Thank you for that question, Mr. Lake.
The concern is that we already have language in the law which says that to make a consent meaningful, the purposes must be stated in such a way that the individual can reasonably understand how the information will be used or disclosed. What we're trying to understand is what additional requirement is being proposed under this consent, particularly given that we've already had decisions out of the OPC and guidance issued particularly about vulnerable groups.
The concern is, how far does this go?
I think the industry accepts, particularly when you're dealing with children and youth, that you need to have privacy policies worded in such a way that they would be reasonably understandable by that audience.
But how far does it go? If I have a multitude of sites, and for operational reasons I'd obviously like to have a single privacy policy for each one, how granular do I have to be? If one of my sites is directed at hockey fans, do I have to do survey research to tailor that to hockey fans because they might have a different way of understanding the way things are presented? If I'm a game manufacturer and I have a role-playing game and I have something like Candy Crush and I also have a word game, do I have to have something different for each of those? I think this is what we're concerned about.