The Office of the Privacy Commissioner of Canada (“OPC”) recently released a preliminary report outlining the results of a series of focus groups conducted with Canadians about privacy and the protection of personal information. Predictably, participants in the focus groups (which represented a small and restricted sample of Canadians) were concerned by the collection and protection of their information by private companies.
It is likely that the OPC will highlight these results in its upcoming comprehensive report on privacy and consent in September 2017, part of the ongoing review of the Personal Information Protection and Electronic Documents Act (“PIPEDA”), as justification for the expansion of government oversight and enforcement powers in relation to the protection of customer privacy interests. Review of the data, however, indicates that, at least among the relatively small sample canvassed as part of the focus groups, participants saw an independent role for Canadian companies in the protection of their data, apart from compliance with government regulations.
This particular series of focus groups collected qualitative data with respect to the sharing of personal information with and by private companies. In total, 64 individuals in four Canadian cities participated in the focus groups conducted over three days by Phoenix SPI on behalf of the OPC.
All participants acknowledged that it was common to be asked to provide personal information when interacting or conducting transactions with Canadian companies, especially when those interactions or transactions took place online. Although there was widespread acknowledgement that these companies had legitimate reasons to collect this information, there was also a common feeling that, as customers, they had no choice but to give their consent to the provision of this information and that they had little or no control over what happened to that information once provided.
The study participants identified three broad areas of concern with respect to what they perceived to be the high volume of personal information that is collected by Canadian companies:
- The level of security of that information and the potential for hacking and consequent fraudulent use (e.g. identity theft);
- The sharing or sale of information with third parties, for whatever purpose; and
- A lack of understanding about companies’ privacy policies and practices and the consequences for companies if those policies are violated.
The report indicates a general feeling among the participants that the current system is skewed in favour of companies at the expense of the customer. Specifically, it was seen that most privacy policies are overly long and complex while remaining vague and unclear, with the result that customers consented to them without a proper understanding of their terms. That said, participants generally believed that corporate privacy policies, whatever their specific terms, operated to protect companies in their use of customer information, rather than the customers themselves.
Study participants also exhibited an overall level of skepticism about the type and quantity of information collected. For example, while participants made the obvious connection between the need to collect credit card information and pay for a good or service, they were less confident that demographic information such as age, gender, or level of education would be put to use other than for targeted advertising, junk e-mail, or sharing with other vendors. Few linked the collection of personal information to the potential for more personalized products or improved customer service. Consequently, some of the respondents stated that they avoided online transactions altogether or where possible withheld or provided false information.
Customers are, perhaps unsurprisingly, more willing to provide personal information to companies with whom they already have a relationship and whom they perceive as established and trustworthy. In this connection it is worth noting that there was a lower level of trust associated with smaller companies and those who ‘cold-called’ customers.
Opportunities for Canadian Companies
Given the perceived power imbalance in their relationship with companies, study participants expressed some support for further government involvement in the regulation of policies and practices with respect to the collection, storage, and sharing of personal information. These include:
- Government-imposed standardized policies written in plain language including “opt-out” provisions for different types of or uses for personal information;
- Increased government regulation governing the collection, sharing, and security of personal information, including proactive audits of companies’ privacy practices and the imposition of penalties on violators (such as fines or public ‘naming’ of companies failing to meet standards); and
- A public information campaign with respect to privacy and the consent to sharing of personal information, including a public registry of companies that have experienced breaches in information security or have been found to violate privacy laws or policies.
Next Steps and Lessons for Business
As noted above, the OPC plans to release a comprehensive report on privacy and consent in September 2017 and it is not clear at this point what influence this particular study will have in that final report. Given the profile this study has been afforded by the OPC, notwithstanding its restricted scope and scale, it is likely to be used to support an argument for the grant of further powers to the OPC.
In this context, it is easy to overlook the ways in which study participants saw an independent role for companies, separate from government, in the protection of privacy. Canadian companies have a number of opportunities to anticipate the OPC and improve their privacy practices, while reassuring and improving relationships with customers. In particular, as suggested by the feedback from the study participants, Canadian companies should consider:
- Informing customers how the collection of data can improve their experiences, such as through the provision of personalized results, recommendations, and customer service, rather than merely serving marketing goals;
- Stating explicitly and in clear language how the information customers provide will be used by the company and under what conditions it will be retained, shared, and destroyed;
- Revamping their current policies and practices to ensure that they are written in language that is as clear and customer-friendly as possible and providing, where appropriate, plain-language or bullet-point summaries of the policy;
- Where appropriate, allowing customers to opt out of providing specific information;
- Exercising due diligence in verifying that customers have read and understood the terms of their privacy and personal information policies; and
- Specifying the steps the company will take and/or the recourse available to the customer should personal information be compromised, or otherwise used or shared without consent.