Two little words with so much power.
Whether standing at the altar or sitting at a computer workstation, the concept of consent has lifelong implications.
The vows or promises a soon-to-be-couple makes to each other during the wedding ceremony are a form of consent between the partners: the couple define certain commitments, activities and boundaries they will follow for the rest of their lives. It may surprise some that the words used in wedding vows, even with such importance attached to them, are not universal and not legally necessary in many jurisdictions (although a medical test of some sort is often required).
Online privacy policies are a lot like wedding vows. When you say “I do”, you agree to certain commitments, activities and boundaries with your partner, who in this case is a website publisher or mobile service provider. By providing your consent, you allow the service operator to use your personal data – sometimes, for the rest of your life!
- Fun cake toppers aside, wedding vows and pledges of consent take on an added meaning in the digital age, with successful marriages and personal data protection both needing lifelong commitment.
Canada’s privacy regime is underpinned by the concept of consent. In order to collect, use or disclose personal information in Canada, a digital service provider needs to get the user’s consent. In some ways, it is like outsourcing: an individual’s consent to the collection, use and disclosure of their personal information is the main way that data protection is accomplished.
If there is no privacy information or consent opportunity, this should raise a red flag. And if you aren’t comfortable with what’s there, you have the option not to use the product or service.
Sounds simple enough, but with so many digital devices and online connectivity options available to us, consent (or denial) is not so straightforward.
One of the biggest problems with and possible solutions to the concept of consent in today’s digital economy is the fact “no one has the time or inclination to read (let alone understand) lengthy online privacy policies.”
(Betcha that excuse wouldn’t work at the altar! No one should be disinclined or unable to commit, control, protect and set boundaries for their own life, or those they care about. As in a good marriage, personal data protection may indeed take some hard work.)
Another problem identified with the current consent model is all the different jurisdictions through which personal data may flow (even without our knowledge…or consent). Personal data transfers in and around Canada are covered by the federal Personal Information Protection and Electronic Documents Act (PIPEDA). Our data privacy and security is open to review and subject to the changing political climate in other jurisdictions.
For these and other reasons, the Office of the Privacy Commissioner of Canada (OPC) is currently reviewing its position on consent and fair information practices, and it is planning to release a new policy later this year.
- The Privacy Commissioner of Canada Daniel Therrien is conducting a review of the role of consent in data privacy protection. The OPC is worried no one has the time to read (let alone understand) lengthy online privacy policies. Photo by Dave Chan.
Leading up to its review and in advance of a consultation period (now closed), the OPC proposed possible adjustments or alternatives to the consent strategy, among them:
- Support informed consent by using more user-friendly ways of explaining corporate information management practices and personal privacy preferences;
- Introduce certain limited permissible uses without requiring consent;
- Implement stronger accountability mechanisms on organizations to ensure compliance with legal obligations; and
- Strengthening regulatory oversight to ensure efficacy in protecting privacy.
Stronger accountability measures, broader definitions for lack of compliance and more robust enforcement of legal obligations are also good enhancements for a more effective fair information usage policy. The need for immediate reporting of any data breach, no matter how large or small, should always be a necessity. The ability of a user or privacy advocate to identify and hold accountable any third-party data processing or retention service partner is also an important link in the chain of fair data usage and robust privacy protection.
- The Office of the Privacy Commissioner of Canada offers tips for online privacy and data protection. Despite some of its stated concerns, it’s top tip is to get in the habit of reading privacy information.
The OPC’s review of the consent policy in an effective personal data information protection strategy is welcome and necessary. Many of the comments submitted in the process are informative and insightful, seeking a way to balance the interests of consumers and businesses in a world where personal data has increasing value for all parties involved.
The best tip, whether approaching the altar or the digital screen, is to get in bed with someone who has your best interests in mind.