Is “Meaningful Consent” a Contradiction in Terms?: Three Design Jams Seek the Answer

As Canadians continue to embrace connected devices, are they aware of the privacy trade-offs they might be making? Are they ‘meaningfully’ consenting to how these devices collect and use their information?

3964 words and 18 minutes. According to one study, that’s the average word count of a typical privacy policy, and the average time it takes someone with proficient reading abilities to read it.

Let’s be honest, like millions of other Canadians, when we get a new device, whether it’s a smart watch, a digital personal assistant, or even a wearable health monitor, we typically pull it out of the box and rapidly click "Agree" regardless of its terms of service and privacy policies. We impatiently scroll and finger-swipe our way down lengthy and arcane ‘consent’ agreements, replete with opaque legalese – without knowing what information will be collected about us, who will get to look at it, and what it’s actually worth in the burgeoning data market.

And once we click “Agree”, it’s entirely possible that multiple companies will end up knowing more about our daily habits and activities than many of our closest friends and neighbours. We quickly ‘agree’ even though we are keenly aware that companies will possess sensitive information about us, that data breaches are a common occurrence, and that our personal information can be both used and abused.

But what choice do we have? Against our better judgment, we ‘agree’ because we want to use technology. In some cases, we need to use it. And who among us has the time, expertise, or inclination to become privacy, legal, or datamining experts? So we click “Agree”, and hope for the best.

“Once we click “Agree”, it’s entirely possible that multiple companies will end up knowing more about our daily habits and activities than many of our closest friends and neighbours.”

Under the federal Personal Information Protection and Electronic Documents Act – PIPEDA, as it is known – organizations are required to obtain “meaningful consent” for the collection, use, and disclosure of personal information. In order for consent to be meaningful, organizations must inform individuals of their privacy practices in a comprehensive and understandable manner.

However, many privacy experts believe that complex legal agreements with private companies and governments that collect, analyze, and store our personal information do not constitute meaningful consent.

Even though some would argue that PIPEDA is old and obsolete, consent remains central to personal autonomy and continues to play a prominent role in privacy protection – where it can be meaningfully obtained.  

Sometimes when a problem seems intractable, the best way forward is to get everyone in a room to try and figure things out. To grapple with the relationship between technology and meaningful consent, the OPC issued a call for “Design Jams” – collaborative brainstorming events that bring together experts from varied backgrounds to generate solutions in a creative environment.

Applicants were asked to develop proposals that aimed at developing new, cutting-edge consent solutions that incorporate the OPC’s Guidelines for obtaining meaningful consent.

Three Design Jam projects were funded. To learn more about each project:

• Meaningful Consent in Healthcare Innovation: Barrier or Enabler? – Design jam on a modernized consent model to unlock health innovation
• Your Devices Are Watching… – Design jam: “In the age of connected devices, what is meaningful consent?”
• Hacking Privacy – Citizen hacks design jam: A youth-run jam