With data privacy a large and growing concern for consumers—and therefore marketers—the Canadian Marketing Association (CMA) has released some new guidance to help its members develop “user-friendly” privacy policies.

The CMA Guide to Transparency for Consumers is intended to reflect the Office of the Privacy Commissioner of Canada’s new guidelines for obtaining meaningful consent, which took effect Jan. 1. The OPC guidelines are aimed at making it easier for people to understand how exactly their data is being used by businesses in a fully transparent fashion, rather than buried in conditions agreements and dense legalese.

“The reality is that information buried in a privacy policy or terms of use serves no practical purpose to individuals with limited time and energy to devote to reviewing privacy information,” said the Privacy Commissioner.

The CMA guide similarly contains “practical advice and approaches” that organizations can tailor to suit their own consumer interactions, said Sara Clodman, vice-president of public affairs and thought leadership.

The Privacy Commissioner states that organizations must provide information about their privacy management practices in way that emphasizes “key elements.” These include an overview of what information is being collected, with which parties the information is being shared, the purposes for which information is being collected, used or disclosed, and the risk of harm and other consequences.

The guiding principles, which can be read in full here, also require companies to allow the individuals to control the level of detail they get by presenting it in a layered format; provide clear options to say “yes” or “no”; be innovative and creative through the use of tools such as just-in-time notices (eg: a note adjacent to the space asking for a user’s age explaining why this information is being requested); considering the consumer’s perspective; making consent a “dynamic and ongoing” process; and being accountable.

“As the world evolves and consumers have a higher understanding of data collection and protection, this is a way for organizations to build strong relationships with their customers,” said Clodman. “It will help organizations comply with the federal rules.”

The CMA guide is built around consumer perspectives on privacy gleaned from a pair of research studies it commissioned last year:

• The first, “Data Privacy—What the Canadian consumer really thinks,” conducted by Foresight Factory in 10 countries, found that 75% of consumers are willing to exchange personal data for benefits such as free products and services, greater value for money, improved service and tailored offers, but only as long as that data is adequately protected.
• The second study, “Attitudes towards Data Privacy and Transparency,” conducted by Environics Research, contains extensive details about the kind of information consumers want to have about how their personal data is being used.

The guide also contains the CMA’s new transparency framework, which was developed by the organization’s Privacy and Data Committee—which is comprised of some of Canada’s leading chief privacy officers—and built around three pillars:

1. Information is layered so that consumers can choose the level of detail that suits them, and they receive information in smaller amounts, as it is needed. To achieve this, the Guide outlines a range of approaches. “More information is not better information, and adding more paragraphs to a lengthy, legally-worded policy is not going to help consumers understand,” said Clodman
2. Information is tailored to the medium and the audience, such as a simple, succinct “privacy label” that can easily be read on a small screen, making it user-friendly and user-appropriate.
3. The approach reflects the shared roles of individuals, organizations and regulators.

Clodman said that the approaches outlined in the CMA guide will help organizations meet the requirements of both Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, the EU’s General Data Protection Regulations (GDPR), which took effect last year.

“Many—if not all—Canadian companies are in great shape because of the privacy compliance programs they established in response to PIPEDA [nearly 20 years ago],” she said.

The CMA guide is being released in advance of Data Privacy Day, which takes place Jan. 28. Created in 2007 to raise awareness about best practices in privacy and data protection, Data Privacy Day is currently observed in Canada, the U.S., India and nearly 50 European countries.

– Chris Powell