On May 8, the federal, British Columbia, and Alberta privacy commissioners published new guidelines to remind organizations that under Canadian private-sector privacy laws, organizations are required to obtain meaningful consent for the collection, use, and disclosure of personal information.
The guidelines stress individuals have to actually understand what organizations are doing with their information before they can give meaningful consent.
Above all, the guidelines focus on the need for transparency and openness and remind organizations they have to make their personal information policies and practices clear, comprehensive, and easy to find. It's a laudable goal, but is still not happening in practice, especially in the area of privacy policies.
The Office of the Privacy Commissioner has been urging companies for years to more effectively inform individuals about their data gathering practices, using a variety of methods such as online banners, just-in-time notices, layered approaches, and interactive tools like mouse hover pop-ups.
However, most organizations I know rely on privacy policies to meet their regulatory requirements and according to the OPC, are doing a pretty terrible job of it.
Not surprisingly, many privacy policies are either overly vague or legal in tone and substance, which actually helps organizations not to disclose their information usage in any meaningful way to consumers. A 2012 OPC survey found Canadians rarely consult online privacy policies and when they do, often find them unclear.
Only one in five respondents said they either always (six per cent) or often (14 per cent) read privacy policies. Another 29 per cent said they sometimes read privacy policies, while half either rarely (26 per cent) or never (24 per cent) do. Sixty-two per cent of respondents found privacy policies to be either somewhat vague (36 per cent) or very vague (26 per cent). Considering how opaquely some of them are written, I am pleased people are even taking the time to read them.
Conversely, I sometimes see the other side of the coin — very verbose privacy "disclaimers" or "statements" preferred by some American organizations wanting to do business in Canada that contain detailed descriptions of information collection, use, and disclosure that may not be reasonable for stated purposes.
Why are organizations doing such a bad job on their privacy policies? Is it because they cannot be bothered to write clearly and succinctly? (I particularly liked the reference to the article cited in the guidelines that found Internet users would need 244 hours per year to read the privacy policies of the sites they visited). Is it negligent misconduct and a conspiracy on the part of some companies to deliberately obscure their privacy practices? Or just sheer laziness, i.e. forgetting to update them when an organization adds a new service or suddenly hires a third party cloud provider located in another jurisdiction and neglects to mention personal information collected is now sitting in another jurisdiction? Probably a bit of everything, frankly.
I like to remind my clients their policies should be reviewed at least yearly and after any major corporate event or new or changed use of personal information — but not everyone takes me up on my suggestion.
The guidelines reiterate while privacy policies may not be enough to ensure privacy compliance, they should at least ensure individuals receive sufficient information to be able to understand what they are consenting to. This would include:
- what information is being collected, especially if the information is not coming directly from them;
- why information is being collected;
- what will the information be used for;
- who will have access to the information;
- how will the information be safeguarded;
- how long will the information be retained;
- whether individuals can opt out of certain practices, such as behavioural advertising; and
- if information is being shared with third parties:
- what types of third parties;
- what will the third parties be doing with the information; and
- whether the third parties are located in a foreign jurisdiction, and potentially subject to other laws.
Organizations should also present privacy information in an easily understandable and readable way for the average person. This means clear explanations in English not obscure legalese, suitable/age appropriate language, and yes, an easily readable font size — not four-point mouse print.
Organizations have to ensure privacy policies are easily accessible from all devices, including smartphones, tablets, and gaming devices, as well as PCs.
Transparency and consent, indeed.
First published: May 19, 2014, Canadian Lawyer Magazine, "The IT Girl" column (www.canadianlawyermag.com/author/Lisa-R.-Lifshitz.html)
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.