The question's excellent, because it illustrates how you can't address privacy in a meaningful fashion with just an upfront consent process, especially for platforms that get more complicated.
There are two approaches to dealing with all sorts of different contexts, not just in the pure technology sector, but even more broadly. One is that in addition to a meaningful drafted notice upfront about what the user should be engaged in, really the most important thing has become twofold. One part is making sure users have appropriate control, and know where they can exercise that control. The other is—and this is an absolutely critical point and the emerging theme over the practice during the last ten years—that we've seen a move from concepts of consent and notice being important parts of privacy protection to the concept of privacy governance and a much more holistic approach to how you address these issues.
I think two or three weeks ago the Office of the Privacy Commissioner of Canada and the Alberta and B.C. privacy regulatory authorities issued a joint 26-page guidance document on their expectations for effective privacy management programs. Those expectations set out obligations for organizations to look at privacy five steps back from the whole range of the life cycle of data but from a risk perspective, in a manner through which they continually improve their practices and address things like controls and transparency. But most importantly, they addressed it in a much more detailed format.
I encourage the committee to refer to that document. There are at least 110 expectations set out that really go to the heart of your question. If companies are relying solely on those long-winded consent forms.... I used to draft those things. I know what they're about. They're not effective for privacy compliance. It's privacy governance that's exactly at the heart of what you're raising.