Submission to the OPC’s Consultation on Consent under PIPEDA (PrivacyCheq)

PrivacyCheq

October 2016

Note: This submission was contributed by the author to the Office of the Privacy Commissioner of Canada’s Consultation on Consent under PIPEDA.

Disclaimer: The opinions expressed in this document are those of the author(s) and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada.


Dear Policy and Research Group:

This communication comes to you on behalf of PrivacyCheq, a United States corporation, specializing in the PbD development of privacy enhancing software technology.

We are responding to your invitation “to provide submissions on the viability of the consent model and proposing solutions to improve individual control over personal information in the commercial environment”. We have read and understood the consultation procedures as published. The following comments may implicate industry and regulators.

Under “Possible Solutions”, the Consent and privacy discussion paper presents a range of five general solutions that have been proposed by various stakeholders to solve some of the privacy challenges of new technologies and business models. PrivacyCheq believes that the first solution: “Enhancing informed consent through more understandable and useful ways of explaining information management practices to individuals as well as more user-friendly ways of expressing privacy preferences” is the solution that has the most merit. We respectfully offer the following observations, reasoning and opinions in support of that conclusion:

  1. Consent is the cornerstone of PIPEDA. Likewise, the EU’s GDPR and the US FIPPs identify consent as the bedrock for framing fair use of consumer personal information (PII) and building consumer trust. In our thinking, conceptually gathering PII without obtaining consent is a non-starter.
  2. In the context of gathering consumers’ PII, consent is meaningless without notice. In today’s privacy-conscious environment, consent is seriously flawed without effective notice. We believe that a good basic step towards “fixing” consent could be to “fix” notice first, or simultaneously.
  3. Most definitions of effective notice include collections of words like “explicit”, “specific”, “informed”, “concise”, “transparent”, “intelligible”, “easily accessible”, “clear”, and “straightforward”. Yet study after study of privacy policies, privacy notices, and terms of service statement effectiveness show a persistent disconnect between what a consumer needs to (and can) know at consent time, and what actual consumer-friendly (effective) notice is available. It’s a conundrum, and it has been for many years.
  4. In our opinion, this is nobody’s fault … and it is everybody’s fault. For his part, the consumer will rarely take the time to read and digest a lengthy, dry, legal document before breathing deeply and checking the “I Agree” consent box. The data controller, bound by regulation and the need to avoid risk, is most comfortable providing only that same dry, legally detailed, full disclosing “boiler plate” multi-page document … a defensive, yet very understandable notice strategy on his part.
  5. How might the OPC act to gently unravel this information vs. obfuscation conundrum? We believe that by leveraging the extraordinarily capable technology now generally available to everyman, this could largely be accomplished socially, rather than by regulation. Here are some suggestions as to how that might be done:
    1. Work socially with data subjects and data controllers alike to redefine the notice/consent transaction as cooperative, rather than adversarial for both parties. Help data subjects understand that an effective privacy notice is likely a best source of information at consent time. Likewise, help companies understand that a positive notice/consent transaction can be a unique opportunity to gain and build digital and brand trust with the consumer. Ideally, both parties should benefit and grow through the notice/consent transaction.
    2. Work socially to change a popular corporate mindset that every expression of privacy policy, every privacy notice, every TOS, etc. is an opportunity and invitation for legal redress against the data controller. Work to let DCs see that layered notices that restate an organization’s privacy policies in different ways are all useful and desirable in conveying effective notice to consumers at consent time, so long as full “boiler plate” disclosure is readily available for the deep diver. Some data subjects will benefit from having a brief privacy policy layer, while others might prefer a Q&A style layer that lends itself to providing “just in time” answers to why some personal data is needed. Younger people often do better with a video privacy policy, and maintaining a privacy notice in alternate languages is important for organizations that do business throughout the world.  Work to encourage and support DCs efforts to build mutual digital trust and healthy brand recognition with consumers by enriching (as opposed to obfuscating) the notice/consent transaction.
    3. Work socially to change a persistent mindset among consumers that all forms of pre-consent notice are to be avoided and/or ignored. Work to educate consumers (perhaps by example) that where consumer-friendly forms of notice are available (especially enlightened noticesFootnote 1), they can be very effective in giving event-specific “just what I needed to know”, “just in time” information at consent time.
    4. Work as regulators to encourage data controllers to offer electronic management tools to give data subjects methods for exercising their rights to manage their consent.
  6. The technology exists today to implement many of the above suggestions across desktop, laptop, tablet, and smartphone platforms. Several prototype examples have been provided in the links above.

Summarizing, in answer to the prescribed major questions:

  1. Of the solutions identified in this paper, which one(s) has/have the most merit and why? In our opinion, Solution 1) Enhancing consent, has the most merit.
  2. What solutions have we not identified that would be helpful in addressing consent challenges and why? We believe that recognizing and promoting new, more effective and robust techniques for notice presentation and delivery would be a major step towards improving and enriching consumers’ consent experience.
  3. What roles, responsibilities and authorities should the parties responsible for promoting the development and adoption of solutions have to produce the most effective system? N/A
  4. What, if any, legislative changes are required? N/A

The privacy engineers at PrivacyCheq thank you for this opportunity to comment, and stand open to further discussion and explanation as these comments may engender.

Sincerely,

Dale R. Smith, CIPT
Futurist
(Information Technologist)
PrivacyCheq

Date modified: