In a letter to the Office of the Privacy Commissioner, the CBA’s Privacy and Access Law Section and CCCA note that many of the problems it identified last year in the OPC’s draft guidelines for obtaining meaningful online consent were still present after those guidelines were revised.
The Sections reiterate four recommendations from the earlier submission, namely:
- The relationship between risk of harm and consequences of collection, use and disclosure of personal information must be clarified
- The types of risk that organizations are expected to disclose must be clarified
- The sub-heading “Risk of Harm” in the Consent Guidelines should be replaced with “Consequences of collection, use or disclosure”
- The text under the subheading “Risk of Harm” should be revised to say, “Individuals should be made clearly aware of any known or foreseeable consequences arising from the collection, use or disclosure of personal information.”
“These recommendations stem from a concern of the CBA Sections that the revised guidelines (as well as the initial draft guidelines) do not contain any clarification of the relationship between the risk of harm and the consequences of collection, use and disclosure of personal information,” the Sections say. “Similar to what we said in our December 2017 submission, the revised guidelines risk confusing the concept of ‘risk of harm’ with an individual’s appreciation of the consequences that result from the collection, use or disclosure of personal information.”
In their earlier submission, the Sections said the consent guidance should be “sensitive to commercial realities.” For example, they object to the wording of one paragraph in the revised guidelines, calling it “impractical and excessive to expect legitimate organizations to describe the risk of reasonably foreseeable harms that could result from their collection, use and disclosure of personal information,” adding that it would be a “highly speculative exercise,” and “challenging” to provide this disclosure “in a meaningful manner.”