Consent - The Key to Trust and Respect of Customers

Like Europe and the UK, Quebec’s Law 25 has moved closer to ensuring that customers control how, when, and where their personal information is processed. Consent ensures that your customer’s personal information is treated like the precious cargo it is – handled with care and not tossed into the sea of manipulation. Consent allows the customer to set boundaries and feel like they are driving.

As we navigate our way through Law 25 and the new requirement of Privacy-by-Default, it is clear that consideration was made to “consent fatigue” and the previous notion that everything is on unless the customer is awake enough to switch it off. Privacy-by-Default awakens the fatigued customer into actively deciding to waive the right of confidentiality and privacy either partly or completely based on their preferences through technology.

Marketing and customer service teams now need to find new and exciting ways of convincing customers to lower their guard. A positive way to do this is through transparency in both properly worded consents and privacy notices and having privacy programs to back it up.

Clarity and simplicity – the key to valid consent

Law 25 provides that consent must be "clear, free, and informed" (section 14). Individuals should be fully informed through notices written in clear and simple language. Requests for express consent must be equally clear including the purposes for which consent is being sought.

Consent to be given freely (void of coercion and deception)

Section 14 also emphasizes that consent must be given freely. This means that individuals cannot be coerced, misled, or deceived into providing their personal information for processing purposes. Furthermore, goods or services cannot be withheld based on consent refusal for unnecessary data processing. This ensures that individuals have the autonomy to make informed decisions about their personal information.

Consent must be separate

The requirement of separateness, outlined in section 14, ensures that consent requests are presented separately from any other information. This prevents "bundled consent" and contributes to clarity. The intention is that individuals should clearly understand the specifics of their consent and that it is not hidden in pages and pages of terms that no one will read.

Express vs Implied

Law 25 distinguishes between express and implied consent, each applicable in specific scenarios. Express consent is required for (i) sensitive information, (ii) communication of data to third parties, (iii) the use of biometrics and (iv) in terms of the draft consent guidance - for identification, location and profiling. Implied consent comes into play when individuals provide personal information for specific purposes and are fully informed about such purposes.

Crafting an effective Privacy Notice

Whether you have a mature or basic privacy program, your privacy notice is the first glance that the commissioner, customers and potential partners have into your privacy program and practices. A compliant Privacy Notice, as per section 8, should provide information about the collection, means, rights of access and rectification, withdrawal rights, and third-party involvement related to personal information. Additional elements like contact information of the individual responsible and data retention periods should also be included as well as any communication or sharing of personal information outside of Quebec.

Timing

When collecting information or requesting consent, timing is of utmost importance. In general, at the time personal information is collected, your customer must be informed (notified) of the purposes for which their personal information is collected. Notice must also be given subsequently on the request as well as where automated decision-making is concerned. There are various ways to do this. It is important to note that in some instances, notice is required before collection, such as when collecting information that leads to identification, location and profiling of the customer.

What do you need to do?

When developing your consent management program, remember that consent isn't just a "yes" - it's the power of choice, the protector of privacy, and the ultimate basis for processing in the world of data. Develop your consent management program with the customer in mind and trust will follow.

Need help with that? Call Bamboo Data Consulting to find out how we can help you achieve this.

Previous
Previous

The Challenge of Public Expectation

Next
Next

Navigating the Tightrope: Balancing Security and Privacy Conflicts