Advanced Privacy Consent Systems

Signatu

October 2016

Note: This submission was contributed by the author to the Office of the Privacy Commissioner of Canada’s Consultation on Consent under PIPEDA.

Disclaimer: The opinions expressed in this document are those of the author(s) and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada.


Summary

PIPEDA’s accountability principle requires organizations to develop and implement policies and practices to uphold the Fair Information Practice Principles (FIPPs), including the obligation to obtain meaningful consent. The OPC states that the FIPPs challenge organizations, researchers and technologists to be more creative in how they present information to data subjects and use technology to build in privacy protections with a view to making consent more meaningful for data subjects. In this consultation paper we will elaborate on the OPC’s question:

“(w)hat tools (for consent) would be effective and who is best placed to implement them?”

The OPC points out that the vehicle for conveying information about privacy practices, i.e. the privacy policy, has not evolved at the same pace as the ecosystem.

Further, the OPC points out that data subjects have little time and energy to fully engage with privacy policies and face cognitive biases and practical constraints when making privacy decisions, while controllers are confronted with the practical difficulties of trying to explain their personal information management practices.

A major challenge is how to author meaningful information about privacy risks in order to inform the data subjects’ decisions whether or not to provide consent.

Below, we will present a few of Signatu’s considerations behind the making of its advanced engine that allows controllers to author meaningful information in different output formats in order to inform the data subjects’ decisions whether or not to provide consent (see points 5-12 below).

Furthermore, the OPC points out that the complexity of today’s information ecosystem, especially in the context of cloud computing, big data and the Internet of Things (IoT), poses challenges to obtaining and providing meaningful consent.

A major challenge in this environment is how to provide data subjects with a privacy policy, given that information and communication systems may impose constraints on its delivery through their different interfaces, input and output modalities, limited screens, lack of screens, persistence of personal data collection, relation to specific audience groups, etc. Hence, privacy policies need to be designed for the specificities of a system.

Below, we will present a few of Signatu’s considerations behind the making of its advanced engine that allows for multiple scenarios in which controllers can integrate privacy policies into systems for delivery to data subjects through different channels, en bloc or layered, or integrate parts of privacy policies at key points in the user experience (granular consent) (see points 13-14 below).

The full submission is available in the following language(s):

English (Google document)

Note: As this submission was provided by an entity not subject to the Official Languages Act, the full document is only available in the language provided.
