Consent is indeed one of the methods for protecting consumers. It's the method that has mainly been used in this bill. Something else could have been chosen, and other protection standards could have been added, but what we still have here is legislation that hinges on consent. Consent can be a method that operates to protect consumers in the digital environment and enables them to control their information, provided that consent is effective and can genuinely be useful to consumers.
Bill C-27 poses a problem with regard to related exceptions to the requirement of consent. We feel that those exceptions are too broad. The exception that concerns us most is the one provided under clause 18, for the purpose of business activities and legitimate interest. This is an exception that we consider too broad. We find it hard to understand how it can be consistent with the implicit consent that already exists. We therefore suggest deleting clause 18, which would allow businesses too much leeway to use consumers' information without their consent.
You also mentioned pop-up windows at the start of your question. It seems to me you're referring to the concept of consent fatigue, which occurs as a result of being constantly asked to give your consent. People are bombarded with demands and requests for consent, and we're aware of this concern about consent fatigue.
We think that businesses should show some creativity. The bill should also offer effective solutions enabling consumers to express a blanket refusal to be tracked online. When we go onto various websites, mobile apps and tech company platforms, our privacy and data are permanently captured for those businesses to use for commercial and other purposes. The current method is to have us consent singly to each business when pop-up windows appear.
The solution we suggest in our brief is that we instead create mechanisms enabling consumers to state a blanket refusal to allow their browsing data or other personal information to be transmitted to any companies with which they do business. This is what we call the "do not track" mechanism, which is already available in web browsers but isn't recognized by businesses. We propose that businesses be required to recognize this kind of signal or parameter that, with one click, enables people to send a blanket refusal to provide their personal information. This would put an end to the consent fatigue we all dislike.