We all encounter scores of user agreements when we go online. Do you read the full terms and conditions governing your use of a site, or do you just hit the "I accept" button and surf on?
If you were to read everything, research suggests you'd spend more than 10 full, 24-hour days of your life every year immersed in privacy policies and related legalese. If you're more inclined to skip that stuff and hit "OK", then know that you're explicitly allowing the organization to collect, use and share your personal information, exactly as it said it would in that fine print you ignored.
Providing meaningful consent is a cornerstone of Canada’s federal private sector privacy legislation.
But in this modern era of technological advances and new business models, the consent provisions in Canada's federal private sector privacy law are being sorely tested.
Routine, predictable, one-on-one interactions with company representatives—be it your bank teller or insurance broker—are quickly becoming a thing of the past. Meanwhile, things like cloud services and third-party marketing have made it increasingly difficult for Canadians to understand exactly who is processing their information and for what purposes.
Add to that the foibles of basic human nature—especially our impatience with anything that slows us down online—and the old notion of informed consent between customer and business becomes even more challenging.
How can we make the consent model work better and what role might individuals, organizations, regulators and legislators play? This is at the heart of a public discussion the Office of the Privacy Commissioner of Canada is launching.
To set the scene we developed a discussion paper. It reviews the role of consent and the challenges it faces today. We look at what other jurisdictions, principally the U.S. and Europe, are doing to tackle the challenges, as well as some of the solutions that have been proposed.
Nowadays, with all those app-laden, GPS-enabled mobile devices that you carry, wear or have embedded in your personal environment, you're constantly emitting billowing clouds of personal data.
Where do all these bits go? What happens to them? Who has access to them? Are we OK with them being collected, stored and reused for some future purpose yet to be imagined?
These are the sorts of questions that preoccupy people concerned about the sanctity of personal information in this new era of "big data" and the "Internet of things", where, for instance, a "smart" fridge can monitor your perishables, draw up a shopping list and order fresh milk.
As it becomes increasingly difficult to wrap our minds around the meaning of privacy in this brave new world, the obvious question becomes: How can you meaningfully exercise your right of consent over the collection, use and disclosure of your personal information?
Our discussion paper outlines a number of possible solutions, but more importantly, we consider the different roles and responsibilities of the various players—individuals, organizations, regulatory authorities such as our Office and legislators.
Some proposed solutions involve making privacy information more accessible for consumers, giving them the ability to manage privacy preferences across different devices and ensuring privacy is not an afterthought, but is rather “baked” into products and services.
Others seek to ban certain collections and uses of personal information outright, while placing restrictions on others. Another school of thought contends certain information should be allowed to be collected and used without consent, so long as there is adequate oversight.
Industry codes of practice and tougher enforcement measures for regulators are some of the other possible solutions discussed in the paper.
At the end of each section, we ask specific questions about the proposed solutions we described, and whether we've missed some.
We hope the paper will help start a conversation across the country and we will be consulting widely on how to address this issue.
We're reaching out to a variety of experts and official stakeholders for their take on the problems around online consent, as well as potential solutions.
And we're also keen to hear from you -- Canadians who, in going about your day-to-day lives, are directly affected by the challenging new environment.
You could address the questions we asked, or share any other thoughts you consider helpful. For example:
- How important is it to you to be able to consent to the collection, use and disclosure of your personal information in the online environment?
- Do you read online privacy policies and user agreements? Can you suggest ways to improve them? Have you come across any privacy pop-ups or notices for apps or other services that you have found helpful?
- Do you feel that always-on, GPS-enabled mobile and wearable technologies, from smart phones and smart cars to wristbands that monitor your fitness or health, raise new consent issues?
- Among individual users, organizations and regulators, who should be responsible for what?
- What can organizations do to make consent work better for you?
You can provide thoughts on these questions or other related issues through:
- The comment feature at the end of this blog post;
- Our Privacy Comment form, a less public way to share your thoughts (please add “Consent Consultation” to the top, so we don’t miss your input); or
- The formal consultation process.
By the end of this exercise, we hope to be in a position to identify improvements to the consent model. We will apply those that fall within our jurisdiction and recommend legislative changes to Parliament where needed.
Please provide your thoughts by July 13th. We welcome your comments and thank you for your participation!