As a business owner, it’s essential that you ensure that your digital properties, like your business website or app, are compliant with governing laws. Under the Personal Information Protection and Electronic Documents Act (PIPEDA), commercial organizations in Canada must follow certain requirements when it comes to the use of their users’ personal information. This includes informing users about what information they’re collecting and how they’re using it. The document that outlines the use of this information is called a privacy policy, and it should be easily accessible to the website’s users.
What is a privacy policy?
A privacy policy is a legal document or statement that describes, in plain language, how that organization collects, uses, and distributes its users’ personal data. This should include not only the type of personal data being collected but also the method of collection (for example, through user-submitted forms or essential cookies). The aim of this policy is to give users more transparency and control over how their personal data is handled.
The most common personal data includes:
- Name
- Age
- Address
- ID numbers (e.g. passport)
- IP address
- Billing and credit card information
- Additional personal information (race, marital status, nationality, religion, blood type and more)
Each website’s privacy policy should speak directly to the use of user information for that site. It may include additional information on how user-generated content is used (e.g. photos or videos uploaded to the site), as well as subjective information gathered from user comments or profiles.
A site’s policy should also be made easily apparent to its users. It often includes language stating that, by reading it and/or continuing to use the site, the user is providing their consent.
Having a privacy policy is not just a best practice; it is a legal requirement for businesses. The law that enforces a business’s policy depends on the location of the business and its customers. Canadian organizations governed by PIPEDA may be fined up to $100,000 CAD for offences.
Canadian laws related to privacy policies
PIPEDA is the Canadian law that governs data privacy for private sector organizations “that collect, use or disclose personal information in the course of a commercial activity”.
What businesses are subject to PIPEDA?
PIPEDA applies to most commercial businesses in Canada, with the exception of those maintaining operations solely in Alberta, British Columbia and Quebec. Those provinces each have their own provincial equivalents that govern data privacy in the region.
If a business handles information across either provincial or national borders, it is subject to PIPEDA, even if it is based in a province with its own legislation.
Any federally-regulated business is always subject to PIPEDA.
The 10 fair information principles of PIPEDA
Under PIPEDA, any personal data collected must be only “for purposes that a reasonable person would consider appropriate in the circumstances”. To determine these appropriate circumstances, there are 10 principles that form the ground rules. They are:
- Accountability: The business is responsible for the personal data it collects and must appoint someone to be accountable for its compliance with PIPEDA.
- Identifying purposes: The reason the personal data is being collected must be made clear before or at the time it is being collected.
- Consent: The user must be notified and provide consent to their personal data collection.
- Limiting collection: The collection of data must be for the purposes that have been identified in the privacy policy.
- Limiting use, disclosure and retention: The user’s personal data should only be disclosed or used for the purposes identified in the privacy policy, and should only be stored as long as necessary to serve those purposes.
- Accuracy: In order to satisfy the purposes for which the personal data is collected, it should be updated and accurate.
- Safeguards: Appropriate cybersecurity measures should be in place to protect users’ personal data.
- Openness: Information about the privacy policy should be made easily available.
- Individual access: A user should be able to access and challenge the accuracy of the personal data collected about them.
- Challenging compliance: Individuals have the right to challenge a business with the Chief Privacy Officer if they believe it is not compliant with PIPEDA.
The Office of the Privacy Commissioner (OPC) makes it easy to find the right contact for your privacy concern. Use the online tool here.
Benefits of privacy policies for businesses
While creating a privacy policy may seem like tedious legality, there are benefits to you, the business owner.
- Transparency: Privacy policies promote transparency and trust between your business and customers or users.
- Limits liability: Should a dispute between you and a customer or user arise, you can point to your policy and the user’s acceptance as a legal defence. This is especially helpful when express consent is given by a user clicking an “I Agree” button.
- Futureproofing: A privacy policy not only limits your liability in the present, but it creates a foundation for growth and security in the future, too.
- Professional image: A privacy policy makes your business website look and feel more legitimate (in addition to satisfying important laws).
How to create a privacy policy
When creating your business’s privacy policy, you may choose to write your own, or consult with a contract lawyer.
Consulting with a lawyer is obviously going to cost you, and when it comes to drafting your own? Don’t even think about it—you will lose hours of time and have to deal with the stress of wondering whether or not it was done correctly.
When you become an Ownr Managed Corporation Plan customer, you can access privacy policy templates, along with a whole host of other legal documents, as part of our legal library. They’re flexible and accurate, so you can save time, money, and stress.
If writing your own policy, remember to use plain language that’s easily understood by your users. You may want to review the privacy policies of businesses like yours, but avoid copying verbatim as that would constitute copyright infringement.
Depending on the complexity of your privacy policy, it may be worth consulting with a legal professional to ensure your business is compliant.
Key elements of a privacy policy
To begin, your privacy policy should include whether or not you collect personal data. Even if you do not, you should still include a privacy policy which states that personal data is not collected.
Additionally, your privacy policy may include:
- User data: The data you collect and how it will be collected.
- User tracking: Information on user tracking including the types of cookies collected or any other tracking methods.
- Data usage: How that data will be used, and if it will be sold or shared.
- Data protection and storage: How long the data will be stored for, and any cybersecurity measures in place to protect it.
- Company information: Further information about your company, including who to contact for questions or concerns regarding the privacy policy.
- Opt-in/out: The privacy policy should provide the option and instructions for users who wish to opt-out.
Key takeaways about privacy policies
What’s essential to a privacy policy is that it is clear, easy to understand and simple for users to find. Including it as a popup banner with express consent needed is the best way to ensure that a user has seen and read it.
It’s also a good idea to link to other key legal documents on your site from your privacy policy, such as your business’s terms of use policy.
Remember, a privacy policy is required by law, and businesses that fail to include one may be fined up to $100,000 for non-compliance under PIPEDA.
What is a privacy policy FAQs
Can I write my own privacy policy?
Yes, you can write your own privacy policy, but we recommend consulting a legal professional, especially if your circumstances are complex and involve the collection of large amounts of personal data. You may also consider using a generator as a starting point to create your policy.
Why is it important to have a privacy policy?
Beyond it being a legitimate legal requirement for your business, it’s important to have a privacy policy in order to maintain transparency for your business’s use of personal data. This helps legitimize your business and will build trust with your users and customers. These policies outline the personal data you collect and how, and may limit your organization’s liability in a dispute.
What is the meaning of a privacy policy?
A privacy policy is a legal document that outlines exactly what personal data your website collects about users, and the way in which that data will be stored, shared and used. It should be clear, free of jargon and easily found on a website in order to maintain transparency between the organization and the user.
This article offers general information only, is current as of the date of publication, and is not intended as legal, financial or other professional advice. A professional advisor should be consulted regarding your specific situation. While the information presented is believed to be factual and current, its accuracy is not guaranteed and it should not be regarded as a complete analysis of the subjects discussed. All expressions of opinion reflect the judgment of the author(s) as of the date of publication and are subject to change. No endorsement of any third parties or their advice, opinions, information, products or services is expressly given or implied by RBC Ventures Inc. or its affiliates.