After a year of high-profile data breaches that have shaken the public’s trust in companies’ collection of personal data, Canada’s privacy watchdog is issuing new guidelines for private-sector companies to obtain “meaningful consent” from their users and customers.
The guidelines make clear that it’s no longer sufficient for companies to simply provide a legal disclaimer — that most users will never read — to obtain consent to collect, use and monetize users’ personal information.
“Under privacy laws, organizations are generally required to obtain meaningful consent for the collection, use and disclosure of personal information. However, advances in technology and the use of lengthy, legalistic privacy policies have too often served to make the control — and personal autonomy — that should be enabled by consent nothing more than illusory,” the guidelines, which come into effect Jan. 1, read.
“Consent should remain central. But it is necessary to breathe new life into the ways in which it is obtained.”
The guidelines, issued by federal Privacy Commissioner Daniel Therrien along with his counterparts in B.C. and Alberta, are organized around seven key considerations for companies collecting user data. They include:
- Emphasizing key points, including what data is being collected, how it is being used, and who it will be shared with. The risks associated with sharing things like location data — as well as the possibility of physical harm, embarrassment or loss of employment in the event of a data breach — should also be emphasized, the watchdogs said.
- Providing “layers” of information on privacy policies. Some users may want a quick summary of the dangers, others may want a deep dive into the nitty-gritty legal language of a policy. The watchdogs suggest companies provide both options.
The watchdogs also said children cannot be expected to provide “meaningful consent” for the use of their private information — a particularly pressing issue for those children who unwrapped new gaming systems, mobile phones and other internet-connected goodies over the holidays.
“Where a child is unable to meaningfully consent to the collection, the use and disclosure of personal information … consent must instead be obtained from their parents or guardians,” the guidelines read.
Therrien’s office said children under the age of 13 are considered unable to consent to the use of their personal information, while children over the age of 13 may be able to — but companies must be sensitive to what they’re asking of minors.
The guidelines are largely voluntary, representing what Therrien’s office considers best practices for companies to follow. But they come at a time when high-profile data breaches — along with cases of companies blatantly taking advantage of their customers’ trust — have shifted the conversation around privacy and data autonomy from the fringes to the mainstream.
While tech giants such as Facebook, Google, Microsoft and Amazon have yet to be hit with substantial fines or penalties for their transgressions, countries around the world — including Canada, the U.S., and the U.K. — are openly talking about reining in those companies’ power.
Public polling released by Therrien’s office showed that Canadians’ awareness and concern about privacy issues have been steadily rising in recent years. In 2012, just 42 per cent of respondents told the Office of the Privacy Commissioner they were concerned or extremely concerned about privacy issues. That grew to 52 per cent in 2014, and 57 per cent in 2016.
Alex Boutilier is an Ottawa-based reporter covering national politics.