CMA, GDMA release new global privacy principles

The framework comes after Canada's privacy commissioner expressed concern about whether new regulations were strong enough.

The Global Data and Marketing Alliance (GDMA), along with the Canadian Marketing Association (CMA), has released a new framework intended to help marketing organizations align their data activities with consumer expectations around privacy.

The Global Privacy Principles are meant to establish a set of ethical best practices that will enhance the self-regulation the GDMA’s member organizations are already providing. The GDMA is made up of marketing industry associations from 28 countries, including the CMA.

The framework includes seven key principles:

  • valuing the privacy expectations of individuals by making it a core value in the development of any codes or policies, and taking the necessary steps to ensure all employees, partners and suppliers are committed to those values.
  • being clear and transparent about how data is collected, used and where it is coming from.
  • respecting an individual’s preferences, making it easy for them to express those preferences and opt-out if desired.
  • processing data ethically, collecting only what is necessary, using it only for its stated purpose and ensuring it is stored securely.
  • take responsibility for ensuring employees involved in data and marketing respect privacy practices and that managers ensure data is used responsibly in all activities.
  • keeping data secure and safe from potential misuse or breaches.
  • being accountable for all of the above, and taking responsibility when activities fall short of these standards.

The hope, according to an announcement from the CMA, is that the framework will help organizations build consumer trust by giving them guidance on how to demonstrate that consumers’ personal information is valued and “create a privacy-protected environment where data sharing is beneficial to all parties.”

Along with Wednesday’s announcement, the CMA also restated its encouragement for Members of Parliament to adopt Bill C-11, legislation that would update Canada’s privacy regulations, which experts have said are in desperate need of updating to bring them in line with the current digital economy.

First introduced last November, Bill C-11 aims to give Canadians greater control and transparency over how their personal information is handled by companies, allow for organizations to move information more securely and give the privacy commissioner greater ability to compel organizations to comply with its orders. Fines for contravening the regulations could reach up to 5% of revenue or $25 million, whichever is higher. Innovation, Science and Economic Development Canada has previously described these penalties as the highest among G7 countries.

The CMA has urged legislators to adopt the bill in a timely fashion and avoid a “patchwork” of regulations across jurisdictions, which creates confusion for both businesses and consumers. The CMA has also called for its own “key” and “targeted” amendments to the bill to align Canada with international privacy laws and ensure Canadian businesses can succeed globally by removing “barriers to data innovation.”

In a statement to strategy, the CMA said its proposed amendments fall into four areas: how data with no identifying features is treated; the degree to which regulations rely on express consent for data collection; the scope of rules around automated decision-making; and exceptions to the right to deletion of personal information, a new provision in the bill sometimes referred to as “the right to be forgotten.”

The CMA is not the only one calling for changes to the bill this week, as Privacy Commissioner Daniel Therrien told the House of Commons that the legislation does not go far enough.

During testimony before the committee on access to information, privacy and ethics on Monday, Therrien said the legislation required “significant amendments” to adequately protect the privacy of Canadians. In particular, he said that the bill favoured the interests of companies over privacy rights, and it should be changed so that, if commercial interests and privacy rights were to ever come into conflict, the rights of Canadians should be favoured.

He also pointed to the need for more regulation around the use of facial recognition technology, pointing to Clearview AI contravening privacy laws in selling its data to police.