New on my YouTube Channel.
Today I am going to be talking about what privacy policies are really for under Canadian privacy laws.
They are everywhere – on every website – seldom read. But their purpose in Canada is a little misunderstood.
I am going to limit this discussion to Canada’s current federal private sector privacy law, called the Personal Information Protection and Electronic Documents Act or PIPEDA. But most of my comments would be applicable for the “substantially similar” laws in British Columbia and Alberta.
I think most people who follow this sort of stuff know that Canadian private sector privacy law is based on consent – knowledgeable informed consent. There’s often an assumption that the “knowledgeable” and “informed” parts come from people reading privacy policies.
That’s not the way it usually works, however. I think we all know that people seldom read privacy policies. At least based on my own informal polling of my students, fewer people are actually reading privacy policies than ever before.
Let’s look at what the Act actually says about consent. To be informed consent, you have to look at principles 2 and 3 (which are taken from the Canadian Standards Association Model Code for the Protection of Personal Information).
Getting Consent
Principle 2 says
“The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.”
It then goes on and says
“The identified purposes should be specified at or before the time of collection … to the individual from whom the personal information is collected. Depending upon the way in which the information is collected, this can be done orally or in writing. An application form, for example, may give notice of the purposes.”
It does not say that it should be simply set out in a privacy policy.
Principle 3 – Consent
Principle 3 is about consent. It says simply
“The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.”
We can ignore the “except where inappropriate” part because all the exceptions are enumerated in section 7 of the Act.
Principle 3 then goes on and says
“The principle requires “knowledge and consent”.Organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used.
To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.”
Again, it does not say just throw it in the privacy policy.
So you’re really only confident that you have adequate consent if you are confident the individual has actually been apprised of the purposes for the collection, use or disclosure of their personal information.
In most cases, you can’t be confident that any particular visitor to your website has scrolled to the bottom and has even seen the link to a privacy policy, let alone clicked on one.
In some cases, however, you could use the privacy policy to “identify purposes”. That would be if you require a new visitor to or someone who is just creating a new account to read and acknowledge the privacy policy. In that case, you have made the effort to bring all the purposes to the user’s attention.
In other cases, you might give users clear notice that your privacy policy has been updated.
And either making them review it or at least telling them to do so.
So if a privacy policy in Canada isn’t for getting consent, what is it for?
Principle 8 – Openness
To find out, we have to flip forward to the 8th principle, entitled “Openness”.
Spoiler alert – privacy policies in Canada are about being open and transparent. They should also be where you go for answers to any privacy-related questions.
Let’s read Principle 8, starting with the main principle:
“An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.”
It doesn’t come right out and say “thou shalt have a privacy policy”, but it essentially means that.
Subprinciple 8.1 says:
“Organizations shall be open about their policies and practices with respect to the management of personal information. Individuals shall be able to acquire information about an organization’s policies and practices without unreasonable effort. This information shall be made available in a form that is generally understandable.”
Be open about what you do with personal information. Make it really easy to find and make it easy to understand.
There’s then a list of all the additional things that an organization must have in a privacy policy:
The information made available shall include
(a) the name or title, and the address, of the person who is accountable for the organization’s policies and practices and to whom complaints or inquiries can be forwarded;
This essentially means the contact information for the organization’s privacy officer. It doesn’t have to name them, but there has to be a way to reach that person if there are any complaints or any questions.
(b) the means of gaining access to personal information held by the organization;
In Canada, individuals have a right of access to their personal information, subject to some limitations. This means you have to let individuals know about this right and how to exercise it.
I’ll likely do a full video soon on data subject access rights in Canada.
(c) a description of the type of personal information held by the organization, including a general account of its use;
You have to say what information you collect and how you use it.
(d) a copy of any brochures or other information that explain the organization’s policies, standards, or codes; and
This essentially says you have to have a privacy policy to communicate all this information.
(e) what personal information is made available to related organizations (e.g., subsidiaries).
If you share information between related companies, you should call this out here.
Also, the Privacy Commissioner of Canada says that the privacy policy should include information on whether personal information is stored outside of Canada.
Who reads privacy policies?
In my experience, there are only three categories of readers.
Regulators, who want to make sure you have a mature privacy program.
People with questions about the handling of their personal information.
People with concerns or complaints about the handling of their personal information.
Privacy policies should be written with these audiences in mind.
So at the end of the day, what are privacy policies for?
At the very least, they are so you can say you’ve complied with Principle 8.
But what else? It should serve as a reference for anyone who has any questions or concerns about how an organization handles personal information.
Someone reading it should be able to get a handle on what information the organization collects, understand how it is used and know who to contact with any questions or concerns.