Carpool Consulting: Consent with Kris Klein (Season 2 Premiere)
0:00
Sharon: Just to change things up a bit, I understand that you like salted roasted almonds as your road trip snack.
0:06
Kris: You just happen to run into me on the street and and happen to have
0:09
Sharon: It's crazy. It's crazy. Like I and I and I know this cuz I've been following you online and listening to everything you've been saying.
0:18
Kris: It’s good profiling
Sharon: So that's how I know like I'm going to ask you this. Salted roasted almonds are like privacy because
0:27
Music
0:34
Sharon: my next guest is such a treat. He is one of Canada's leading advisors on privacy with 25 years of public and private sector experience.
0:42
He's litigated. He's advised on federal regulatory matters.
0:48
And he's even served at the Department of Justice and previously advised the privacy commissioner of Canada on high-profile and sensitive cases.
0:58
Many of you know him as the Canadian leader at IAPP. Let's see if we can get him in the car.
1:05
Hey, need a ride? Come on in.
1:08
Hey Kris, how are you?
Kris: Good. Good.
1:10
Sharon: Thank you so much for coming on Carpool Consulting. This is the evening before
Kris: the big conference
Sharon: the big symposium in Toronto 2026 and I have you in the car.
1:21
That's amazing.
1:22
Kris: Yeah. I don't know that I even have time.
1:24
Sharon: I have a pressing question. This is a question that comes up in every single engagement of mine.
Kris: Yes?
1:29
Sharon: Consent. When do you need it? When do you not? Why do you need it? Is transparency notice enough?
1:36
Kris: Okay. So you have to like let's take a step back and remember that our fair information practices in Canada were developed in 1980 by the OECD.
1:46
They had eight principles then we carved them into 10.
1:51
But one of them was hey if an organization is going to sort of collect and use your information you should consent to it.
2:00
And again, 1980, think about sort of what society was like and and how, you know, we weren't sort of giving our data at every turn at in every second.
2:10
And so it made a lot of sense to sort of yeah, absolutely require consent when an organization is going to uh collect and use your information.
2:18
But fast forward sort of 46, is that 46 years? I'm getting old.
2:21
Uh in in any event, uh the world has changed. It's no longer Stranger Things.
2:26
I I think we have to realize uh in Canada that consent isn't possible in every single situation.
2:33
I mean in Europe they recognized this back eight years ago now uh when they passed GDPR. Consent is one of the lawful bases for processing personal information.
2:42
Sharon: But not the only one
Kris: but not the only one. Right? And there's a recognition now that you can't just force the consumer always to be responsible for saying yes or no, yes or no
2:50
because that's all we end up doing is always saying yes.
2:57
Just think of uh cookie banners and and how many times in a day do you click I accept, I accept or
Sharon: you just want to move on.
3:00
Let's let's just go. Let me use this app already.
3:06
Kris: Exactly. If the organization is applying a cookie to force me to click I agree is a it's meaningless cuz they're not obtaining my meaningful consent.
3:15
Most people go yes because we have a reasonable expectation that what they're going to do with the cookie is not harmful to us
3:21
and in fact it might be beneficial to us or or at least it it has some societal benefit.
3:30
It's it's to improve the website or it's to make the organization more efficient or to offer a better service or whatnot.
3:37
So it's this idea of sort of doing good with data.
Sharon: So some people may argue and they may say well it's also to collect information about you
3:45
and share it with a third party who will target you with advertisement which is probably not nefarious like it's an advertisement
3:53
But some people feel like I I don't want you to target me and you try to influence my thoughts
4:00
Kris: Right, so so on that on that I think what you have to do is is when you are um collecting someone's personal information online advertising is a perfect example,
4:10
you have to provide a means of transparency and to allow the the individual to say, "Hey, I'm not a Toronto Maple Leafs fan." I don't know, Sharon, are you a Toronto? You better not be cuz we can't be friends
4:21
So, so Ottawa Senators all the way. Yeah. All the way. But, but so, yeah, like when I go I go to the newspapers every morning.
4:29
It's the first thing I do. And the ads I see
Sharon: Oh, sorry. Sorry. The news like online
Kris: online.
Sharon: Okay. I was glad.
Kris: No, no, no.
4:36
Sharon: I was like, what? How old are you?
4:38
Kris: Uh, so I go and the first, uh, banner I see is, you know, Brady Tkachuk or Tim Stützle trying to get me to buy more tickets
4:46
and I'm like, I've already bought my tickets. So, uh, but in any event, I prefer that ad over, you know, uh, Nylander or Auston Matthews trying to get me to buy Leafs tickets.
4:55
That would be sort of that would make me angry. So, so I don't mind a little bit of targeted advertising.
5:03
Now, the point being though is that like if somebody did make a mistake and used my information, sort of maybe they used an algorithm that didn't work well and they did give me a Maple Leafs ad,
5:12
I want to be able to go in and say that's not me. I I want to opt out.
5:16
And we do have this. Now, the industry can do better at teaching people on how to sort of, you know, click that little icon.
5:23
But but I think I think there's a lot of good that is done with data. And and if you're transparent and you give people options to sort of manipulate it to their own likings, then then I think
5:33
that's that's the way to go. And I'm not saying that we get rid of consent entirely. Uh for example, if you want to use my medical information to do a study,
5:41
uh I think in in many instances that that's the type of thing where it's like it's very sensitive information.
5:48
It's not really for the purpose of helping me at all, but it's for some other societal benefit. I still think I should have a say in in saying yes or no to my information being used for that particular type of thing.
6:00
Say it. It's similar like there are different things, medical information, financial information,
6:05
and the sensitivity is depending is dependent on the context.
6:10
Sharon: Can I ask a question? This is a pressing one for some of my clients. Biometrics and facial recognition especially in retail stores
6:18
So we know and there have been decisions that you must get express consent
6:25
in order to use uh facial recognition collect biometrics which is impossible.
6:30
You cannot ask everyone entering your store can you just check here. So would that be a legitimate interest
6:37
for the purpose of loss prevention and safety or would would consent uh be required in that situation?
6:45
Kris: So your example I think is awesome in the sense that it
6:52
shows it shows how um our our reasonable expectations change and they change over time.
6:56
It's a double-edged sword because I I don't want to say that our reasonable expectations of privacy are just going to
7:00
sort of eventually become nothing as this technology sort of keeps on proliferating.
7:06
However, I think right now uh facial recognition is is uh is seen and is perceived as being like uh kind of sort of creepy.
7:16
It's that scene from Minority Report where he walks into the Gap. And we're not there yet, but but you know, maybe in in 26 years we'll we'll be there.
7:22
And maybe in 26 years we'll have enough rules, guidance, policies, procedures to suggest to organizations
7:30
when it is okay to use that technology and when it isn't. And just because the retailer can tell, you know,
7:39
certain characteristics about me doesn't just in and of itself make that sensitive. It depends on sort of the context and what's happening to it and everything like that.
7:49
Sharon: That leads me perfectly, thank you very much, to my next question.
7:54
So, the regulators are always talking about this mysterious character in privacy that I've never met or seen or know who it is, and that is the reasonable person. Who the hell is the reasonable person?
8:05
Kris: Yeah.
Sharon: Who is it?
8:06
Kris: Funny story. Uh, okay. So again, I'm showing my age, but uh in the mid-1990s, I'm sort of fresh out of law school
8:13
and I would go as often as I could to hear the regulator sort of speak about sort of how what was important in this new law
8:22
And the regulator back then uh was a was a character named George uh Radwanski. And uh George was a great speech giver.
8:29
He was very animated. And in his mind, PIPEDA had three main requirements. One was an organization had to provide access
8:37
Fair enough. One, the second one was that an organization always had to have the person's consent, which again late 1990s maybe, okay, we can we can debate the need for that.
8:45
But but then third, and and I loved it. He he would go uh the third thing you have to do is act in a way that the reasonable person would consider appropriate in the circumstance
8:56
And then he'd pause and he'd go, "And who is the reasonable person?"
9:00
Sharon: Exactly. Exactly. Thank you
Kris: And but then he'd pause again and the room's like, "Is he going to answer?" And and then he'd go,
9:08
"I am the reasonable person."
Sharon: What? He is not the reasonable person.
9:12
Kris: No.
Sharon: And then he knows he set the test for what a reasonable person is. He can't be it.
9:17
Kris: That's exactly it. Okay. He didn't.
9:21
His office came up with um a test for what is what is a reasonable uh like what uh would a reasonable person consider appropriate?
9:31
Has this sort of four-part test. We owe a great debt of uh gratitude to Carman Baggaley who was a policy adviser at the OPC at the time
9:39
and uh again it was a video camera case that came before the OPC. Carman was asked you know like let's not analyze this case through the lens of consent.
9:50
Let's analyze this case through the lens of is it reasonable? What does a reasonable person think? And they came up with this four-part test. Now the the case is Eastmond.
9:58
It went on to court and the court looked at the OPC four-part test and and ultimately sort of said
10:07
that's a great test, that's a fantastic test. And so since 2004, we've been using this four-part test to determine what uh what is reasonable and what isn't.
10:15
I think us in the industry, we know it and and like it looks like this four-part test is even going to be codified in the law that will replace PIPEDA.
10:24
Like as as you know we had parliament tried to introduce a law uh to replace PIPEDA it's sort of since died
10:31
but part of that law was the codification of the four-part test now the issue is I think
10:38
and and I and I think you you would agree here is that in the industry we can always go to the four-part test and we can point our clients to the four-part test and everything
10:46
but but when I'm sitting around the dinner table with my in-laws or with my children my adult children and and we get into the discussion as to sort of
10:54
is, is this reasonable or not? Uh they don't know the four-part test and and and in their mind they are the reasonable person.
11:02
Sharon: Right. Exactly.
Kris: And and and this is why I think I I think we have to have something something even more than the reasonable person test.
11:09
Something more than consent. We have to have this idea that when organizations use our data
11:17
that it is done for an ethical reason that it's that it serves a good purpose.
11:23
And the purpose doesn't have to be beneficial to the individual. It it but but it otherwise has to sort of be something that is worthwhile.
11:32
And and like right here on this, I'll I'll just use the uh the the case that was decided about a year ago now or is it 2 years?
Sharon: About two years. Yeah.
11:40
Kris: About Home Depot.
Sharon: Yeah.
Kris: You know, an instance where I'm at the checkout and the clerk says, "Uh, do you want an email receipt?" And I say, "Yeah, cuz I hate scanning paper receipts."
11:48
Um, and this is where Home Depot sort of made a mistake because they were essentially not being transparent.
11:56
And this to me is the reason why they should have got in trouble. But instead instead of just using the email address to email the receipt,
12:05
they were then sort of checking whether or not any of their online ads were placed to the individual who owned that email address to sort of determine if you know,
12:15
okay, we're spending a million dollars on these online ads. Like, are they working?
12:21
Sharon: Is there a conversion rate online in in store purchases?
12:25
Kris: Yeah. So am I am I sort of uh wasting my money or is it you know is it worthwhile to spend on these online platforms
12:33
and I think you know that is a perfectly legitimate use of data. It's like a a business wants to know
12:40
that it is spending its advertising money properly and and again like it to me that's a legitimate use. There's no harm to the individual
12:48
particularly because of the way it was technically done. Like there was very very almost no personally identifiable information that was that was being used in this ROI exercise.
12:56
And then like I'm quite certain in Europe because of the legitimate interest
13:02
use uh that it Home Depot would have been sort of like no one would have even complained about what Home Depot was doing.
13:09
But here in Canada because uh of the need for meaningful consent and the lack of consent here for using the information for this purpose then then it was sort of seen as offside.
13:20
I'm not excusing the fact that Home Depot wasn't transparent and that was the mistake.
13:24
What I am suggesting is that it was a good use of data and this 1980s concept of always needing the customer to consent to everything
13:32
got in the way of a a reason like a perfectly reasonable business practice.
13:40
Sharon: Kris, thank you so much. It is such a treat to have you in the car, especially hours before the conference.
Kris: Yes, I know. I got to get going.
Sharon: Okay. Yeah. Well, thank you.
13:47
Kris: Okay. Thank you, Sharon.
Sharon: Okay. Bye-bye. Bye. Amazing.
13:54
Kris: And you're what do you call it?
Sharon: Car carpool consulting. Carpool consulting. What do you mean? You don't know?
13:59
You don't watch every single episode.
Kris: I can't I I I try to watch as many and I I did I did catch um I
14:06
thought it was very good when Pat Kosseim, Pat Kosseim, joined you.
14:10
Oh man. Very good. You should
Sharon: the Vitamin Water.
14:13
Kris: Oh yes, that's funny.
Sharon: Yeah, that was hilarious. Yeah.