ARTICLE
30 August 2024

Understanding Privacy Policies: Clarifying What They Are Not, And Avoiding Common Misconceptions

McMillan LLP


When it comes to establishing a comprehensive and compliant website, one of the most critical documents is your privacy policy (formally referred to as a “confidentiality policy” under Quebec laws).

Companies that mistakenly conflate their privacy policy with other legal documents may run into trouble by falling afoul of Quebec privacy law requirements or by being exposed to unwanted liability with their users.

In this article, we aim to help you understand the privacy policy by highlighting what it is not, and thereby help you avoid common misconceptions and pitfalls.

1. A privacy policy is not the same as Terms of Use

One common misconception is that a company's Terms of Use (“ToU”) posted on their website adequately covers all their legal bases with their users, including privacy. However, this is not the case. The ToU is very different from a privacy policy. Here's how:

To start with, a company's ToU refers to the legal framework applicable to the access and use of the company's website and includes terms and conditions covering both the company's and the user's rights, obligations, responsibilities, prohibitions, and disclaimers, among other things. In essence, the ToU represents a legally binding “contract” between the company and a user navigating its website.

On the other hand, a privacy policy is a document designed to specifically inform users how the company collects, processes, and handles personal information through technological means.[1] Typically, the privacy policy will provide users with an explanation of what personal information the company may collect and how it uses, stores, and protects such information.

Quebec law not only imposes an obligation on companies to post a privacy policy on their website when they collect personal information by technological means, but also mandates them to include specific information in their privacy policy, such as the contact information of the company's privacy officer, and more. In this respect, a privacy policy represents a legally mandated “disclosure” document and a “transparency” tool designed to inform users about their privacy rights and how their personal information is collected and handled by the company.

2. A privacy policy is not a privacy governance policy

While a privacy governance policy, also referred to as a data protection policy or personal information protection policy (“Privacy Governance Policy”), is related to a privacy policy, it has a very different purpose.

A Privacy Governance Policy refers to a company document setting out specific technical, physical, and organizational measures taken by the company to protect personal information in its possession from data breaches, unauthorized use and access, or loss. The Privacy Governance Policy generally targets the company's personnel, contractors, and other stakeholders.

Under Quebec privacy laws, companies must establish and implement governance policies and practices regarding personal information to protect any personal information in their possession. More specifically, the Privacy Governance Policy represents a framework (i) for the keeping and destruction of personal information; (ii) to define the roles and responsibilities of a company's personnel handling personal information throughout its life cycle; and (iii) providing a process for dealing with complaints regarding the protection of the information.[2]

In contrast, the privacy policy is a public-facing document informing the public about the company's practices relating to the collection, processing, and handling of personal information.

However, a privacy policy intersects with a Privacy Governance Policy as Quebec privacy laws require companies to provide detailed information about their Privacy Governance Policies, in clear and simple terms, on their website.[3] As such, companies will include details about their Privacy Governance Policies within their privacy policy published on their website.

3. A privacy policy is not the same as getting express consent

It is tempting for companies to assume that a user's express consent to collect and process personal information can be used as a substitute for a privacy policy. This, unfortunately, is not the case.

A user's express consent to collect and process personal information for a particular purpose means precisely that. The user is specifically “authorizing” the company to collect the personal information requested and process it as disclosed. For example, a company may obtain users' express consent to collect their personal information for marketing and promotional purposes. This authorization does not alleviate the company's obligation to post a privacy policy on its website, which provides a detailed overview of its privacy policies and practices.

A privacy policy refers to a document that outlines how a company collects, uses, stores, and protects personal information obtained from its users, customers, clients, or other stakeholders. This document is not designed to obtain express consent from a user; its primary purpose is to provide clear and accessible information, letting users know how their personal information is managed and giving them control over their privacy.

4. A privacy policy is not a cookie policy

With the rise of data protection regulations, cookies have become a focal point in privacy discussions. However, it is essential to distinguish between a privacy policy and a cookie policy.

A cookie policy is a document that explains how cookies and similar tracking technologies are used on a company's website. It typically details what types of cookies are used, their purpose, how they enable companies to collect information, and how users can manage their preferences.

On the flip side, while a privacy policy may reference the use of cookies by a company, it covers a broader scope, including all aspects of personal information collection and processing, not just through cookies but through all interactions with the company. In this manner, you can consider a cookie policy to represent a subset of a privacy policy.

Although a cookie policy is highly relevant to collecting personal information, companies should be cautioned that it does not serve the same purpose as a comprehensive privacy policy.

5. A privacy policy is not a legal disclaimer

Legal disclaimers are often found on websites, covering a range of issues from liability to intellectual property rights. However, they are not a substitute for a privacy policy.

Legal disclaimers generally limit a company's liability for the use of its website and provide notices regarding the user's legal rights and responsibilities. The primary purpose of the disclaimer is to protect the company from liability. Conversely, a privacy policy is about transparency and user rights relating to their personal information.

Using a legal disclaimer in place of a privacy policy can expose the company to legal risks, as one cannot be used in lieu of the other.

Conclusion

We hope that you have a better comprehension of what a privacy policy is by understanding what it is not.

Your privacy policy presents your privacy commitments to the general public and serves as a promise to your users as to how their personal information will be collected and treated.

Make sure your privacy policy stands alone, clear, and distinct from other policies, not only to fully comply with Quebec laws but also to build trust with your users and various stakeholders.

Footnotes

1. Article 8.2 of the Act respecting the protection of personal information in the private sector, CQLR c. P-39.1.

2. Article 3.2 of the Act respecting the protection of personal information in the private sector, CQLR c. P-39.1.

3. Article 3.2, par. 2 of the Act respecting the protection of personal information in the private sector, CQLR c. P-39.1.

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2024
