The importance of having a privacy policy in Canada and what makes a good one

Privacy policy documents cannot simply be copied and pasted. You might be asking, “When was the last time an internet or mobile application user read a privacy policy before accepting it?” It may seem trivial, but if you are a business owner who runs a website or online application and collects user data, having a poorly written privacy policy could lead to a significant fine of up to $100,000 as per PIPEDA. By law, businesses need to be accountable for the user information they collect.

What is PIPEDA? 

The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to all private organizations in Canada that collect, use or disclose personal information in a commercial activity. PIPEDA also applies if you are a Canadian organization undertaking business outside the country. In addition to PIPEDA, there are province-specific privacy laws that must be taken into consideration as well.

How do I find out if I am collecting user information in accordance with PIPEDA? 

As per the Office of the Privacy Commissioner of Canada, the following information is all considered personal information: 

  • age, name, ID numbers, income, ethnic origin, or blood type; 
  • opinions, evaluations, comments, social status, or disciplinary actions; and 
  • employee files, credit records, loan records, medical records, the existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs). 

What makes a good privacy policy? 

A good privacy policy outlines all aspects of a business in simple, plain language. It gives the user transparency about the information being collected and the third parties involved. The policy will explain the privacy choices users have with respect to data collection, data storage, data access and data opt-out. A strong privacy policy will be very detailed.

Should I get the privacy policy reviewed by a lawyer? 

Yes. A lawyer's review protects and future-proofs your business with regard to data privacy compliance. Reviewing with a lawyer also ensures that provincial privacy laws and other business/industry-specific policies are added to the document. Privacy policies should be reviewed regularly to ensure the language remains up to date with changing laws.

CEO Law is a technology-enabled law firm that is challenging traditional law’s status quo. As part of our document generation solution, you can create customized legal documents (including a privacy policy) for a fraction of the price that it would typically cost a lawyer to draft them. A list of available documents can be found here. 
