March 12, 2025

Developing an Effective Consent-Based Privacy Policy: Key Elements to Consider, and the Consequences of not Obtaining Meaningful Consent

In Canada, private sector privacy laws are governed by the Personal Information Protection and Electronic Documents Act, SC 2000, c 5 (“PIPEDA”), as well as substantially similar legislation across certain provinces such as the Personal Information Privacy Act, SA 2003, c P-6.5 (“PIPA AB”) in Alberta, the Personal Information Protection Act (“PIPA BC”) in British Columbia, and the Act Respecting the Protection of Personal Information in the Private Sector, CQLR c P-39.1 (“Quebec Privacy Act”) in Quebec. This article will focus on developing a privacy policy for private sector corporations that handle personal information in Alberta, with federal guidance from PIPEDA.

Personal information under PIPA AB is defined as “any information about an identifiable individual”. PIPEDA expands on this definition to include a number of factors such as age, name, ID numbers, income, ethnic origin, blood type, opinions, evaluations, comments, social status, disciplinary actions, employee files, credit records, loan records, medical records, and the existence of a dispute between a consumer and a merchant (collectively, the “Personal Information”).

When dealing with Personal Information, private sector organizations are required to obtain meaningful consent. Specifically, PIPEDA sets out ten fair information principles for protecting personal information: accountability; identifying purposes; consent; limiting collection; limiting use, disclosure, and retention; accuracy; safeguards; openness; individual access; and challenging compliance (collectively, the “Fair Information Principles”).

The Commissioners of the regulatory bodies governing privacy in Canada, Alberta, and British Columbia jointly developed the following guidelines for private sector organizations to obtain meaningful consent, grounded in the principles of PIPEDA, PIPA AB, and PIPA BC.


Guidelines for an Effective Privacy Policy

Emphasize Key Elements

Organizations must make their privacy policies available and emphasize what personal information is being collected, which parties the personal information is being shared with, the purpose of collecting, using, and disclosing the personal information, and the risk of harm and other potential consequences of that collection, use, and disclosure.

Practically, private organizations must not bury this disclosure and need to ensure that this information is easily accessible to their users.

Allow Individuals Control

While detailing and highlighting the privacy policy is important, private organizations must also give their users the ability to access and review the personal information collected by the organization. This includes allowing individual users the opportunity to download and review the entirety of the organization’s privacy policy, and allowing them to inquire with the organization’s dedicated privacy officer as to what personal information of theirs has been collected.

Clear “Yes” or “No” Options

When deciding whether an individual’s personal information can be collected, users should be given a choice to either “opt-in” or “opt-out” of different categories of collection. A familiar example is the cookie bar that appears at the bottom of the screen when visiting a website: the individual is shown a list of the different types of information being collected and can choose whether to opt in to each specific purpose.

In terms of collection of information, certain information may be a “condition of service”, meaning that the information collected is essential for the service being provided. Consent to collection that is a condition of service will likely not be optional, as it is required to provide the service to the client; organizations should nonetheless be ready to explain why this specific information is necessary for the service itself.

Innovation and Creativity

Privacy regimes welcome innovative and creative ways of presenting consent processes and privacy policies to individuals. One example is a click-through experience that presents the privacy policy as a series of pop-ups, each pulling out one section and presenting it on its own, rather than a single larger document encompassing the entire policy. This is easier for the individual and offers a less overwhelming experience.

Another innovative strategy in common use is the “just-in-time” notice: an additional notice that presents itself when new permissions are requested after the initial privacy documents have already been accepted. An example is a location request from a service that did not initially use an individual’s location; an information tab would appear and explain to the individual why this consent was not initially contemplated and why it is required now. The user would then be aware of what information is being collected and for what purpose.

Other visual tools, including videos and tutorials, are strongly encouraged, as they provide a meaningful and engaging way for an enterprise to illustrate its ongoing privacy commitments.

Consider the Perspective of the Consumer

An organization that places itself in the position of its users will find this beneficial to the implementation and delivery of privacy disclosure. One consideration is to make privacy policies and documents accessible across all devices, including mobile devices, PCs, and even gaming devices. Organizations may consider surveying their users to better understand whether the information presented was clear and understandable. Organizations may also wish to consult with privacy experts or regulators when designing a meaningful consent process.

Dynamic and Ongoing Consent

A common misconception is that once an organization obtains consent, that consent lasts for as long as the user utilizes the organization’s services. This is incorrect. Organizations are constantly pivoting to meet new demands in the market by collecting and using personal information in new ways, and users must be notified of, and consent to, each such change.

Consumers must also be given notice and must consent to any new third-party uses of their data. It is best practice for organizations to audit their data workflows to understand if new uses are being contemplated, and if there is a need to inform consumers and obtain meaningful consent.

Accountability and Compliance

Organizations should be prepared to produce and explain their process for obtaining meaningful consent not only to a user on request, but also to their regulatory body. The expectations of regulators will depend upon the size of the organization as well as the complexity of the business model pertaining to the collection, use, and disclosure of personal information.

Following the above guidance allows a comprehensive, informative, and clear approach to protecting and handling the data of users engaging with services when personal information is involved.


Not Obtaining Meaningful Consent – (Canada) Privacy Commissioner v. Facebook Inc, 2024 FCA 140

In a string of decisions ending with an appeal to the Federal Court of Appeal in (Canada) Privacy Commissioner v. Facebook Inc, 2024 FCA 140, it was determined that Facebook’s practices between 2013 and 2015 breached principles 3 and 7 of the Fair Information Principles, and section 6.1 of PIPEDA, through the practice of sharing users’ Personal Information with a third-party application, “thisisyourdigitallife” (“TYDL”), and further through the sale of that information to Cambridge Analytica. Accordingly, it was determined that Facebook neither obtained meaningful consent nor upheld its obligation to safeguard user data. A remedy is yet to be determined.

In the decision, the Federal Court of Appeal noted that, while Facebook did have a Data Policy in place, it was approximately 9,100 words long and overly vague and broad. Further, when a user signed up for Facebook and agreed to the Terms of Service, they were deemed to have read the Data Policy as well, although it was not necessary to open and read the document itself. Even Mark Zuckerberg, CEO of Facebook, had stated in a hearing before the US Congress that he “imagined that probably most people do not” read or understand the entire Terms of Service or Data Policy.

In reaching its decision, the Federal Court of Appeal also analyzed Facebook’s disclosure to third-party applications, specifically TYDL, and determined that TYDL accessed Facebook users’ friends’ data for one year after it was found to be non-compliant with Facebook’s policies, and subsequently sold that data to Cambridge Analytica.


Following the decision by the Federal Court of Appeal, the Privacy Commissioner of Canada, Philippe Dufresne, issued the following statement on September 9, 2024:

“This landmark ruling is an acknowledgement that international data giants, whose business models rely on users’ data, must respect Canadian privacy law and protect individuals’ fundamental right to privacy.

Facebook operates the world’s largest social media network and collects a vast amount of personal information and data about its users. The issues at the heart of this matter are critically important to Canadians and their ability to participate with trust in our digital society.

As my Office had done in its 2019 investigation of Facebook, the Federal Court of Appeal concluded in its decision that the social media platform had breached the requirement to obtain meaningful consent from users and had failed to appropriately safeguard users’ personal information.

The Court has asked Facebook and my Office to report back within 90 days on whether an agreement on the terms of a remedial order has been reached. I expect Facebook to now bring forward proposals on how it will ensure that it complies with the Court’s decision.

In this increasingly digital world, the Court’s decision reminds us that Canadians have access to important protections and remedies to protect their fundamental right to privacy. My Office and I remain committed to ensuring that Canadians can be active digital citizens without compromising their privacy.”

It is apparent that data and privacy policies will be at the forefront of privacy law. Following the guidelines in this article will help equip private-sector businesses to tackle the challenges of data protection and of obtaining meaningful consent moving forward.

Author

Justin T. Lentz, Associate