Submission to the OPC’s Consultation on Consent under PIPEDA (Shopify)

Shopify

October 2016

Note: This submission was contributed by the author to the Office of the Privacy Commissioner of Canada’s Consultation on Consent under PIPEDA.

Disclaimer: The opinions expressed in this document are those of the author(s) and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada.


Summary

Shopify is a proudly Canadian company on a mission to make commerce better for everyone. We’re committed to protecting privacy and helping entrepreneurs and small and medium-sized businesses (“SMBs”) grow and thrive. As an online software provider to over 300,000 merchants around the world, we believe we can offer a unique perspective on privacy and consent online.

Our view on meaningful consent can be summed up in a few key points:

  • PIPEDA provides robust but flexible privacy principles that were designed to adapt to technological change over time. No further amendments to PIPEDA are needed to promote meaningful consent online.
  • Shopify’s privacy policy is layered, transparent, and accessible, and we provide straightforward tools for our merchants to obtain meaningful consent from their customers. All organizations should meet this standard.
  • Entrepreneurs and SMBs would benefit from more accessible educational tools that explain, in plain language, why privacy is important to business and how to obtain meaningful consent from users.
  • Shopify supports alternatives to consent, such as de-identification, that provide additional privacy protection for users and can be implemented under the current legislative framework.
  • Trustmarks and codes of practice are not practical tools for ensuring that entrepreneurs and SMBs obtain meaningful consent as they add additional complexity and cost.

Full submission:

Note: As this submission was provided by an entity not subject to the Official Languages Act, the full document is only available in the language provided.

Introduction

In Part I of our comments, we describe what meaningful consent looks like on the Shopify platform. In Part II, we address questions and proposals from the OPC’s “Consent and Privacy” research paper (the “Consultation Paper”). In Part III, we offer final suggestions. We have read and understood the consultation procedures, and are pleased to contribute to this discussion on consent and privacy in Canada.

Part I: Shopify: An Overview

One Platform, Every Channel, Any Device

Our business model

Shopify provides the leading cloud-based, multi-channel commerce platform designed for entrepreneurs and SMBs. We power over 300,000 businesses in approximately 150 countries. Our platform is trusted by international brands like Tesla Motors, Budweiser, Red Bull, the New York Stock Exchange, and GoldieBlox. In 2015, our merchants’ shops averaged 140 million unique monthly visitors — 59% of which were from mobile devices — and we processed an average of 8.7 million orders per month. Since 2006, Shopify customers (“merchants”) have generated over $17 billion in sales.

Our platform helps merchants operate and grow their businesses, offering security, scalability, and reliability for a monthly subscription fee. Shopify makes it easy for merchants to do product and inventory management, process orders and payments, ship products, conduct analytics and reporting, and build customer relationships, all from one simple and secure online back office.

We are proud to help entrepreneurs and SMBs realize their business potential and seamlessly sell goods and services on web and mobile storefronts, over social media, and in physical retail locations — anywhere, anytime.

Our consent mechanisms and commitment to transparency

We build our products and services with simplicity and accessibility in mind. We want all of our merchants to understand how we collect, use, and store data, since they must agree to our privacy policy before using our platform. We use plain language and clear section headers to make our privacy policy straightforward and easy to read. A link to our layered privacy policy can be found on every Shopify web page, enabling our merchants to make informed privacy decisions.

We also help our merchants meet their consent obligations to their customers by providing generic and customizable privacy tools. Merchants can use our privacy policy generator to create a clear and comprehensive privacy policy for their online store. The template privacy policy in the generator includes a plain language notice and consent mechanism that merchants can adapt to fit their own privacy practices and needs. It also makes clear to merchants’ customers that when they buy from a Shopify-powered store, Shopify will use and store their information on behalf of the merchant.

How we use data

We use de-identified data to improve the services we offer to merchants and to help our merchants improve their own businesses. While the majority of data that we collect is not considered personal information under PIPEDA, we continuously evaluate our data storage, access, and transport mechanisms to safeguard our users’ privacy. Personal information that we collect from merchants or their customers gets filtered into a separate “sensitive” data pipeline. This lets us monitor where personal information is accessed and stored, and helps us build proactive monitoring and compliance tools. Our automated systems purge personal information when a merchant is no longer active on the platform or upon request.

Part II: Comments on the OPC’s Consultation Paper

PIPEDA’s principles-based, technology-neutral privacy framework is an effective way to ensure that organizations obtain meaningful consent online, now and in the future. Informed consent is possible without legislative amendments and without overhauling the existing Canadian privacy regime. In our view, increased transparency and accessibility in privacy policies and Privacy by Design (PbD) are the best strategies for promoting meaningful consent online. We also support alternatives to consent, such as de-identification, where appropriate.

Shopify supports increased transparency in privacy policies and notices, and strategies that promote Privacy by Design (PbD)

At Shopify, we build security and privacy safeguards into our products and services from the start. We support Privacy by Design principles and are proud to provide our merchants with a powerful and secure platform to run their businesses on. We also offer a privacy policy generator that helps our merchants integrate privacy protection for their customers when they first create their online store.

Transparency and accessibility are the cornerstones of meaningful consent online. We put these values into practice by providing our merchants with comprehensive privacy information at relevant times and by making sure that our privacy notices are clear, accessible, and free of confusing legal jargon. To ensure transparency and accessibility, a privacy policy should have at least three layers: (i) a link to the privacy policy easily found on every web page, (ii) a concise and complete plain language explanation of the organization’s privacy practices, and (iii) detailed supplemental information for the reader who wants to learn more.

Enhancing consent improves user trust and helps online businesses thrive

Recent consumer privacy surveys show that strong privacy practices are essential for business. In a 2014 OPC survey (Footnote 1), many respondents said they avoided or had stopped frequenting businesses that appeared overly intrusive or not serious about privacy protection. A similar survey of 41,000 American households by the U.S. National Technology and Information Administration showed that nearly 50% of respondents had decreased their activities online—mainly shopping and banking—due to privacy concerns (Footnote 2). We take these findings very seriously, as both an ecommerce provider and as a data steward on behalf of our merchants.

In our experience, ensuring strong privacy protection and seamless functionality can be a balancing act. Seemingly small changes to the online user experience can have a dramatic impact on business; data shows that as the number of steps required to complete an online transaction increases, the number of completed transactions decreases. We also recognize that the entrepreneurs and SMBs that make up the overwhelming majority of our merchants often have limited time, financial resources, and access to legal advice. We aim to address these realities by offering our merchants transparent, accessible, and comprehensive privacy tools and information. Going forward, these groups should be a priority focus for OPC education and assistance initiatives that help entrepreneurs and SMBs identify and address their privacy obligations.

Supplementing transparency and accessibility with alternatives to consent

Alternatives to consent, such as the de-identification of personal information, provide additional privacy safeguards that can be implemented under the current legislative framework. Even the basic practices of removing and obfuscating identifiable information can help mitigate against privacy risks, including the risk of re-identification in the case of a data breach and the risk that information will be stored beyond what consent allows. De-identification is a useful privacy tool that we use at Shopify. It allows us to use non-sensitive data for analytics (for instance, calculating order volume over time) while keeping our users’ personal information safe.

What makes sense for a large international brand might not make sense for an entrepreneur selling t-shirts out of their home

“One-size-fits-all” sectoral codes of practice, trustmarks, and privacy seals do not reflect the diversity of practices and needs of businesses in the digital economy. Codes of practice would likely make existing privacy requirements harder for entrepreneurs and SMBs to understand and comply with. In addition, they would not meaningfully enhance the existing legislative framework, particularly since Principles 4.1 and 4.1.4 of Schedule I of PIPEDA already provide concise and comprehensive guidance on accountability. These principles state that organizations must (a) implement procedures to protect personal information; (b) establish procedures to receive and respond to complaints and inquiries; (c) train staff and communicate information about the organization’s policies and practices; and (d) develop information to explain the organization’s policies and procedures.

Similarly, trustmarks and privacy seals are not effective or efficient tools for entrepreneurs and SMBs, particularly in light of the high costs to certify. As an alternative to trustmarks and sectoral codes of practice, the OPC should consider providing more free, practical, plain language privacy tools that can help entrepreneurs and SMBs meet their compliance obligations under PIPEDA.

Part III: Conclusion and other recommendations

PIPEDA provides a robust framework that was designed to evolve organically in response to changes to the digital landscape. Social media, cloud computing, mobile devices, and data analytics are all transforming the way we live and do business online. The existing technology-neutral, principles-based framework provides clear direction and effectively safeguards individual privacy interests. Legislative changes would not materially enhance meaningful consent online.

Obtaining meaningful consent in the ever-evolving digital economy doesn’t need to be complicated. By providing our merchants with clear, plain language privacy information, Shopify empowers users to make informed decisions about how their personal information is collected, used, and stored. We also empower our merchants to better meet their own privacy and consent obligations to their customers by providing them with accessible and customizable privacy tools.

Effective educational tools that promote and model privacy best practices can help businesses comply with the current legislative framework. The OPC's existing guidance documents should be expanded on and shared widely to businesses of all sizes, and tailored especially to the needs of entrepreneurs and SMBs. For example, clear and comprehensive materials that provide guidance regarding when PIPEDA requires enhanced consent and when it allows alternatives to consent would prove useful.

Thank you for this opportunity to share our experience and insights.