Two little words with so much power.
Whether standing at the altar or sitting at a computer workstation, the concept of consent has lifelong implications.
The vows or promises a soon-to-be couple make to each other during the wedding ceremony are a form of consent between the partners: the couple defines certain commitments, activities and boundaries they will follow for the rest of their lives. It may surprise some that the words used in wedding vows, even with such importance attached to them, are not universal and not legally necessary in many jurisdictions (although a medical test of some sort is often required).
Online privacy policies are a lot like wedding vows. When you say “I do”, you agree to certain commitments, activities and boundaries with your partner, who in this case is a website publisher or mobile service provider. By providing your consent, you allow the service operator to use your personal data – sometimes, for the rest of your life!
Do You Take This Privacy Policy Seriously?
With such importance attached to them, it may surprise some that the words used in a privacy policy are not universal either, and they are not legally necessary in many jurisdictions.
- Fun cake toppers aside, wedding vows and pledges of consent take on an added meaning in the digital age, with successful marriages and personal data protection both needing lifelong commitment. Wedding Cake Toppers image.
Canada’s privacy regime is underpinned by the concept of consent. In order to collect, use or disclose personal information in Canada, a digital service provider needs to get the user’s consent. For better or worse, an individual’s consent to the collection, use, and disclosure of their personal information is the main way that data protection is accomplished.
If there is no privacy information or consent opportunity on a website you visit or app you use, this should raise a red flag. And if you aren’t comfortable with what’s written there, you have the option not to use the product or service.
Sounds simple enough, but with so many digital devices and online connectivity options available to us, consent (or denial) is not so straightforward.
Do You Promise to Read This Entire Privacy Policy?
One of the biggest problems with, and possible solutions to, the concept of consent in today’s digital economy is the fact that “no one has the time or inclination to read (let alone understand) lengthy online privacy policies.”
(It can be a headache-inducing process, reading some privacy policies out there. But no one should be disinclined or unable to commit, control, protect and set boundaries for their own life, or those they care about. As in a good marriage, personal data protection may indeed take some hard work.)
Another problem identified with the current consent model is all the different jurisdictions through which personal data may flow (even without our knowledge…or consent). Personal data transfers in and around Canada are covered by the federal Personal Information Protection and Electronic Documents Act (PIPEDA). Our data privacy and security are open to review and subject to the changing political climate in other jurisdictions.
For these and other reasons, the Office of the Privacy Commissioner of Canada (OPC) is currently reviewing its position on consent and fair information practices, and it is planning to release a new policy later this year.
- The Privacy Commissioner of Canada Daniel Therrien is conducting a review of the role of consent in data privacy protection. The OPC is worried no one has the time to read (let alone understand) lengthy online privacy policies. Photo by Dave Chan.
Leading up to its review and in advance of a consultation period (now closed), the OPC proposed possible adjustments or alternatives to the consent strategy, among them:
- Support informed consent by using more user-friendly ways of explaining corporate information management practices and personal privacy preferences;
- Introduce certain limited permissible uses without requiring consent;
- Implement stronger accountability mechanisms on organizations to ensure compliance with legal obligations; and
- Strengthen regulatory oversight to ensure efficacy in protecting privacy.
For sure, some privacy policies and online terms of use are interminable, written by lawyers and not for consumers. Clear intent and plain language are certainly needed, and there’s every reason to require that privacy policies be more user-friendly. For example, they don’t have to be all text all the time. There are some clever ways to present data usage policies in a visually attractive graphic format. Likewise, the privacy policy should not be buried in a website, linked almost as an afterthought: there’s every reason nowadays to have the privacy policy pop up first on your screen.
Stronger accountability measures, broader definitions for lack of compliance and more robust enforcement of legal obligations are also good enhancements for a more effective fair information usage policy. The need for immediate reporting of any data breach, no matter how large or small, should always be a necessity. The ability of a user or privacy advocate to identify and hold accountable any third-party data processing or retention service partner is also an important link in the chain of fair data usage and robust privacy protection.
- The Office of the Privacy Commissioner of Canada offers tips for online privacy and data protection. Despite some of its stated concerns, its top tip is to get into the habit of reading privacy information.
The OPC’s review of the role of consent in an effective personal data protection strategy is welcome and necessary. Many of the comments submitted in the process are informative and insightful, seeking a way to balance the interests of consumers and businesses in a world where personal data has increasing value for all parties involved.
The best tip, whether approaching the altar or the digital screen, is to get in bed with someone who has your best interests in mind.