Experts weigh in on recent developments in Canada’s privacy and AI landscape
On October 12, more than 140 people tuned in to the CMA’s Building Trust as Technology Transforms event to hear from leading Canadian experts on privacy reform and ethical AI.
The CMA was delighted to host a fireside chat on “Getting Consent Right” with Phillipe Dufresne, Privacy Commissioner of Canada.
“The great exchanges and strength(s) of the privacy community, especially in Canada, includes the CMA and other experts I’ve been involved with,” said Commissioner Dufresne. “Whatever our roles, whether it’s regulation, private sector, citizens groups or academia, we are all focused on the key principles of privacy and innovation.”
To marketers, consumer trust and loyalty are everything. And in an age where consumers expect increasingly personalized and intuitive experiences, emerging regulatory frameworks and best practices for privacy and AI are more important than ever.
Read more below about what experts had to say about some of the major ethical and regulatory developments impacting data-driven marketing.
Fireside Chat: “Getting Consent Right”
Commissioner Dufresne acknowledged the challenge of ensuring consumer understanding and user-friendliness in an age of widespread consent fatigue.
“We know that legalese and lengthy documents don’t make information easier to digest,” said Commissioner Dufresne, “That’s a challenge not just for marketers but for all who write these documents.” The Commissioner highlighted how the timeliness, location and formatting of privacy information matters to consumers’ understanding of privacy rights.
The surge of AI use in marketing and business practices more broadly has uncovered a new host of considerations surrounding consent. “[AI] can mimic human text and images – what is that going to do to the trust of individuals?” suggested Commissioner Dufresne. It’s safe to assume that matters of consent will only be further complicated as technology transforms.
As Canada sits in a period of legislative limbo, the Commissioner offered some general tips for marketers and businesses trying to navigate the landscape of federal and provincial legislation, official guidance documents, and voluntary codes of conduct:
- Businesses should be proactive to ensure meaningful consent, keeping “as much onus on [themselves]” as possible.
- When it comes to the reasonable expectations of consumers, companies should make their intentions of data use obvious to the consumer rather than “ride the legal threshold.”
- When dealing with third parties, businesses need to review contractual provisions and expectations around consent and data use clearly.
- Businesses should consult the Office of the Privacy Commissioner (OPC) when in doubt.
Commissioner Dufresne expressed his confidence in Canada’s privacy community to get the job done. “Where legislation and regulation are catching up to fast-moving technology, we already have solid professionals, values and ways of thinking that can provide us some, but not necessarily all the protection we need.”
Bill C-27 is poised to bring even more strength to the privacy landscape in Canada. “[Bill] C-27… offers a mechanism where there is a clear gain in terms of more legal certainties [for businesses],” the Commissioner argued.
Panel Discussion 1: Making the Most of AI – Ethical Considerations for Marketers
Canada is undertaking its first attempt at regulating AI through the proposed Artificial Intelligence and Data Act (AIDA). Intended to be overseen by a new AI and Data Commissioner, AIDA proposes a risk-based approach to the regulation of high-impact AI systems across Canada – one that’s backed by stiff penalties.
Independent of AIDA’s status (as it works its way through the legislative process) is the reality that widespread AI use is already making a notable mark on the marketing world. Marketers and compliance professionals need to be considering the ethical implications of AI and mitigating its risks.
The panelists settled on a key takeaway for audience members – don’t work in isolation. “Diversity works,” said Isaac DeSouza, AI & Emerging Technology Risk Officer at BMO, “Bring as many people to the table as possible and think about everyone who might be affected [by your company’s use of AI].” This includes engaging both technical experts and individuals who can adequately evaluate ethical issues.
Parama Ray, AVP, AI & Data Analytics Specialist at Canada Life, added to DeSouza’s advice by encouraging oversight bodies to “have the tough conversations [about ethics and risk management] early on” in their marketing team’s project timeline. This can go a long way in supporting their work while ensuring that best practices are followed from the get-go.
The panelists discussed the importance of best practices when working with third parties. DeSouza stressed the importance of settling on standards and common language to establish mutual understanding and trust – such as the NIST management framework, ISO standard, or OECD guidance on ethical AI use.
Ray reminded audience members that marketers and organizations can make use of vendor evaluation checklists to ensure that a third-party organization’s practices align with their ethical standards. When in doubt, panelists urged marketers to lean on their legal teams as a valuable resource.
Rupinder Dhillon, Head of Enterprise Data at Sobeys, mentioned Canada’s new Voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems, which echoes the principles that underpin AIDA. “I’d encourage folks who are starting to look at the real practical applications of generative AI in their organizations to take a look at that voluntary code and understand it,” she suggested, “Organizations are going ahead and putting these types of controls in place because they recognize that it’s their brand, their trust, their relationship with the customers that are at stake.”
For more on ethical AI and other topics, Dhillon encouraged audience members to take a look at the CMA AI Working Group’s new monthly thought leadership series.
Panel Discussion 2: Preparing for New Privacy Rules – The Impact of Canada’s Privacy Overhaul on Marketing
With PIPEDA predating the digital era, privacy reform is long overdue. “Organizations need clear and consistent rules,” asserted James Smith, Chief Compliance, Risk & Privacy Officer at Environics Analytics, “and there’s no contradiction between being data-driven and respecting privacy.
The proposed Consumer Privacy Protection Act (CPPA), contained in Bill C-27, is designed to provide leading protections for consumers while ensuring businesses can continue to innovate with data and serve consumers well. Against that backdrop, there are fundamental changes that marketers should be aware of. Panelists explored the implications of some of these changes, with Deborah Evans, Chief Privacy Officer at Rogers and Chair of the CMA’s Privacy & Data Committee, guiding this important discussion.
The CPPA includes enhanced transparency requirements, especially when dealing with third parties. Panelists discussed how these requirements would necessitate additional granularity in disclosures about the types of personal information that businesses collect and use, and the manner by which it’s processed.
The legislation proposes to deem all data related to minors as sensitive - regardless of their age or capacity, the nature of the data itself or the risk of harm.
As David Elder, Head of Privacy & Data Protection Group at Stikeman Elliott LLP, explained, this information would then be subject to enhanced obligations under the law, including a requirement for express consent. Given the protection of minors’ data is such an important and nuanced issue, the CMA is advocating for a more targeted and effective approach.The panelists discussed the importance of ensuring that the bill’s framework for de-identified and anonymized data doesn’t overly restrict its use. “The use of anonymization for years has been a tried and true method to convert personal information into non-personal information,” outlined Suzanne Morin, VP of Enterprise Conduct, Data Ethics & Chief Privacy Officer at Sun Life Financial.
The panelists wrapped up by discussing the impact of Quebec’s Law 25 on marketing activities. According to Elder, as of now, it is clear that marketers collecting information through identification, location and profiling technologies need to make detailed disclosures to consumers, informing them about certain details of their intended use. What’s not clear – as we wait on official guidance from Quebec’s privacy regulator – is whether express consent is required in all cases and at all times. The hope is that the CAI’s official guidance, expected this month, will help to clarify the law.
Marketers looking for a brush-up on privacy rules are encouraged to register for our CASL and Privacy Essentials Workshop, taking place on November 21.
