The Standing Committee on Industry, Science and Technology continues its hearing on the Digital Privacy Act (Bill S-4) yesterday, with appearances from Privacy Commissioner of Canada Daniel Therrien, the Canadian Chamber of Commerce, and the Canadian Marketing Association. Therrien expressed general support for the bill, but concern with the expanded voluntary disclosure provision.

The Canadian Chamber of Commerce and the Canadian Marketing Association seemed to take the committee by surprise by criticizing a provision in the bill that clarifies what constitutes meaningful consent. The proposed provision states:

6.1 For the purposes of clause 4.3 of Schedule 1, the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.

That provision should be uncontroversial given that it only describes what most would take to mean consent, namely that the person to whom the activities are directed would understand the consequences of consent. Indeed, Therrien expressed support for the change, noting:

As for the proposed provision that aims to enhance the concept of valid consent, I believe this is a useful clarification of what constitutes meaningful consent under PIPEDA.  It underscores the need for organizations to clearly specify what personal information they are collecting and why in a manner that is suited to the target audience.

Yet immediately after Therrien wrapped up, both the Canadian Chamber of Commerce and the CMA criticized the change. The Chamber described it as “unnecessary” and urged deletion. The CMA also called for it to be deleted:

I think the concern here is that the clause, as written, could lead to a broad interpretation with additional obligations. We’ve heard that the concern is about children and vulnerable groups. However, that’s not what the bill says, it’s much broader than that, and we would like some clarification of that bill. Actually, our recommendation would be to drop this clause or, as a fallback, to amend it to clarify that it is intended to apply only to vulnerable groups.

This led to an interesting exchange with Conservative MP Mike Lake, who noted:

I don’t really understand the hesitation from both of you regarding that kind of language. I think most Canadians would expect that a user taking a look at a website or signing up for an organization’s activities would be able to understand what that information is going to be used for.

The CMA responded:

I think the industry accepts, particularly when you’re dealing with children and youth, that you need to have privacy policies worded in such a way that they would be reasonable understandable by that audience. But how far does it go? If I have a multitude of sites, and for operational reasons I’d obviously like to have a single privacy policy for each one, how granular do I have to be? If one of my sites is directed at hockey fans, do I have to do survey research to tailor that to hockey fans because they might have a different way of understanding the way things are presented. Or if I’m a game manufacturer and I have a role playing game and I have something like Candy Crush and then I have a word game, do I have to have something different for each of those? I think this is what we’re concerned about.

Lake wasn’t buying the concern, noting that you do have to have something different for those different audiences, adding:

How far do you have to go? You have to go to the point where the person would understand the nature, purpose and consequences of the collection, use, or disclosure of the personal information. That seems pretty clear.

The strong response from Lake – who also swiftly rejected the Chamber’s comment that the provision does not define “vulnerable” groups – suggests that removing the clarification of consent is not in the cards.  However, when combined with the other recommendations (including higher thresholds on some of the data breach disclosure rules), it appears that business groups plan to fight provisions in Bill S-4 that would improve privacy protections.