Top five mistakes when drafting website privacy policies


Many organizations remain very broad in their website privacy policies about the use made of the information collected. Bill S-4, the Digital Privacy Act, the federal government’s latest attempt to reform PIPEDA, was proclaimed last month and proposes a revised “valid consent” provision (PIPEDA, s. 6.1), shifting from a subjective standard to a more objective standard. To make the consent meaningful, the purposes must now be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed. An individual’s consent to the collection, use or disclosure of his or her personal information is valid only “if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.”

Given that this section aims to ensure that privacy policies of organizations covered by PIPEDA clearly and directly inform individuals about their practices, organizations should review their policies to ensure compliance with this new requirement.

Since many organizations have similar website policies, and since most of these policies include similar mistakes in the way that they are drafted, I have detailed below the top five mistakes that are most commonly made when drafting website privacy policies:

  1. Providing a wrong definition of “personal information”

Section 2 of PIPEDA defines personal information as “information about an identifiable individual (…)” and substantially similar provincial laws have similar definitions. Many website privacy policies provide a definition of personal information which is different from the definition provided by PIPEDA. It is always risky to do so, since the law still governs information which qualifies as “personal” and organizations have a legal obligation to be transparent and explain their practices with regard to such information.

The definition of “personal information” used in some website policies may be less stringent than “information about an identifiable individual”, in which case the organization may be breaching the applicable laws since it is not being transparent about how it collects and uses certain types of information which are considered “personal information” under applicable laws. Moreover, in Canada, certain provincial data protection laws do not provide for an “employee business contact” exemption and publicly available information is still considered “personal information”, so this type of information should not be automatically excluded from the application of a website policy. Also, the following type of statement: “We do not and cannot use cookies to retrieve your personally identifiable information, like name or Social Security or credit card numbers” wrongly implies that personal information is usually a name, a social security number or a credit card number, which is not the case, as it is much more broadly defined.

The definition of “personal information” used in some website policies may also be more stringent than “information about an identifiable individual” (for example, a policy specifying that personal information is “any information that can be used to identify, locate or contact you”), in which case the organization could be said to have committed contractually to collect and use this additional type of information in the way described in the policy, although it does not have a legal obligation to do so.

  2. Presuming that technical information is not personal information

Many website privacy policies will exclude information collected using electronic means and will not consider it personal information (or PII): “When you visit our website, our servers automatically record non-personally identifiable information that your browser sends”.

Information is about an “identifiable individual” where there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other information (see Gordon v. Canada (Health)). Also, in Canada, an Internet Protocol (IP) address can be considered personal information if it can be associated with an identifiable individual. The Office of the Privacy Commissioner of Canada (OPC) has issued a few decisions on this issue: PIPEDA Case Summary #25, PIPEDA Case Summary #315, PIPEDA Case Summary #319, and PIPEDA Case Summary #2009-010. In 2013, the Technology Analysis Branch of the OPC also prepared a report entitled “What an IP Address Can Reveal About You”, which explains the type of personal information that may be collected through or connected to IP addresses.

The bottom line is that the situation is much more nuanced than “information collected using electronic means is not personal information”. Some of the information collected may well be considered personal information if the organization has the ability to link it back to online users or if this information will be used in Online Behavioral Advertising (OBA), as discussed below.

  3. Presuming that OBA profiles are not personal information

In many website privacy policies, profiles used for OBA purposes are considered non-personal information (e.g. “We may also use this non-personally identifiable information to help us show advertisements that are more likely to be relevant to you”). The rationale is probably that the name of the individual behind the OBA profile is not necessarily known to the organization operating the website. Still, the OPC articulated the view in its Policy Position on Online Behavioral Marketing Guidelines in June 2012 that OBA profiles should be considered personal information:

Taking a broad, contextual view of the definition of personal information, the OPC will generally consider information collected for the purpose of OBA to be personal information, given: the fact that the purpose behind collecting information is to create profiles of individuals that in turn permit the serving of targeted ads; the powerful means available for gathering and analyzing disparate bits of data and the serious possibility of identifying affected individuals; and the potentially highly personalized nature of the resulting advertising.

It should also be kept in mind that the OPC has tended to interpret “personal information” as broadly as possible and is usually inclined to regard information as personal even if there is the smallest potential for it to be about an identifiable individual. Moreover, information will be “about” an individual when it is not just the subject of that individual, but also relates to or concerns the individual, according to Canada (Information Commissioner) v. Canada (Transportation Accident Investigation and Safety Board) and Dagg v. Canada (Minister of Finance).

  4. Providing a wrong definition of “sensitive information”

Many website policies mention that they do not collect sensitive information “such as health or financial information”. In Europe, Directive 95/46/EC acknowledges under article 8 that certain categories of personal information (more specifically the ones “revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life”) are more privacy sensitive.

In Canada, there is no such list of information considered sensitive by nature. Under PIPEDA, sensitivity is often contextual: “Although some information (…) is almost always considered to be sensitive, any information can be sensitive, depending on the context.” I blogged on the issue of “what is sensitive information?” a few months ago, explaining that one thing to keep in mind is that web browsing information should usually be considered sensitive information.

  5. Including a right to modify the policy by simply posting the new terms

Many website privacy policies reserve the right to change their website privacy policy from time to time and mention that any changes will be posted on the website, implying that it is the online user’s responsibility to refer back to the privacy policy from time to time to ensure that it hasn’t been modified.

Online users give their personal information based on the promise made by the organization (through its website privacy policy) that their information will be used by the organization in a certain way. It is debatable whether an organization can legally change its policy in a way which will affect the information previously collected (on a previous promise, for instance not to disclose this information) without obtaining a more stringent consent (a click, etc.) from the affected users. In the event of a complaint, depending on the business model of the organization, the sensitivity of the information already collected and the type of changes made to the policy, certain courts may consider consent to such future changes as non-binding and may find that the modifications to the policy are valid only for information collected going forward.

 

This content has been updated on July 6, 2015 at 20 h 36 min.