Compliance with Canadian Data Protection Laws: Are Retailers Measuring Up?


EXECUTIVE SUMMARY

The Personal Information Protection and Electronic Documents Act (PIPEDA) was introduced in 2001 to protect Canadians from inappropriate collection, use and disclosure of their personal data by organizations in the course of commercial activities. Five years later, it is not clear to what extent organizations are in fact respecting the legislation. This study was designed to shed some light on that question, by assessing the compliance of retailers with certain key provisions of PIPEDA. We assessed the compliance of 64 online retailers with the PIPEDA requirements for openness, accountability and consent. We also assessed the compliance of 72 online and offline retailers with the PIPEDA requirement for individual access. The results of our assessment indicate widespread non-compliance in all four areas. While almost all companies we assessed had a privacy policy and were thus aware of the need to respect customer privacy, many failed to fulfill even basic statutory requirements such as providing contact information for their privacy officers, clearly stating what they do with consumers' personal information, and responding to access to information requests. A significant proportion of the policies we examined were unclear on key points such as whether or not consumer information is shared with other companies. Many failed to provide a clear and conspicuous method for consumers to opt-out of unnecessary uses and disclosures of their personal information, often relying on a clause buried deep in a lengthy privacy policy that consumers are unlikely to review. A number of policies we examined were misleading, suggesting for example that no secondary use or sharing of personal information would take place without the consumer's explicit consent, but then assuming such consent unless the consumer exercised an often inconspicuous or incomplete opt-out.

The following are key findings from the compliance assessments:

General Practices

Almost all online retailers have privacy policies (94% of our sample), and most post them on their websites (92%). Privacy policies tend to be lengthy: 63% of those in our sample were over 1000 words long, and 35% were over 2000 words long. The vast majority of online retailers (at least 93% of our sample) use personal consumer information ("consumer information") for their own marketing purposes.

A large proportion of online retailers (1/2 to 2/3 of our sample) share consumer information with other companies for purposes beyond those necessary for the transaction or service in question. Only one-third of our sample stated that they do not do so. Only one of the 29 companies in our sample that admitted to sharing consumer information with other organizations restricted its data-sharing to affiliates. A large majority of retailers (78% of our sample) rely on opt-out methods to obtain consumer consent to secondary uses or disclosures of their personal information.

Principle 4.1 - Accountability

Online retailers are doing a poor job of ensuring that front-line staff are aware of the existence of the privacy policy, know who is responsible for it, and can direct inquirers to both the policy and the responsible officer. 68% of companies we contacted took over five minutes, and 22% took over ten minutes, to answer the questions: "Do you have a privacy policy?", "How can I get it?" and "Who in your company is responsible for privacy matters?" 56% of companies we contacted by phone could not provide the name of an individual responsible for privacy when asked. Moreover, 30% of privacy policies we reviewed did not provide contact information for a person responsible for compliance with the policy. Few of the retailers we tested (only 14%) provided consistent contact information for designated privacy officers in their privacy policies and over the phone.

Principle 4.8 - Openness

It is unreasonably difficult for consumers to acquire information over the phone about companies' policies and practices with respect to the management of personal information. As noted above, 68% of companies we contacted took over five minutes, and 22% took over ten minutes, to answer the questions: "Do you have a privacy policy?", "How can I get it?" and "Who in your company is responsible for privacy matters?" Four companies (6%) in our sample had no privacy policy whatsoever. While most online retailers make their privacy policies accessible online, 63% of companies in our sample could not or would not provide a copy by mail, fax or email when requested to do so.

A significant proportion of privacy policies fail the test of clarity, even when tested by people with university education. Although 87% of policies reviewed were considered generally understandable by Assessors, many fewer were found to be clear on key points once Assessors looked more closely. Specifically, Assessors found that companies were unclear about the purpose of collection in 22% of cases, about what personal information they collect in 27% of cases, about how they use the information in 30% of cases, and about to whom they disclose the information in 45% of cases. An even higher proportion of privacy policies were incomplete: 30% did not provide contact information for a privacy officer; 38% made no reference to the consumer's right to access his or her personal information held by the company; 27% did not describe the type of consumer information held by the company; 18% did not describe what the company does with consumer information; 34% of those that admitted to sharing consumer information with other organizations did not describe the type of information that they share; 86% of those that admitted to sharing did not indicate with whom they share consumer information; and the remaining 14% provided examples only.

Principle 4.3 - Consent

Not surprisingly, the vast majority of online retailers we surveyed (78%) rely on opt-out methods, at least in part, to obtain consumer consent for secondary uses and disclosures of their personal information. Only 8% use opt-in methods exclusively, and a surprising 14% do not bother to get consent through any means when customers register or order on their site, even though they admit to secondary uses or disclosures or are unclear on this point. Under PIPEDA, consent must be informed. Yet, 17% of the privacy policies reviewed were unclear about whether the company uses consumer information for marketing purposes, and 18% were unclear about whether the company shares consumer information with other companies. A further 6% of companies did not have privacy policies at all. In 31% of the cases we reviewed, the companies provided no notice via the privacy policy or otherwise during the registration or ordering process. Moreover, during the registration or ordering process, the majority of the 64 companies we assessed (53%) provided notice to customers only via a link to the privacy policy, requiring consumers to visit the privacy policy and read through it for an understanding of what the company does with their personal information. Of these, 56% failed to bring the link to the privacy policy to the customer's attention during the registration or ordering process. We found a number of misleading privacy policies. In particular, of the 60 privacy policies assessed, 18% suggest that the company uses opt-in consent when in fact it relies on opt-out consent. This misleads consumers into thinking that their information will not be used for secondary purposes when in fact it will.

Twenty-nine companies (48% of our sample) admitted to sharing consumer information with other companies for purposes other than the transaction in question (another 11 (18%) were unclear). Yet, ten of these companies (34% of those that clearly share) did not offer consumers a choice regarding this practice during the registration or ordering process. The methods used by many online retailers to obtain consent from consumers do not meet the requirements for valid consent. Of those companies relying on opt-out consent, 50% did so merely via a link to an often lengthy privacy policy as part of the registration or ordering process. In these cases, the majority (52%) failed to bring the link to the privacy policy to the customer's attention. Of those companies that included an opt-out in their privacy policy, 60% buried it inconspicuously in the often lengthy policy. Ten companies in our sample offered fewer opt-out options during the registration or ordering process than via their privacy policies, without any indication to consumers that additional opt-out options were available via the privacy policy. This misleading practice was exacerbated by the fact that none of these companies bothered to bring their privacy policy to the attention of consumers during the registration or ordering process. Of those companies relying on opt-out consent, 50% did not offer an immediate opt-out option as part of the transaction; rather, consumers have to consent against their will initially and then take additional steps to opt-out. In seven cases (11%), the retailer clearly required consent to a secondary purpose in order for the consumer to transact. In none of these cases did the consumer receive any value in exchange for such consent. In an additional 18 cases, Assessors were not sure whether consent to a secondary use or disclosure was mandatory, due to lack of clarity in the privacy policy or an absence of a written privacy policy. Thus, potentially 39% of companies we assessed are violating PIPEDA's "refusal to deal" section.

Principle 4.9 - Individual Access

A large proportion of companies are failing to comply with the PIPEDA requirement to inform individuals of the existence, use and disclosure of their personal information upon request, and to give individuals access to that information. One-third (35%) of the companies we tested did not respond at all to access requests. Of the companies that did respond, 42% failed to provide details about the Requestor's personal information they had on file; 37% provided no account or an inadequate account of how they use the personal information; and 58% did not give a list of companies to whom they have or may have disclosed personal information about the Requestor, despite being specifically asked for this information by the Requestor.