🏰 CASLs in the sky

🇨🇦's 1 simple trick we forgot about

Jan 28

me on january 1: this year is gonna be all about balance me on january 17: maybe if i drink enough coffee i’ll just burst into flames

⚜️bradley⚜️ @bradapalooza

First of all DO NOT address me as “Honey” if you’re coming to tell me you just SHRUNK the damn KIDS.

Malcolm Harris @BigMeanInternet

Hearing good things about this "talking about ideas" activity, gonna look into it more

Canada is in the process of reconsidering federal private sector privacy legislation (Bill C-27) and we are also thinking big thoughts about what it means for citizens (“consumers”) to engage in an increasingly digital economy. With weak consumer protection advocacy in the country, progress has been slow (and steady?).

I’ve written a lot about the work that people need to do to navigate the norms of the internet - we deal with opaque algorithmic pricing, dark patterns that trick us into subscribing and make it difficult to cancel, ‘personalised’ ads we don’t particularly care for, and self-preferencing in online search that isn’t disclosed. There’s probably more that we could do to reduce murkiness in our online lives, like basic labelling of private labels and ‘flanker’ brands. I digress!

It could be that we already have the POWER to do more, but have failed to make use of this potential.

In considering what policy people could do to improve our online experiences and give more power back to people, Canada has a strong and simple precedent that we could remix. It’s Canada’s Anti-Spam Legislation (CASL) and it was created in 2014 (the same year that the Apple Watch launched). What I like about CASL is how it balances appropriate consent for receiving commercial electronic messages (CEMs) with the ability to engage with a firm even if you don’t feel like getting electronic communications from them.

The provisions in CASL basically state that organisations can’t make your consent to their electronic mailing list for marketing a condition of supplying you with their product or service. The legislation is intended to control spam (“unsolicited CEMs”). CEMs are defined as any “electronic messages” - emails, text messages, direct social media messages - that encourage participation in a “commercial activity.”

In addition to anti-spam provisions, CASL includes provisions to combat:

the unauthorised alteration of transmission data; ❌
the installation of computer programs without consent; ❌
false or misleading electronic representations (including websites); ❌
the harvesting of addresses (collective and/or using email or other electronic addresses without permission); and ❌
the collection of personal information by accessing a computer system or electronic device illegally. ❌

Stretching the intention of CASL - “protecting consumers and businesses from the misuse of digital technology” could significantly enhance consumer protection in online environments by introducing new power for people. The simple ability to say: no, thanks.

This would mean that, among other things, you could:

search without self-preferencing algorithms dictating the order of what you see; ✔️
see prices that aren’t tailored to ‘you;’ ✔️
access discounts through loyalty program apps without trading your privacy; and ✔️
return to an online store you’ve shopped at without seeing ‘special’ offers based on your browsing or purchase history. ✔️

If the vibe of CASL is a part of our heritage, are we reluctant to use it elsewhere or ready to rumble?

🏰 Turns out, the rule to not require consent as a condition of service ALREADY EXISTS under PIPEDA. So this is an implementation failure, not a design gap - we simply don’t enforce it. As we build CASLs in the sky we need to get serious about how we are going to fund the enforcement of these ambitious laws. Plus, until now, we have not had penalties that were meaningful, so they couldn’t serve a deterrent function.

Plus, in C-27 (An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts) AKA the Digital Charter Implementation Act, in Section 15 (which is about consent), the proposed legislation clarifies that “an organisation must obtain an individual’s valid consent for the collection, use or disclosure of the individual’s personal information.” Subsection 15(7) (“Consent - provision of a product or service), clarifies that “The organisation must not, as a condition of the provision of a product or service, require an individual to consent to the collection, use or disclosure of their personal information beyond what is necessary to provide the product or service.”

🔎 Let’s zoom in on this language: “beyond what is necessary.” Who decides what is “necessary”?

In the Privacy Commissioner’s investigation into the complaint filed by the CIPPIC against Facebook from 2009, it was found that consent was necessary. Elizabeth Denham, the then Assistant Privacy Commissioner of Canada, “determined that Facebook did not have adequate safeguards in place to prevent unauthorised access by application developers to users’ personal information, and furthermore was not doing enough to ensure that meaningful consent was obtained from individuals for the disclosure of their personal information to application developers.”

Jason Kint @jason_kint

Digging through a court filing in a Meta (Facebook+Instagram+WhatsApp) antitrust lawsuit. Pretty compelling chart to make the point.

But there is a troubling aspect in Denham’s report from ~thirteen years ago. One wonders whether Ms. Denham still shares this view, given her more recent experience dealing with Facebook when she was the UK’s Privacy Commissioner (2016-2021). Here it is:

131. Facebook has a different business model from organizations we have looked at to date. The site is free to users but not to Facebook, which needs the revenues from advertising in order to provide the service. From that perspective, advertising is essential to the provision of the service, and persons who wish to use the service must be willing to receive a certain amount of advertising.

Canada has a strong precedent for establishing express consent online in CASL and seems ready to extend that to consumers in a range of digital solutions through C-27. We should be able to use an online product or service without consenting to supplementary messaging, special offers, tailored or dynamic pricing and other forced trade-offs that compromise our online experiences. I hope that as the legislation is reviewed, we can obtain the meaningful consent of Canadians to expand (and actually enforce) this principle. 🤞