Compliance with Canadian Data Protection Laws: Are Retailers Measuring Up?

EXECUTIVE SUMMARY

The Personal Information Protection and Electronic Documents Act (PIPEDA) was introduced in 2001 to protect Canadians from inappropriate collection, use and disclosure of their personal data by organizations in the course of commercial activities. Five years later, it is not clear to what extent organizations are in fact respecting the legislation. This study was designed to shed some light on that question, by assessing the compliance of retailers with certain key provisions of PIPEDA. We assessed the compliance of 64 online retailers with the PIPEDA requirements for openness, accountability and consent. We also assessed the compliance of 72 online and offline retailers with the PIPEDA requirement for individual access.

The results of our assessment indicate widespread non-compliance in all four areas. While almost all companies we assessed had a privacy policy and were thus aware of the need to respect customer privacy, many failed to fulfill even basic statutory requirements such as providing contact information for their privacy officers, clearly stating what they do with consumers' personal information, and responding to access to information requests. A significant proportion of the policies we examined were unclear on key points such as whether or not consumer information is shared with other companies. Many failed to provide a clear and conspicuous method for consumers to opt-out of unnecessary uses and disclosures of their personal information, often relying on a clause buried deep in a lengthy privacy policy that consumers are unlikely to review. A number of policies we examined were misleading, suggesting for example that no secondary use or sharing of personal information would take place without the consumer's explicit consent, but then assuming such consent unless the consumer exercised an often inconspicuous or incomplete opt-out.
The following are key findings from the compliance assessments:

General Practices

Almost all online retailers have privacy policies (94% of our sample), and most post them on their websites (92%). Privacy policies tend to be lengthy: 63% of those in our sample were over 1000 words long, and 35% were over 2000 words long. The vast majority of online retailers (at least 93% of our sample) use personal consumer information ("consumer information") for their own marketing purposes.

A large proportion of online retailers (1/2 to 2/3 of our sample) share consumer information with other companies for purposes beyond those necessary for the transaction or service in question. Only one-third of our sample stated that they do not do so. Only one of the 29 companies in our sample that admitted to sharing consumer information with other organizations restricted its data-sharing to affiliates. A large majority of retailers (78% of our sample) rely on opt-out methods to obtain consumer consent to secondary uses or disclosures of their personal information.

Principle 4.1 - Accountability

Online retailers are doing a poor job of ensuring that front-line staff are aware of the existence of the privacy policy, know who is responsible for it, and can direct inquirers to both the policy and the responsible officer. 68% of companies we contacted took over five minutes, and 22% took over ten minutes, to answer the questions: "Do you have a privacy policy?", "How can I get it?" and "Who in your company is responsible for privacy matters?" 56% of companies we contacted by phone could not provide the name of an individual responsible for privacy when asked. Moreover, 30% of privacy policies we reviewed did not provide contact information for a person responsible for compliance with the policy. Few of the retailers we tested (only 14%) provided consistent contact information for designated privacy officers in their privacy policies and over the phone.

Principle 4.8 - Openness

It is unreasonably difficult for consumers to acquire information over the phone about companies' policies and practices with respect to the management of personal information. As noted above, 68% of companies we contacted took over five minutes, and 22% took over ten minutes, to answer the questions: "Do you have a privacy policy?", "How can I get it?" and "Who in your company is responsible for privacy matters?" Four companies (6%) in our sample had no privacy policy whatsoever. While most online retailers make their privacy policies accessible online, 63% of companies in our sample could not or would not provide a copy by mail, fax or email when requested to do so.
A significant proportion of privacy policies fail the test of clarity, even when tested by people with university education. Although 87% of policies reviewed were considered generally understandable by Assessors, many fewer were found to be clear on key points once Assessors looked more closely. Specifically, Assessors found that companies were unclear about the purpose of collection in 22% of cases, about what personal information they collect in 27% of cases, about how they use the information in 30% of cases, and about to whom they disclose the information in 45% of cases. An even higher proportion of privacy policies were incomplete: 30% did not provide contact information for a privacy officer; 38% made no reference to the consumer's right to access his or her personal information held by the company; 27% did not describe the type of consumer information held by the company; 18% did not describe what the company does with consumer information; 34% of those that admitted to sharing consumer information with other organizations did not describe the type of information that they share; 86% of those that admitted to sharing did not indicate with whom they share consumer information; and the remaining 14% provided examples only.

Principle 4.3 - Consent

Not surprisingly, the vast majority of online retailers we surveyed (78%) rely on opt-out methods, at least in part, to obtain consumer consent for secondary uses and disclosures of their personal information. Only 8% use opt-in methods exclusively, and a surprising 14% do not bother to get consent through any means when customers register or order on their site, even though they admit to secondary uses or disclosures or are unclear on this point. Under PIPEDA, consent must be informed. Yet, 17% of the privacy policies reviewed were unclear about whether the company uses consumer information for marketing purposes, and 18% were unclear about whether the company shares consumer information with other companies. A further 6% of companies did not have privacy policies at all. In 31% of the cases we reviewed, the companies provided no notice via the privacy policy or otherwise during the registration or ordering process. Moreover, during the registration or ordering process, the majority of the 64 companies we assessed (53%) provided notice to customers only via a link to the privacy policy, requiring consumers to visit the privacy policy and read through it for an understanding of what the company does with their personal information.
Of these, 56% failed to bring the link to the privacy policy to the customer's attention during the registration or ordering process. We found a number of misleading privacy policies. In particular, of the 60 privacy policies assessed, 18% suggest that the company uses opt-in consent when in fact it relies on opt-out consent. This misleads consumers into thinking that their information will not be used for secondary purposes when in fact it will.

Twenty-nine companies (48% of our sample) admitted to sharing consumer information with other companies for purposes other than the transaction in question (another 11 (18%) were unclear). Yet, ten of these companies (34% of those that clearly share) did not offer consumers a choice regarding this practice during the registration or ordering process. The methods used by many online retailers to obtain consent from consumers do not meet the requirements for valid consent. Of those companies relying on opt-out consent, 50% did so merely via a link to an often lengthy privacy policy as part of the registration or ordering process. In these cases, the majority (52%) failed to bring the link to the privacy policy to the customer's attention. Of those companies that included an opt-out in their privacy policy, 60% buried it inconspicuously in the often lengthy policy. Ten companies in our sample offered fewer opt-out options during the registration or ordering process than via their privacy policies, without any indication to consumers that additional opt-out options were available via the privacy policy. This misleading practice was exacerbated by the fact that none of these companies bothered to bring their privacy policy to the attention of consumers during the registration or ordering process. Of those companies relying on opt-out consent, 50% did not offer an immediate opt-out option as part of the transaction; rather, consumers have to consent against their will initially and then take additional steps to opt-out. In seven cases (11%), the retailer clearly required consent to a secondary purpose in order for the consumer to transact. In none of these cases did the consumer receive any value in exchange for such consent. In an additional 18 cases, Assessors were not sure whether consent to a secondary use or disclosure was mandatory, due to lack of clarity in the privacy policy or an absence of a written privacy policy. Thus, potentially 39% of companies we assessed are violating PIPEDA's "refusal to deal" section.
Principle 4.9 - Individual Access

A large proportion of companies are failing to comply with the PIPEDA requirement to inform individuals of the existence, use and disclosure of their personal information upon request, and to give individuals access to that information. One-third (35%) of the companies we tested did not respond at all to access requests. Of the companies that did respond, 42% failed to provide details about the Requestor's personal information they had on file; 37% provided no account or an inadequate account of how they use the personal information; and 58% did not give a list of companies to whom they have or may have disclosed personal information about the Requestor, despite being specifically asked for this information by the Requestor.