
Does My Business Need a Privacy Policy for its Website?

By: Georgina Danzig, Nikita Munjal | Last updated: October 3, 2022

Customer loyalty is built on a relationship of trust: trust that your business will provide consistent quality goods and services, but also trust that your business will safeguard the personal information customers share with you when using your website. The value of a properly drafted website privacy policy in retaining your customers’ trust in your business should not be underestimated.

What is a privacy policy?

A website privacy policy is a statement that outlines your business’s practices relating to, but not limited to, how you collect, use, disclose, and protect the information of visitors to your website. An effective privacy policy will be easy to locate on your website and clearly communicate your privacy practices to your website’s visitors.

The privacy policy is often referenced in your website’s Terms of Use – the section of the website that sets out the rules for using it. Incorporating your privacy policy into the Terms of Use ensures that when a visitor consents to the Terms of Use – their consent being implied by their use of the website – they are also consenting to the terms of your privacy policy.

Does PIPEDA apply to my business?

Canada has legislation that governs how private sector organizations (like businesses) use and disclose personal information in the course of commercial activity. The Personal Information Protection and Electronic Documents Act (PIPEDA) governs the activities of private sector organizations in Canada, except in those provinces that have enacted legislation that is substantially similar to PIPEDA (namely, Quebec, Alberta, and British Columbia). PIPEDA applies when a private sector organization collects, uses, and discloses personal information obtained in the course of a commercial activity.

What is Personal Information?

Under PIPEDA, personal information is defined as information about an identifiable individual. Personal information can be used on its own or in combination with other information to identify, contact, or locate an individual. The Canadian courts and various privacy commissioners’ offices have interpreted personal information to include, for example, an individual’s name, age, ethnic origin, address, health information, and financial records. However, PIPEDA sets out specific exemptions where your use, collection, and disclosure of personal information is not covered by PIPEDA. One such exemption is if you use, collect, or disclose personal information for journalistic purposes. Given PIPEDA’s objective of ensuring that private sector organizations are not violating Canadians’ privacy rights, it is unsurprising that the scope of activities considered ‘journalistic’ under this exemption is quite narrow. For your activity to be considered ‘journalistic,’ its purpose must be to inform the public on issues of public interest, involve an element of original production, and be calculated to provide an accurate and fair description of facts, opinions, and debate regarding a situation. If your business model relies on its activities not being governed by PIPEDA, it is important that you carefully examine how the courts and privacy commissioners’ offices have interpreted those provisions.

What is a Commercial Activity?

Commercial activity has been broadly defined to mean any particular transaction, act or conduct or any regular course of conduct that is of a commercial character. Even if your business is offering free services, in certain situations, you may still be governed by PIPEDA. The courts have found that an organization offering free services may still be engaged in a commercial activity within the meaning of the legislation. Seeking the guidance of a privacy expert can help you determine your obligations with respect to the personal information you collect, use, and disclose about your customers.

Why should my business have a privacy policy?

Implementing a privacy policy yields numerous benefits for your business. For one, it ensures that your organization is complying with the applicable laws. PIPEDA requires organizations to obtain meaningful consent from their customers. For consent to be meaningful, individuals must be able to understand the terms in the policy. This can include, for example, highlighting the key elements of the policy in plain language (as opposed to convoluted legal language), such as what personal information is being collected, which parties this personal information is being shared with, and why this personal information is being collected, used or disclosed. Drafting a privacy policy that customers can understand will boost trust in your organization’s data practices.

Another benefit of drafting a privacy policy is that it causes you to consider your organization’s privacy practices. When assessing your privacy practices, you should also consider drafting internal policies that govern, for example, how your employees dispose of personal information when storage is no longer necessary, or how you will respond to access requests for personal information (that is, when an individual asks you to share the personal information you have collected about them).

What should I include in my privacy policy?

Your privacy policy should be customized to your organization’s needs and reflect what functions are enabled on your website. Here are a few of the key elements an effective privacy policy should contain:

  • What personal information your organization is collecting (e.g., name, email address);
  • The purpose for which this information is being collected, used, and disclosed (e.g., to provide a service);
  • How this information is being collected (e.g., whether consent is implied from use of the services);
  • Who this information is being shared with (e.g., third parties);
  • How a user can withdraw their consent to the collection, use, and disclosure of their personal information;
  • What type of non-personal information is being collected, used, and disclosed; and
  • How users will be notified when the privacy policy is updated (e.g., through email or a prominent notice on the service).

Impact of Our Global Economy on Privacy Considerations

Even if your business is based in Ontario, your privacy policy may be subject to the requirements of other countries. If, for example, your business sells its products to customers located in the European Union, then you may be subject to the General Data Protection Regulation (GDPR). While there are similarities between PIPEDA and the GDPR, there are also key differences in the obligations they impose on organizations, including how long you can retain information. Navigating the obligations associated with the collection of personal information requires careful consideration, including of the different privacy laws that apply in different jurisdictions or countries.

Consequences Arising from a Privacy Breach

Given our increasing reliance on technology to keep us connected, more information is being shared online than ever before. Having a plan prepared in advance to respond to a breach is critical to mitigate and contain any damage arising from the breach.

Legislation mandates that organizations subject to PIPEDA:

  • Report to the Privacy Commissioner of Canada breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals;
  • Notify affected individuals about those breaches; and
  • Keep records of all breaches.

Once you have a policy drafted, you should regularly review and update your policies to reflect changes in laws or any modifications in your use, collection, or disclosure of personal information.

The Office of the Privacy Commissioner of Canada has a helpful article detailing the mandatory reporting obligations which may arise in the event of a breach: Privacy Commissioner of Canada - What you Need to Know about Mandatory Reporting

Failing to protect your customers’ personal information, or collecting personal information that your customers have not consented to provide to you, can result in significant harm and cause your customers to lose trust in you, which directly affects your reputation and, consequently, your revenue.

We Can Help

If you would like practical guidance and expertise on how to draft a privacy policy that will be suited to your business’s needs, contact us for a complimentary and confidential initial telephone appointment with a member of our team.