The Canadian Marketing Association has published new research that it says supports its position regarding both targeted amendments to, and the adoption of, Bill C-27, otherwise known as the Digital Charter Implementation Act, which aims to modernize privacy law by regulating how companies can collect, use, and disclose consumer information.
Of particular interest to the CMA is the Consumer Privacy Protection Act (CPPA), a piece of proposed legislation contained within C-27 that Sara Clodman, chief public affairs and governance officer for the association, said “is set out in a way that will protect consumers’ data and also let companies innovate.”
According to Clodman, existing law and the CPPA both have dual purpose statements: first to protect consumers while also enabling companies to operate effectively. “They are not mutually exclusive goals,” she said. “They can be achieved in harmony.”
“Consumers feel more comfortable when businesses are transparent about how they’re using personal information and, of course, they want the option to opt out as is required by law,” she said. “A stronger privacy law would certainly increase their comfort in sharing their personal information, which helps organizations to deliver the products and services they need.”
According to Clodman, CMA research found that consumers are vastly more concerned about their information being stolen and used by bad actors (53%) than they are about having it used by businesses (5%) or third parties (6%), with their consent, to create targeted advertising and offers. Further, 90% of consumers say that one of the most important reasons they share their data with companies is to receive those offers and discounts on products that they want.
“Getting that kind of value is very important to them, especially given how concerned consumers are about the rising cost of daily living in recent months,” Clodman said. “The personalization that comes from data usage can provide financial relief. Consumers might not always stop to think about how it is that they received the ad for exactly what they want to purchase at a given time, but they really value when that happens.”
The revised privacy laws—and continued access to information—are equally important for companies to avoid serving undesired products to audiences, because “Canadians say that when they get information about products that don’t interest them, it impacts their opinion of that company,” she added.
The CMA does have some targeted amendments it would like to see made to the CPPA, including changes to how it would protect the personal information of minors, how anonymized data would be handled, and how to avoid what it calls “consent fatigue.”
With respect to the data of minors, the CMA supports the position that such data should only be collected when there is a relevant business case to do so—for instance, when the products being sold are pertinent to people below the age of minority—and that the data of those people should be protected when it is gathered. However, in the case of products where the age of the consumer should be irrelevant, collecting such data shouldn’t even be a question, Clodman said.
Meanwhile, the ability for companies to gather and pool anonymized data, which Clodman said is vital to functions such as market research, needs to be preserved in the CPPA.
On the topic of “consent fatigue,” Clodman pointed to failings of legislation in Europe—namely the General Data Protection Regulation—to support the CMA’s case for amendments to the CPPA.
“Consent [under the GDPR] is required so frequently that consumers don’t bother reading the requests for it, they just accept them so that they can access the information and offers they are after,” she explained. “But the point of informed consent is so that consumers know what is being done with their data and agree explicitly to that.”
Rather than require companies to seek consent for every instance of data collection, Clodman said, the CMA supports the position that “consent should be sought when the activity that a business is engaging in isn’t something a reasonable person would expect.”
For instance, if a consumer visits a clothier’s website, they shouldn’t need to be prompted for consent to collect data in order to tailor product promotions to their personal style from that clothier—but they should be asked for consent to sell their shopping preference data to third parties.
“While we do have these amendments that we have proposed to the CPPA, generally it is a strong law,” Clodman said. “It just needs some targeted amendments to be effective.”
