Submission to the OPC’s Consultation on Consent under PIPEDA (PIAC)

Public Interest Advocacy Centre

October 2016

Note: This submission was contributed by the author to the Office of the Privacy Commissioner of Canada’s Consultation on Consent under PIPEDA.

Disclaimer: The opinions expressed in this document are those of the author(s) and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada.


Summary

Canadian consumers generally are not aware of and do not understand how information about their online activities is being collected and used. The problem is not that online businesses are unable to obtain consent, but that consumers’ personal information too often is being used without meaningful consent.

PIPEDA requires online businesses to obtain informed consent for the collection, use and disclosure of individuals’ personal information. Individuals’ privacy rights are undermined by accepting hollow ‘contractual-type’ consent. Requiring true informed consent serves the objectives of privacy law, including giving users confidence in sharing the information required to engage in online transactions, enhancing users’ informational self-determination, and giving effect to the preferences of users as consumers and as citizens.

The current protections of PIPEDA must not be undermined to allow online businesses to collect, use, and disclose personal information against the will of consumers. The solution to online businesses abusing such personal information is not the relaxation of those rules, but stricter enforcement of the requirements for meaningful, informed consent set out in PIPEDA. To this end, the Privacy Commissioner should be given the power to make orders and impose fines.

Among the solutions proposed to enhance consumer control over their personal information online, we favour:

  1. the implementation of a standard set of privacy preferences,
  2. the implementation of a trustmark system,
  3. tagging data to indicate limitations on its use and disclosure.

We are concerned that many of the proposed “Alternatives to Consent” are means of allowing online businesses to collect, use, and disclose personal information against the wishes of, or without the true informed consent of, consumers. De-identification and contractual backstops are useful strategies for minimizing the risks of authorized collection, use, and disclosure. They are not, however, alternatives to consent.

We support the defining of zones where collection, use and disclosure of personal information is prohibited irrespective of consent. We also support defining caution zones where the risk of harm means more disclosure and sensitivity around informed consent is required. We particularly support the implementation of age restrictions reflecting the capacity of children to provide informed consent.

Industry codes of practice and ethical assessments are no substitute for proper regulation. Allowing self-regulation in lieu of consent would not reduce the transaction costs involved in explaining a use and seeking consent; it would overcome the will of most consumers.

The full submission is available in the following language(s):

English (PDF document)

Note: As this submission was provided by an entity not subject to the Official Languages Act, the full document is only available in the language provided.
