Do I really need a Privacy Statement on my Website?


In 2018, Google and Facebook security breaches and the arrival of GDPR made online privacy a front-page news topic. As a website owner or entrepreneur, how much thought have you put into your own website's privacy policy? If not enough, this article will help you understand privacy policies from a Canadian perspective and provide links to help you create, update, or re-evaluate your own privacy policy.

But first, let’s answer one of the most pressing questions.

Does anyone even read privacy policies?

Let’s be frank: Privacy policies don’t get much attention. A study posted in 2016 from Toronto’s York University showed that 77% of people don’t look at privacy policies at all. In fact, that same study found that as many as 98% of visitors agreed to a Privacy Policy which included a clause to provide their first-born child as payment!

So it is true that very few visitors to your website will take the time to read your Privacy Policy. But that is not the point of having one.

There are 3 main reasons you need a privacy policy on your website:

  1. Increase customer trust: When your visitors or clients become concerned about the privacy of their personal information, they have a resource they can inspect to be reassured. This document helps reinforce their perception of trust for your company or organization.
  2. Reduce risk and liability: By publishing an official document discussing visitor privacy, you’re also taking the first steps towards ensuring you comply with your legal obligations surrounding the management of customer data and are therefore protecting yourself from associated risks surrounding data loss or theft.
  3. Expose organizational weaknesses: By taking the time to write an effective privacy policy, you're taking the time to think about your customers' private data and what you are currently doing to protect it. This exercise is likely to expose a few areas for improvement, some of which you may be able to address quickly with minimal or no additional cost.

Let’s examine the major framework dictating privacy requirements in Canada: PIPEDA

PIPEDA: Canada’s Answer to Privacy Concerns

If you are a Canadian company or you collect the information of your Canadian visitors, then you are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada.

PIPEDA defines personal information and sets out 10 principles that every business needs to address. According to PIPEDA, there are two types of personal information:

  1. Customer, such as financial information and shipping information.
  2. Employee, such as SIN numbers, resumes, and employment records.

Each of the 10 principles is detailed in Schedule 1. For example, principle 3 talks about the need for consent before the collection of personal information and how you can use and dispose of this information. PIPEDA also includes audit and compliance procedures.

If you have either of these two types of information, you need to develop a privacy policy.

The Privacy Commissioner’s website has a guide that walks you through each of the principles and how to address them. There is also an interesting archive of past cases that provides specific examples and how they were addressed.

Other Privacy Considerations for Website Owners

PIPEDA’s 10 principles are wide-ranging, but there are some other fine-grained details that a website owner should be aware of.

Subscribers & Anti-Spam

If you plan to collect emails for a contact list, you will be collecting personal information. You should be aware of Canada’s Anti-Spam Legislation (CASL), which dictates how to gather, maintain and use this type of information. Among other things, this legislation has rules governing consent, how to provide ways to unsubscribe, data protection and explicit use provisions. For a quick look, check out their fast facts page.


Cookies are most commonly used to track a visitor's website activity, often acting as identification cards. While cookies are generally an important part of websites that provide users with useful functionality, they have also caused some concern regarding the privacy of one’s personal information. Due to the different types of cookies and the diversity of information they can collect, the Canadian Government does not require website operators to stop using cookies. Instead, the official directives mention that it is the website visitor's responsibility to manage their cookie preferences:

“To protect your privacy on the web, you need to learn about the cookie controls provided in your browser.”

Want to know more? You can find detailed information on web tracking with cookies within the website for the Office of the Privacy Commissioner of Canada.

Roll-your-own Privacy Policy

Hopefully by now you've understood the importance of having an effective privacy policy. But how do you start creating one that will help make your business compliant with PIPEDA?

Developing a privacy policy and internal procedures is made easier in Canada by reviewing the contents of the PIPEDA compliance help page for businesses, provided by the Privacy Commissioner.

As legislators in Canada and around the world grapple with finding the right balance between enforcement, security, user consent, and access, the legal frameworks will continue to evolve. Thus, your own privacy policy should be reviewed at least once a year.

Have a look at the Government of Canada’s 10 Tips for a Better Online Privacy Policy and Improved Privacy Practice Transparency infographic to get a head start on building your own website’s Privacy Policy. offers a convenient Privacy Policy Generator as well as a template to help you get started on the right foot.

Final Note About Privacy

Other than the legal obligations of a website owner, privacy is an important issue to all members of the online community. Perhaps you stop yourself from speeding through a school zone or littering on the streets because it is illegal, but you probably also see the community benefit.

Building a privacy policy is a way to self-test your online business principles, integrity and values and put privacy “speed limits” on your business.

We need to look out for each other and our data to ensure a thriving internet community in Canada because we all benefit in the end. Just don’t ask for anyone’s first-born children, though!

About the author: Fran Wicks

Guest blogger Fran Wicks is a retired project manager with the federal government and a technology devotee. She has been an enthusiastic member of the internet community since 1998, focussing on website design, content creation and social media. She is also a happy WHC hosting client.
