Internet Privacy Laws in Canada

Protecting the Privacy of Your Customers Online

© Barb Mosher

It's important that business owners understand Canadian privacy laws and how they affect their website and their relationship with their customers.

There was a time when the internet was a free and wild place to hang. Businesses put up websites and asked customers for all kinds of information to give them access to special sections, information or promotions. Then they would turn around and sell that information to other companies, who might start to spam customers with requests, sales pitches and other things customers generally didn’t want. Today, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) is in place to protect customer rights and personal information.

PIPEDA is a code that was developed by the Canadian Standards Association in the late 90’s. It contains 10 principles of fair information practices. Companies conducting business in Canada are required to abide by this act.

PIPEDA Definitions

These definitions are defined in the PIPEDA Act:

The 10 Principles of PIPEDA

This article will not go into detail on all 10 principles; instead, it shows how some of the principles apply to designing websites. To read and understand the full act, visit the Government of Canada website.

The 10 principles of PIPEDA are as follows:

  1. Accountability
  2. Identifying Purposes
  3. Consent
  4. Limiting Collection
  5. Limiting use, disclosure and retention
  6. Accuracy
  7. Safeguards
  8. Openness
  9. Individual Access
  10. Provide Recourse

Accountability

Most organizations have identified a compliance officer to have overall responsibility for privacy in a company. This person should be working with the owners as they develop their new website or as they run their current website to ensure they are following all the policies and procedures defined for protecting privacy in their organization.

If companies have sections of their site that are restricted based on some kind of registration, or if they offer products or services (like newsletters) via online subscription, then it’s important to ask these questions as they develop their registration forms:

By asking the questions above, companies are able to ensure they are adhering to the next several principles.

Identify Purpose

When collecting information, owners must identify either at the time of collection or before they actually start collecting it what they are using the information for. They must clearly explain why they need it and how it’s used by their company or other companies they disclose it to.

So at the beginning of every online form, companies must clearly spell out what the form is for, why they need the information and what they are going to do with it.

Obtain Consent

Checkboxes at the end of online forms that request customer agreement to the terms and conditions, or that confirm that customers have read and agree with the privacy statement from the company, are created to obtain consent online. Companies need to carefully store this information, the date it was given and what it was given for.

Companies need to have a privacy statement that outlines their privacy policies and procedures and what a person can do if they feel those policies have been violated. Companies' privacy statements can also indicate how a person can find out exactly what information is being stored about them. The privacy statement helps with all the principles in PIPEDA and is a critical part of any business' website.

Limit Collection

It’s important to only ask for the information the company needs to provide the product or service to the customer/visitor. Asking for things the company doesn’t need is a violation of the act and of a person’s privacy.

This is information that the company needs to carefully store and look after, so companies don’t want to be responsible for a lot of information they don’t even need or really use.

Limiting Use, Disclosure and Retention

Some online forms contain checkboxes that ask if a customer's email can be given to partners so that they can share important news about products or services the customer may be interested in. This is a way of requesting permission for a company to disclose a customer's information to others.

Another thing to think about is how long the company needs to keep the information collected. Companies must specify this in their privacy statement and then follow it, keeping it no longer than they have to.

Final Thoughts

This has been a brief overview of how to apply the Canadian Privacy Act PIPEDA to a company's website. Following these principles can make potential and current customers feel safer and more secure dealing with a company, and it will save companies a lot of grief if someone decides to complain.

The US also has privacy laws for US-based companies. Companies doing business on both sides of the border should try to understand US privacy laws as well and see if they can comply with both, protecting both their US and Canadian customer base.


The copyright of the article Internet Privacy Laws in Canada in Website Design is owned by Barb Mosher. Permission to republish Internet Privacy Laws in Canada must be granted by the author in writing.



