Written by: Gabriella Chan

Advancements in technology and the dawn of the internet of things have spawned new business models and entire new ecosystems based on collection, use, and access to data. Big data analytics tools have the ability to associate information in unprecedented and at times invasive ways. We are barraged by relentless demands to share information in the name of efficiency and seamless personalized service. Our personal information is being grabbed with and without our knowledge or consent. We have privacy legislation that intends to hold those who take and use our personal information accountable, but the system simply was not designed to withstand this attack – it struggles to keep up with the breakneck pace of information flow in the technological revolution.
Does anyone read the privacy policies of every site they visit? Can any of us truly say that we know who has access to our personal information and how they are using it because we consented to its collection and use? And with that, in this day and age, is our consent ever truly informed and meaningful? It should be.
The principle of consent forms the bedrock of Canada’s federal privacy legislation, the Personal Information Protection and Electronic Documents Act (“PIPEDA”). Consent is the way by which we protect our privacy by exercising control over how much of our personal information we choose to share with others. Organizations subject to PIPEDA may not collect, use, or disclose our personal information in the reasonable course of their business without first obtaining our consent, either before or at the time they collect our personal information. If an organization wishes to use our personal information that it already collected for a different purpose, it must seek our consent again.
Recognizing that consent must strike a balance between preserving an our autonomy over our personal information and an organization’s need to access some of our personal information to conduct business in the modern age, in 2016, as part of its strategic priority work on the Economics of Privacy, the Office of the Privacy Commissioner of Canada (the “OPCC”) set out to explore potential enhancements to consent models. That work laid the foundation for the OPCC’s release in May 2018 of its Guidelines for Obtaining Meaningful Consent (the “Guidelines”), which it began to apply on January 1, 2019.
The Guidelines are predicated on seven guiding principles for meaningful consent that serve as a framework on which organizations are expected to layer innovative and creative solutions to develop a contextual consent process that is compliant with privacy law and that:

1. Promotes easy access to clear explanations of why a particular piece of personal information is being collected, how it will be used, to whom it will be disclosed, and whether its disclosure and use may pose significant harm to the individual;

2. Provides information in a manner that allows individuals to control the level of detail they wish to see, possibly through a layered approach, rather than being confronted with the digital equivalent of a hard copy of that information;

3. Recognize that consent must be clear to be meaningful and therefore provide clear consent mechanisms that allow individuals to give or withhold consent as well as the ability to re-consider whether they wish to maintain or withdraw the consent they may have provided at any previous point;

4. Use a variety of interactive communication strategies such as “just-in-time” notices (meaning notices explaining why the information is needed that appear near the space where the user would input the information) or interactive walkthroughs of privacy settings, videos explaining key concepts, and/or infographics and similar visual tools. The Guidelines call for particular attention to mobile interfaces, where given the limited screen real-estate, an individual’s attention should be focused at particular decision points in the user experience where people are likely to pay attention and need guidance the most. Refer to the mobile apps guidance when designing the mobile consent experience;

5. Walks the path of its customers to ensure that the privacy content is accessible from all types of electronic devices, uses clear language at a level of comprehension suitable to a diverse audience, is user-friendly, and is tailored to the product or service being offered. Organizations are even encouraged to engage interaction/user experience (UI/UX) designers in the development of the consent process;

6. Anticipate that the complexity of information flows will give rise to follow-up questions and address these questions by developing and regularly updating FAQs and implementing technologies such as chatbots;

7. Be accountable and be ready to demonstrate that legislation-compliant processes to obtain consent from individuals are in place and that the organization has considered and has implemented the principles in the Guidelines. The OPCC’s expectation of an organization’s compliance and accountability and the steps it has taken to demonstrate them will consider the size of the organization and the amount and type of personal information it collects, uses or discloses.

Despite the Supreme Court of Canada’s proclamation that “Privacy is at the heart of liberty in a modern state…Grounded in man’s physical and moral autonomy, privacy is essential for the well-being of the individual,” the impetus to protect one’s privacy in the technological age is sadly waning because, according to some, “(u)nderstanding how our personal information is being used in this environment is becoming increasingly difficult if not impossible for the average person. Thus, expecting individuals to take an active role in deciding how their personal information is used in all instances is increasingly unrealistic.”[1]
Despite that fatalistic sentiment, making the consent process more transparent, meaningful, and accessible by implementing the seven Guidelines, coupled with embedding privacy at all levels of education will make great strides toward stemming the erosion of our privacy rights.
While these guidelines refer to personal information, their application to the collection and use of personal health information  – the distinctly sensitive subset of personal information governed by Personal Health Information Protection Act (“PHIPA”) – would be a welcome development.

[1] Center for Information Policy Leadership. “The Role of Enhanced Accountability in Creating a Sustainable Data-driven Economy and Information Society.” Discussion draft. October 21, 2015.
Image by Catkin from Pixabay