Consent and Privacy: Facebook Comments on the OPC Discussion Paper

Facebook

October 2016

Note: This submission was contributed by the author to the Office of the Privacy Commissioner of Canada’s Consultation on Consent under PIPEDA.

Disclaimer: The opinions expressed in this document are those of the author(s) and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada.

---

Summary

Facebook appreciates the opportunity to comment on the OPC's discussion paper regarding potential enhancements and alternative approaches to consent under PIPEDA.

We believe that PIPEDA is readily adaptable to new technologies and business models and can support enhancements and alternative approaches to traditional models of consent. In fact, unlike many privacy-related laws, PIPEDA was thoughtfully crafted to endure the tides of changing technologies and innovative new products and services.  PIPEDA’s objective of balancing the protection of individual privacy and the legitimate needs of business to collect and use personal information is an important factor in developing enhancements and alternative approaches to consent. We believe that the existing framework should be used to support alternatives to traditional approaches to consent, and that no legislative changes are required to do so.

As the discussion paper recognizes, consent is fundamentally about transparency and control:  It is about ensuring people understand how their personal information will be collected, used and shared and giving people meaningful choices about those practices. Transparency and control are crucial to building trust in the digital economy, which, in turn, can help drive economic growth and improve people's lives through innovation.

Transparency and control are also fundamental to Facebook’s approach to privacy.  Facebook's mission is to make the world more open and connected by enabling people to engage and share with each other. People who use Facebook want choices when they share, so we build our products to give them exactly that, and to educate people about our practices and how they can control the use of their information. Our submission highlights a number of ways in which we provide transparency and control and also describes Facebook’s privacy governance program, which works to identify and address potential privacy issues during product design, and to ensure accountability for privacy decisions within the organization.

The discussion paper rightly notes that technologies like cloud computing, smart phones, and the Internet of Things call for creative thinking on how to provide transparency and obtain consent. Because PIPEDA is a principles-based framework that was drafted to be technology- and business-practice neutral, the OPC can work within the existing PIPEDA framework to help organizations meet these challenges.

PIPEDA’s flexible, principles-based approach to consent – which permits different consent models based on context, including the sensitivity of the information and the reasonable expectations of the individual – has allowed the OPC to interpret and apply the law to a wide variety of novel circumstances and technologies, and can continue to serve Canada well in addressing the opportunities and challenges of new technologies and business models.

Full submission:

Note: As this submission was provided by an entity not subject to the Official Languages Act, the full document is only available in the language provided.

Introduction

Facebook appreciates the opportunity to comment on the OPC's discussion paper regarding potential enhancements and alternative approaches to consent under PIPEDA. The paper poses important questions and reflects the growing view that industry, academia, governments and civil society must continue to evaluate the best ways to communicate data practices to consumers and give them meaningful choices about their personal information.

Facebook believes that PIPEDA is readily adaptable to new technologies and business models and can support enhancements and supplemental approaches to traditional models of consent. As the OPC appreciates, consent is fundamentally about transparency and control:  It is about ensuring people understand how their personal information will be collected, used and shared and giving people meaningful choices about those practices. Transparency and control are crucial to building trust in the digital economy, which, in turn, can help drive economic growth and improve people's lives. Building this trust was, of course, the chief objective of the Government of Canada in creating PIPEDA – and its economic and social values have been borne out in the growing connectedness and economic growth in Canada since PIPEDA’s passage.

The discussion paper rightly notes that technologies like cloud computing, smart phones, and the Internet of Things present challenges to traditional models of consent. Because PIPEDA is a principles-based framework that was drafted to be technology- and business-practice neutral, the OPC can work within the existing PIPEDA framework to help organizations meet these challenges; no legislative changes are needed. Indeed, PIPEDA stands in contrast to other privacy and data protection frameworks in that the OPC and organizations can apply PIPEDA’s privacy principles flexibly, as technology and business practices change, without needing to continually amend the statute to adjust to the latest trends.

A central aspect of PIPEDA’s success in protecting privacy while promoting growth and innovation is its approach to consent, which recognizes that the nature of consent (i.e., whether it is express or implied) may vary depending, among other things, on the expectations of the individual, the circumstances of the transaction, and the type of information being collected, used or shared. PIPEDA also recognizes that a variety of mechanisms may be appropriate for obtaining consent.

These broad principles have given the OPC the ability to address privacy challenges posed by new technologies by taking a people-centered approach to consent – that is, by staying focused on the needs and expectations of individuals across a variety of different contexts.

In these comments, we begin with a discussion of PIPEDA’s approach to consent and demonstrate how the existing law has continued to enable the OPC to address the privacy challenges posed by new technologies. We then turn to a discussion of potential enhancements and supplemental approaches to consent, providing examples of practices we have implemented at Facebook. We emphasize throughout these comments that PIPEDA’s current framework gives organizations the ability and the incentive to develop creative approaches to consent that meet the demands of today’s technology landscape.

PIPEDA’s Continued Viability

PIPEDA was constructed around the principles-based CSA Model Code for the Protection of Personal Information, which was intended to balance the privacy of individuals with legitimate data requirements of businesses and other organizations.^{Footnote 1} This principles-based approach was selected to create a law that would be readily adaptable to new technologies, business models and social environments. As the OPC noted in Protecting Privacy in an Intrusive World, “PIPEDA is intended to be a general and technology-neutral data protection law”.^{Footnote 2} Similarly, in her 2005 Privacy Research Paper respecting the merits of the ombuds-model under PIPEDA,^{Footnote 3} former Privacy Commissioner Jennifer Stoddart noted that even before the Privacy Commissioner becomes involved in the resolution-making process, the inherent flexibility of the CSA Code in PIPEDA enables individuals and private sector organizations to resolve potential conflicts themselves through the application of general fair information principles to specific fact situations. Through its principles, PIPEDA offers the necessary tools and guidance of a self-correcting scheme.

Indeed, the existing PIPEDA framework gives the OPC the ability to think about consent broadly and to apply a fact-specific analysis when considering whether a business has obtained appropriate consent in a particular scenario.

In this regard, we note that the consent framework within Schedule 1 of PIPEDA includes the following important sub-principles respecting consent [emphasis added]:

1. The preamble to Principle 3 – Consent indicates that “The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.”
2. Subprinciple 4.3.4 provides that “The form of the consent sought by the organization may vary, depending upon the circumstances and the type of information.”
3. Subprinciple 4.3.5 provides that “In obtaining consent, the reasonable expectations of the individual are also relevant.” In the example provided in the subprinciple, a magazine publisher was entitled to assume that the request to subscribe constituted consent to the use of personal information for certain purposes, including being contacted for renewal of the subscription.
4. Subprinciple 4.3.6 provides that “The way in which an organization seeks consent may vary, depending on the circumstances and the type of information collected.”
5. Subprinciple 4.3.7 acknowledges that individuals can give consent in many ways.

The Federal Court of Appeal has indicated that, in interpreting the law, and the principles of Schedule 1 in particular, it must protect individual privacy and ensure that organizations can access and use personal information in a way that is consistent with their legitimate business purposes.^{Footnote 4}

The combination of the foregoing principles, along with the statement of the court, provides the OPC with guidance and a great deal of latitude to address some of the challenges to consent highlighted in its discussion paper.

And, indeed, the OPC’s activities over the years demonstrate that, within PIPEDA’s comprehensive and people-centered consent framework, the OPC has been able to address consent issues respecting many new technologies and business models. Specifically, the OPC has issued findings respecting a wide variety of cases that apply PIPEDA’s consent provisions to a broad array of technologies and commercial scenarios. Many such findings are set out in the OPC’s Interpretation Bulletin: Forms of Consent, a document summarizing cases involving data types ranging from voiceprints and palm-vein scanners to consumer purchase information and email addresses.^{Footnote 5} In each of the cases documented, the OPC looked carefully at a range of factors, including the sensitivity of the data at issue and the reasonable expectations of the data subject in a particular context, in determining whether the business had obtained sufficient consent.

In addition to individual findings, the OPC also has issued guidance applying PIPEDA’s consent framework to new technologies and applications, including Guidelines for Online Consent (and related FAQs), the above-noted interpretation bulletin on Forms of Consent, Collecting from kids? Ten tips for services aimed at children and youth, and its Policy Position on Online Behavioural Advertising, which includes guidance on the appropriate form of consent for certain advertising practices. These publications demonstrate the ability of the OPC, within its current legislative framework, to determine appropriate forms of consent with respect to new technologies and data uses. The publications also show that the OPC has been able to tailor the required form and nature of the consent to a variety of specific contexts, frequently involving implied consent models. In the discussion paper, the OPC reiterates the importance of differentiating between different kinds of uses of data, making clear that different approaches to consent may be appropriate in different situations.

Enhancing Consent within PIPEDA’s Existing Framework

PIPEDA’s approach to consent, which, as the discussion paper notes, “recognizes that the form of consent can vary” in light of the “sensitivity of the information and reasonable expectations of the individual,” is a sensible one.^{Footnote 6} Because the range of online and offline services that involve personal information can vary enormously and evolve quickly, static rules mandating the proper method for presenting choice are likely to be difficult to implement and difficult to enforce in the long run. We therefore appreciate PIPEDA’s focus on ensuring people are informed and have choices about their information, while giving companies the flexibility they need to honor the expectations of people who use their products and services.

Facebook’s Approach to Providing Transparency and Control

We also agree with the OPC that organizations should consider a variety of user-friendly means to make their privacy practices, and the choices available to people, as accessible and understandable as possible. We have invested heavily in providing new forms of transparency and control that are designed to empower the people who use Facebook, while providing them with the fast, fluid experience they expect from our service. Our approach to privacy combines (1) products specifically designed to inform people about data practices; (2) features built into products that enable people to understand and control how their information is used and shared; and (3) in-product, contextual experiences that continuously educate and remind people about the ways we use their information to power our services.

We think this approach provides an example for an enhanced approach to consent – one in which a variety of forms of transparency and control are provided, depending on the nature of the data at issue and the expectations of people using our services.

 Products Designed to Inform People About Facebook’s Privacy Practices

We build products that are specifically designed to educate people about how they can control the use of their information on Facebook. This effort starts with our Data Policy, which we have designed in a way that provides an easy-to-read overview of how we use the data we receive. But while privacy policies are important, we also believe that they can only be a starting point for a broader effort to engage our community in a conversation about privacy. We also provide more interactive products that enable people to understand and control the use of their information to power our services. For example:

Privacy Basics. Privacy Basics offers interactive guides to answer the most commonly asked questions about how people can control their information on Facebook. In designing Privacy Basics, we focused on making the information we present as approachable as possible, providing illustrations and real-world examples to help people understand our practices.  

Privacy Basics on mobile with a sample “Choose your audience” page

Text version

A visual representation of Privacy Basics on a mobile, with a sample “Choose your audience” page

Privacy Checkup. Privacy Checkup, a tool that is offered in the Facebook interface itself, walks people through a few quick steps to help them ensure that only the people they want can see the things they share on Facebook. People can review whom they are sharing with, the apps they have connected to Facebook, and the privacy of key pieces of information on their Facebook profile.

Privacy Checkup on mobile

Text version

A visual representation of Privacy Checkup on a mobile

Ad preferences. Ads are a core part of Facebook: They enable us to provide a free service to more than 1.7 billion people each month (21 million in Canada), and they help people discover products, services and causes that they may be interested in. As with other content on Facebook, we use the data we receive about people to help make ads relevant. Ad Preferences is an industry-leading control that explains why people see specific ads and makes it easy to remove interest categories we use to show people ads. We are working on ways to make the ad preferences interface even more engaging and to give people more control over their ad experience.

Ad Preferences Home 

Text version

A visual representation of Facebook’s Ad Preferences home page.

(1) Inline control – Why am I seeing this?, (2) Inline control actions - Hide all ads from this advertiser

Text version

A visual representation of Facebook’s Inline control options – “Why am I seeing this?” and “Hide all ads from this advertiser”

In-Product Controls

In addition to products developed to educate people about how their data is used on Facebook, we also build tools into products people use to connect and share with friends, family and organizations. For example:

Audience Selector. We give people the ability to see the audience for every post they make on Facebook – at the time when they post – and easily change the audience before they decide to share. People can also change the audience for past posts.  

(1) Desktop Audience Selector, (2-3) Mobile Audience Selector, (4) Audience Selector in Settings

Text version

A visual representation of Facebook’s Audience Selector on Desktop, in Mobile and in Settings.

Activity Log. We also enable people to review their past activities on Facebook and to delete or change the privacy of things they have posted.

Text version

A visual representation of Facebook’s Activity Log

App Dashboard Controls. People also can easily control the third-party apps that integrate with the Facebook Platform in order to personalize experiences by using people’s Facebook data.  And they can visit the app dashboard in their settings to see which apps they have previously authorized and make changes to the choices that they made.

Text version

A visual representation of Facebook’s App Dashboard Controls

Contextual Education

As we have continued to develop our approach to transparency and control, we have focused more and more on building lightweight, in-product experiences that ensure people understand how their information is being used at the moment when it matters most to them, but without creating unnecessarily disruptive experiences.  For example, we use overlays that remind people when they are posting publicly: 

Text version

An image of the overlay Facebook uses to remind people they are posting publicly which reads: Your Post is Public. This means anyone can like, share or comment on it. You can change this in the menu on your post.

We also let people know key information about new products, such as this one from Facebook Live, which reminds people that they will be visible to their friends when they are watching a live video: 

Text version

A visual representation of Facebook Live’s reminder that reminds people they will be visible to their friends when they are watching a live video.

And we take additional steps to provide education to minors who are using our products, such as this reminder that we provide when a minor receives a friend request: 

Text version

A visual representation of Facebook’s reminder to minors to only accept Friend Requests from people they really know.

The transparency and control experiences discussed above differ in terms of the nature, quantity and depth of information that people receive, the time at which this information is presented to them, and the form of the control that is offered. These different approaches are largely a result of the nature of the information, the expectations people have about their data when they use Facebook, and the needs and expectations of our community.

For example, while our Data Policy provides a detailed overview of the ways in which we collect, use and share information, Privacy Basics offers a series of topic-specific modules that provides higher-level descriptions of key privacy practices.

We also provide different forms of control depending on the nature of the information that is governed by the control. For example, before we retrieve the contacts stored on a person’s device as a part of helping people connect with their friends on Facebook, we ask people to provide explicit consent. For other information, such as information about activities on websites and apps that use Facebook technologies (such as our social plugins), we provide clear notice in our Data Policy and associated educational materials, and give people the ability to opt-out of the use of that information to create advertising interests. And in other places, we offer in-product information that educates (or reminds) people about the ways our products work so that they can feel confident that their information is being used in ways they expect. 

Accountability as a supplement to consent

The discussion paper also considers consent in relation to other privacy principles, such as accountability. As the OPC notes in its paper, new technologies (like those of the so-called Internet of Things - IoT) may require companies to think beyond traditional notions of consent as the model for protecting consumer privacy while preserving the promise of data-driven services. We support the OPC’s exploration of these governance-based supplements to consent.

Fortunately, the existing legislative framework for privacy is readily adaptable to new technologies and business models and is working well – as it was explicitly designed to do. We also think that this framework could be used to support alternatives to the traditional approaches to consent, and that no legislative changes are required to do so. The OPC could consider, for example, an organization’s maintenance of responsible data practices as part of an accountability or privacy governance program in determining the appropriate form of consent under a given set of circumstances.

At Facebook, we have built an industry-leading privacy governance program that works to identify and address potential privacy issues during the product design phase, and to ensure that we’re accountable for the privacy decisions we make.

Specifically, our cross-functional review process involves people with cross-disciplinary expertise who collaborate to identify privacy issues and address them through product design. Key stakeholders that participate in this process include: 

• Our product managers and software engineers, who ensure we are incorporating sound design and engineering principles into our products;
• Our legal team, which ensures we are complying with our legal obligations;
• Our policy team, which ensures we are incorporating input from external stakeholders and thinking not only about what the law is, but also how privacy is evolving around the world;
• Our marketing and content strategy teams, which ensure we are communicating clearly with people;
• Our security team, which works to protect the integrity of our computing infrastructure and the data we store; and
• Our privacy program management team, which facilitates the reviews so we can build on past learnings and maintain consistency.

We are proud to have had our privacy program in place for more than five years, and we think the kind of accountability it embodies is more important than ever. We also support—and, indeed, are actively engaged in—the efforts of organizations such as the Center for Information Policy Leadership, the Future of Privacy Forum, and the Information Accountability Foundation (all of which are noted in the discussion paper) as they attempt to develop accountability models for the broader industry. We encourage the OPC’s continued exploration of these models.

Conclusion

Facebook agrees with the OPC that new technologies, services, uses of data and business models have presented, and will likely continue to present, challenges to older, more traditional ways of thinking about consent. We are confident not only that the existing PIPEDA framework can meet these challenges, but that the OPC can use them as an occasion to highlight the strength and flexibility of Canada’s privacy regime relative to those in use in other parts of the world. 

Many of the issues and concerns may be managed through the use of enhanced consent approaches, which focus on innovative and user-friendly ways to present an organization’s information management practices, and provide users with clear information regarding their choices with respect to the collection and use of their data, as well as the ways in which those choices might be expressed. Privacy governance approaches to product development can also go a long way to strengthening accountability and enhancing consumer trust.

We believe that a model for privacy protection that is flexible and recognizes a range of approaches to consent that are appropriate to the context in which data is used, continues to be the best approach for enabling people to make choices about their information, and an appropriate basis for a legislative framework. This is the approach currently embodied in PIPEDA, a law that continues to build trust and drive growth in the digital economy. 

We commend the OPC for its proactive approach to exploring how companies can enhance and build supplemental approaches to consent, and we welcome an ongoing dialogue with the OPC on this matter.