Call today! 1 866 3 NYMITY
Username: Password:
Nymity News
Nymity logo
Home About Us

Interview with Philippa Lawson

 

May 2003

 

Terry McQuay, Nymity's President recently spoke with Philippa Lawson, the senior counsel for the Public Interest Advocacy Centre (PIAC). She has been practicing consumer advocacy with PIAC since 1991 and specializes in telecommunications regulation, privacy and consumer protection in electronic commerce. PIAC is a non-profit organization that represents the ordinary consumer interest in matters involving essential services and related marketplace issues. PIAC has been representing consumers since 1976 before public utility tribunals, courts, legislators and policy-makers. (See www.piac.ca for more information.)

 

Nymity:  What is PIAC position on PIPEDA?


Lawson:   PIAC was, and continues to be, a strong supporter of the federal PIPEDA. This legislation was a bold step taken by the federal government, in more ways than one. It resulted partly from external pressure (e.g., the EU demanding adequate data protection for trade purposes), but also from a recognition that electronic commerce will not reach its potential unless consumers have control over their personal information in the marketplace. The PIPEDA was necessary because technological and market developments had far outpaced the law in respect of the collection, use and disclosure of personal information, especially in the online marketplace. It was high time for the law to catch up with technology and provide businesses with some guidelines as to what is acceptable and what is not when dealing with the personal information of others. I would say that the PIPEDA was long overdue and that the marketplace would have been much better off had we established these guidelines earlier on.

 

Nymity:  In one letter, you made five complaints to the Privacy Commissioner. Why?

 

Lawson:   Under the PIPEDA, businesses must not collect, use or disclose personal information about consumers without their knowledge and consent. Consent can be obtained in a number of different ways. These can be broken down into three general categories: implied consent (where consent is clearly inferred on the fact, such that if the person were asked, there is no doubt that they would consent); explicit consent (where, in the absence of an express, positive indication of consent, there is considered to be none; this is often referred to as "opt-in" consent); and negative option consent (where consent is assumed, or deemed, unless the person indicates otherwise; this is often referred to as "opt-out" consent). The PIPEDA requires opt-in consent where the information in question is sensitive, or where the individual would reasonably expect their consent to be obtained in this manner. Otherwise, it allows for negative option consent, but provides little guidance as to the necessary components of a valid negative option.

The predominant method being used to obtain consumer consent for marketing purposes is negative option. Our research, however, indicated that most consumers were unaware of the fact that their personal information was being collected, used, and/or disclosed by businesses for various marketing purposes using this method of notice and consent. In other words, the consumer knowledge required by the PIPEDA was not there. We further found that a large proportion of consumers would not consent to typical uses and disclosures were they asked; in other words, consent was being deemed in many cases where it did not exist. Finally, we found that a large majority of consumers want to be given a real choice in the matter of how their personal information is used and do not consider the negative option approach adequate for this purpose. The details of this market research are available on our website (see EKOS Research report dated August 2001).

 

Based on this clear message from the Canadian public, which is consistent with other market research as well as positions taken by other groups representing consumers worldwide, we realized that there was a serious gap between public desires and expectations on one hand and business practices on the other. In discussions with business representatives we also realized that that the failure of the PIPEDA to deal with the issue of what constitutes valid negative option consent was being exploited by businesses who were comfortable deeming knowledge and consent knowing full well that their data subjects likely had no such knowledge and might not consent if asked. Clearly, the vagueness of the PIPEDA in respect of negative option consent to data use for marketing purposes needed to be corrected. Therefore, we picked a few examples from the marketplace, and put the issue to the Privacy Commissioner: what are the necessary components of valid negative option consent?

 

It's important to note that the problem addressed by our complaint is widespread in the marketplace, and that the five companies we chose to target are just five examples that we chose for no particular reason other than that they were relatively high profile companies serving a large segment of the marketplace. We could have lodged this same complaint against thousands of other businesses as well.


Nymity:  Did the Privacy Commissioner's response meet your expectations?


Lawson :  Yes. He confirmed the key point that we were making: that negative option consent, to be valid, must be:

  • brought to the attention of the individual
  • clearly worded
  • sufficiently detailed for the consumer to make an informed choice, and
  • easy to execute with minimal effort.

 

And he agreed with us, in most cases, that the company was failing in at least one of these respects.


Nymity:  It has been a year, did the companies respond to the privacy complaints?


Lawson:   We have not yet checked to see what changes have been made, although some were made or promised in the course of the Privacy Commissioner's investigation. We will be doing this soon as part of a more general review of marketplace practices under the PIPEDA. I remain concerned that prevailing market practices in respect of notifying consumers and obtaining their consent to data collection, use and disclosure are inadequate and do not meet the standard that the PIPEDA was meant to set.


Nymity:  Will you making any more complaints?

 

Lawson:   I expect so, given the apparent predilection of so many businesses to err on the side of data collection and use rather than consumer privacy.

 

Nymity:  What are you looking for?

 

Lawson :  Meaningful notice of data practices - not hidden in the fine print of a policy, but actually brought to the attention of consumers. Separation of essential from non-essential data collection, use and disclosure. Clear choice to consumers in respect of all non-essential collection, use or disclosure. Methods of obtaining consent that minimize the chance of error (i.e., assuming consent only where it clearly exists). Opt out methods that do not place an undue burden on the consumer. Those are just some things that we are looking for.

 

Nymity:  What would you expect from PIPEDA's Parliamentary Review in 2005?

 

Lawson:   We will certainly be pointing out deficiencies in the Act that need attention, such as the lack of clarity around what constitutes "knowledge and consent", when explicit consent is needed, and what are the criteria for valid consent - either implied, explicit, or negative option. These are critical issues on which current interpretations of the Act are unfortunately divergent and on which everyone needs more direction from law-makers. Other issues that need to be examined include special protection of children. I hope that the Act will be given a full airing and that we can amend it in ways that are helpful to all.

 
Nymity:  How do you expect the public will respond to PIPEDA?


Lawson :  I think people are already responding by lodging complaints when they are made aware of their rights under the Act. The more public awareness there is of this the more demand we will see for changes to business practices so as to put control back in the hands of the individual to whom the personal information fundamentally belongs.

 

Nymity:  Where does consumer privacy fit as a priority for PIAC?


Lawson:   Consumer privacy has gradually evolved into a priority issue for PIAC over the past decade. Ten years ago, we treated it as just one aspect of the other advocacy we were doing; now it's an issue unto itself, crossing all sectors that we deal with. Until there is a national privacy advocacy organization PIAC will no doubt continue to be a leading voice for consumers in this area.

 
Nymity:  In closing, what would you recommend to organizations that are in the process of complying with PIPEDA?

Lawson:   Get with it - don't wait for complaints; they can generate bad publicity that has lasting effects. And don't try to skimp on privacy. It's better to err on the side of caution than to take advantage of gray areas in the law. In the long term, a cautious approach to consumer privacy will pay off and, in the short term at least, you'll be able to distinguish yourself from the competition.

 

 

 

 

 

 

 

 

 
Contact Us | Privacy Policy | Terms of Use and Disclaimer © 2003 - 2008 NYMITY