Submission to the OPC’s Consultation on Consent under PIPEDA (CMA)

Canadian Marketing Association

October 2016

Note: This submission was contributed by the author to the Office of the Privacy Commissioner of Canada’s Consultation on Consent under PIPEDA.

Disclaimer: The opinions expressed in this document are those of the author(s) and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada.


Summary

As noted in the discussion paper, the ultimate goal of this initiative is to “help strengthen the privacy protection of individuals”. To achieve this goal, the Canadian Marketing Association (CMA) believes that strengthening the accountability framework, combined with expanded use of implied consent, offers the best approach to enhancing privacy protections for individuals.

While some argue that the consent model is dead, CMA believes that the model upon which the Personal Information Protection and Electronic Documents Act (PIPEDA) is built, is alive and well. We do agree that with the proliferation of technological advancements over the last ten years alone, some consumers are either overwhelmed with the various avenues of data collection and understanding terms and conditions to which they are agreeing, or simply don’t take the time to properly inform themselves as they trust companies will do the right thing and be accountable for their data processing.

However, these concerns do not arise because organizations are not being truthful and transparent with consumers. There are challenges in explaining complex data activities in a manner that consumers can easily and quickly understand. In addition, not all consumers take an interest in this information. Even so, there are viable solutions available within the current legislative framework that will protect privacy and support responsible use of personal information (PI) by businesses. Strengthening accountability frameworks, combined with recognition of the appropriateness of implied consent in a wider range of situations, shifts some of the burden of making complex privacy assessments from consumers to organizations that seek to collect, use or disclose PI.

The current consent model faces practical challenges. To meet those challenges, the interpretation of what is reasonable under PIPEDA must evolve with the times to make full use of existing options. Consent must evolve by shifting the focus from a rigid interpretation of notice and consent to an accountability model that would allow organizations more flexibility in the way that they collect, use, and disclose PI. Data governance principles (as reflected in the Office of the Privacy Commissioner’s (OPC) Accountability Guidelines), provide a roadmap for “responsible use” of data, while the reasonable person test in section 5(3) of PIPEDA  provides a good basis when it comes to fair processing for legitimate purposes.

CMA proposes that the accountability model be enhanced in the following ways: 1) expanding the recognition and use of implied consent, 2) the development by stakeholders of more relevant and targeted codes of practice, 3) greater use of de-identification, 4) if necessary for greater certainty, allowing the processing of data without consent for legitimate interests, and 5) rendering the definition of publically available information technology neutral. We believe this enhanced accountability framework is a positive way to build on the current ombudsman model which has proven its effectiveness over the years.

The full submission is available in the following language(s):

English (PDF document)

Note: As this submission was provided by an entity not subject to the Official Languages Act, the full document is only available in the language provided.

Date modified: