Four Tips for Keeping Your Company Compliant With Canadian Privacy Laws
Recently the Office of the Privacy Commissioner of Canada, Canada’s main privacy watchdog, indicated that the behavior of Canadian online advertisers will be subject to increased scrutiny, announcing a project aimed at studying privacy compliance in behavioral advertising, a practice which targets ads at individuals based on their browsing history.
The main purpose of this project will be to look at whether Canadian online advertisers engaging in the practice are complying with applicable privacy laws.
While it remains to be seen whether the project will lead to any regulatory changes, it serves as a useful reminder that privacy remains one of the most contentious and quickly evolving aspects of Canadian law, and it’s never a bad idea to ask yourself whether your company is doing everything it can to ensure it stays in compliance with applicable privacy legislation. To that end, below are a few tips and best practices for ensuring your company stays within the bounds of such laws.
1. Pay Attention to What Information Your Company Collects
It is very important that you pay close attention to exactly what information your company collects from the public. Canadian privacy laws place significant limits on the type of personal information companies can collect.
Companies must disclose the purpose for which they are collecting personal information, and may only collect information that is necessary to achieve that purpose. Further, information cannot be collected for any purpose a company chooses, but instead may only be collected for a purpose that a reasonable person would consider appropriate.
This means that companies cannot collect information from the public indiscriminately, and instead need to be able to provide a clear justification for all the information they collect. Usually this means relating the collection to a reasonable business purpose.
For example, it will generally be reasonable for a company that sells products online to collect customer addresses and credit card information to process those sales. However, if the company also asks customers to provide their marital status or SIN to complete the sale, it may potentially run into issues down the road unless it can show it had a reasonable and appropriate purpose for collecting this information.
In order to remain in compliance with privacy legislation, you should thus always be aware of not only what information your company collects, but also why you collect it. If you find it difficult to come up with reasonable business justification for why your company collects a given category of information, you may want to consider whether that information should be collected at all.
2. Be Open About The Information You Collect
One of the fundamental principles underlying Canadian privacy legislation is the requirement for consent before information is collected. Both federal and provincial legislation generally require members of the public give consent before a company may collect their information (consent may be express or implied depending on the circumstances).
However, individuals cannot give meaningful consent to the collection of their personal information unless they know why their information is being collected and what will be done with it. Any company that collects private information from the public thus needs to disclose in a clear and forthright manner the purpose for which information is collected and how the information will be handled.
One good way to accomplish this is through having a public privacy policy. Such a policy does not have to be 5,000 words long or written in legalese (in fact it’s probably better if it’s not). A policy that explains briefly and in plain English what information your company collects, why it collects it, and what you will do with it can go a long way ensuring your customers have enough information to make an informed choice about whether to disclose their personal information to you and thus keep you in compliance with your obligations under applicable privacy laws. (However, having such a policy in place will not always be enough, by itself, to obtain consent.
For instance, if the information your company is collecting is particularly sensitive, it may be necessary to have additional safeguards in place such as requiring that individuals actively confirm their consent before you collect the information).
3. Develop Internal Policies and Practices to Deal With Privacy Issues
Having privacy policies and procedures in place at your company is not just a best practice, but a legal requirement, as Canadian privacy legislation expressly requires companies to design and implement policies and practices to meet their privacy obligations. Making a privacy policy available to the public on your website may not be enough to meet this requirement, and companies should also have internal policies and procedures fully addressing their obligations under the legislation, and train staff in how those policies should be followed.
Having such policies in place will not only help you deal with your privacy obligations on a day to day basis, but may also be useful in defending your company if you are ever subject to a complaint or scrutiny by privacy regulators.
Beyond fulfilling your duties under the legislation, sitting down and drafting such policies can be beneficial to your company by turning your attention to privacy issues you may not have otherwise considered. For a smaller company that operates with few formal procedures, sitting down and establishing some basic policies and procedures addressing matters like what information your company will collect, how that information will be stored, and how to respond to complaints or inquires from the public will go a long way towards ensuring that the company remains in compliance with applicable legislation and potentially avoids more serious problems down the road.
Here it’s also worth keeping in mind that while all policies must address certain core issues, the scope and detail of the policies each company requires will vary, and a small startup with only a few employees will generally not need binders upon binders of policies spelling out procedures for every possible eventuality in minute detail.
4. Appoint a Designated Privacy Officer
In addition to requiring the development of internal privacy policies, both federal and provincial privacy legislation require companies to expressly designate an individual who will be responsible for the organization’s compliance with privacy legislation. Your company may also need to make this person’s identity and contact information available to regulators and in some circumstances to the general public.
This role can be assigned to any existing member of your team, as there is no requirement that the individual be specifically hired for this position or that they focus 100% of their time on privacy issues. However, the responsibilities of this role should not be underestimated, and it’s important that the person you appoint is the right fit for the job.
You should keep in mind that your privacy officer will usually be the first person anyone outside your company contacts when they have a privacy issue, from a member of the public who is unhappy with how their information is being handled to a regulator from a government agency. The privacy officer will also have a wide range of responsibilities, from answering questions about your company’s privacy policies, dealing with public complaints, answering information access requests (some legislation gives individuals the right to request their personal information from your company) and dealing with regulators.
It is important that the person you designate have both a thorough understanding of your company’s legal obligations and internal privacy policies, as well as the interpersonal and administrative skills necessary for the job.
The above is of course by no means a comprehensive list of everything your company needs to do to make sure it is compliant with Canadian privacy laws. Indeed the laws in this area are evolving at a brisk pace (by legal standards) as the legislature and regulators try to catch up with changes in technology, and compliance with privacy legislation will continue to be a challenge for Canadian businesses for the foreseeable future. However, simply being alive to privacy issues in your everyday decision making and taking steps to remedy any major gaps in your internal privacy procedures you can a long way towards ensuring that your company remains compliant with privacy legislation, and steers clear of potentially costly regulatory issues down the road.
Note: This article contains general advice presented educational purposes and does not represent legal advice.