ general impressions regarding privacy and the protection of their personal information. This includes their concerns regarding privacy, the extent to which they trust companies to handle/protect their personal information, their perceptions of how companies make use of the personal information they collect, their impressions of what is acceptable and unacceptable in terms of the collection and use of personal information, and the perceived advantages and drawbacks of providing personal information to a company.

Participants concerned about privacy of their personal information

Virtually all participants think about privacy and the protection of their personal information at least to some extent. While not a constant preoccupation, it is something that concerns them. Participants collectively identified a variety of concerns, but two concerns in particular dominated and were often linked together. In every group, participants were most likely to identify identity theft and potential fraud/financial loss as things that concern them most when it comes to their privacy. Indeed, some participants have experienced identity theft or know people who have experienced it.

The following concerns or preoccupations were also regularly raised in all groups:

Hacking: A number of participants identified computer hacking and theft of personal information as a concern, with some linking this concern directly to fear about identity theft and/or potential fraud/financial loss. Some participants were all the more concerned about this because they believe that no organization, no matter how sophisticated in terms of security measures, seems to be immune from the possibility of a breach. As an example, some participants pointed to the hacking of Yahoo accounts in 2016.
Volume of personal information in circulation: Many participants expressed a concern about the sheer amount of personal information ‘out there’, and ‘available/accessible’. By way of justifying this concern, participants in every group pointed out that they are often contacted by parties with whom they have no prior interaction (e.g. ads, pop-ups, emails). Many described these contacts as an annoyance, but they were also seen as evidence that their activities online are being tracked and that this information is being collected and shared with others.
Impression that use of their personal information is beyond their control: Related to the previous concern about the volume of information about them in circulation and being shared, was a widespread sense among participants that they have little or no control over the way in which their personal information is being used. In the words of one participant, "it’s a black hole when it comes to personal information".
Lack of understanding of terms and conditions outlined in privacy policies: Related to the latter concern, participants routinely observed that the terms and conditions associated with the collection and use of their personal information are long, complicated, and lacking in clarity or transparency.

One concern identified less frequently, but still raised by a few participants in most groups, was discomfort or apprehensions regarding surveillance. This included discomfort with certain forms of geo-locating software (i.e. tracking of location/movements), as well as apprehensions about web cameras (with a few participants adding that they have covered up their laptop cameras).

Some participants noted that their concerns regarding privacy relate to specific types of personal information. This includes financial/banking information, credit card numbers, and Social Insurance Numbers. These participants observed that they are very careful when it comes to sharing such information.

Requests for personal information are a commonplace experience

Virtually all participants have had the experience over the last year or so of being asked to provide personal information to a company. Participants had no difficulty providing examples of being in such situations, either at point of purchase or online. Point of purchase examples typically involved a sales clerk at a retail outlet asking for a postal code, telephone number, or an email address. In the case of an email address, the purpose offered by companies for collecting such information was to be able to send customers bonus coupons.

Online/digital examples most often involved being asked for a credit card in such situations as booking a hotel, online shopping, and booking a trip. Other situations included the following:

Request for a passport number when booking a trip
Request for one’s name, email address, and credit card number when registering for phone service
Request for one’s name and email address when applying for a job online
Request for a scanned version of a driver’s license when booking travel accommodations.

Trust regarding protection of information depends mainly on perceived credibility

Participants tended to have difficulty pronouncing themselves generally on the extent to which they trust companies to protect their personal information. The level or degree of trust rested primarily on the perceived credibility of the company in question, and this in turn depended on a variety of factors. Factors contributing to the credibility of a company included the following:

The size of the company (larger size being interpreted as a sign of success and therefore credibility).
Length of time the company has been in business (e.g. well established vs. start-up). Like size, the length of time a company has been in business was interpreted by some as a sign of success and therefore credibility.
Familiarity with/trust in the company (e.g. is there an established/long standing relationship/do I deal with them regularly).
Perceived safeguards in place (e.g. does the company use secure methods of online payment).
Perceived reputability of the company (e.g. Amazon, Financial/banking Institutions).
Location (i.e. Canadian company vs. foreign/offshore company).
Initial point of contact (i.e. did the company contact them or did the individual contact the company). A few participants observed that they have less trust if and when they are contacted ‘out of the blue’ by a company than if they themselves have initiated contact.
Reviews of companies by others.
Knowledge of a company’s record when it comes to protecting personal information (e.g. have there ever been breaches, if so how was this handled).

It should be noted that some of these factors were seen to overlap with one another or to be mutually reinforcing (e.g. size, length of time in business, perceived reputability).

Some participants said that, generally-speaking, they have their doubts about the extent to which they trust companies to protect their personal information. This is not because they do not trust the company, but because hacking has become so sophisticated that no company seems to be immune from it.

In responding to this question of trust, some participants suggested that, regardless of the level or degree of trust one has in a company’s ability to protect information, providing them the information they request is sometimes the condition to doing business with them in the first place.

Finally, as part of the discussion surrounding this question a number of participants volunteered that they do not trust companies not to share their personal information with other companies.

Marketing and sharing with third parties — main perceived uses of personal information

Participants, most frequently identified two things that a company will do with the personal information it collects: one is sharing it with a third-party^{Footnote 1} and the other is using it to market products or services to current or potential customers. The latter included both general and targeted/customized ads. Other routinely identified uses tended to be related to marketing purposes, including market research, demographic analyses, and trend analyses, as well as providing benefits to customers (e.g. rebates, discounts, points programs).

No one specifically identified using such information to improve the customer service experience or making decisions about customers for things like insurance claims or health coverage.

Consent and relevance — key criteria regarding collection and use of personal information

Asked what crosses the line or makes them uncomfortable in terms of what a company does with their personal information, participants routinely pointed to selling this information or sharing it with a third-party without their consent. Many added that they do not like to be bombarded by ads or emails from companies they have not dealt with, but that this is an acceptable annoyance as long as they have consented to having their information passed on to third parties. What makes this unacceptable is the perception that this is done without their consent.

It is worth noting at this point that the question of consent became a recurring theme in discussions and emerged as the key criterion used by participants for assessing the acceptability or unacceptability of various uses of personal information by companies. This was confirmed later in the session when participants were provided with four scenarios, each one involving use of their personal information in various ways. In each scenario, participants described as unacceptable the perceived transfer or use of their personal information without their consent.

In addition to it being unacceptable to share their information without their consent, participants tend to think it unacceptable to request certain types of information unless its relevance to the interaction/transaction in question is clear. For example, it was routinely considered unacceptable to be asked to provide a SIN, financial or banking information, and even a phone number or one’s ethnicity without it being evident why such information is necessary or being collected. Some participants also felt that unless they had given explicit consent, it was not acceptable to send them product promos or ads. Finally, a few felt that the use of geo-locating software to track their movements was unacceptable.

Regarding what is acceptable, there was widespread agreement that it is legitimate for companies to use personal information for the following purposes:

To facilitate transactions (e.g. credit card number for a sales transaction, phone number to contact customers regarding delivery or servicing).
To tailor or customize advertising in line with information they have collected about clients regarding potential product preferences.
To conduct market research.
To track visits to a company’s website.

For some participants, the line between what is acceptable and unacceptable depends on the level of trust they have in a company. In other words, the more they trust a company the more likely they will be to provide information. In describing what contributes to building trust, participants tended to reiterate things they had identified earlier as enhancing the credibility of a company.

Benefits and drawbacks of providing personal information

Participants tend to recognize both potential advantages and disadvantages to providing their personal information to a company. Routinely identified benefits included the following:

Benefits (e.g. discounts, coupons, fidelity/reward points, better rates)
Information about sales
Product tailoring/recommendations/personalized ads
Facilitating transactions by having client information
Updates (e.g. new store location)
Newsletters/information (e.g. job postings/opportunities, health-related information)
Credit card monitoring (i.e. being contacted by credit card company if anomalous purchase behaviour is detected)

The most frequently identified disadvantages included the possibility of identity theft or fraud through hacking and the receipt of spam/junk mail. Drawbacks identified by smaller numbers of participants included lack of knowledge/understanding about what is being done with this information, the need to provide such information in order to get benefits/advantages (i.e. feeling compelled to take the enticement as a trade-off for providing personal information), and the feeling of lack of control/lack of choice (i.e. the impression that providing personal information is the condition for doing business with a company).

2. Privacy Policies

This section reports on participants’ impressions and behaviour regarding companies’ privacy policies.

Widespread impression that meaning of privacy policies depends on terms/conditions

Most participants have no clear or definite idea in their minds about what it means when a company has a privacy policy. For the most part, participants suggested that what it means when a company has a privacy policy depends on the specific terms and conditions identified in the policy, with some adding that a company’s privacy policy is basically its way of protecting itself, not the client/customer.

Other implications of a company having a privacy policy included the following, each identified by relatively small numbers of participants:

It means that a company will ensure the confidentiality of one’s personal information.
It means that a company won’t share one’s information with another party.
It means the company will do what it says it will do in the policy (i.e. respect its terms).
It means the company is collecting information and exercising due diligence in trying to protect it.
It means that if a company violates the terms or the policy or if fraud takes place, there will be consequences (e.g. compensation).
It means that customers should feel comfortable providing their personal information.
It means that a company will let customers know if they use cookies.

Most participants do not read privacy policies due to their length and complexity

Most participants indicated that they do not tend to read privacy policies. Routinely given reasons for not reading these policies were that they are long, complicated, and written in terms that ordinary people like themselves do not understand. In the words of some participants ‘one has to be a lawyer to understand companies’ privacy policies’. Some pointed to the fact that they only deal with reputable companies or companies they trust or with which they are familiar to explain why they do not read privacy policies.

Some specified that they will scan the terms and conditions, but very few indicated that they read them in full. Specific conditions or circumstances in which some participants said they will read or have read a privacy policy in full or in part included the following:

If the terms and conditions are brief.
If they are dealing with a new company for the first time.
If they are informed that the terms and conditions in the policy of a company they deal with have changed, or if they deal with a company whose terms and conditions change regularly.
If their dealings/transactions include a financial dimension (e.g. investments, banking, insurance).
In order to learn about a company’s location services.
If they encounter a privacy/personal information problem/issue with the company.
If they hear/learn that there is something unusual or out of the ordinary about a company’s privacy policy.

Example of privacy policy tends to confirm assumptions about vagueness/lack of clarity of such documents

As part of the discussion of companies’ privacy policies, participants were given a handout containing an example of a privacy policy for a fictitious company (Annex 3). They were asked to take a few minutes to review the policy and circle anything that they wished to comment on.

Asked for their general impression of what they had read, participants routinely observed that it seems similar to other privacy policies they have scanned or read. In particular, the document confirmed many participants’ impressions that companies’ privacy policies tend to be complicated and to lack transparency (i.e. they tend to be vague and unclear). That being said, some observed that the language in the hand-out was perhaps a little clearer than others they had looked at. To some participants, the main consequence of this lack of transparency is that it is not at all clear what, if any, are the limits to what the company can do with the information it collects.

Asked specifically what stood out to them, participants in every group tended to focus on terms, passages, or references that struck them as vague and unclear. Routinely asked questions included the following:

What is meant by using personal information to manage ‘personnel and employment matters’?
Who are ‘third parties’ from whom the company collects personal information?
Why and to what end is personal information collected through ‘video surveillance’?
What is meant/implied by the fact that ‘personal information may be stored and processed in the United States…’?.

A number of participants also noted concerns about the statement: ‘We cannot promise that your use of our websites or mobile applications will be completely safe. We encourage you to use caution when using the Internet’. To some this seemed to be a way of shifting responsibility for the safety of personal information to clients by basically saying ‘we cannot guarantee the security of the information we collect’. As well, some participants noted that there were no details about how long the company will keep the personal information it collects.

By this point in the discussion in every group, a key issue emerged in the form of a dilemma acknowledged by many participants. The dilemma is that while participants consider certain uses of their personal information unacceptable, they also acknowledge that they do not usually read the terms and conditions of a company’s privacy policy before accepting them. In short, they acknowledge that their consent is not informed consent and that they may be agreeing to things they find unacceptable. This in turn introduced another issue that became an underlying theme in every group: the desire for clear, simple, easy to understand privacy policies so that consent becomes, in fact, informed consent.

3. Control of Personal Information

This section reports on issues related to the control of personal information.

Most think they have little or no control over their personal information

Most participants think they have little or no control over how their personal information is collected and used by companies. Two reasons were advanced most frequently to explain this impression:

Need to accept terms to interact/do business: For many participants, accepting the terms and conditions related to the collection and use of personal information is the condition for doing business with companies in the first place, at least online. In other words, it tends to be an all or nothing scenario. In this sense, the only personal control they see themselves exercising is accepting or rejecting the terms or in refusing to interact online with companies. Related to this, many participants felt that there is no ‘opt out’ option when it comes to the terms and conditions stipulated by companies for the collection and use of personal information. If there were an opt-out option, they would feel like they do have some control over how their personal information is collected and used by companies.
Lack of clarity/transparency about how their information will be used: Participants also routinely explained their perceived lack of control by pointing to the fact that companies’ policies tend to be long, complicated, and written in terms that ordinary people like themselves do not understand.

Smaller numbers of participants explained their perceived lack of control by pointing to the following:

Pervasiveness of hacking: Some suggested that companies with sophisticated security systems seem get hacked on a regular basis. If this is the case, how can they as individuals exercise any meaningful control over their information once they pass it on to the companies they deal with?
Difficulty getting delisted/off a mailing list: Some pointed to the difficulty (not to say impossibility) of getting off mailing lists or getting de-listed from advertising sent out by online by companies.

Some participants do feel that they have at least some control over how their information is collected and used, but this control tends to be exercised in a negative way (i.e. by not doing certain things). For example, when explaining how they exercise control these participants pointed to the following:

By not conducting online transactions.
By not accepting terms and conditions.
By not responding to a company’s enticements.
By providing false information (e.g. one’s age or birth date).

A few participants suggested that they exercise control over the collection of personal information by clearing their computer cache, changing their passwords periodically, and not providing information that is not absolutely necessary (e.g. not providing one’s SIN).

Everyone wants a combination of personal control and laws to protect personal information

Participants were asked whether they would prefer to control how their personal information is collected and used by companies themselves, or if they would prefer to count on laws to protect them so they do not need to think about these types of decisions.

Everyone expressed a preference for a combination of personal control and laws to protect their personal information. No one wanted to be entirely responsible for controlling the collection and use of their personal information by companies nor did they want to count only on laws to protect them.

Participants who favoured more personal control, rather than simply relying on laws to protect them, pointed to the following reasons:

Preferring personal input/control in general over their lives.
Generally trusting themselves more than government (e.g. governments change and a different government might alter laws to favour companies over individuals).
Having a clear say in what they have and have not given a company the right to do with their personal information.
Lack of control/influence over foreign governments and their regulations of companies.

To be clear, these participants also indicated that they would still want the government and laws to protect their personal information. In other words, no one advocated for no role for government at all in protecting their personal information.

Participants who leaned more towards counting on the government and laws to protect their personal information pointed to the following reasons to explain their preference:

Their own lack of time, knowledge, expertise in such matters.
Perceived effectiveness (i.e. government has the resources and coercive power to be influential in dealings with companies on these issues).
The perceived need for uniformity/standards on the issue of what companies can and cannot collect and do in terms of personal information.
The impression that there are many vulnerable people/groups in society who may not be able to handle this themselves (e.g. the elderly).

Once again, advocates of government control still want some level of personal control.

Both sides were asked how far they would go in the direction they prefer (i.e. individual versus relying on laws) on a scale of zero to 100. Most assessments tended to hover in a range of approximately 60/40 to 80/20, although small numbers went so far as to identify a 90/10 balance in the direction to which they leaned.^{Footnote 2}

Opting out — Main way of exercising personal control over personal information

The ability to ‘opt out^{Footnote 3}’ of aspects of a company’s privacy policy and/or the ability to check ‘yes’ or ‘no’ to specific aspects of a company’s privacy policy were the measures most frequently identified by participants who lean more toward wanting personal control over how their information is collected and used by companies. Other examples of what this would look like, practically-speaking, included the following:

Adjustable privacy settings.
Companies having to request specific authorization to share information with third-parties.
Third-parties having to inform individuals if personal information has been shared with them and require their consent to retain it.
The right to specify the types of companies with whom information can be shared.
Requiring that companies disclose their security levels (i.e. the extent to which they can protect personal information) before allowing them to collect and use personal information.
The ability to request clear/concise summaries of companies’ privacy policies.

Range of governmental measures proposed for protecting personal information

Participants who lean more toward counting on government and laws to protect how their information is collected and used by companies identified a variety of examples of what this would look like, practically-speaking. They included the following:

Uniform/standardized policies so that terms and conditions would be the same for all companies. In this way individuals would always know what to expect, regardless of the company they were dealing with.
Clear limits on what companies can and cannot do when it comes to the collection and use of personal information.
Laws requiring companies to use clear, transparent language in their policies.
Government powers to enforce privacy laws/make businesses comply (e.g., fines, publishing/publicizing the names of companies that do not comply with laws).

4. Consent

This section reports on issues related to consent.

Consent seen to imply understanding and acceptance

There was widespread agreement among participants that consent implies both understanding and acceptance of terms and conditions related to the collection and use of their personal information. Many added another dimension, suggesting that giving consent is not a one-time thing. In other words, giving consent for them implies that this can be revisited periodically and that it is not given for all time.

Participants expect companies they do business with to ask for consent to use their personal information

There was also a virtual consensus among participants that they expect to be asked for their consent when companies they do business with want to use their personal information. The main reason given by participants to explain why was that without consent they felt companies could do whatever they want with someone’s personal information. Other reasons given to explain why included the following:

belief that personal information is private unless one gives consent regarding its use.
asking for consent is an important indication of the credibility/character of a company.
business with a company is ‘semi-contractual’ in nature and therefore all aspects of it require a declaration of consent.
asking for consent shows basic respect to the customer/client.

Collection of information behind the scenes considered acceptable by most

Generally-speaking, participants are comfortable (or at least not uncomfortable) with companies collecting information about their interests or actions ‘behind the scenes’^{Footnote 4} rather than directly asking them for their personal information. On this issue participants tended to reiterate what they had said earlier when identifying what is acceptable when it comes to personal information collected by companies and potential benefits to customers associated with such collection. Specifically, it was re-iterated that it is acceptable for companies to tailor or customize advertising in line with information they have collected about clients regarding potential product preferences and that potential advantages to customers resulting from the collection of such information include benefits such as discounts, coupons, fidelity/reward points, better rates, and information.

Although some participants are not entirely comfortable with this practice and a few described it as ‘sneaky’, they nevertheless said that they expect it.

Presentation of scenarios

At this point of the discussion, participants were given a document containing four different scenarios in order to explore more fully their views regarding consent. The presentation of each scenario involved the following steps:

Each scenario was read out loud by the moderator while participants read along.
Participants were then asked to react to the information presented in the scenario.
Following discussion of the initial scenario, additional details were added and participants were asked to react to the new information.

Overview of participants’ reaction to scenarios

Two questions emerged as key in terms of assessing the acceptability or unacceptability of various uses of personal information in the scenarios presented to participants. One was the question of consent. In each scenario, participants routinely described as unacceptable the perceived transfer or use of their personal information to a third-party without their consent. The other was the question of the relevance of the information being collected. Once again, in each scenario participants questioned the need for some of the information being requested because it did not seem to be relevant to the stated purpose for which it was being collected.

Feedback related to each scenario and its modifications is presented below.

SCENARIO 1: ACME Clothing Outlet

You go to ACME Clothing Outlet to buy something. The sales clerk asks for your email address and telephone number to make it easier to return or exchange the item for any reason.

The issue or problem for participants in this scenario is the perceived lack of connection between the information requested (i.e. email address and telephone number) and the rationale informing the request (i.e. to facilitate a return or exchange). Participants do not object in principle to providing such information as long as it is used for the reasons given, in this case improving the service experience by facilitating a return or exchange.

In this particular case however, participants suspected an ulterior motive behind the request (i.e. providing the store with the opportunity to market its products to the customer). With this suspicion in mind, some participants were more reticent to provide their phone number than their email address because communication by phone for purposes of marketing seemed more invasive to them. Overall however, participants were reticent to provide both pieces of information.

ACME Clothing Outlet uses the phone number and email address they collected from you to analyze your spending habits to send you offers and coupons that are tailored to what the company thinks are your preferences based on previous purchases. This was not mentioned to you when you provided your information.

There was widespread criticism of this scenario because, as many participants had suspected, their personal information was used for reasons other than the one given (i.e. to facilitate a return or exchange) and therefore without their consent. Many noted that this would have been acceptable had they been informed at the beginning that their information was being collected for this purpose. Indeed, participants in all groups said they would have expected the company to ask if they could use the personal information in this way. That being said, most also indicated that this use of their information does not surprise them.

Now, what if ACME Clothing Outlet sends its customers’ personal information to another company that then matches this information with demographic information like mailing addresses, information about interests and hobbies, information about household income, for example. And, suppose this third-party company now sends you a coupon or offer based on the fact that you purchased something at ACME Clothing Outlet…You were not aware that your information was being provided to a third-party.

There was widespread condemnation from participants of this use of their personal information. Although the information is being used to provide them with benefits, it was passed on to a third-party without their consent. As in the previous case, participants would have expected the company to ask if they could use the personal information in this way. Unlike the previous case, many also indicated that this use of their information surprises them (i.e. they would not have expected it as it clearly crosses a line).

SCENARIO 2: ACME Cable Company

When you opened an account with ACME cable company, you were asked to provide a variety of personal information, including your cell phone number, billing address and credit card number. The sales representative tells you that they will use this information to provide you with faster and more efficient service.

This scenario elicited a more divided reaction among participants. As in their reaction to the previous scenario, many objected to the request because they did not see the connection between the information requested and the rationale informing the request. In particular, many did not see why a credit card number was necessary to provide faster and more efficient service, and a few described the reference to providing faster and more efficient service too vague. In addition, some were concerned that this information would be passed on to third-party.

On the other hand, a number of participants did not object to providing this information, observing that having such information on file does help a company with whom one is dealing provide more efficient service.

ACME cable company shares your account information, including your name, contact information and credit card details with a third-party that is subcontracted to perform service calls. Someone in your household calls ACME cable company because of a problem with the reception. Because ACME cable company shared your information with the company contracted to perform service calls, this company has the information it needs to schedule and charge you, the account holder, for a service call. You only learn of the service call when you receive your credit card statement.

Most participants objected to this use of their personal information because they were not informed of this when they opened their account with the cable company. In other words, their information was passed on to a third-party without their consent. In addition, the fact that their credit card number is among the information shared without their consent was particularly disturbing and unacceptable to most. Most participants said they would have expected the company to ask if they could use their personal information in this way and indicated that this use of their information surprises them.

On the other hand, some participants did not object to this use of their information, noting that such arrangements between companies and sub-contractors are relatively common. Indeed, it was noted that such arrangements are sometimes part and parcel of a company’s ability to provide ‘faster more efficient service’. While they might have expected the company to ask if they could use the personal information in this way, the use of their information does not surprise them.

Now, what if ACME cable company uses your customer information and combines it with information about the programs you watch to understand your likes and dislikes? You then start receiving email advertising that the company thinks is likely to appeal to you. ACME notifies you that they will be using your personal information to provide you with advertising, but does not provide you with an opt-out option.

There was widespread criticism of this use of personal information, both because consent to use their information in this way was not requested or given (i.e. they were notified, not asked) and because they were not provided with an opt-out option. Indeed, opposition to the lack of an opt-out option was unanimous. Some participants did not object to the use of their personal information for marketing purposes, but did object to the absence of an opt-out option.

There was a near-unanimous expectation that the company would ask if they could use the personal information in this way, especially given the absence of an opt-out option. Most participants also indicated that this use of their information surprises them, mainly because of the absence of an opt-out option.

SCENARIO 3: ACME Fitness Tracker

You received an ACME Fitness Tracker for your birthday. When you started setting up the system, you were required to provide a lot of personal information, like age, weight, activity level, and heart rate, among other things in order for the device to provide you with tailored fitness assessments.

Participants had no issues or problems with this scenario. They felt comfortable providing the information requested and expressed no concerns about their privacy in this scenario.

Now, what if information about your fitness and eating habits, location, and heart rate, for example, was provided to a third-party health research company? This information will be used by the research company to conduct research about how fitness and eating habits affect the overall health of individuals. This information is made available in the terms and conditions of both the app associated with the tracker, and the information pamphlet contained in the Fitness Tracker box. You read neither.

There was near-unanimity among participants that this use of their information is acceptable. The key point, repeatedly noted by participants, is that information about how the information would be used was made available in the terms and conditions and that the onus was on the customer to read them.

Most said they were not surprised at this use of their personal information but some were. Those who were surprised did not necessarily object to their information being used in this way, rather they were simply not familiar with such an arrangement. Most said they would not have expected the company to ask if they could use the personal information in this way, given that this information was provided in the terms and conditions. On the other hand, some participants said they would have liked an opt-out clause, and a few others would have expected the company to ask if they could use the personal information in this way rather than stating this in the terms and conditions.

Now, what if that same personal information was sold to an insurance company? This information could be used by the company to set the rates for your policy.

Such use of their personal information was considered unacceptable to participants because the information was used for a purpose not identified by the company and passed on to a third-party without the consent of the customer. Some also observed that the information was being used in a way that could adversely affect customers (i.e. to make negative decisions about them). For all these reasons, there was near unanimity that this use of information crosses a line. This impression was underscored by the fact that virtually all participants said that the use of their information in this way surprises them and that they would have expected the company to ask if they could use the personal information in this way.

SCENARIO 4: ACME POINTS PROGRAM

You are offered an ACME points card, with an associated mobile app. In order to sign up, you provide your name, e-mail address, birthday, and information about your household, like annual income and number of people living in the home, for example. You are told the loyalty card tracks your purchases and that you will receive coupons and/or special offers based on the types of purchases you make.

What participants were most likely to object to in this scenario was the amount of information requested. In particular, they routinely observed that there is no need to provide information about annual income and the number of people living in the home. Such information was described as irrelevant and/or not required in order to set up a points program. Because of this, many participants suspected an ulterior motive behind the request for such information and said they would be uncomfortable providing it. On the other hand, some participants had no objection to providing such information, especially given that they would benefit from it.

Based on the household and income information provided by points program members when signing up for the card, ACME decides to raise the prices at certain locations based on the demographics of its shoppers. Your local store is one of the locations where prices are raised. It was stated somewhere in the privacy policy that your personal information would be used to create profiles and for research and marketing purposes. You clicked “I agree” without reading the policy in full.

Differences in reaction to this scenario were based primarily on participants’ interpretation of what is implied in the idea of using their personal information for ‘research and marketing purposes’. Participants agreed that the onus was on the customer to read the privacy policy containing details about how their information would be used.

To many however, the reference to ‘creating profiles and research and marketing purposes’ is too vague and general to include a measure as tangible and consequential as differential pricing. This was described by many as unacceptable because it is discriminatory in a punitive way. On the other hand, some participants were of the opinion that using information for research and marketing purposes could result in this possibility.

Whether they agreed or not on the acceptability of the measure, there was a widespread impression that the company should have been more explicit about the possibility that information could be used in a way that would result in differential pricing and most expressed surprise at the use of their information in this way.

5. Possible Solutions

This section reports on possible solutions for dealing with issues related to the collection and use of personal information.

Possible measures to increase trust that personal information is protected

Participants identified a variety of measures companies could take to make them more likely to trust that companies are protecting their personal information. The two most frequently identified measures companies could take in this regard were the following:

Providing clear, transparent terms and conditions in easy to understand language regarding the collection and use of personal information: This was seen to include information about who/what organization information would be shared with (e.g. companies or types of companies) and how long it will be kept. It also included providing an abbreviated version of terms and conditions with key information, in particular, a summary of key points.
Provision of an opt-out option: Listing terms and conditions so that customers can check them off if they accept them.

Measures identified less frequently included the following:

Ensuring secure storage of information.
Better/more user-friendly formatting of terms and conditions to make them easier to read (e.g. larger fonts, more bulleted text).
More consistency between companies regarding terms and conditions.
A glossary of key terms and expressions used in the terms and conditions regarding collection and use of personal information.
A comment box for customers to ask questions/provide comments about terms and conditions regarding collection and use of personal information.
Acknowledgement from a third party that your information has been shared with them.

Key information about a company’s privacy practices

What personal information is collected.
How it will be used by the company/for what purposes.
Who is the company sharing information with.
How long the company will keep personal information.
How the company protects/safeguards personal information.

Types of information identified by small numbers or individual participants included the following:

What happens if a security breach occurs.
Information about legal liability.
Who owns the company/ownership structure.

Government seen as main overseer of companies

Government was routinely identified in every group as the main organization policing businesses to ensure they do not over step when collecting and using personal information. Other organizations or actors were rarely identified. These included the Ombudsman, the Better Business Bureau, the Office of the Privacy Commissioner, and companies themselves.

There was also near-unanimity that government is the organization that should police businesses.

Limited recall of investigations/audits of companies for privacy practices

Very few participants recall hearing anything about companies being investigated or audited for privacy practices. Moreover, those who recall hearing anything rarely recalled specific details. The only specifics identified included reference to a security breach at Linked-In, a security breach at Yahoo, and a Rogers employee stealing customer credit card information. A couple of participants seem to recall hearing something about internal reports on compliance (IROCs) but they could not recall any details.

Perceptions regarding role of government in protecting personal information

Participants had no difficulty identifying the role(s) of government when it comes to protecting their personal information. Top-of-mind responses to the question of the role of government routinely included the following:

Setting laws/putting laws in place.
Enforcement of the laws.
Supervising/monitoring to ensure compliance.
Conducting investigations/following-up on problems/breaches.
Outreach or providing information to the public.

In addition to these, some suggested that government reward/recognize companies for best practices or exemplary behaviour when it comes to protecting personal information, while others suggested the creation of a government seal of approval/certification program for companies in this area.

Widespread agreement that government has proactive and reactive role to play

Following their top-of-mind feedback on the role of government in this area, participants were informed that there are two different roles the government could play when it comes to the protection of personal information. One is a proactive role where a government organization conducts regular audits of companies’ privacy practices, and the other is a reactive role where a government organization conducts investigations of companies’ privacy practices only in reaction to a complaint or breach.

When asked what they thought of these two roles, there was near unanimity among participants that government should engage in both roles when it comes to protecting personal information.

Variety of specific roles identified for government

There was also a virtual consensus that government should have the following powers to enforce Canada’s privacy laws, to ensure businesses are complying:

The power to impose financial penalties.
Order-making powers to force companies to follow recommendations.
Proactive auditing (i.e. conducting audits or spot checks of companies’ privacy practices).

When it came to imposing financial penalties, some participants suggested that the fines would have to be large in order to be effective.

Widespread desire for information/guidance on privacy-related matters

There was widespread desire for the government to provide information by way of outreach/public education on privacy-related matters. Information considered most helpful included the following:

What to look for/be attentive to in privacy policies.
What information not to give/share.
Meaning of various terms/conditions or a glossary of key terms/expressions.
Updates/changes in the law.
What government does in relation to the protection of personal information.
Individual rights and obligations.
An information hotline.
Training and orientation on privacy issues for individuals.
Lists of companies that have violated privacy laws.

When asked how they would like to receive such information (i.e. in what formats), participants were most likely to identify online formats. This included government websites, email, and even videos (e.g. on YouTube), as well as through primary and secondary school curriculum. A few suggested sending out such information with CRA notices of assessment. It was also suggested that such information could be presented using a hypothetical scenario format in order to make it more concrete and clear.

Appendix

Annex 1: Recruitment Screener

Specifications

Recruit 12 participants.
Participants to be paid $100.
1 group in each location will be held with participants who are under 30 years of age and the other with participants who are 30 years and older.
Each group will be a mix of participants by age (within the defined parameters), gender, education, and employment status.
All groups to be conducted in English, except for Montreal, which will be in French.

Sessions
Group	Location	Date and time	Group Composition
Group 1	Toronto	February 7^th, 5:30 p.m. Eastern	Under 30
Group 2	Toronto/td>	February 7^th, 7:30 p.m. Eastern	30 and over
Group 3	Halifax	February 8^th, 5:30 p.m. Atlantic	Under 30
Group 4	Halifax	February 8^th, 7:30 p.m. Atlantic	30 and over
Group 5	Winnipeg	February 8^th, 5:30 p.m. Central	Under 30
Group 6	Winnipeg	February 8^th, 7:30 p.m. Central	30 and over
Group 7	Montreal	February 9^th, 5:30 p.m. Eastern	Under 30
Group 8	Montreal	February 9^th, 7:30 p.m. Eastern	30 and over

Questionnaire

A. Introduction

Hello/Bonjour, my name is . Would you prefer to continue in English or French? / Préférez-vous continuer en anglais ou en français?

[INTERVIEWER NOTE: FOR ENGLISH GROUPS, IF PARTICIPANT WOULD PREFER TO CONTINUE IN FRENCH, PLEASE RESPOND WITH, "Malheureusement, nous recherchons des gens qui parlent anglais pour participer à ces groupes de discussion. Nous vous remercions de votre intérêt."]

I’m calling from Research House, a Canadian research firm. We’re organizing a series of discussion groups on behalf of the Government of Canada to explore issues of importance to Canadians. The groups will last up to two hours and people who take part will receive a cash gift to thank them for their time.

Before we invite you to attend, we need to ask you a few questions to ensure that we get a good mix of people in each of the groups. This will take 5 minutes. May I continue?

     
    Yes           1             CONTINUE
    No            2             THANK/DISCONTINUE

Participation is completely voluntary. We are interested in your opinions. No attempt will be made to sell you anything or change your point of view. The format is a “round table” discussion led by a research professional with up to eight participants. All opinions will remain anonymous and will be used for research purposes only in accordance with laws designed to protect your privacy.

[INTERVIEWER NOTE: IF ASKED ABOUT PRIVACY LAWS, SAY: “The information collected through the research is subject to the provisions of the Privacy Act, legislation of the Government of Canada, and to the provisions of relevant provincial privacy legislation.”]

B. Qualification

1. Do you, or any member of your household or immediate family, work in any of the following fields? READ LIST

Marketing research, public relations firm, or advertising agency,
The media (radio, television, newspapers, magazines, etc.),
Government, either federal or provincial

    Yes           1             THANK/DISCONTINUE 
    No            2             CONTINUE

2. We have been asked to speak to participants from all different ages. May I have your age please? GET GOOD MIX

    RECORD
       Under 18          THANK/DISCONTINUE
       18 to 24 years                                                                                                      
       25 to 29 years                                                                                                      
       30 to 34 years
       35 to 44 years                                                                                                      
       45 to 54 years                                                                                       
       55 to 64 years                                                                                       
       65 to 74 years
       75 years or older THANK/DISCONTINUE

3. Record gender by observation. 50/50 SPLIT

       Female                                                                                     
       Male

4. Do you use the Internet on a mobile device, such as a smartphone or tablet, a computer, or both?

       Mobile device
       Computer
       Both
       Neither                                        THANK/DISCONTINUE

5. Which of the following do you do online? READ LIST

       Purchase products or services
       Use social networking sites like Facebook, Instagram, and Twitter
       Stream TV or movies
       Check email
       Use maps
       Use search engines

THANK/DISCONTINUE IF ONLY “CHECK EMAIL”

6. Using a 5-point scale, where 1 is not at all and 5 is a great deal, how much attention do you tend to pay to news and current issues?

RECORD . THANK/TERMINATE THOSE WHO GAVE SCORES OF 1-2

7. Could you please tell me what is the last level of education that you completed? READ LIST; GET MIX

     
       Some High School only
       Completed High School
       Trade School certificate
       Some Post secondary             
       Completed Post secondary
       Graduate degree

8. What is your current employment status? READ LIST; GET MIX

     
       Full Time (35 hrs. +)                               
       Part Time (under 35 hrs.)      
       Homemaker                                             
       Student                                       
       Retired                                                       
       Unemployed

9. Participants in group discussions are asked to voice their opinions and thoughts, how comfortable are you in voicing your opinions in front of others? Are you… READ OPTIONS

       Very comfortable             MIN 5 PER GROUP
       Fairly comfortable
       Not very comfortable         TERMINATE
       Very uncomfortable           TERMINATE

10. Have you ever attended a discussion group or interview on any topic that was arranged in advance and for which you received money for your participation?

       Yes             MAXIMUM 5 PER GROUP
       No              GO TO INVITATION

11. When did you last attend one of these discussion groups or interviews?

       Within the last 6 months   TERMINATE
       Over 6 months ago

12. How many discussion groups or interviews have you attended in the past 5 years?

       Fewer than 5
       5 or more                  TERMINATE

13. Sometimes participants are also asked to write out their answers on a questionnaire. Is there any reason why you could not participate? (Add hearing impairment.)

       Yes                        TERMINATE
       No

TERMINATE IF RESPONDENT OFFERS ANY REASON SUCH AS SIGHT OR HEARING PROBLEM, A WRITTEN OR VERBAL LANGUAGE PROBLEM, A CONCERN WITH NOT BEING ABLE TO COMMUNICATE EFFECTIVELY.

14. The session will be video recorded for research purposes. The recordings will be used only by the Phoenix SPI research team to help prepare a report on the research findings and they will not be shared with others. Do you agree to be video recorded for research purposes?

       Yes                        TERMINATE
       No

C. INVITATION TO PARTICIPATE

I would like to invite you to attend the focus group session where you will exchange your opinions in a moderated discussion with other Canadians from your community. The discussion will be lead by a researcher from the national public opinion research firm, Phoenix SPI. The session will be taped and observed but your participation will be confidential. The group will take place on [DAY OF WEEK], [DATE], at [TIME]. It will last two hours. People who attend will receive $100 to thank them for their time. Would you be willing to attend?

    Yes                                                  
    No                        TERMINATE

Do you have a pen handy so that I can give you the address where the group will be held? It will be held at [INSERT FACILITY]. I would like to remind you that the group is at [TIME] on [DATE]. We ask that you arrive 15 minutes early.

At the facility, you will be asked to produce photo identification, so please remember to bring something with you (for example, a driver’s license). If you use glasses to read, please remember to bring them with you. Participants may be asked to review some materials in [ENGLISH/FRENCH] during the discussion.

As I mentioned, the session will be video recorded for research purposes and representatives of the Government of Canada research team will be observing from an adjoining room. You will be asked to sign a waiver to acknowledge that you will be video recorded during the session. The recordings will be used only by the Phoenix SPI research team and will not be shared with others. All information collected in the group discussion will remain anonymous and be used for research purposes only in accordance with laws designed to protect your privacy.

As we are only inviting a small number of people to attend, your participation is very important to us. If for some reason you are unable to attend, please call us so that we can get someone to replace you. You cannot send someone else to participate on your behalf. Only individuals who have gone through this screening process may attend the session. You can reach us at [INSERT NUMBER] at our office. Please ask for [INSERT NAME].

Someone will call you the day before to remind you about the session.

So that we can call you to remind you about the focus group or contact you should there be any changes, can you please confirm your name and contact information for me?

    First name:          
    Last Name:          
    Daytime phone number:          
    Evening phone number:

Thank you very much for your time. We appreciate your willingness to participate in this important research.

Annex 2: Moderator’s Guide

Introduction (5 minutes)

Thank participants for attending
Introduce moderator and Phoenix
Tonight, we are conducting research on behalf of the Office of the Privacy Commissioner of Canada, or OPC, to discuss privacy and the protection of personal information. The discussion will last 2 hours.
My job is to facilitate the discussion, keeping us on topic and on time.
Your job is to offer your opinions about the issues to be covered tonight.
- Not a knowledge test; no right or wrong answers (interested in opinions)
- Looking for candour and honesty;
- Okay to disagree; want people to speak up if hold different view
Comments treated in confidence; reporting in aggregate form only; recording for report writing purposes only; observers behind one-way glass.
If you have a cell phone or other electronic device, please turn it off.
Any questions?
Roundtable introduction: Please tell us your first name and a hobby you have.

Warm-up/General Perceptions (25 minutes)

As I mentioned, we’re going to be discussing privacy and the protection of your personal information tonight. When we talk about personal information, keep in mind that this includes things like your name, age, address, income and email address, but also information like your purchasing habits, online activities, and even your DNA.

We’ll start with a very general question…

How much do you think about privacy and the protection of your personal information? Is it something that concerns you? Why/why not?
For those of you who have concerns about your privacy, what type of things are you most concerned about?

Probes (as needed): identity theft, fraud/financial loss, hacking, surveillance

Many companies collect personal information about customers—some of this information is needed to enable transactions or purchases, like a credit card number, but other types of personal information is collected by companies primarily to learn more about their customers. For example, a cashier asks for your telephone number and email during a sales transaction.

KEEP BRIEF, BUT USE TO SET TONE/PROVIDE CONTEXT FOR TOPIC
In the last year or so, can you think of times you’ve been asked to provide personal information to a company? What information were you asked to provide, and what was the context? ASK FOR SPECIFIC EXAMPLES; FOCUS TO BE ON DIGITAL EXAMPLES (AS OPPOSED TO POINT OF PURCHASE)

Probes (as needed):
- Information: postal code, credit card, photo identification
- Situations: shopping in a retail store, checking in at a hotel, email or DOB when online
In general, to what extent do you trust companies to handle/protect your personal information?

Probe: differences by type of company, type of personal information
What are the types of things that a company will do with the personal information it collects from you and other customers? What else? USE FLIPCHART TO RECORD USES

Probes (as needed):
- sell it to a third-party
- use it to market products or services to you, to improve your customer service experience, to make decisions about you for things like insurance claims or health coverage
What crosses the line? What are you uncomfortable with, and what do you feel is acceptable, and why? MODERATOR: KEEP BRIEF AND DEAL WITH Q7 AT THE SAME TIME AS APPROPRIATE; THESE ISSUES WILL BE FULLY EXPLORED LATER IN THE GROUP.

Probes (as needed):
- Is it the sensitivity of the information being shared?
- Is it the reputation of the company, and/or lack of trust in the company?
- Is it that there is a potential for harm (negative decisions made about you or missed opportunities)?
Can you think of any examples where there is a clear benefit to providing your personal information to a company? And what are the drawbacks of providing your personal information to a company? MODERATOR: REFER TO LIST ON FLIPCHART

Probes (as needed):
- Benefits: improved service, faster service
- Drawbacks: potential privacy breach, identity theft

Privacy Policies (10 minutes)

Organizations that collect personal information must be upfront in explaining their privacy practices.

What does it mean to you when a company has a privacy policy? MODERATOR: LET PARTICIPANTS OFFER TOP-OF-MIND FEEDBACK, AND THEN FOLLOW-UP WITH: Does it ensure the confidentiality of your personal information? Does this mean that a company won’t share your information with another party?
Do you tend to read privacy policies? Why/why not? Are there specific situations or circumstances when you will read a privacy policy? If so, what are they? What drives or motivates you to read privacy policies in these situations? MODERATOR: PROBE TO UNDERSTAND WHAT THE TRIGGER IS FOR PARTICIPANTS.

Probes (as needed):
- Is it the sensitivity of the information being shared?
- Is it the reputation of the company, and/or lack of trust in the company?
- Is it the potential for harm (negative decisions or missed opportunities)?
I’m going to pass around an example of a privacy policy. Please take a few minutes to review the handout and circle anything that you wish to comment on for any reason.

[HAND-OUT DOCUMENT; ALLOW PARTICIPANTS TIME TO READ IT, THEN CONTINUE.]
Let’s start with a general question… what do you think of what you just read? Why do you say that? What stands out for you and why?

Control of Personal Information (10 minutes)

People interact with companies for different reasons, from scheduling services for, say, your car, to purchasing products or services, like groceries or household utilities, to renting things, like cars, computers or apartments. For these interactions to take place, you are often asked to provide different types of personal information.

Thinking about the different ways in which you interact with companies, do you think you have any control over how your personal information is collected and used by these companies? Why/why not?
12. Would you prefer to control how your personal information is collected and used by companies yourself? Or, rather, would you prefer to count on laws to protect you so that you don’t need to think about making all those types of decisions?
1. To put it another way, if you were to lean more in one direction or another (your individual control on one side / more government regulation on the other) which one would you tend to lean more toward and why?
2. How far in either direction would you go? (NOTE TO MODERATOR: TRY TO GET CONCRETE MEASUREMENTS: % OR FRACTIONS OR SCALED)
For those of you who lean more toward wanting personal control over how your information is collected and used by companies, practically speaking, what does this look like for you?

Probes (as needed):
- Easy access to adjustable privacy settings
- Having the choice to opt out of certain aspects of a company’s privacy policy
- Dashboards that allow you to set your general privacy settings on a device and have them apply to any apps or services you use
For those of you who lean more toward counting on the government — and laws — to protect you so that you don’t need to frequently think about making decisions about your personal information when you interact with companies, what does this look like to you?

Probes (as needed):
- More or stronger laws that protect your personal info
- Clearer or detailed restrictions on what companies can and can’t do (e.g., collecting certain types of info in the first place or doing certain things with your personal info)
- More government powers to enforce privacy laws and make businesses comply (e.g., orders, fines, proactive inspections of companies’ practices)

Consent (40 minutes)

When you think about your personal information and privacy, what does consent mean to you? MODERATOR: WAIT FOR TOP-OF-MIND RESPONSES AND PROVIDE THE FOLLOWING DEFINITION BEFORE PROCEEDING.

Consent is the way individuals, like yourselves, can protect your privacy by exercising control over what personal information businesses can collect, how they can use it, and to whom they can disclose it. Changes in technology and newer business models are making it far less clear which organizations are collecting personal information, where this information goes, and what it’s used for, and whether and how people can give meaningful consent.
Can you think of any examples where your personal information was used in an unexpected way?

Probes (as needed):
- A book recommended to you based on an online purchase
- An event or appointment sent to you by email appearing in your online calendar
Do you expect to be asked for your consent when you do business with a company or are you okay with companies assuming they have your consent? Why, why not?

Probe:
- Is it the sensitivity of the information being shared?
- Is it the reputation of the company, and/or lack of trust in the company?
- Is it that there is a potential for harm (negative decisions made about you or missed opportunities)?
- Is it how relevant the information is to the service?
What about in situations where companies are collecting information about your interests, or actions, behind the scenes rather than directly asking you for your personal information? For example, websites often collect data about visitors through cookies. Information about the practice can typically be found in the privacy policies of websites. How comfortable are you with this collection of information? Why, why not?

Probe:
- Is it the sensitivity of the information being shared?
- Is it the reputation of the company, and/or lack of trust in the company?
- Is it the potential for harm (negative decisions or missed opportunities)?

What I’m going to do now is pass around another document with several different scenarios. I’d like you to read each scenario and then we’ll discuss them as a group.

[HAND-OUT DOCUMENT; ALLOW PARTICIPANTS TIME TO READ IT, THEN CONTINUE.] NOTE: Only the first part of each scenario will be on the handout document. The remainder will be prompted by the moderator.

Let’s start with…

SCENARIO 1: ACME Clothing Outlet

You go to ACME Clothing Outlet to buy something. The sales clerk asks for your email address and telephone number to make it easier to return or exchange the item for any reason.

What do you think about the exchange of personal information in the scenario you just read?
Would you feel comfortable providing your personal information in this scenario?
Do you have any concerns about your privacy in this scenario? If so, what and why?

MODERATOR: Probe for differences in perceptions of telephone versus email as the personal information being collected. Is one more sensitive than the other? If so, why?

Now consider this…

Are you okay with this?
1. If so, why do you feel this is acceptable?
2. If not, what crosses the line? What are you uncomfortable with, and why?
Is this use surprising to you? Would you have expected the company to ask you if they could use your personal information in this way?

MODERATOR: Probe for differences in perceptions if they were told about this use at the point of sale.

Now, what if ACME Clothing Outlet sends its customers’ personal information to another company that then matches this information with demographic information like mailing addresses, information about interests and hobbies, information about household income, for example. And, suppose this third-party company now sends you a coupon or offer for baby formula based on the fact that you purchased something at ACME Clothing Outlet… You were not aware that your information was being provided to a third-party.

Are you okay with this?
1. If so, why do you feel this is acceptable?
2. If not, what crosses the line? What are you uncomfortable with, and why?
Is this use surprising to you? Would you have expected the company to ask you if they could use your personal information in this way?

SCENARIO 2: ACME Cable Company

What do you think about the exchange of personal information in the scenario you just read?
Would you feel comfortable providing your personal information in this scenario?
Do you have any concerns about your privacy in this scenario? If so, what and why?

Now consider this…

Are you okay with this?
1. If so, why do you feel this is acceptable?
2. If not, what crosses the line? What are you uncomfortable with, and why?
Is this use surprising to you? Would you have expected the company to ask you if they could use your personal information in this way?

Are you okay with this?
1. If so, why do you feel this is acceptable?
2. If not, what crosses the line? What are you uncomfortable with, and why?
Is this use surprising to you? Would you have expected the company to ask you if they could use your personal information in this way?

SCENARIO 3: ACME Fitness Tracker

What do you think about the exchange of personal information in the scenario you just read?
Would you feel comfortable providing your personal information in this scenario?
Do you have any concerns about your privacy in this scenario? If so, what and why?

Now consider this…

Are you okay with this?
1. If so, why do you feel this is acceptable?
2. If not, what crosses the line? What are you uncomfortable with, and why?
Is this use surprising to you? Would you have expected the company to ask you if they could use your personal information in this way?

MODERATOR: Probe for differences in perceptions if they did read the terms and conditions or the information pamphlet contained in the Fitness Tracker box.

Now, what if that same personal information was sold to an insurance company? This information could be used by the company to set the rates for your policy.

Are you okay with this?
1. If so, why do you feel this is acceptable?
2. If not, what crosses the line? What are you uncomfortable with, and why?
Is this use surprising to you? Would you have expected the company to ask you if they could use your personal information in this way?

SCENARIO 4: ACME Points Program

You are offered an ACME points card, with an associated mobile app. In order to sign up, you provide your name, e-mail address, birthday, and information about your household, like annual income and number of people living in the home, for example. You are told the points card tracks your purchases and that you will receive coupons and/or special offers based on the types of purchases you make.

What do you think about the exchange of personal information in the scenario you just read?
Would you feel comfortable providing your personal information in this scenario?
Do you have any concerns about your privacy in this scenario? If so, what and why?

Now consider this…

Based on the household and income information provided by the points program members when signing up for the card, ACME decides to raise the prices at certain locations based on the demographics of its shoppers. Your local store is one of the locations where prices are raised. It was stated somewhere in the privacy policy that your personal information would be used to create profiles and for research and marketing purposes. You clicked “I agree” without reading the policy in full.

Are you okay with this?
1. If so, why do you feel this is acceptable?
2. If not, what crosses the line? What are you uncomfortable with, and why?
Is this use surprising to you? Would you have expected the company to ask you if they could use your personal information in this way?

Now that we’ve looked at these different scenarios, you can see that providing informed consent is not always clear and straightforward and that there are different factors to consider when deciding whether or not to provide your personal information to a company. What are some of the key factors that you think are important when making those decisions?

Probes (as needed):
- Trade-offs: benefits, convenience versus risk of providing the information
- Reputation of the company
- Perceived sensitivity of the information

Possible Solutions (30 minutes)

Given how complex the issue of consent has become… what do you think can be done to help…

Are there any measures, or things that businesses could do, that would make you more likely to trust that they are protecting your personal information?

PRIVACY POLICIES

Think back to the privacy policy you looked at earlier. Now that we’ve gone through some situations where companies have collected and used your personal information in different ways…

What information about a company’s privacy practices would you like highlighted, or brought to your attention, when considering whether or not to share your information with a company?

Probes (as needed):
- What personal information is collected?
- How it will be used by the company? For what purposes?
- Who is the company sharing your information with?
- How long the company will keep your personal information?
- How the company protects/safeguards your personal information?
- How the company might be using your information beyond directly providing you with a service?

ENFORCEMENT

Who polices businesses to ensure they do not over step when collecting and using your personal information? Who should police businesses?

Do you ever hear anything about companies being investigated or audited for privacy practices? If so, what have you heard?
What is the role of government in protecting your personal information? Why do you say that?
There are different roles the government could play. What do you think of… [INSERT]?

[ROTATE ORDER]
…a proactive role where a government organization conducts regular audits of companies’ privacy practices, much like health and safety spot checks of restaurants, for example?

…a reactive role where a government organization conducts investigations of companies’ privacy practices only in reaction to a complaint or breach?
What powers, if any, should the government have to enforce Canada’s privacy laws, to ensure businesses are complying? What about… [INSERT]

[ROTATE ORDER]
…financial penalties… should fines be imposed?
…order-making powers… the ability to force companies to follow recommendations? …proactive auditing… conducting audits or spot checks of companies’ privacy practices?

GUIDANCE FOR INDIVIDUALS

Do you want more information/guidance on privacy-related matters? Why/why?

MODERATOR: FOCUS ON EDUCATION/OUTREACH; INFORMATION THAT COULD BE PROVIDED BY GOVERNMENT (NOT A COMPANY'S PRIVACY PRACTICES)

Would you seek more information if available? If so, where would you go?
What kind of information would be most helpful? What would this look like? PROBE FOR SPECIFIC EXAMPLES/FORMATS (E.G. RADIO, WEB, ETC.)

Conclusion

Any final thoughts on anything we’ve discussed tonight?

THANK PARTICIPANTS. COLLECT ALL MATERIALS.

Annex 3: Handouts

Privacy Policy

Last updated: January 30. 2017

This page informs you of our policies regarding the collection, use and disclosure of personal information we receive from customers. As used herein, the term “personal information” means information that specifically identifies any individual, (including without limitation, name, date of birth, address, telephone number, e-mail address or payment/billing information) and any other information that is required by applicable law to be treated as personal information. Personal Information does not include “aggregate” or “anonymized“ information, which is data we collect about a customer’s, or group or category of customer’s, use of the services and products and/or other sites or services (including without limitation demographic or preference information) from which individual identities or other personal information has been removed. Please note, if ACME Companies combine this information with personal information, ACME Companies will treat this information as personal information pursuant to this Policy.

ACME Companies collect personal information only for the following purposes: a) to establish and maintain responsible commercial relations with customers and to provide ongoing service; b) to understand customer needs and preferences, and determine eligibility for products and services; c) to recommend particular products and services to meet customer needs; d) to develop, enhance, market or provide products and services; e) to manage and develop their business and operations, including personnel and employment matters; and f) to meet legal and regulatory requirements.

ACME Companies collect personal information in a variety of ways such as during the course of your purchase of, or application or request for a quote for, our products and services or your participation in one or more of our programs, contests, promotions or events. ACME Companies collects personal information in the following ways: a) directly from you in person, by mail, over the telephone, through websites or in any other direct manner; b) from related companies; c) from Third Parties; d) through technology; e) point-of- sale-systems; f) video surveillance in areas surrounding our stores, parking lots and other locations for security purposes; g) websites, social media, applications and other electronic means.

We use and disclose an individual’s personal information for the purposes stated above, unless we have the individual’s consent to using or disclosing it for another purpose or unless required or permitted by law, which may include lawful access by Canadian or U.S. courts or governmental authorities. We may transfer (or otherwise make available) personal information to our affiliates and other third parties who provide services on our behalf. Personal information may be stored and processed in the United States by us or our third-party service providers. Our service providers are not authorized to use or disclose personal information for any purpose other than providing the services on our behalf or as otherwise required by applicable law. We do not disclose personal information concerning our customers to anyone else and we do not permit anyone else to use personal information about our customers for any purpose without the customer’s consent, except as set out in this Privacy Statement or in our Global Customer Personal Information Privacy Policy. We keep personal information about individuals for as long as we need it to fulfill our stated purposes or as otherwise required by law.

When you place orders on our websites, all of your order information, including your credit card number and delivery address, is transmitted through the Internet using Secure Sockets Layer (SSL) technology. SSL technology causes your browser to encrypt your order information before transmitting it to our secure server. SSL technology, an industry standard, is designed to prevent someone other than operators of our websites from capturing and viewing your personal information. While we use industry standard means to protect our websites and your information, the Internet is not 100% secure. The measures we use are appropriate for the type of information we collect. We cannot promise that your use of our websites or mobile applications will be completely safe. We encourage you to use caution when using the Internet. Online access to your personal information is protected with a password you select. We strongly recommend that you do not share your password. We maintain your personal information for as long as required for the purposes set out in this Privacy and Security Statement, or as otherwise required or permitted by law.

If you have any questions about this Privacy Policy, please contact us.

ACME Clothing Outlet

You go to ACME Clothing Outlet to buy something. The sales cleak asks you for your email address and telephone number in order to make it easier to return or exchange the item for any reason.

ACME Cable Company

When you opened an account with ACME Cable Company, you were asked to provide a variety of personal information, incluing your cell phone number, billing address and credit card number. The sales representative tells you that they will use this information to provide you with faster and more efficient service.

ACME Fitness Tracker

ACME Points Program

You are offered an ACME points card, with an associated mobile app. In order to sign up, you provide your name, e-mail address, birthday, and information about your household, like annual income and number of people living in the home, for example. You are told the points card tracks your purchases and that you will receive coupons and/or special offers based on the types of purchases you make.

Footnotes

Footnote 1

A few participants specifically mentioned “selling” their personal information to third-parties, but most described it as “sharing”.

Return to footnote 1

Footnote 2

For example, if they leaned more towards counting on government to protect their personal information, this meant that 90% of the control would reside with government and laws and the remainder, in this case, 10%, would be within their control as an individual.

Return to footnote 2

Footnote 3

While participants were much more likely to use the expression ‘opt out’ than ‘opt in’, it was clear that the emphasis was on exercising greater control regarding the use of their personal information.

Return to footnote 3

Footnote 4

This refers to behavioural advertising, customer profiling, data mining, and other activities companies engage in to learn more about their customers or potential customers without directly asking them for information about personal preferences, etc.

Return to footnote 4

Date modified:: 2017-06-15

Public opinion survey

Table of Contents

Qualitative Public Opinion Research with Canadians on Consent

Final Report

Executive Summary

General Perceptions

Privacy Policies

Control of Personal Information

Consent

Possible Solutions

Introduction

Background and Objectives

Methodology

Detailed Findings

1. General Perceptions

Participants concerned about privacy of their personal information

Requests for personal information are a commonplace experience

Trust regarding protection of information depends mainly on perceived credibility

Marketing and sharing with third parties — main perceived uses of personal information

Consent and relevance — key criteria regarding collection and use of personal information

Benefits and drawbacks of providing personal information

2. Privacy Policies

Widespread impression that meaning of privacy policies depends on terms/conditions

Most participants do not read privacy policies due to their length and complexity

Example of privacy policy tends to confirm assumptions about vagueness/lack of clarity of such documents

3. Control of Personal Information

Most think they have little or no control over their personal information

Everyone wants a combination of personal control and laws to protect personal information

Opting out — Main way of exercising personal control over personal information

Range of governmental measures proposed for protecting personal information

4. Consent

Consent seen to imply understanding and acceptance

Participants expect companies they do business with to ask for consent to use their personal information

Collection of information behind the scenes considered acceptable by most

Presentation of scenarios

Overview of participants’ reaction to scenarios

SCENARIO 1: ACME Clothing Outlet

SCENARIO 2: ACME Cable Company

SCENARIO 3: ACME Fitness Tracker

SCENARIO 4: ACME POINTS PROGRAM

5. Possible Solutions

Possible measures to increase trust that personal information is protected

Key information about a company’s privacy practices

Government seen as main overseer of companies

Limited recall of investigations/audits of companies for privacy practices

Perceptions regarding role of government in protecting personal information

Widespread agreement that government has proactive and reactive role to play

Variety of specific roles identified for government

Widespread desire for information/guidance on privacy-related matters

Appendix

Annex 1: Recruitment Screener

Specifications

Questionnaire

A. Introduction

B. Qualification

C. INVITATION TO PARTICIPATE

Annex 2: Moderator’s Guide

Introduction (5 minutes)

Warm-up/General Perceptions (25 minutes)

Privacy Policies (10 minutes)

Control of Personal Information (10 minutes)

Consent (40 minutes)

SCENARIO 1: ACME Clothing Outlet

SCENARIO 2: ACME Cable Company

SCENARIO 3: ACME Fitness Tracker

SCENARIO 4: ACME Points Program

Possible Solutions (30 minutes)

PRIVACY POLICIES

ENFORCEMENT

GUIDANCE FOR INDIVIDUALS

Conclusion

Annex 3: Handouts

Privacy Policy

ACME Clothing Outlet

ACME Cable Company

ACME Fitness Tracker

ACME Points Program

Table of Contents