Why ad experts are welcoming Canada’s new privacy rules

While Bill C-27 will weed out bad actors and improve consumer confidence, it will require work on overhauling privacy policies and ensuring tech partners are up to the bill's standards.

Earlier this month, the federal government introduced Bill C-27 in an attempt to give Canada’s privacy legislation a much-needed update for the modern digital age.

The bill is made up of two acts designed to regulate business’ use of personal data. The Consumer Privacy Protection Act requires businesses to be clear about how data is collected and used, obtain clear consent from consumers to do so and regulates the use of “de-identified” data. The Artificial Intelligence and Data Act creates clear parameters around the development of deployment of AI systems, as well as defining the “harms” it can cause Canadians.

A third act, the Personal Information and Data Protection Tribunal Act, would create a tribunal that would have the authority to issue steep financial penalties to those who break privacy rules.

While the bill will have an impact on increasingly data-reliant advertisers, agencies and content publishers, it is one that media professionals expect to be positive.

Scott Atkinson, SVP of digital for Publicis Media, says the Consumer Privacy Protection Act not only updates PIPEDA for today’s complex data reality, but adds teeth to ensure compliance. And that’s a good thing.

“Empowering the Privacy Commissioner of Canada to issue orders and establishing significant fines will weed out bad actors and start to build faith with consumers that digital marketers are respecting their privacy,” he says. “If data truly is the new ‘oil,’ then we need privacy and data protection to be our new carbon capture technology.”

Devon MacDonald, president of Cairns Oneil, thinks the additions in AI and clearer definitions around data usage and privacy are important. He says these additions help contemporize the problems consumers face and increase transparency for them, both of which are critical in building public confidence around online activities and how their data is being used.

“For Canada, I think it’s a good opportunity to take a leadership position that will improve the public trust and ultimately strengthen marketing support,” MacDonald says. “A consumer that is aware and opted-in is more aware of the value exchange that they’re entering and open to discovery and engagement. Similarly with previous privacy efforts, though, there will be work needed by marketers to bolster their digital activities to ensure compliance.”

One of the points in the bill that Scott Stewart, general manager of Glassroom, is pleased to see is the inclusion of protection from the use of Artificial Intelligence. “There are examples of digital recklessness happening that have long been unchecked and C-27 is certainly a step in the right direction in terms of setting more rigid parameters around how personal data can be collected and providing far more detail and transparency around what it sets up to regulate than the previous bill.”

He adds: “One of the biggest priorities for digital marketers today should be centered on how to manage privacy around children and the impact of the digital ecosystem getting younger and younger, especially on social platforms and implementing the necessary controls to protect them.”

But the new rules will mean advertisers and agencies alike will have to put some work in to ensure compliance Communication of privacy policies and the increased use of clean room technology are two areas on Maura Hanley’s radar.

Hanley, the SVP and chief digital officer for Dentsu International, says a couple of things advertisers and publishers are going to have to think about is the new requirement to make privacy policies readily available to consumers in plain language, although the grade level of plain language is not defined in the bill.

“I think that’s a bit of a challenge to those 5000-word privacy policies written in university level English that you can find through a tiny link at the bottom of a website,” Hanley says. “That’s a challenge for companies to really work at their privacy policies, particularly those with content in an environment that attracts children.”

Hanley says the other area that is important to think about is a new requirement that service providers provide a level of protection equivalent to that which the transferring organization is required to provide. It means all the partners need to be at the same level of privacy protection.

“As we as an industry are engaging in more and more clean room projects and looking at first party data fusion initiatives, we really have to hold each other to account, ideally at the highest standards,” she says. “I think that’s really a big one for us in the industry – to hold each other to account.”

What’s interesting in the whole clean room area, says Hanley, is that the bill also distinguishes between data being anonymized and de-identified. “For the most part, when we’re doing first party data fusion, we’re talking about de-identified information, which means the data can be reverse engineered to identify the people. Again, we just need to hold each other to the highest standards in terms of these types of approaches.”