The Office of the Privacy Commissioner of Canada recently announced the results of an international “sweep” of more than 2,000 online privacy policies.
The sweep, which was part of a coordinated effort undertaken together with 18 other global privacy enforcement authorities, focused on the importance of transparency and providing individuals with the information they require to make meaningful decisions in exercising control over their own information.
The OPC itself undertook a review of the privacy policies on more than 300 websites. Key trends identified by the OPC were summarized as follows:
Approximately 20% of sites reviewed either failed to list a privacy contact or made it difficult to find contact information for a privacy officer. In one case, website users were invited to send privacy questions by email, yet no email address could be found.
More than 20% of privacy policies raised concerns about the relevance of the information provided. For example, some simply quoted portions of Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), verbatim instead of explaining how personal information is actually collected and used.
A blog post on the OPC’s website (http://blog.priv.gc.ca/index.php/2013/08/13/initial-results-from-our-internet-privacy-sweep-the-good-the-bad-and-the-ugly/) provides specific examples of privacy policies categorized as “The Good, The Bad and The Ugly.”
The best policies were described as being consumer-oriented, providing information that real people would actually want to know and would find helpful. These policies struck the appropriate balance between transparency and concision.
A feature common to many of the “bad” policies was a legalistic approach, such as repeating language found in PIPEDA or merely claiming compliance with legislation while providing very limited information of actual interest to readers.
Also highlighted was the failure by approximately 20% of sites reviewed to identify a privacy contact or make it easy to find applicable contact information.
Examples of the “ugly”:
websites with no privacy policies (10%);
websites with hard-to-find privacy policies; and
websites with privacy policies that offered “so little transparency to customers and site visitors that the sites may as well have said nothing on the subject.”
Key Points to Remember
The sweep highlights a number of key points for all organizations to remember:
The OPC is adopting an increasingly proactive role in identifying privacy compliance challenges. This includes identifying organizations with poor privacy practices when this is deemed to be in the public interest.
Transparency is critical. Individuals need to receive the information they require to make meaningful decisions in exercising control over their own information.
Striking an appropriate balance between meaningful disclosure of your privacy practices and concise language is also critical. Providing too much information or information that is not accessible to consumers will not meet the OPC’s standards.