The Office of the Privacy Commissioner of Canada recently
announced the results of an international "sweep" of more
than 2,000 online privacy policies.
The sweep, which was part of a coordinated effort undertaken
together with 18 other global privacy enforcement authorities,
focused on the importance of transparency and providing individuals
with the information they require to make meaningful decisions in
exercising control over their own information.
The OPC itself undertook a review of the privacy policies on
more than 300 websites. Key trends identified by the OPC were
summarized as follows:
cases because it was buried in a lengthy Legal Notice or in the
Terms and Conditions.
Approximately 20% of sites reviewed either failed to list a
privacy contact or made it difficult to find contact information
for a privacy officer. In one case, website users were invited to
send privacy questions by email, yet no email address could be
More than 20% of privacy policies raised concerns about the
relevance of the information provided. For example, some simply
quoted portions of Canada's federal private sector privacy law,
the Personal Information Protection and Electronic Documents
Act (PIPEDA), verbatim instead of explaining how personal
information is actually collected and used.
The best policies were described as being consumer-oriented,
providing information that real people would actually want to know
and would find helpful. These policies struck the appropriate
balance between transparency and concision.
A feature common to many of the "bad" policies was a
legalistic approach, such as repeating language found in PIPEDA or
merely claiming compliance with legislation while providing very
limited information of actual interest to readers.
Also highlighted was the failure by approximately 20% of sites
reviewed to identify a privacy contact or make it easy to find
applicable contact information.
Examples of the "ugly":
websites with no privacy policies (10%);
websites with hard-to-find privacy policies; and
websites with privacy policies that offered "so little
transparency to customers and site visitors that the sites may as
well have said nothing on the subject."
Key Points to Remember
The sweep highlights a number of key points for all
organizations to remember:
The OPC is adopting an increasingly proactive role in
identifying privacy compliance challenges. This includes
identifying organizations with poor privacy practices when this is
deemed to be in the public interest.
Transparency is critical. Individuals need to receive the
information they require to make meaningful decisions in exercising
control over their own information.
Striking an appropriate balance between meaningful disclosure
of your privacy practices and concise language is also critical.
Providing too much information or information that is not
accessible to consumers will not meet the OPC's standards.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).