A new age of online consent

Lisa R. Lifshitz
On May 8, the federal, British Columbia, and Alberta privacy commissioners published new guidelines to remind organizations that under Canadian private-sector privacy laws, organizations are required to obtain meaningful consent for the collection, use, and disclosure of personal information.

The guidelines stress that individuals must actually understand what organizations are doing with their information before they can give meaningful consent.

Above all, the guidelines focus on the need for transparency and openness and remind organizations that they have to make their personal information policies and practices clear, comprehensive, and easy to find. It’s a laudable goal, but it is still not happening in practice, especially in the area of privacy policies.

The Office of the Privacy Commissioner has been urging companies for years to more effectively inform individuals about their data gathering practices, using a variety of methods such as online banners, just-in-time notices, layered approaches, and interactive tools like mouse hover pop-ups.

However, most organizations I know rely on privacy policies to meet their regulatory requirements and, according to the OPC, are doing a pretty terrible job of it.

Not surprisingly, many privacy policies are either overly vague or legal in tone and substance, which conveniently lets organizations avoid disclosing their information usage to consumers in any meaningful way. A 2012 OPC survey found that Canadians rarely consult online privacy policies and, when they do, often find them unclear.

Only one in five respondents said they either always (six per cent) or often (14 per cent) read privacy policies. Another 29 per cent said they sometimes read privacy policies, while half either rarely (26 per cent) or never (24 per cent) do. Sixty-two per cent of respondents found privacy policies to be either somewhat vague (36 per cent) or very vague (26 per cent). Considering how opaquely some of them are written, I am pleased people are even taking the time to read them.

Conversely, I sometimes see the other side of the coin — very verbose privacy “disclaimers” or “statements” preferred by some American organizations wanting to do business in Canada that contain detailed descriptions of information collection, use, and disclosure that may not be reasonable for stated purposes.

I then have to remind such clients that here, at least, disclosure does not equate to forgiveness; an individual’s consent (or at least acquiescence via a privacy policy) is not a free pass to collect and use personal information indiscriminately for whatever purpose they choose, given our overriding “reasonable purpose” principle. Not to mention the fact that “consent” does not waive an organization’s other obligations under privacy and other laws, such as overall accountability, limiting collection, and safeguards.

Why are organizations doing such a bad job on their privacy policies? Is it because they cannot be bothered to write clearly and succinctly? (I particularly liked the reference to the article cited in the guidelines that found Internet users would need 244 hours per year to read the privacy policies of the sites they visited.) Is it negligent misconduct and a conspiracy on the part of some companies to deliberately obscure their privacy practices? Or is it just sheer laziness, i.e. forgetting to update the policy when an organization adds a new service, or suddenly hires a third-party cloud provider located in another jurisdiction and neglects to mention that the personal information it collected is now sitting in that jurisdiction? Probably a bit of everything, frankly.

I like to remind my clients that their policies should be reviewed at least yearly and after any major corporate event or any new or changed use of personal information — but not everyone takes me up on my suggestion.

The guidelines reiterate that, while privacy policies alone may not be enough to ensure privacy compliance, they should at least ensure that individuals receive sufficient information to understand what they are consenting to. This would include:

•    what information is being collected, especially if the information is not coming directly from the individual;
•    why the information is being collected;
•    what the information will be used for;
•    who will have access to the information;
•    how the information will be safeguarded;
•    how long the information will be retained;
•    whether individuals can opt out of certain practices, such as behavioural advertising; and
•    if information is being shared with third parties:
     •    what types of third parties;
     •    what the third parties will be doing with the information; and
     •    whether the third parties are located in a foreign jurisdiction, and therefore potentially subject to other laws.

Organizations should also present privacy information in a way that is easily understandable and readable for the average person. This means clear explanations in plain English, not obscure legalese; suitable, age-appropriate language; and yes, an easily readable font size — not four-point mouse print.

The guidelines also remind us that a privacy policy should be made accessible in a conspicuous manner, such as a hyperlink on the organization’s landing page, so users can easily locate it. Years ago, I had a client that buried a reference to its privacy policy about three pages into the “about us” section of its site, with the actual policy only being available upon request. Clearly not acceptable!

Organizations have to ensure privacy policies are easily accessible from all devices, including smartphones, tablets, and gaming devices, as well as PCs.

The guidelines also note that when an organization plans to introduce significant changes to its privacy policy, it should notify users in advance and consider asking users to confirm their consent before the changes come into effect. Significant changes include a new arrangement to share personal information with a third party or the use of personal information for a new purpose.

Finally, as a best practice, organizations should periodically audit their information management practices to ensure that personal information is actually being handled in the way described by their privacy policy. From personal experience, this gulf can actually be enormous. This means that for those organizations that initially drafted their privacy policy in 2001, following the enactment of the Personal Information Protection and Electronic Documents Act (PIPEDA), it is time for an update.

On a closing note, while not all Canadians appear to be reading privacy policies, it would be a mistake to underestimate the zeal of those who do. Speaking to the Standing Committee on Access to Information, Privacy and Ethics on the Main Estimates on May 6, the interim federal privacy commissioner noted that in 2013 her office saw complaints under PIPEDA rise to 426 from 220 the previous year. Nearly 40 per cent of those complaints (168, to be exact) related to the changes Bell Canada made to its privacy policy.

Transparency and consent, indeed.