CMA makes changes to its privacy compliance guide

The guide includes new best practices for the collection and protection of consumer data, as well as PIPEDA compliance.

The Canadian Marketing Association (CMA) has updated its privacy compliance guide to show marketing organizations the importance of getting meaningful consent from consumers and better protecting their personal information.

The updated guide draws on the Personal Information Protection and Electronic Documents Act (PIPEDA), which was updated in 2018 and which says, with regard to “meaningful consent,” that “organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used.”

“To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.”

The CMA guide also refers to PIPEDA when it comes to data protection, noting that a company’s “security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held.”

The updated guide was released on Tuesday as part of Data Privacy Day. The CMA was included as a “Data Privacy Day Champion” by the National Data Security Alliance on Tuesday.

Sara Clodman, VP of public affairs and thought leadership at the CMA, says the guide has existed for a long time, but it was “time to update it and refresh it” with the latest guidance from the Office of the Privacy Commissioner and best practices developed by the CMA.

“It’s a matter of [marketers] making sure that they are doing a number of things to a very high standard,” Clodman says. “Those things centre around making sure that they do everything they can to inform consumers, in a meaningful way, and making sure consumers have the right to consent to various things related to their data (and use of their data).”

She also notes that the data breach regulations are “very important.” According to the Office of the Privacy Commissioner of Canada’s website, while not all breaches have to be reported to the OPC, the law mandates that any breach of security safeguards involving personal information under a company’s control be reported if “it is reasonable in the circumstances to believe that the breach of security safeguards creates a real risk of significant harm to an individual.”

Clodman adds that the OPC requires companies to keep a record of any breach. “Record-keeping is very important, more so than ever before,” she said. “You will see, more and more, on websites now a pop-up that tells people, ‘We track you if you visit our site. If you continue, then you’ll be approving of that. If you don’t wish to have that happen, then click here etc.’ More and more, you will see those kinds of notices for consumers. That’s more evidence of these rules coming into effect.”

Beyond legal compliance, Clodman notes that treating customers’ data responsibly and thoroughly strengthens marketers’ relationship with their customers. “It’s part of a customer experience to have their data protected,” she says. “I think the way marketers need to think about it is that, in order to have a strong customer relationship, they need to make sure they’re protecting customer data and using it in all the ways that are required, and that that will, in fact, build trust with their customers and will actually be good for them, for their company.”

Clodman notes that the majority of the guide would affect every company in Canada that would deal with customers – not just the more than 400 members the CMA represents.