Earlier this year, the Canadian Marketing Association (CMA) released its Guide to Transparency for Consumers (CMA Guide), intended to help organizations provide consumers with clear and user-friendly information about how such consumers’ personal information is collected, used and shared. The CMA Guide reflects consumers’ perspectives identified in research conducted by the CMA in 2018 and sets out a transparency framework that will help companies comply with the new Guidelines for obtaining meaningful consent (OPC Guidelines), issued by the Office of the Privacy Commissioner of Canada (OPC), which came into effect on January 1, 2019. For more information on the OPC Guidelines, see BLG bulletin: Preparing for compliance with new privacy consent guidelines.

Using information collected from its consumer-focused research, the CMA Guide explains that transparency for consumers means not only being informed of the existence and purpose of any processing activity involving their personal information, but also being able to effectively derive enough understanding from this information. Where organizations provide sufficient transparency, consumers can make informed choices about their personal information and provide meaningful consent.

The CMA’s transparency framework is built on the following three pillars, which find their source in the OPC Guidelines:

  1. Layered: Information is layered so that consumers can easily choose the level of detail that suits them, and they can receive information in smaller amounts, as it is needed. To achieve this, the CMA Guide outlines a range of approaches, including providing a standard detailed privacy policy or terms and conditions as well as succinct privacy labels, icons or bubbles for those who want less detail.
  2. Tailored: Information is tailored to the medium (e.g., desktop, mobile, call center) in which they are being provided and the audience (adults vs. kids and teens), such that the information is optimized and varied allowing it to be user-friendly and user-appropriate.
  3. Shared: Individuals, organizations and regulators share responsibility regarding data security. While businesses are required to do the heavy lifting by sharing clear, concise information so that consumers can rely on the information they are provided, consumers are responsible for the actions they take to receive goods and services.

In addition to the three pillars, the CMA Guide provides certain practical methods for complying with the OPC Guidelines and also outlines the specific type of information that consumers want to know regarding how their personal information is being processed (e.g., whether personal information is sold to third parties, whether personal information is collected from third parties, whether the organization engages in data analytics or big data activities and what choices the consumer has when it comes to their personal information). The CMA Guide suggests including this information as much as possible and as appropriate in order to enhance the customer experience. The CMA Guide’s main suggestion for providing this information so that it is “layered” is through a “privacy label,” which is a short transparency notice, which can have a strong visual element and can be easily accessible to consumers. The privacy label allows organizations to fulfill their duty of emphasizing key elements of the personal information processing, while supporting user-control over the level of detail provided to the consumers. A historic analogy for the privacy label is the food label, which also provides consumers with simple, easy-to-understand information about their food.

In addition to the privacy label, the CMA Guide also includes many of the same techniques for improving transparency included in the OPC Guidelines, such as “just-in-time” pop-ups or push notices, which are intended to provide specific privacy information when it is most relevant to the consumer. Another practical example for providing consumers with increased transparency is to make the privacy notice available through a hyperlink in commercial electronic messages, which can be easily included alongside the unsubscribe mechanism required by Canada’s Anti-Spam Law.

Takeaways for businesses

In the advent of increased consumer awareness regarding privacy practices, the CMA Guide proposes how organizations may effectively communicate the specific information consumers are looking for in a manner that complies with Canadian private sector privacy legislation. With privacy now being a competitive differentiator, where organizations communicate with consumers in a more meaningful way about their privacy practices, they will build trust and loyalty with current and future customers. Organizations should look to revise their privacy policies/notices and privacy practices to align with the practical suggestions included in the CMA Guide and the OPC Guidelines.