13 Aug 2013

Initial results from our Internet Privacy Sweep: The Good, The Bad, and The Ugly


You might recall that, a few weeks back, our Office led and participated in the first annual Global Privacy Enforcement Network (GPEN) Internet Privacy Sweep.

We sought to replicate the consumer experience by spending a few minutes on each site, assessing how organizations communicated their privacy practices to the public. The sweep was meant to assess transparency online and was not an assessment of organizations’ privacy practices in general. It was not an investigation, nor was it intended to conclusively identify compliance issues or legislative breaches.

After searching over 300 sites that day, our Office is still poring over the reports we’ve created, but we wanted to share some of our preliminary results with you.

The good:

We found several positive examples of transparency when it came to sharing privacy practices. The best policies were oriented towards the consumer, providing information that real people would actually want to know and would find helpful. Here are a few of our favourites:

Tim Hortons outlines the different types of personal information they collect and use in relation to a number of activities – for example, when people shop online, enter contests, or register for a payment card. Overall, we found their policy uncluttered and straightforward – click on the screenshot to read this excerpt:

Collection and Use of Personal Information

Tim Hortons collects and uses personal information from customers and others (an "Individual") as follows:

Tim Hortons may collect and maintain personal information such as an Individual's name, contact information, payment card information and purchase history when an Individual subscribes for services or purchases products on our website, in one of our stores or at a kiosk.

Tim Hortons may collect personal information from an Individual where the Individual submits an application for programs operated from time-to-time by Tim Hortons, such as the Tim Hortons Scholarship Program (the "Programs") or for an employment opportunity (such as that contained in a resume, cover letter, or similar employment-related materials). We use submitted personal information as is reasonably required to assess the Individual's eligibility in the Programs and to advertise and promote the Programs or to assess the Individual's suitability for employment at Tim Hortons as well as to process the application and respond to the Individual.

When participating in a contest or promotion, we may collect personal information, such as a contest winner's name, city of residence, and prize winnings in order to award prizes and promote such contests. This information may be published in connection with contests.

From time to time, we may obtain an Individual's consent to use the Individual's contact information to provide periodic newsletters or updates, announcements and special promotions regarding Tim Hortons products and services.

Tripadvisor’s Privacy Policy takes the extra step of offering a detailed explanation of its Instant Personalization feature, which uses information provided by Facebook to give the user a more customized experience. Their explanation not only details what information is collected and how it’s used, but also provides instruction on how to enable or disable the feature – take a look at this screenshot:

We have partnered with Facebook to provide Instant Personalization on TripAdvisor for members of Facebook. If you have Instant Personalization set to “enabled” in your Facebook privacy settings and you are logged into Facebook, then TripAdvisor will be personalized for you when you visit the Web site, even if you are a first-time user of TripAdvisor’s Web site. For example, we will show you reviews that your Facebook friends have posted on TripAdvisor and places they have visited. In order to provide you with this personalized experience, Facebook provides us with information that you have chosen to make available pursuant to your Facebook privacy settings. That information may include your name, profile picture, gender, friend lists and any other information you have chosen to make available.

When you first visit TripAdvisor, you will see an option to turn off Instant Personalization in just one click. If you decide to turn it off at a later date, you can do so by first logging into Facebook and clicking on the disable link on this page, or by scrolling over the “Learn More” link on the top of the page on TripAdvisor and clicking on “How to turn off personalization”. You can also turn off Instant Personalization by editing your privacy settings on Facebook. Please note that, if you have Facebook friends who are using TripAdvisor, they may also have shared information about you with us through Facebook. If you wish to prevent that sharing, you can do so by editing your Facebook privacy settings.

Learn more about Instant Personalization on Facebook or read TripAdvisor’s Instant Personalization FAQ’s.

Also going that extra step is Allstate, which has established an anonymous and confidential reporting system through a third party for its customers to report privacy breaches with discretion.  Promoting and facilitating two-way communication about privacy with consumers is a key element of transparency, so it’s heartening to see that a company like Allstate is thinking about how their consumers might want to communicate with them about privacy concerns.

As part of our ongoing commitment to privacy, we have established an anonymous (optional) and confidential reporting system, so that customers can report any breaches of privacy. All comments made through this reporting mechanism are considered important to Allstate. Accordingly, they will be reviewed in a timely manner and, rest assured, with the utmost discretion.

To report any issue relating to privacy concerns, please go online or mail:

ClearView Connects™
P.O. Box 11017
Toronto, Ontario M1E 1N0
1-866-505-9915

Privacy policies that cover both online and in-store practices made our list of bouquets as well. IKEA Canada’s privacy notice points out IKEA’s use of closed circuit television (CCTV) cameras in its stores and parking lots and references their separate CCTV Surveillance Policy, which can be obtained by contacting their privacy officer. Given that many stores and parking lots use CCTV monitoring technology, this example shouldn’t be as rare as it is!

For security, safety and liability purposes, we use CCTV cameras in our stores and adjoining areas such as parking lots. Information recorded by such cameras is retained for a short period (approximately 90 days), unless needed in connection with an investigation. Notices advising of the use of such cameras are posted in our stores. By visiting a store, you consent to our use of such cameras and the recording of your information. For further information regarding CCTV use in our stores, please see IKEA’s CCTV Surveillance Policy, a copy of which may be obtained by contacting our Privacy Office, as provided at the end of this Notice.

The bad:

Approximately 20 percent of sites we reviewed either listed no privacy contact, or made it difficult to find contact information for a privacy officer.

For example, several sites, including theloop.ca and tsn.ca, linked to Bell Media’s Privacy Policy, which reads in part:

QUESTIONS, COMMENTS OR SUGGESTIONS? If you have questions, comments or suggestions about this Privacy Policy or Bell Media's privacy practices that were not answered here, send us an email.

And that e-mail address is….?

Well, we couldn’t find it.

Many of the websites we looked at spent thousands of words regurgitating PIPEDA but provided very limited information of actual interest to readers. Just as the good examples made an effort to provide clear and useful information to the consumer, the not-so-good stuck to a more legalistic approach and merely claimed compliance with legislation.

For instance, take a look at GlaxoSmithKline’s explanation of how they seek consent for the collection, use and disclosure of individuals’ personal information, below. While their privacy policy hews closely to the language found in Canadian privacy legislation, it’s not all that helpful to a consumer who wants to know when their consent might be sought. We’ve highlighted the text that appears almost verbatim from Schedule 1 of PIPEDA:

3. PRINCIPLE 3 - CONSENT

The knowledge and consent of the individual are required for the collection, use and disclosure of personal information, except where inappropriate.

3.1 The way in which we seek consent, including whether it is express or implied consent, may vary depending on the sensitivity of the information and the reasonable expectations of the individual. An individual may withdraw consent at any time, subject to legal and contractual restrictions and reasonable notice.

3.2 GSK will typically seek consent for the use or disclosure of personal information at the time of collection, but in certain circumstances consent may be sought after collection but before use.

3.3 GSK will only ask individuals to consent to the collection, use or disclosure of personal information as a condition of the supply or purchase of a product, if such use, collection or disclosure is required to fulfil an identified purpose.

3.4 In certain circumstances, as permitted or required by law, we may collect, use or disclose personal information without the knowledge and consent of the individual. These circumstances include: Personal Information which is subject to solicitor-client privilege or is publicly available as defined by regulation; where collection or use is clearly in the interests of the individual and consent cannot be obtained in a time way; to investigate a breach of agreement of a contravention of the law; to act in respect to an emergency that threatens the life, health or security of an individual; for debt collection; or to comply with a subpoena, warrant or court order.

Huh?

GlaxoSmithKline also offers readers an Internet privacy policy which, in some ways, does a better job than their privacy code at explaining how a consumer’s information might be collected and used. However, we found this policy, like others we saw during our sweep, focused on the use of cookies and other technical information collected via their site, while not providing enough information relevant to how the organization was collecting and using other types of information about the consumer.

The ugly:

About one out of every ten sites we looked at did not appear to have a privacy policy.

Another 10 percent had a privacy policy that was hard to find – sometimes exceedingly difficult to find, since it was buried in a lengthy Legal Notice or in the Terms and Conditions.

While almost 90 percent of the sites we swept had some sort of privacy policy or privacy notice, some policies offered so little transparency to customers and site visitors that the sites may as well have said nothing on the subject.

For example, A&W Canada, which collects personal information such as photos, addresses and dates of birth for various initiatives, has a 110-word privacy policy tacked on to the very end of the Terms and Conditions that offers nothing but a blanket promise of compliance with the law. While they do provide some other detail with respect to their privacy practices elsewhere on the site, and it is possible for visitors to their site to learn more by contacting their privacy officer through the e-mail address provided, we think organizations can do better. Individuals shouldn’t have to jump through hoops and provide their own personal contact information just to learn what an organization is going to do with their information.

Privacy Policy A&W Food Services of Canada Inc. is committed to protecting the privacy of personal information. Personal information obtained in the course of conducting our business will not be collected, used or disclosed except in compliance with governing legislation, including Canada’s Personal Information Protection and Electronic Documents Act and British Columbia’s Personal Information Protection Act. For further information on our Privacy Policy, contact our Privacy Officer at privacyofficer@aw. We may revise this Privacy Policy from time to time. You are responsible for checking this Policy when you visit our site to review the current policy. If you do not agree with the Policy, you should cease use of the site immediately.

Paternity Testing Centers of Canada, which collects and processes highly sensitive DNA samples of its clients, has a privacy statement so short it would fit in a tweet: “Paternity Testing Centers of Canada care about our clients and ensure that every test performed is strictly confidential.”

Confidentiality Uncertainty about parentage can have life-long psychological consequences. DNA paternity testing is the most advanced and accurate method available for resolving these parentage questions. Paternity Testing Centers of Canada can perform both Legal (court approved) and Non-legal tests. With advanced DNA technology, paternity testing is accurate, rapid and an affordable means for obtaining conclusive answers with respect to parentage. Paternity Testing Centers of Canada care about our clients and ensure that every test performed is strictly confidential.

We wanted to provide you with some preliminary results that stood out to us from our sweep.  Once we’ve completed a review of the results from our Office and the other jurisdictions that participated in the sweep, we will determine any appropriate follow-up action, in conjunction with our international sweep partners.


9 Responses

A&W, Bell Media rapped over internet privacy policies | AMP Web Agency Says:

[...] by Privacy Commissioner Jennifer Stoddart and her staff and released Tuesday, along with a blog post highlighting « good, » « bad, » and [...]

A&W, Bell Media rapped over internet privacy policies » Canadian Online News Says:

[...] by Privacy Commissioner Jennifer Stoddart and her staff and released Tuesday, along with a blog post highlighting “good,” “bad,” and “ugly” [...]

James Bird Says:

Very interesting to read the preliminary results; I’m looking forward to reading a more complete review.

Privacy Policies Put Under the Microscope | Osler Insights: A Blog on Technology, Innovation and Outsourcing Says:

[...] blog post on the OPC’s website (http://blog.priv.gc.ca/index.php/2013/08/13/initial-results-from-our-internet-privacy-sweep-the-good…) provides specific examples of privacy policies categorized as “The Good, The Bad and The [...]

01-15 August 2013 | Privacy News Highlights Says:

[...] in how some online organizations provide information about their privacy practices.” The OPC’s blog includes key details as well as screenshots from the sweep. “While we did see some good examples [...]

Don Says:

My privacy is mine only!!!!!!!!!!!!!

Office of the Privacy Commissioner » Blog Archive » An update on our Internet privacy sweep Says:

[...] month, we released the initial results of our Internet privacy sweep. You can read the original blog post to see what we observed. (We should note here that the screenshots and references in that blog post [...]
