The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.


Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Sunday, November 20, 2005

Who is reading your privacy statement and why? 

I've written loads of privacy statements and have probably reviewed five times as many since I started practicing privacy law. One of the first things that the writer of a privacy statement has to ask is, "who is the intended audience?" "Our customers" is invariably the reply. That's a start and gets you part-way there. I've found that not many people read privacy statements. Most are aware they exist, but don't care.

The main audience for privacy statements is almost always a subset of your customers: those who are privacy aware, those who have a specific question and those who are really upset about something. There's a secondary audience, too: regulators (such as the privacy commissioner), privacy activists and journalists who are looking for a "gotcha!". Writers of privacy statements need to keep this in mind.

Your privacy statement may make your lawyer happy and may be legally correct, but writing it in legalese and burying important provisions in the text are actually counter-productive. Nobody in your intended audience appreciates this, and doing so actually undermines whatever good stuff may be in your policy.

From time to time, journalists and columnists read the privacy policies from the companies with whom they deal and are often surprised with what they find. That certainly was the case with Nicole Brodeur of the Seattle Times, who took a gander at the Starbucks privacy policy and wrote a column for today's paper:

The Seattle Times: Local News: Your life is theirs to share:

Thought you were just getting a happy holiday Peppermint Mocha from Starbucks?

If you paid for it with a Starbucks card, you weren't so much warming yourself up as opening yourself up to a world where your personal information is traded like animal skins. After years of surfing, searching and shopping online, I took the time to read the coffee company's just-revised privacy policy, which opens by stressing the company's "foundation of trust."

A later paragraph made me wonder: "Unless permitted by law, no personal information is collected, without first obtaining your consent for the collection, use and sharing of that information."

Fine, but read on: "The provision of personal information to Starbucks means that you agree and consent that we may collect, use, and share your personal information in accordance with this privacy policy."

In other words, the simple act of giving personal information is implied consent for Starbucks to share that information with its "consultants, strategic partners, agents, distributors, suppliers, contractors and other companies," as well as third-party, credit-card processors, mailing houses, Web hosts and e-mail vendors.

That's a lot of people to share a couple of pounds of Christmas Blend with, isn't it?

Indeed, Starbucks is as connected as Santa. The company sees where you are surfing. It knows when you're online. It knows just what you bought for whom, so be patient as you try to "opt out." ...

The "problematic" paragraph in the policy reads:

Our website may also share information with companies that provide support services to us (such as credit card processors, mailing houses or web hosts) or that help us market our products and services (such as email vendors). These companies may need information about you in order to perform their functions. These companies are not authorized to use the information we share with them for any other purpose.

Frankly, all of this "sharing" of information is entirely reasonable (if you pay with Visa, that transaction won't process itself and Starbucks ain't your bank), but you can easily see how an upset customer or someone looking to make a story can read this paragraph to suggest they throw your personal information to the four winds.

If you have the task in your organization of writing or updating your privacy statement, be very aware of who will be reading it and how it can be interpreted.



The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.