Edelman Canada’s view on the Digital Charter Implementation Act
The digital landscape is constantly evolving, and right now we’re in the midst of a major shift. For years, global corporations have been leaning on data – big and small – to fuel their innovation with little regulation safeguarding these practices. Now, we’re seeing an emphasis placed on the privacy and protection of consumers above all else.
The emergence of a privacy-first digital landscape was reinforced by the Government of Canada last month with the tabling of Bill C-11 – the Digital Charter Implementation Act – to establish two new pieces of legislation that govern privacy within the private sector: the Consumer Privacy Protection Act (CPPA) and the Personal Information and Data Protection Tribunal Act.
If passed, the new legislation will give Canadians more control and require greater transparency over how private sector organizations handle their personal information – with significant financial penalties for violations. And in turn, this will have substantial impact on how organizations operate, and reach and influence audiences.
As marketers and communicators, there are things we can – and should – be doing to protect brand reputation, build and maintain trust with stakeholders, and prepare for the mandated changes.
BUT FIRST, AN OVERVIEW OF WHAT MAY CHANGE
Details of the new legislation will undergo public and industry consultation in the House of Commons and the Senate. As drafted, the Bill has similarities to the EU’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA) with responsible data management at its core. Emphasis will be placed on:
- Meaningful consent. Modernized consent rules to ensure individuals are provided with the plain-language information they need to make meaningful choices about the use of their personal information and data.
- Data mobility. To further improve control, individuals would have the right to direct the transfer of their personal information from one organization to another. For example, directing your bank to share your personal information with another financial institution. Organizations will be required to be transparent about how this data is being shared or handled.
- Disposal of personal information and withdrawal of consent. The legislation would allow individuals to request that organizations dispose of their personal information, and in most cases, permit individuals to withdraw consent for the use of their information.
- Algorithmic transparency. New requirements for businesses to disclose how they’ve used automated decision-making systems like algorithms and artificial intelligence to make predictions, recommendations or decisions about individuals.
- De-identified information. The practice of removing direct identifiers – like a name – from personal information is becoming increasingly common, but the rules that govern how this information is used are not clear. The legislation will clarify that this information must be protected and provide guidelines around when it may be used without consent.
- Repercussions. The Government of Canada has made it clear that there will be significant consequences for those who do not adhere, including penalties for those who do not report breaches to the commissioner, notify individuals or keep records of such incidents. Organizations that knowingly contravene obligations could be subject to a fine of up to 3-5% of global revenue or $10-$25 million. In addition, a Tribunal will be put in place to oversee the administration of penalties.
More on the principles of the CPPA & the Data Protection Tribunal Act here.
WHAT THIS MEANS FOR YOUR ORGANIZATION IN THE SHORT AND LONG-TERM
1. Now is the time to assess your privacy and data practices. Privacy topics have never been more mainstream than they are now, and this news brightens the spotlight.
- Understand the data your company handles and what it’s used for. A recent study from Edelman Canada (2017) surveying Information, Data, Security & Technology Officers across Canada found that only half of respondents believe their critical stakeholders – from senior leadership to legal teams and employees broadly – are aware of the type of data their company stores and processes.
- Review your current processes for personal data collection, storage, usage and removal – and prepare to make changes
2. Start working on your privacy narrative. Organizations will be required to obtain meaningful consent, which means your stakeholders must clearly understand what data is being collected, how it is being handled and trust you to manage it properly.
- Most Canadians (85%) feel a “greater reluctance to share their personal information with organizations in light of recent news reporting of sensitive information, such as private photos or banking information, being lost, stolen or made public (2016 Survey of Canadians on Privacy, December 2016, OPC). Privacy is more than a policy on a piece of paper – work with your leadership team to foster a culture of transparency and define your privacy narrative – for internal and external distribution.
3. Beyond the penalties, your brand reputation is on the line. Thousands of organizations a year are victims of data security breaches. Ensure your organization is prepared to respond to and defend against an incident.
- Ensure your employees have ongoing training for cyber threats and appropriate data storage, usage and sharing
- Undergo a data security and privacy preparedness assessment
- Create or update your breach response plans to ensure your team is prepared to manage notifications quickly and effectively after a breach
- Host annual training for your internal teams responsible for a data breach response – including IT, communications, legal
4. Targeting will continue to evolve and play a key role with creative and content as primary drivers of impact. Data-driven audience targeting will evolve to open and balance opportunities to reach more diverse audiences while still driving impact. The advertising industry has been expecting this type of legislation to come to Canada for several years and has been working in partnership with the governing bodies to balance the needs of consumers and corporations. We will see a shift in deep targeting across both data management platforms and “walled gardens” as they need to adhere to the same rules – and first-party data ownership and message relevancy will play a key role in optimizing programs.
5. Consider whether your organization needs a seat at the table for legislation consultation. The House of Commons will begin studying Bill C-11 once Parliament resumes sitting in early 2021. Making changes to the Bill is possible through direct engagement with Parliamentarians, either by written submission, appearing as a witness at the Committee studying the Bill, or both. Knowing that privacy advocates will be looking to further strengthen protections, it will also be important to continuously monitor all legislative activity related to the Bill and be prepared to react and respond
THE WAY WE SEE IT: WE MUST TAKE A NEW APPROACH TO COLLECTING AND PROTECTING FIRST-PARTY DATA – ONE GROUNDED IN TRUST
Trust can’t be bought. It must be earned. Organizations that offer a more mutual value exchange will do best in this environment, and that requires reimagining the role of data and adopting a new approach, one with “data with empathy” at its core.
Edelman’s global chief data & analytics officer, Yannis Kotziagkiaouridis, describes this as the process of identifying insights into who people really are, beyond the superficial or transactional level the industry has been collecting for years. With a true understanding of cultural and human insight, companies can connect with audiences by creating emotive, meaningful and connected experiences, ultimately leading to a mutual data value exchange in which trust is the foundation.
How organizations treat and protect data is now part of their brand promise and risk profile.
CONNECT WITH OUR EXPERTS
For more information on the evolving digital landscape and how your organization can adapt, contact Dave Fleet, Executive Vice President & National Practice Lead of Digital.
To engage with Government as Parliament studies the Bill, please connect with Christopher Vivone, Senior Vice President and National Practice Lead, Public & Government Affairs.
For counsel or support in defining your privacy narrative or preparing a data security response plan, contact Greg Vanier, Senior Vice President, Crisis & Risk & National Lead of Data Security and Privacy
For more information on performance marketing and third-party targeting, please reach out to Nirmala Bahall, Senior Vice President of Performance & Paid Marketing.
To better understand first-party data collection and the impacts this legislation may have on your processes, please contact Catherine Yuile, Executive Vice President, Data & Intelligence.