In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) governs the collection and use of personal information and how it's protected.
If your business is operating from Canada, learn the best practices to implement for your PIPEDA-compliant Privacy Policy and/or privacy practices.
The PIPEDA Act requires covered organizations and other entities (businesses) to get a user's consent when collecting, using or disclosing that user's personal information.
Whatever personal information you collect from users may only be used for the express purpose for which it was collected and nothing more.
Any additional use outside the original scope requires further consent from the user. Also, users must be assured that the information collector (the business, the website, the mobile app) will reasonably protect their information.
Any commercial activity that uses, collects, or discloses some kind of personal information is covered by the regulations of the PIPEDA Act in Canada.
Commercial activity means any particular transaction, act, conduct, or any regular course of conduct that is commercial in character, including selling, bartering or leasing of donor, membership or fundraising lists.
This inherently includes websites, mobile apps, Facebook apps and desktop apps. If any of these platforms is operated in one of the capacities specified above, it's covered by Canada's Act.
Shopify is based in Canada and their Privacy Policy informs users about what personal information Shopify might be collecting and how they are using that information:
For example:
If a business isn't generating any revenue from a website or mobile app, they still might be covered. If the personal information being gathered from users is used for future website and app development or to improve the experience of users on the website or mobile app, then the website/mobile app's commercial success is indirectly benefiting.
Therefore, it's covered.
Personal information can be a nebulous term. It could be anything that someone finds to be private in nature.
PIPEDA statutorily defines "personal information" to include any factual or subjective information, recorded or not, about an identifiable individual. This includes:
As you can see, PIPEDA's scope of coverage is comprehensive.
Specific categories are excluded from coverage, such as personal information collected solely for artistic, journalistic or literary purposes, and information collected by designated governmental agencies.
Canada's PIPEDA Act establishes a base rule: an overarching obligation to remain responsible for safeguarding personal information and handling it fairly at all times, across the entire organization and in all third-party dealings.
Businesses are required to ensure that any collection, use or disclosure of personal information is for a reasonable purpose only.
Alongside this base rule, Schedule I of PIPEDA lays out 10 Fair Information Principles that businesses must follow to remain in compliance with the Act:
Accountability
Businesses must be accountable. To fulfill this principle, assign an individual from your business to be responsible for active compliance with Canada's PIPEDA Act.
A business should take extra precautions to protect the personal information it collects from users. As a business owner, you should develop a series of policies to keep the collected information protected.
Accountability goes further than a business owner's own actions.
When personal information is shared with any third party, the original information collector remains responsible for any mishandling that results from that interaction.
Shopify (which started in Canada and has a local presence there) informs users that any third party Shopify partners with is required to protect personal information in a manner consistent with Shopify's own Privacy Policy:
It reads:
Shopify may use third party service providers to provide certain services to you and we may share Personal Information with such service providers. We require any company with which we may share Personal Information to protect that data in a manner consistent with this policy and to limit the use of such Personal Information to the performance of services for Shopify.
Identify Purposes
The purpose of collecting a piece of personal information must always be clear.
At the point of collecting any type of information, mention why the information is being gathered and what its purpose will be.
Your Privacy Policy should state why certain types of personal information are collected and what the purpose of the collection is.
Here's how HootSuite, a Canada-based business, informs users in its Privacy Policy about what personal information is collected when new users create an account:
The same applies if you develop a mobile app or a desktop app. Your Privacy Policy should make clear what kind of personal information your app is collecting and why.
Rover, a company based in Toronto, Canada, develops a beacon platform for retailers to use that involves a mobile app as well. Its Privacy Policy informs users about what personal information might be collected and its use:
The clearer the purpose of the information use, the better.
Consent
Under Canada's PIPEDA, informed consent must be meaningful and clear.
Before getting consent from a user, you should explain how the information you'll collect will be used. This shouldn't be done in a deceptive manner.
This requirement can create certain difficulties on mobile apps because of their screen limitations. No reasonable person will actually read and consent to a 50-page consent agreement or a 10-page Privacy Policy on a smartphone screen.
Here's how eBay designed their Privacy Policy on its iOS app:
While the full Privacy Policy of eBay isn't shown on the mobile screen, a user can read the Privacy Policy summary and learn the highlights of eBay's privacy practices on their mobile.
According to PIPEDA, consent must be obtained not only before collecting a piece of information but also kept current and sought again when the use changes. There are several exceptions to this, but they should be relied on only after every other step has been implemented.
Limit Collection
Personal information shouldn't be collected haphazardly and users mustn't be misled on the reasons for which the information is being collected.
The scope of information that's gathered should be narrow and tailored to the exact requirements needed.
Nothing more or less.
Limit Use, Disclosure And Retention
Businesses must use personal information only for the purpose the user agreed to and must keep it only as long as necessary to achieve that purpose.
Once that information is no longer necessary for the purpose it was gathered, it must be destroyed, erased or rendered anonymous.
Information that isn't necessary and is stored indefinitely without purpose creates a needless exposure in the event of a data breach.
Datacratic (based in Canada), in their Privacy Policy, informs users that no personal information is collected while users are browsing their website unless users voluntarily choose to provide certain personal information:
It reads:
Datacratic does not collect any personally identifiable information about you when you visit the Website unless you voluntarily provide this information, for example by contacting us through our email forms (including sending us queries or responding through the Website to our job postings). Personal information collected in these cases may include your name, contact details, email address, telephone number and your resume.
Accuracy
All uses of users' information must be done accurately and appropriately. Personal information records must be kept complete, organized, and as up to date as possible.
Regularly used personal information must be regularly kept up to date.
Safeguards
Personal information that's collected through a website or mobile app must be protected from theft, loss, unauthorized access, disclosure, use, copying or modification regardless of how the information is stored.
The sensitive nature of the information collected, the amount of it and the extent of any breaches of safeguards are all taken into account when considering whether a business has met its duty.
Open Access
The policies must be clear and easily understood by a reasonable layperson.
Checkfront (based in Canada) provides a very easy-to-read Privacy Policy for users to learn what information is being collected and how it is used:
Individual Access
Individuals whose personal information has been used or given have a right to access that information.
Businesses, once requested, must inform users of all information the business has on them and provide full and accurate disclosure on how it's being used.
Challenging Compliance
Finally, businesses must provide some form of complaint procedure for users.
All complaints must be investigated to some capacity and corrective action must be taken if warranted.
How should a business move forward and improve its website or mobile app while adhering to the regulations imposed by PIPEDA?
Below is a series of questions, broken into categories, that should be considered before you decide whether your website or mobile app is market ready.
Consider what information is going to be collected from users:
As maintaining accountability is one of the Fair Information Principles and one of the more important ones, a clear chain of command for responsibility is critical:
Before you publish your Privacy Policy, consider the following:
How the information is collected, used, disclosed and retained must be identified to all parties involved: business, users, third parties, and so on. Key questions to consider here are:
In accordance with PIPEDA, scrutinizing every detail about the regular uses and removal of users' private information will allow the business to be certain that their actions are in compliance with the formal regulation.
Another crucial Fair Information Principle is consent. Appropriately asking for consent from a user is important:
These are some simple questions that can help you when you begin drafting your Privacy Policy.
It's important to note that businesses need to receive legitimate consent from a user regarding the business' privacy practices (and thus consent to the terms of its Privacy Policy). This is called a clickwrap agreement.
Otherwise, the consent to abide by the Privacy Policy might not be enforceable.
Accurate record keeping of information is another important aspect that must be considered:
Remember: any miscommunication about the personal information could result in breaching PIPEDA.
Implementing safeguards to protect the personal information you collect is mandatory:
When the user either requests to access what information was collected or complains about your Privacy Policy, the business must be able to respond appropriately: