Top five mistakes when drafting website privacy policies
Many organizations remain very broad in their website privacy policies about how they use the information they collect. The recent Bill S-4, the Digital Privacy Act, the federal government’s latest attempt to reform PIPEDA, was proclaimed last month and proposes a revised “valid consent” provision (PIPEDA, s. 6.1) that shifts from a subjective standard to a more objective standard. To make the consent meaningful, the purposes must now be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed. An individual’s consent to the collection, use or disclosure of his or her personal information is valid only “if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.”
Given that this section aims to ensure that privacy policies of organizations covered by PIPEDA clearly and directly inform individuals about their practices, organizations should review their policies to ensure compliance with this new requirement.
Since many organizations have similar website policies, and since most of these policies include similar mistakes in the way that they are drafted, I have detailed below the top five mistakes that are most commonly made when drafting website privacy policies:
- Providing a wrong definition of “personal information”
Section 2 of PIPEDA defines personal information as “information about an identifiable individual (…)” and substantially similar provincial laws have similar definitions. Many website privacy policies provide a definition of personal information that differs from the definition provided by PIPEDA. It is always risky to do so, since the law still governs information which qualifies as “personal” and organizations have a legal obligation to be transparent and explain their practices with regard to such information.
The definition of “personal information” used in some website policies may also be more stringent than “information about an identifiable individual” (for example, a policy specifying that personal information is “any information that can be used to identify, locate or contact you”), in which case the organization could be said to have committed contractually to collect and use this additional type of information in the way described in the policy, although it does not have a legal obligation to do so.
- Presuming that technical information is not personal information
Many website privacy policies will exclude information collected using electronic means and will not consider it personal information (or PII): “When you visit our website, our servers automatically record non-personally identifiable information that your browser sends”.
Information is about an “identifiable individual” where there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other information (see Gordon v. Canada (Health)). Also, in Canada, an Internet Protocol (IP) address can be considered personal information if it can be associated with an identifiable individual. The Office of the Privacy Commissioner of Canada (OPC) has issued a few decisions on this issue: PIPEDA Case Summary #25, PIPEDA Case Summary #315, PIPEDA Case Summary #319, and PIPEDA Case Summary #2009-010. In 2013, the Technology Analysis Branch of the OPC also prepared a report entitled “What an IP Address Can Reveal About You”, which explains the type of personal information that may be collected through or connected to IP addresses.
Bottom line, the situation is much more nuanced than “information collected using electronic means is not personal information”, and some of the information collected may well be considered personal information if the organization has the ability to link it back to online users or if this information will be used in Online Behavioral Advertising (OBA), as discussed below.
- Presuming that OBA profiles are not personal information
In many website privacy policies, profiles used for OBA purposes are treated as non-personal information (e.g. “We may also use this non-personally identifiable information to help us show advertisements that are more likely to be relevant to you”). The rationale is probably that the name of the individual behind the OBA profile is not necessarily known to the organization operating the website. Still, the OPC articulated the view in its Policy Position on Online Behavioral Marketing Guidelines in June 2012 that OBA profiles should be considered personal information:
Taking a broad, contextual view of the definition of personal information, the OPC will generally consider information collected for the purpose of OBA to be personal information, given: the fact that the purpose behind collecting information is to create profiles of individuals that in turn permit the serving of targeted ads; the powerful means available for gathering and analyzing disparate bits of data and the serious possibility of identifying affected individuals; and the potentially highly personalized nature of the resulting advertising.
It is also worth keeping in mind that the OPC has tended to interpret “personal information” as broadly as possible and is usually inclined to regard information as personal even if there is the smallest potential for it to be about an identifiable individual. Moreover, information will be “about” an individual not only when that individual is its subject, but also when it relates to or concerns the individual, according to Canada (Information Commissioner) v. Canada (Transportation Accident Investigation and Safety Board) and Dagg v. Canada (Minister of Finance).
- Providing a wrong definition of “sensitive information”
Many website policies mention that they do not collect sensitive information “such as health or financial information”. In Europe, Directive 95/46/EC acknowledges under article 8 that certain categories of personal information (more specifically the ones “revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life”) are more privacy sensitive.
In Canada, there is no such list of information considered sensitive by nature. Under PIPEDA, sensitivity is often contextual: “Although some information (…) is almost always considered to be sensitive, any information can be sensitive, depending on the context.” I blogged on the issue of “what is sensitive information?” a few months ago, explaining that one thing to keep in mind is that web browsing information should usually be considered sensitive information.
- Including a right to modify the policy by simply posting the new terms
This content has been updated on July 6, 2015 at 20 h 36 min.