
A Marketer’s Guide to Collecting Meaningful Consent


The Office of the Privacy Commissioner published these guidelines for collecting meaningful consent, and the new Bill C-11 proposes strong enforcement of meaningful consent for using personal data of any kind – even de-identified data. But as a marketer, how do we ensure that we are collecting, storing, using, sharing and deleting personal data on the basis of meaningful consent? The proposed new law requires you to PROVE you have consent for every bit of personal data you collect, use, store and process in any way.

We are beginning to see a new breed of automated platforms arise, called Information Management Platforms or Preference Management Platforms, not to be confused with lightweight add-ons to privacy platforms. The last thing you need is a platform that tries to do everything and in the end does very little well. As a marketer and privacy professional, my experience says to look for best-of-breed in every area. In this case, if you require a preference centre to collect, store and prove all forms of consent to use personal data, then seeking out the experts in this one area is the way to go. In our search we found CASSIE by Syrenis, based in Manchester, UK, and when we measured it against the Privacy Commissioner’s recommendations, it checked all 7 of the following principles:

Seven guiding principles for meaningful consent

During the OPC’s 2016 Consent Consultations, some suggested that regulators develop templates for privacy policies; we do not believe that should be our role. Rather, our view is that organizations are best placed to find innovative and creative solutions for developing a consent process that respects their specific regulatory obligations as well as the nature of their relationship with their customers. However, in designing such a process, we expect organizations to be guided[4] by the following principles:

1. Emphasize key elements

Information provided about the collection, use and disclosure of individuals’ personal information must be readily available in complete form – but to avoid information overload and facilitate understanding by individuals, certain elements warrant greater emphasis or attention in order to obtain meaningful consent.

PIPEDA requires individuals to understand the nature, purpose and consequences of what they are consenting to[5]. In order for consent to be considered valid, or meaningful, organizations must inform individuals of their privacy practices in a comprehensive and understandable manner[6]. This means that organizations must provide information about their privacy management practices in a form that is readily accessible to those interested individuals who wish to read it in full.

However, the reality is that information buried in a privacy policy or terms of use serves no practical purpose to individuals with limited time and energy to devote to reviewing privacy information. To receive meaningful consent, organizations must allow individuals to quickly review key elements impacting their privacy decisions right up front as they are considering using the service or product on offer, making the purchase, or downloading the app, etc. For this purpose, organizations must generally put additional emphasis on the following key elements:

  • What personal information is being collected: Organizations must identify for individuals what personal information is being, or may be, collected about them. This must be done with sufficient precision for individuals to meaningfully understand what they are consenting to.[7]
  • With which parties personal information is being shared: Individuals expect that the personal information they provide to one organization will not be shared with another without their knowledge and consent. As such, disclosures to third parties must be clearly explained, including the types of information being shared. Organizations should be as specific as possible in enumerating these third parties. In the case where third parties may change periodically or are too numerous to specify, organizations should at the very least specify the types of third parties information is shared with and then use other means (such as layering) to be more specific. Particular attention should be paid to any disclosures to third parties that may use the information for their own purposes, as opposed to simply providing services for the first party.
  • For what purposes personal information is collected, used or disclosed: Individuals should be made aware of all purposes for which information is collected, used or disclosed. At a minimum, they must be informed of purposes in sufficient detail to ensure they meaningfully understand what they are invited to consent to. These purposes must be described in meaningful language, avoiding vagueness like ‘service improvement’. Purposes that are integral to the provision of the service should be distinguished from those that are not, and any available options explained. Organizations should in particular highlight any purposes that would not be obvious to the individual and/or reasonably expected based on the context.
  • Risk of harm and other consequences: Under PIPEDA[8], for consent to be valid, it must be reasonable to expect that individuals understand the consequences of the collection, use or disclosure to which they are consenting[9]. One such consequence, about which individuals should be made clearly aware, is risk of harm – and, in particular, those residual risks which remain after an organization has applied any mitigation measures designed to minimize the risk and impact of potential harms. If there is a meaningful risk that such residual risk will materialize and will be significant, the OPC is of the view that it is a potential consequence about which individuals must be notified. The OPC’s premise is that if an organization identifies potential harms that may arise from the collection, use or disclosure of personal information, PIPEDA’s accountability principle will require that the organization seek to minimize this risk. In some cases, mitigation efforts will reduce the risk significantly. In other cases the risk will remain meaningful. Only meaningful residual risks of significant harm must be notified to individuals.

    By meaningful risk, we mean a risk that falls below the balance of probabilities but is more than a minimal or mere possibility. Significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.[10]

    Note that where there is a likely (probable) risk of significant harm, the intended collection, use or disclosure would generally be considered inappropriate under subsection 5(3) of PIPEDA and therefore should not be the subject of consent.

    Risk of harm should be considered broadly, and in addition to harms which arise directly from the activity, can include reasonably foreseeable harms caused by bad actors or others[11] (e.g. unauthorized re-use of social media information intended for a limited audience).

At this time, there is no prescribed form in which the above elements should be highlighted so as to give them prominence. We encourage organizations to consider adopting standardized mechanisms, to the extent that best practices emerge in the future in different sectors. Organizations should also consider the principles which follow in this document in determining the most appropriate means of communicating these key elements, while keeping in mind the requirement for additional emphasis on this information.

2. Allow individuals to control the level of detail they get and when

Information must be provided to individuals in manageable and easily-accessible ways (potentially including layers) and individuals should be able to control how much more detail they wish to obtain, and when.

Beyond the four elements above, the level of detail required to make a consent decision will vary by individual, and by situation. One person may be comfortable with a quick review of summary information; another may want to do a deeper dive. One person may want to do a more in-depth review of an organization’s privacy practices up front; another may look at information piecemeal, returning to it later when they have more time or depending on what services they are using and when. Individuals may also want the opportunity to review in detail the information that they ‘clicked through’ when they signed up for the service originally. All approaches to seeking privacy information should be respected and supported by organizations.

Presenting information in a layered format[12], or by another means that supports user control over the level of detail provided, helps individuals make sense of lengthy, complex information by offering a summary of the key highlights up front. Moreover, this information should remain available to individuals as they engage with the organization. Consent choices are not made just once; at any time, individuals should be able to reconsider whether they wish to maintain or withdraw their consent, and full information should be available to them as they make those decisions.

3. Provide individuals with…

Read The Full Article at Newport Thomson
