Businesses who collect their customers’ data online need to be clear and transparent in their privacy policies or risk breaking privacy laws, says Jennifer Stoddart, the federal privacy commissioner.
From May 6 to 12, federal privacy authorities in 19 countries worldwide are checking out major corporations’ Web sites to gauge the transparency of their privacy policies. Privacy authorities will each take one day to do an informal inspection of whichever Web sites it chooses as part of a campaign by the Global Privacy Enforcement Network.
Here in Canada, Stoddart spearheaded a campaign on Monday to check the privacy policies of about 200 of the most visited Web sites in Canada, as well as the ones belonging to large Canadian businesses that regularly deal with customers.
Stoddart and other employees in her office tried to look at the Web sites from the perspective of average consumers, rather than as privacy experts, although they did use a ratings guide to ensure consistency. While some Web sites clearly took pains to make their privacy policies clear and understandable, others were disappointing, she said.
“We’re just looking at our findings, but in a more impressionistic way, immediately what did we see? [An] absence of privacy policies,” she said. “Or privacy policies that were really long and unreadable to the average person. Full of legalese, technical language, very uncongenial to try and deal with. Some amazingly that were just a few lines or throwaways.”
Some Web sites also didn’t feature any contact information, meaning that if consumers have questions regarding privacy concerns, they won’t be able to reach anyone or file a complaint.
Stoddart added that many companies employ technical, legal jargon to try to cover themselves as much as possible and to not be liable to legal action. Yet laws demanding clear and understandable privacy policies have been in place in Canada since 2003, so there is no excuse for companies to remain non-compliant.
And the concern is a growing one – in January, the Office of the Privacy Commissioner released a study that polled 1,500 Canadians on privacy issues. More than 60 per cent of respondents were concerned about the protection of their privacy, while 25 per cent reported feeling extremely concerned. Seventy per cent said they feel their personal information is less protected than it was 10 years ago.
Stoddart’s office hasn’t decided how to proceed yet, but in the wake of its report, it may reach out to company Web sites to demand better-worded privacy policies. And if sites refuse to comply, she said she isn’t ruling out auditing and investigating them, or even revealing their names to the public. There is also the possibility of enforcement and prosecution in federal courts.
The privacy commissioner’s office will release a report on its findings in the next few weeks. A more international comparison between the 19 countries should be available in July.
While smaller businesses were unlikely to have been inspected on Monday, SMBs should treat this week as a call to clearly flesh out their privacy policies, Stoddart said.
Here are some things SMBs can do to ensure their privacy policies make the grade:
- Sites should state, in ordinary words, what personal information will be collected
- Why personal information is collected
- How personal information will be used
- Who personal information will be shared with
- How Canadians can access their own personal information on the Web site
- How Canadians can opt out from sharing their personal information with the company
SMBs can also use this online tool to figure out what they need to do to be compliant with current privacy laws.
“The privacy policy has to be written for the consumer. It’s not to limit the liability of the company,” she said. “People have the right to know what’s happening with their personal information.”
“I think a good rule of thumb is that if an ordinary person can understand this easily and quickly, then probably the privacy policy is effective.”