Notice & consent compliance in US, China & Canada
The first blog of our series on international data protection looks at notice & consent compliance in the USA, China & Canada.
Introduction
In the first of our blog series on international data protection, I’m taking a look at how companies can ensure compliance with notice and consent requirements in the USA, China, and Canada.
In a world where digital footprints are as common as physical ones, the governance of personal data has become a pressing issue. Central to the regulatory frameworks designed to protect consumers (such as GDPR) is the concept of ‘notice and consent’, a principle that aims to empower individuals with the knowledge and autonomy to manage their personal information. This approach, emphasising the need for a clear notice to consumers and obtaining their meaningful consent, has been a cornerstone of data protection efforts.
Notice & consent around the world
In the United States, the Federal Trade Commission (FTC) has taken a leading role in this area, using Section 5(a) of the FTC Act to address deceptive and unfair practices towards data subjects in online governance. This foundational approach sets a benchmark for other jurisdictions grappling with similar issues in their pursuit of effective data regulation. It invites a closer examination of how regulatory bodies worldwide, from the bustling marketplaces of Canada to the tech hubs of China, curb the abuse of online consumer personal data. In this article, we explore how businesses can effectively adhere to the regulations in these countries, focusing on notice and consent and drawing from recent enforcement actions as instructive examples.
USA
The FTC has been at the forefront of addressing consumer data protection issues. Section 5(a) of the FTC Act promotes notice and consent by requiring companies to clearly inform consumers about data collection, usage, and sharing practices. The FTC provides guidelines for effective notice and meaningful consent, emphasising plain language and consumer choice, in its report titled "Protecting Consumer Privacy in an Era of Rapid Change" (FTC Privacy Report, 2012), which provided recommendations for businesses and policymakers on how to improve consumer privacy. The report also emphasises the importance of privacy by design, simplified consumer choice, and transparency in privacy notices, and encourages companies to give consumers clear and simple choices about their data collection and use practices.
The FTC enforces these principles by taking action against companies that fail to provide proper notice or obtain adequate consumer consent, as documented in the case of USA v. Facebook, where the FTC and the Department of Justice imposed a historic $5 billion penalty on Facebook for failing to provide clear and transparent privacy notices to users about the extent of data sharing with third-party apps. This highlights the FTC's commitment to holding companies accountable for failure to protect users’ privacy.
Canada
In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) and provincial laws such as PIPA-AB and PIPA-BC establish requirements for obtaining consent and ensuring appropriate and reasonable use of personal information.
Canada establishes stringent consent requirements and guidelines for the reasonable use of personal information. High-profile cases like the investigations into ‘Tim Hortons’ and ‘Home Depot’ by Canadian privacy regulators demonstrate a proactive stance against deceptive practices and the failure to obtain valid consent, reflecting a commitment to upholding consumer privacy and rights.
In the Tim Hortons case, Canadian privacy regulators from different provinces jointly investigated the company's location tracking practices. They found that ‘Tim Hortons’ did not obtain meaningful or valid consent due to misleading statements and lack of clear communication regarding the collection of granular location data, leading to global abuse. The investigation concluded that ‘Tim Hortons’ contravened multiple privacy regulations, including PIPEDA, Quebec's Private Sector Act, PIPA-AB, and PIPA-BC.
Similarly, in the Home Depot case, the Privacy Commissioner of Canada investigated the company's practice of sharing customer data with ‘Meta’ without obtaining valid consent. The investigation found that ‘Home Depot's’ reliance on its own Privacy Statement and on ‘Meta's’ Privacy Notice was insufficient to support meaningful consent for disclosing customers' personal information to ‘Meta’, and that this practice was in contravention of PIPEDA.
These cases demonstrate that Canadian privacy regulators are actively addressing instances of deception and unfairness in relation to consumer data protection.
China
In China, regulation of the collection and use of personal information through Software Development Kits (SDKs) plays a significant role. SDKs provided by companies like TikTok, Alibaba, and other tech giants are widely used by app developers to integrate various functionalities, such as social media logins, analytics, and advertising, into their apps. While SDKs are essential for building well-functioning apps, they can also be used to collect and share user data, raising privacy concerns.
China relies on similar regulatory concepts for deception and unfairness in consumer data protection as the U.S. FTC to tackle such issues, as evidenced by various notices, methods, and rectification actions undertaken by the Chinese authorities.
The "Method for Identifying the Illegal Collection and Use of Personal Information by Apps" prohibits misleading users into agreeing to the collection of personal information through fraud, deception, or other improper means. An official notice by China’s Ministry of Industry and Information Technology outlines rectification objectives, objects, and tasks to strengthen the protection of users' personal information. The notice addresses issues like the unauthorised collection of users' personal information, the collection of personal information beyond the stated scope, and the unauthorised use of personal information for purposes other than providing services without informing users, all of which can be considered "unfair" practices. The Personal Information Protection Law (PIPL), in Articles 5 & 17, states that personal information handlers shall, before handling personal information, explicitly notify individuals.
China's interventionist approach to consumer data protection emphasises clear definitions of data collection and processing activities, ensuring they are reasonably necessary for providing a service. Companies must identify additional purposes beyond this scope and give individuals the choice to consent. This approach uses consumer notice and choice as a regulatory device, requiring more consent and offering consumers signposts and choices if activities fall outside the defined scope.
The case of Didi Global Inc. highlights the enforcement of these regulations: the Cyberspace Administration of China imposed an administrative penalty on Didi Global Inc. for violating the Cybersecurity Law, the Data Security Law, and the PIPL in several respects, such as illegal collection of personal information, excessive collection of various types of information, and failure to explain the purposes for which personal information was processed.
What do businesses need to do?
To effectively manage personal data and ensure compliance with regulations in the US, China and Canada, companies need to focus on several key areas:
Comprehensive Privacy Notices
To ensure compliance with data protection regulations, privacy notices must be crafted in plain language, providing clear explanations of what data is collected, how it is used, and with whom it is shared, among other things. It's crucial to consider and incorporate all regulatory requirements specific to each jurisdiction, thereby ensuring that the company remains compliant with the law.
Notify users promptly of any significant changes to data collection practices or privacy notices. This ongoing communication is essential to maintain trust, compliance and transparency.
Robust Consent Mechanisms
Obtain explicit consent from users for data collection and usage. This involves providing clear explanations and allowing users to agree or decline. This principle is emphasised by the FTC in the US, required under PIPEDA in Canada, and mandated by PIPL in China.
For any data processing activities that fall outside the initial consent scope, companies must obtain separate, additional consents. This practice ensures compliance with regulatory standards in all three countries.
Regular Privacy Audits
Regularly audit data practices to ensure compliance with privacy notices and regulatory requirements, or engage independent third-party auditors to review privacy practices and identify compliance gaps. This adds an extra layer of accountability and transparency. I could add that Bulletproof offers a great service to identify those gaps and enhance overall data protection practices.
Privacy Governance Framework
Establish an independent privacy committee to oversee data privacy practices, or appoint dedicated privacy compliance officers/DPOs responsible for implementing and maintaining compliance with data protection regulations. As one of Bulletproof’s virtual DPOs myself, I know how good this service can be at ensuring compliance and offering comprehensive support in all aspects of data protection.
User Control and Choice
Provide users with accessible and user-friendly privacy settings to control their data sharing preferences. This is important to meet user expectations and regulatory requirements. Offer easy-to-use opt-out mechanisms for users who do not wish to participate in data sharing, marketing activities, etc. This practice is crucial for maintaining user trust and compliance with consent regulations.
The FTC favours opt-in mechanisms, especially for collecting and sharing sensitive personal information. Similarly, PIPL requires opt-in consent, where individuals must actively agree to the collection and processing of their personal data. This approach ensures that consumers have control over their information and are aware of how it will be used. While PIPEDA allows both opt-in and opt-out consent depending on the sensitivity of the information, opt-in consent is generally preferred for sensitive personal information. Users must provide consent before their data is collected and used.
Engagement with Regulatory Bodies
Maintain open lines of communication with regulatory bodies and seek guidance on compliance matters. This proactive approach helps ensure ongoing compliance and builds positive relationships with regulators. Be prepared to cooperate with regulators during investigations and audits, and promptly address any identified issues. This is essential for maintaining compliance and avoiding penalties.
Employee Education and Training
Conduct regular training programs for employees on data protection laws, privacy notices, and best practices. This helps ensure that all employees understand their roles and responsibilities in protecting user data. Promote a culture of privacy awareness within the organisation to ensure all employees understand the importance of data protection. This ongoing education helps maintain compliance and protect user data.
Summing up
In conclusion, by adopting these comprehensive measures, companies can ensure compliance with data protection regulations, build trust with consumers, and protect user privacy effectively in the United States, China and Canada. These steps are essential for regulatory compliance and fostering a secure and trustworthy digital environment for consumers globally.