Privacy laws around the world may differ on certain issues, but all share a key principle: the collection, use and disclosure of personal information requires user consent. The challenge in a digital world where data is continuously collected and can be used in a myriad of previously unimaginable ways is how to ensure that the consent model still achieves the objective of giving the public effective control over their personal information.
The Office of the Privacy Commissioner of Canada released a discussion paper earlier this year that opened the door to rethinking how Canadian law addresses consent. The paper suggests several solutions that could enhance consent (greater transparency in privacy policies, technology-specific protections), but also raises the possibility of de-emphasizing consent in favour of removing personally identifiable information or establishing “no-go” zones that would regulate certain uses of information without relying on consent.
My weekly technology law column (Toronto Star version, homepage version) notes that the deadline for submitting comments arrives this week and that many businesses are expected to call for significant reforms to the current consent model, arguing that it is too onerous and that it does not serve the needs of users or businesses. Instead, they may call for a shift toward codes of practice that reflect specific industry standards alongside basic privacy rules that create limited restrictions on uses of personal information.
Suggestions from Canadian business that stronger consent rules are too difficult or costly are nothing new. During the heated debate over anti-spam legislation, the business community claimed that an “opt-in” model of consent that would require a more explicit, informed agreement from users would be expensive to implement and would create great harm to electronic commerce. Yet the reality is that the opt-in model is used in many other countries to provide better privacy protection and improve the effectiveness of electronic marketing.
Rather than weakening or abandoning consent models, Canadian law needs to upgrade its approach by making consent more effective in the digital environment. There is little doubt that the current model is still too reliant on opt-out policies in which businesses are entitled to presume that they can use their customers’ personal information unless those customers inform them otherwise. Moreover, cryptic privacy policies that leave the public confused about how their information may be collected or disclosed create a notion of consent that is often based on fiction, not fact.
How to solve the shortcomings of the consent-based model?
First, Canada should implement opt-in consent as the default approach. At the moment, opt-in is only used where strictly required by law or for highly sensitive information such as health or financial data. The current system means that the majority of information is collected, used, and disclosed without informed consent.
Second, since informed consent depends upon the public understanding how their information will be collected, used, and disclosed, the rules associated with transparency must be improved. Confusing negative-option check boxes that leave the public unsure about how to exercise their privacy rights should be rejected as an appropriate form of consent.
Moreover, given the uncertainty associated with big data and cross-border transfers of information, new forms of transparency in privacy policies are needed. For example, algorithmic transparency would require search engines and social media companies to disclose how information is used to determine the content displayed to each user. Data transfer transparency would require companies to disclose where personal information is stored and when it may be transferred outside Canada.
Third, effective consent means giving users the ability to exercise their privacy choices. Most policies are offered on a “take it or leave it” basis with little room to customize how information is collected, used and disclosed. Real consent should also mean real choice.
Fourth, stronger enforcement powers are needed to address privacy violations. The rush to comply with the Canadian anti-spam law was driven by the inclusion of significant penalties for violation of the rules. The general Canadian privacy law is still premised on moral suasion or fears of public shaming, not tough enforcement backed by penalties. If privacy rules are to be taken seriously, there must be serious consequences when companies run afoul of the rules.