The Office of the Privacy Commissioner of Canada recently
announced the results of an international "sweep" of more
than 2,000 online privacy policies.
The sweep, which was part of a coordinated effort undertaken
together with 18 other global privacy enforcement authorities,
focused on the importance of transparency and providing individuals
with the information they require to make meaningful decisions in
exercising control over their own information.
The OPC itself undertook a review of the privacy policies on
more than 300 websites. Key trends identified by the OPC were
summarized as follows:
cases because it was buried in a lengthy Legal Notice or in the
Terms and Conditions.
Approximately 20% of sites reviewed either failed to list a
privacy contact or made it difficult to find contact information
for a privacy officer. In one case, website users were invited to
send privacy questions by email, yet no email address could be
More than 20% of privacy policies raised concerns about the
relevance of the information provided. For example, some simply
quoted portions of Canada's federal private sector privacy law,
the Personal Information Protection and Electronic Documents
Act (PIPEDA), verbatim instead of explaining how personal
information is actually collected and used.
The best policies were described as being consumer-oriented,
providing information that real people would actually want to know
and would find helpful. These policies struck the appropriate
balance between transparency and concision.
A feature common to many of the "bad" policies was a
legalistic approach, such as repeating language found in PIPEDA or
merely claiming compliance with legislation while providing very
limited information of actual interest to readers.
Also highlighted was the failure by approximately 20% of sites
reviewed to identify a privacy contact or make it easy to find
applicable contact information.
Examples of the "ugly":
websites with no privacy policies (10%);
websites with hard-to-find privacy policies; and
websites with privacy policies that offered "so little
transparency to customers and site visitors that the sites may as
well have said nothing on the subject."
Key Points to Remember
The sweep highlights a number of key points for all
organizations to remember:
The OPC is adopting an increasingly proactive role in
identifying privacy compliance challenges. This includes
identifying organizations with poor privacy practices when this is
deemed to be in the public interest.
Transparency is critical. Individuals need to receive the
information they require to make meaningful decisions in exercising
control over their own information.
Striking an appropriate balance between meaningful disclosure
of your privacy practices and concise language is also critical.
Providing too much information or information that is not
accessible to consumers will not meet the OPC's standards.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.