You might recall, a few weeks back our Office led and participated in the first annual Global Privacy Enforcement Network (GPEN) Internet Privacy Sweep.
We sought to replicate the consumer experience by spending a few minutes on each site, assessing how organizations communicated their privacy practices with the public. The sweep was meant to assess transparency online and was not an assessment of organizations’ privacy practices in general. It was not an investigation, nor was it intended to conclusively identify compliance issues or legislative breaches.
After searching over 300 sites that day, our Office is still poring over the reports we’ve created, but we wanted to share some of our preliminary results with you.
We found several positive examples of transparency when it came to sharing privacy practices. The best policies were oriented towards the consumer, providing information that real people would actually want to know and would find helpful. Here are a few of our favourites:
Tim Hortons outlines the different types of personal information they collect and use in relation to a number of activities – for example, when people shop online, enter contests, or register for a payment card. Overall, we found their policy uncluttered and straightforward.
Also going that extra step is Allstate, which has established an anonymous and confidential reporting system through a third party for its customers to report privacy breaches with discretion. Promoting and facilitating two-way communication about privacy with consumers is a key element of transparency, so it’s heartening to see that a company like Allstate is thinking about how their consumers might want to communicate with them about privacy concerns.
Privacy policies that cover both online and in-store practices made our list of bouquets as well. IKEA Canada’s privacy notice points out IKEA’s use of closed circuit television (CCTV) cameras in its stores and parking lots and references their separate CCTV Surveillance Policy, which can be obtained by contacting their privacy officer. Given that many stores and parking lots use CCTV monitoring technology, this example shouldn’t be as rare as it is!
Approximately 20 percent of sites we reviewed either listed no privacy contact, or made it difficult to find contact information for a privacy officer.
And that e-mail address is…?
Well, we couldn’t find it.
Many of the websites we looked at spent thousands of words regurgitating PIPEDA but providing very limited information of actual interest to readers. Just as the good examples made an effort to provide clear and useful information to the consumer, the not-so-good stuck to a more legalistic approach and merely claimed compliance with legislation.
Paternity Testing Centers of Canada, which collects and processes highly sensitive DNA samples of its clients, has a privacy statement so short it would fit in a tweet: “Paternity Testing Centers of Canada care about our clients and ensure that every test performed is strictly confidential.”
We wanted to provide you with some preliminary results that stood out to us from our sweep. Once we’ve completed a review of the results from our Office and the other jurisdictions that participated in the sweep, we will determine any appropriate follow-up action, in conjunction with our international sweep partners.