The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Sunday, January 28, 2007
In Computerworld, Jay Cline asks "Are Privacy Notices Worthless?".
In my not so humble opinion, most of them are. Too many are overly long and full of legalese that is meaningless to most of the prospective readers. Too many are simply a regurgitation of blue sky principles that don't provide any information.
In many cases, they are referred to as "privacy policies". I prefer to call them privacy statements, since they are supposed to communicate with customers. Policies are those things in thick three-ring binders in the back office.
What's the real purpose of a privacy statement? At least in Canada, it is part of the openness requirement in PIPEDA:
4.8 An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
Organizations shall be open about their policies and practices with respect to the management of personal information. Individuals shall be able to acquire information about an organization’s policies and practices without unreasonable effort. This information shall be made available in a form that is generally understandable.
The information made available shall include(a) the name or title, and the address, of the person who is accountable for the organization’s policies and practices and to whom complaints or inquiries can be forwarded;
(b) the means of gaining access to personal information held by the organization;
(c) a description of the type of personal information held by the organization, including a general account of its use;
(d) a copy of any brochures or other information that explain the organization’s policies, standards, or codes; and
(e) what personal information is made available to related organizations (e.g., subsidiaries).
An organization may make information on its policies and practices available in a variety of ways. The method chosen depends on the nature of its business and other considerations. For example, an organization may choose to make brochures available in its place of business, mail information to its customers, provide online access, or establish a toll-free telephone number.
If your statement doesn't contain that minimum, go back to the beginning.
However, privacy statements are more than that. Companies really need to think about who is going to read it and under what circumstances. Just because very few people read them doesn't mean that we should underestimate their importance.
When someone actually takes the time to read the statement, they are usually either upset about something or actually care about privacy and want to know how you handle personal information. This customer can become a real problem and your privacy statement is your first (and perhaps last) opportunity to keep them as a customer and prevent any problems from arising. (On a purely practical level, the customer who reads the statement is one who cares about privacy and these are the kinds of customers than can become difficult.)
If a customer wants to know how you handle personal information, make it staggeringly easy by spelling it out in your privacy statement. If you don't, they will go somewhere else or will ask one of your employees. A privacy statement is an opportunity to clearly answer that question in a very controlled way. The trend towards layered privacy statements, or those with a snapshot summary at the top is a good way to provide a quick answer to the customer without forcing them to wade through details that may not be relevant to them.
If a customer has a problem or a potential complaint, a clear and meaningful privacy statement will go a long way to providing some comfort. If it's full of legalese, the customer becomes less trusting and increasingly alienated. The statement should answer their question and lead them quickly to the resolution they are looking for. If not, they'll be madder when they finally reach the right person.
Your privacy statement should not be worthless. You should treat it as an important communication opportunity with your customers. It is perhaps the first and last chance to keep your customer and to avoid an unpleasant complaint.
And, as an aside, privacy should permeate all aspects of your business. If you ask customers to input information online, make sure that the form includes explanations about why you are looking for the information and what will be done with it. If you actually operate in the real world, train employees to explain without prompting what information is used for. If you don't provide an explanation, customers will assume the worst.
Of course, you should also treat it like a contract with your customers and follow it accordingly. The FTC in the United States considers not following your privacy statement to be an unfair trade practice and imposes penalties accordingly.
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.