The Federal, British Columbia and Alberta privacy commissioners published guidelines last month to remind organizations that under Canadian private sector privacy laws, organizations are required to obtain meaningful consent for the collection, use, and disclosure of personal information.
The guidelines stress the need for transparency. Individuals have to actually understand what organizations are doing with their information before they can give meaningful consent. This only occurs with policies and practices that are clear, comprehensive, and easy to find.
The Office of the Privacy Commissioner of Canada (OPCC) has been urging companies for years to more effectively inform individuals about their data gathering practices, using a variety of methods such as online banners, just-in-time notices, layered approaches, and interactive tools like mouse hover pop-ups.
However, most organizations rely on privacy policies to meet their regulatory requirements, and many of those policies are either overly vague or legal in tone and substance, which in practice lets organizations avoid disclosing how they use personal information in any meaningful way. According to a 2012 OPCC survey, Canadians rarely consult online privacy policies (only 14 percent of respondents said they often read them), and when they do, most find them unclear.
The guidelines reiterate that, while privacy policies alone may not be enough to ensure privacy compliance, they should at least give individuals sufficient information to understand what they are consenting to. This would include:
- what information is being collected, especially if the information is not coming directly from the individual;
- why the information is being collected;
- what the information will be used for;
- who will have access to the information;
- how the information will be safeguarded;
- how long the information will be retained;
- whether individuals can opt out of certain practices, such as behavioural advertising; and
- if information is being shared with third parties:
• what types of third parties;
• what the third parties will be doing with the information; and
• whether the third parties are located in a foreign jurisdiction and therefore potentially subject to other laws.
Organizations should also present privacy information in a way that the average person can read and understand. This means clear explanations in plain English rather than obscure legalese, language that is suitable for (and, where relevant, age-appropriate to) the intended audience, and an easily readable font size. Policies should be reviewed at least yearly, and again after any major corporate event or any new or changed use of personal information.