January 22, 2018

Building Trust: Establishing An Effective Privacy Policy

Over the last year, high-profile data breaches affecting thousands of Canadians have raised concerns over businesses’ privacy practices. Questions surrounding companies’ handling of personal information are becoming more prominent in the minds of consumers. Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), which governs the privacy practices of many businesses in Canada, sets out personal information handling requirements built on pillars of accountability and consent.

In particular, PIPEDA requires compliance with the ten key privacy principles of the Model Code for the Protection of Personal Information developed by the Canadian Standards Association. One of the fundamental principles is openness, which requires organizations to provide information to the public about policies and practices relating to the management of personal information. The openness principle requires businesses to include information on who is accountable for the organization’s policies and practices and to whom complaints can be forwarded. Details on gaining access to personal information, a description of the type of personal information held by the organization, and disclosure of personal information made available to related organizations must also be provided.

While establishing a privacy policy is an obligation under PIPEDA, it is also key to building trust with consumers. A company’s approach to privacy can either build or hamper consumer confidence in that company. In fact, various studies have established a link between a company’s privacy policy and consumer trust. Yet many businesses do not dedicate sufficient resources or time to developing an effective privacy policy.

In 2013, the Office of the Privacy Commissioner of Canada (OPC), the mandated guardian of privacy in Canada responsible for enforcing PIPEDA, participated in an international privacy sweep which involved assessing the online privacy policies of Canadian businesses. The sweep found major shortcomings in the privacy policies of Canadian businesses, ranging from no privacy policy at all to lengthy and overly legalistic policies. Five years later, businesses’ privacy policies remain a key area of concern in the minds of stakeholders and from the perspective of the OPC.

Finding information on a business’s privacy practices usually involves scrolling to the bottom of the business’s website homepage and clicking on a link that takes you to the business’s privacy policy. Oftentimes, consumers skip over online privacy policies due to their length and complexity. Yet, privacy laws require consumers to understand what they are consenting to and online privacy policies are often a key (and only) mechanism for obtaining informed consent.

When privacy policies are overly technical, legalistic, or lengthy, they hinder the intention behind establishing a privacy policy in the first place. By the same token, when privacy policies are a few sentences in length, they cannot possibly provide a consumer with sufficient information to make a meaningful decision regarding consent. There is an obvious balancing act between establishing a clear, user-friendly privacy policy and ensuring that sufficient information about the collection, use, and disclosure of information is provided.

In finding the appropriate balance between user-friendliness and providing sufficient information, practical guidance can be gleaned from reviewing the published summaries of investigations conducted by the OPC on businesses’ privacy practices. For instance, in one investigation, a web-based company learned that it must identify specific retention periods and the reasons for such retention periods (for instance, disclosing the fact that contact information is retained for 7 years to comply with the Income Tax Act). In another investigation, an airline company learned that it must inform customers through its privacy policy that it may provide personal information to third parties contracted to perform functions on its behalf (in the case of the airline company, information was shared with a third party to conduct surveys on behalf of the airline). Such lessons can be useful for businesses trying to determine what information to include and what level of detail is required in their privacy policies.

Beyond information contained in OPC investigations, the OPC has published a wealth of information, including guidelines on establishing an effective privacy policy as well as a helpful privacy toolkit for businesses. Most recently, consultations wrapped up on OPC guidelines for obtaining meaningful online consent. In its draft guidelines, the OPC has developed seven key guiding principles for online consent, which include:

(1) emphasizing key elements about the collection, use, and disclosure of personal information;

(2) allowing individuals to control the level of detail regarding information practices by presenting information in a layered format;

(3) providing consumers with a clear option to say “yes” or “no”;

(4) being innovative (i.e. no one-size-fits all approach);

(5) considering the consumer’s perspective by making the information user-friendly;

(6) ensuring the effectiveness of consent processes; and

(7) making consent an ongoing process.

The development of these guidelines stems from the recognition that establishing privacy policies and obtaining meaningful consent from consumers is becoming increasingly challenging in this digital age.

While determining how to present information on privacy practices may be somewhat challenging and, at times, unclear, what is clear is that a business’s privacy policy should not be a standard, one-size-fits-all document lacking real substance. A privacy policy should reflect a business’s actual practices, mechanisms, and measures put in place on the collection, use, and disclosure of customer information.

An important starting point for a business developing a privacy policy is the appointment of a privacy officer. Businesses governed by PIPEDA are required to appoint an individual responsible for privacy management – this is an element of the accountability principle contained in the Model Code for the Protection of Personal Information. A privacy officer should not simply be a title without substance or integrity. Instead, a privacy officer’s role is vital to establishing accountability within an organization. Developing a privacy program involves training employees and ensuring that procedures are in place to protect personal information and respond to complaints. In turn, a business’s privacy policy is its declaration to consumers that it has implemented an effective privacy program and has carefully considered the manner in which personal information will be handled. Accountability, as established through the development of a privacy program, goes hand in hand with openness, achieved through the availability of a company’s privacy policy.

When accountability and openness related to privacy practices are not built into the fabric of an organization, the risk of a privacy breach, and the related erosion of consumer confidence, is high. Privacy breaches and an ineffective response to a privacy breach can destroy consumer confidence and cause serious damage to a brand. Take, for instance, the recent example of the Uber 2016 data hack involving the personal information of millions of users across the globe, which was only disclosed in late 2017 after an initial cover-up by the company. Uber’s failure to disclose the data breach has led to government investigations, lawsuits, and the erosion of consumer trust.

Growing concerns over the handling of Canadians’ information have led to OPC recommendations to strengthen enforcement mechanisms, including mandatory disclosure of breaches and fines for non-compliance. While such measures, if introduced, may persuade more businesses to ensure they are compliant with privacy laws, the biggest incentive for businesses should be their long-term viability, which depends, in large part, on consumer trust. Businesses depend on consumer confidence to forge ongoing loyalty to a brand. One poorly handled data breach can destroy a brand.

Given the importance of privacy in an increasingly digital world, companies ought to carefully consider their privacy policies. Establishing an effective privacy policy that is backed up by meaningful internal procedures and practices makes sense from a business perspective. Developing a clear privacy policy is a mechanism for building trust with consumers; it is an opportunity for a business to show that it values, and understands the importance of, the privacy of its consumers.