Be careful with the secrets you reveal to on-line retailers. You just don’t know where your personal data could end up and how it might be used.
This was the warning issued by Ottawa-based Canadian Policy and Public Interest Clinic (CIPPIC) following its release of a survey that showed “widespread non-compliance with federal privacy laws.”
Funded by the Privacy Commission of Canada, the survey questioned 64 online retailers on their observance of legal requirements for accountability, openness and consent in collecting customer data.
It also polled 72 online and offline retailers on their compliance with “individual access” – the PIPEDA requirement to inform individuals of the existence, use and disclosure of their personal information upon request, and to give individuals access to that information.
The survey report is titled Compliance with Canadian Data Protection Laws: Are Retailers Measuring Up?
Its findings are hardly encouraging.
While 94 per cent of retailers surveyed did have privacy policies, these tended to be lengthy, ranging from 1,000 to 2,000 words. In most cases, policies were not conspicuously visible to consumers.
The survey also found 48 per cent of the retailers share information with other companies for purposes beyond those necessary for the transaction or service originally sought by the customer. Furthermore, only one of these companies restricted data sharing to its affiliates. Yet 34 per cent did not offer consumers a choice regarding this practice during the registration or ordering process.
Some 78 per cent of the sample companies rely on opt-out methods to obtain consumer consent to secondary use or disclosure of their personal information.
In at least 18 cases, the assessors were not sure whether consent to secondary use or disclosure was mandatory because the privacy policy was either unclear or non-existent. Thus 39 per cent of the companies were found in violation of PIPEDA’s rules.
According to CIPPIC, the survey confirms that the five-year-old Personal Information Protection and Electronic Documents Act (PIPEDA) is ineffective.
The Ottawa-based public policy organization seeks tougher rules to rein in offending retailers.
“This light-handed approach has not been successful… alternatives should be considered,” said the study.
“It’s time to beef up the enforcement regime,” said Philippa Lawson, executive director and general counsel for CIPPIC.
The CIPPIC survey did not cover recommendations to PIPEDA, which is scheduled for parliamentary review this year, but Lawson suggested imposing fines on violators.
“Some companies need to be hit in the pocket for them to appreciate that non-compliance with privacy rules has a cost.”
Ed Cartwright, senior director of communications at the Toronto-based Canadian Marketing Association (CMA), said the CIPPIC survey “confirms findings” of an earlier CMA study but added there was no need to strengthen existing laws.
“We’re not surprised by the results considering that privacy laws were only applied to the private sector two years ago and businesses still need to understand them better,” Cartwright said.
The PIPEDA rules came into effect for government offices and bodies in 2001 but legislation covering private businesses was laid down only in 2004, he said. “I disagree that the Act needs to be beefed up. Rather, what we need is more education for businesses.”
On the issue of opt-out consent, Cartwright said the inclusion of this feature in privacy policy statements “is a must for our members. We have our code of ethics and any member found not complying faces expulsion.”
However, CMA “does not seek out” violators but relies instead on a “complaint driven” scheme where companies receiving complaints are investigated.
In conjunction with its main survey report, CIPPIC also released a companion document titled “On the Data Trail: How Detailed Information about You Gets into the Hands of Organizations with Whom You Have No Relationship.”
This document says retailers gather consumer information from a variety of sources. These include warranty/registration cards, rebate and special offer responses, contest entry forms, coupons and online registration forms, and even data from Statistics Canada.
Anne-Marie Hayden, spokesperson for the Privacy Commission, said the findings show that “we can’t rely on complaints to the Commission alone to ascertain compliance with PIPEDA.”
However, Lawson said the Privacy Commission has the mandate to publicly name companies that are breaking privacy laws “but is not using what little teeth it has.”
She said the Commission has the ability to hear complaints from consumers and decide whether they are founded or not but does not have the enforcement tools.
“The issue of enforcement is a primary concern that should be looked into when PIPEDA is reviewed.”
Lawson also said consumers need “avenues for recourse.”
At present, consumers seeking restitution have to go to the federal courts “which is costly and can be onerous.” Two bad things can happen to a consumer, she said. “The Commission can hear the case and decide in favour of the retailer, in which case nothing happens. Or, the Commission can decide in favour of the consumer, in which case nothing happens as well.”
Hayden, however, said the Commission can recommend remedial action to companies facing complaints. “If they don’t take any action, we take the case to the federal courts.”
On the complaints that PIPEDA was weak, Hayden said the upcoming review “will be an opportunity to look at what works and what doesn’t.”