The OPC’s new Consent Guidelines – GDPR lite?
August 8th, 2018 | David Young, Principal, David Young Law
On May 24, 2018 the Office of the Privacy Commissioner of Canada (OPC) published an important new guidance document under the federal privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). The Guidelines for Obtaining Meaningful Consent, which will come into force on January 1, 2019, are significant and will require all businesses to review – and likely enhance – their procedures for obtaining consent to collect and process personal information. Most significantly, they raise the bar for user control, focusing on consent to the collection and use of data in digital environments.
The Guidelines articulate “Seven guiding principles for meaningful consent”. Significantly, they also identify which elements of the guidance are considered requirements (“must do”) as well as best practices (“should do”), the former in effect having the force of law.
The release of the Guidelines should be viewed as the salient development in a rush of privacy-related news items this spring, and while not a direct response to any of these events, can only be seen as part of an overall policy initiative to make privacy compliance more prescriptive – and non-compliance more costly. Following close upon the Facebook/Cambridge Analytica disclosures in March and the EU’s new General Data Protection Regulation (GDPR), which also came into force in May, the federal government has signaled a focus on consumer data protection with its Digital and Data Transformation Consultation. At the end of June a private member's bill was introduced that would impose significant fines for privacy breaches.
The Guidelines are the end result of a more than two-year process of stakeholder consultation by the OPC focusing on the role and viability of consent under PIPEDA. The challenges to PIPEDA’s consent model posed by technology, in particular digital data and ad tech functionalities, provided much of the context for this review.
In its report on the review, the OPC concluded that consent should remain a central tenet of Canada’s privacy framework but that the challenges to its practicability must be met with enhanced (read, more rigorous) processes, supported by active guidance and oversight by the regulators.
Not entirely coincidentally, the release of the Guidelines occurred one day before the coming into force of the GDPR which, due to its extra-territorial reach, applies to organizations wherever located if they offer goods or services to, or monitor the behaviour of, individuals in the EU. Together with the EU’s new ePrivacy Regulation (expected to be issued next year), the GDPR will require organizations to revisit and significantly upgrade their data collection practices. It will have particular impact on digital media and online data collection. Under the GDPR, consent must be freely given, specific, informed and unambiguous, and indicated by a clear affirmative act. Silence, pre-checked boxes or failure to opt out are no longer sufficient for valid consent. The intended uses must be explained in an intelligible and easily accessible form, using clear and plain language.
The thrust of the Consent Guidelines is very much aligned with the GDPR. The most significant aspect for the advertising industry, and in particular ad tech, is that they mandate more rigorous consent procedures in the online environment. They require explicitly highlighting key information elements, disclosure of information in a manageable and accessible form, and clearly providing a yes/no choice for information uses not central to the primary consumer/user transaction (so-called “secondary purposes”, which typically represent most or all of the purposes for which online tracking is used).
Specifically, in any tracking or other collection of personal data, advertisers must place emphasis on:
- the personal data collected;
- the persons to whom the data will be disclosed; and
- the purposes of intended use in sufficient detail to ensure a meaningful understanding.
Clearly, the Consent Guidelines will require significant adjustments to online data collection procedures and tracking protocols. Furthermore, the arguably new requirement to disclose significant risks of harm that may result – whether financial, emotional or reputational – from any permission to use data likely will impose a new constraint on open-ended information collection practices.
Implications for advertisers and ad tech
Even before the GDPR came into force, online data collection through cookies, tracking pixels (clear GIFs) and similar technologies was more rigorously regulated in the EU than in Canada or the U.S. The EU’s current ePrivacy Directive (often referred to as the “Cookie Directive”) mandates proactive disclosure of user tracking – typically satisfied by cookie banners that treat continued use of the site as consent, i.e. an opt-out model. However, those mechanisms likely will not satisfy the new GDPR rules, or the rules anticipated under the new ePrivacy Regulation. Not only will proactive disclosure of actual collection and intended uses be required, but some opt-in functionality likely also will be needed.
For GDPR accountability compliance, evidence of consent at every stage of data use – including in the digital ad ecosystem – must be available. How can this be provided? One technique is the “consent string”: an encoded value passed along with an ad bid request that records, purpose by purpose and vendor by vendor, what the user has consented to, so that each ad tech vendor in the chain can check its own permission before using the data. This is the approach taken by IAB Europe’s Transparency and Consent Framework.
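To make the consent-string idea concrete, the following Python is an added illustration written for this page; it is not code from the article, and the bit layout is a simplified format constructed for the example, not the IAB Europe TCF specification. It packs a version, a creation timestamp, a purpose bitfield and a vendor bitfield into a compact base64url string, decodes it again, and shows the check a downstream vendor would run before touching the data:

```python
"""Illustrative consent string: encode, decode, and check before use.

Constructed layout (an assumption for this example, NOT the IAB TCF format):
  version          6 bits
  created_ds       36 bits   deciseconds since the Unix epoch
  purposes_allowed 24 bits   bit for purpose 1 first, purpose 24 last
  max_vendor_id    16 bits
  vendor_bits      max_vendor_id bits, bit for vendor 1 first
The bit stream is zero-padded to a byte boundary and base64url-encoded
without '=' padding, as a consent string travelling in a bid request would be.
"""
import base64
from dataclasses import dataclass

VERSION = 1
NUM_PURPOSES = 24


@dataclass(frozen=True)
class ConsentRecord:
    version: int
    created_ds: int
    purposes: frozenset  # purpose ids the user consented to
    vendors: frozenset   # vendor ids the user consented to


class _BitWriter:
    def __init__(self):
        self.bits = []

    def write(self, value, width):
        # Refuse values that would silently overflow the field.
        if value < 0 or value >= (1 << width):
            raise ValueError(f"{value} does not fit in {width} bits")
        for i in range(width - 1, -1, -1):
            self.bits.append((value >> i) & 1)

    def to_bytes(self):
        padded = self.bits + [0] * (-len(self.bits) % 8)
        out = bytearray()
        for i in range(0, len(padded), 8):
            byte = 0
            for bit in padded[i:i + 8]:
                byte = (byte << 1) | bit
            out.append(byte)
        return bytes(out)


class _BitReader:
    def __init__(self, data):
        self.bits = [(b >> (7 - i)) & 1 for b in data for i in range(8)]
        self.pos = 0

    def read(self, width):
        # A string cut short in transit must fail loudly, not decode as "no consent given".
        if self.pos + width > len(self.bits):
            raise ValueError("truncated consent string")
        value = 0
        for _ in range(width):
            value = (value << 1) | self.bits[self.pos]
            self.pos += 1
        return value


def encode_consent(purposes, vendors, created_ds):
    """Build the consent string from the sets of consented purposes and vendors."""
    w = _BitWriter()
    w.write(VERSION, 6)
    w.write(created_ds, 36)
    mask = 0
    for p in purposes:
        if not 1 <= p <= NUM_PURPOSES:
            raise ValueError(f"unknown purpose id {p}")
        mask |= 1 << (NUM_PURPOSES - p)
    w.write(mask, NUM_PURPOSES)
    max_vendor = max(vendors, default=0)
    w.write(max_vendor, 16)
    for v in range(1, max_vendor + 1):
        w.write(1 if v in vendors else 0, 1)
    return base64.urlsafe_b64encode(w.to_bytes()).rstrip(b"=").decode("ascii")


def decode_consent(consent_string):
    """Parse a consent string back into a ConsentRecord, rejecting unknown versions."""
    raw = base64.urlsafe_b64decode(consent_string + "=" * (-len(consent_string) % 4))
    r = _BitReader(raw)
    version = r.read(6)
    if version != VERSION:
        raise ValueError(f"unsupported consent string version {version}")
    created_ds = r.read(36)
    mask = r.read(NUM_PURPOSES)
    purposes = frozenset(p for p in range(1, NUM_PURPOSES + 1) if (mask >> (NUM_PURPOSES - p)) & 1)
    max_vendor = r.read(16)
    vendors = frozenset(v for v in range(1, max_vendor + 1) if r.read(1))
    return ConsentRecord(version, created_ds, purposes, vendors)


def vendor_may_use(record, vendor_id, purpose_id):
    """The check a bidder runs before using personal data for a given purpose."""
    return vendor_id in record.vendors and purpose_id in record.purposes


if __name__ == "__main__":
    # Constructed sample: consent to purposes 1 and 3 for vendors 2, 10 and 37.
    s = encode_consent({1, 3}, {2, 10, 37}, 15_000_000_000)
    rec = decode_consent(s)
    print(s, rec, vendor_may_use(rec, 10, 3), vendor_may_use(rec, 10, 2))
```

Two points the layout makes visible. A vendor absent from the bitfield, or a purpose absent from the mask, decodes to "no consent", which is the safe default; the decoder therefore raises on truncation or an unknown version rather than returning an empty record that would be indistinguishable from a genuine refusal. And a string in this form carries no signature, so a downstream vendor is trusting the publisher's consent tool to have set the bits honestly; for accountability it should log the string it received alongside each bid, not merely the yes/no result of the check.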
While not intentionally aligned with the GDPR, the Consent Guidelines will move Canada significantly in that direction. For advertisers and their ad tech agencies who operate on a global scale and are now subject to the GDPR, compliance with the Guidelines may not be that onerous if they are already moving to adopt procedures to comply with the new EU rules.