Quick Start Guide
- Sign up or sign in and choose the clauses you need, such as “Google Analytics”, “MailChimp” or “Facebook like button”;
- Add a French version of the policy if you need it; it will automatically mirror the English policy.
Where Do I Go with Privacy Questions in Canada
Let’s start with a short look at Canada’s organizational structure regarding privacy laws in the sector relevant to us: private commerce.
- To start this guide I would like to point you to Canada’s Office of the Privacy Commissioner, which oversees compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s private sector privacy law.
- PIPEDA governs the information-handling practices of private-sector organizations everywhere in Canada except British Columbia, Alberta, Quebec, and the health-care sector of Ontario. (Comparable laws apply to organizations conducting business wholly within those jurisdictions.)
- Here’s the interesting part of the previous point: if you collect, use or disclose personal information entirely within your province’s borders, then the privacy laws of your province apply to you in most cases (since they are similar in substance).
- If local (provincial) laws apply to you, then you may want to check out the following acts: British Columbia’s Personal Information Protection Act, Alberta’s Personal Information Protection Act, and Québec’s An Act Respecting the Protection of Personal Information in the Private Sector.
For the scope of this guide the above distinction luckily isn’t of much importance.
The regulations are similar in nature. To demonstrate this, let me link to the document Good Privacy Practices for Developing Mobile Apps, which was compiled by the Privacy Commissioners of Canada, Alberta and British Columbia in a joint effort. Now that the legal framework has been laid out, let us see what the laws say regarding the disclosure of data collection practices. Here is an example of how the application of PIPEDA would work in British Columbia:
PIPEDA applies in BC in two circumstances. First, PIPEDA applies to federally-regulated businesses, for example banks, telephone companies, airlines, shipping companies and railways. Second, PIPEDA may apply to BC-based organizations when the personal information of residents from other provinces has been affected.
If the data collection stays within British Columbia, then British Columbia’s PIPA is applicable.
About the PIPEDA
To understand what you need to do according to PIPEDA I am quoting a list published by the Privacy Commissioner of Canada. They call it the basic outline of PIPEDA:
- If your business wants to collect, use or disclose personal information about people, you need their consent, except in a few specific and limited circumstances.
- You can use or disclose people’s personal information only for the purpose for which they gave consent.
- Even with consent, you have to limit collection, use and disclosure to purposes that a reasonable person would consider appropriate under the circumstances.
- Individuals have a right to see the personal information that your business holds about them, and to correct any inaccuracies.
- There’s oversight, through the Privacy Commissioner of Canada, to ensure that the law is respected, and redress if people’s rights are violated.
To learn more about PIPEDA, you can find a document called “A Guide for Businesses and Organizations – Your Privacy Responsibilities” on the OPC’s site.
So how does all of that translate to you and your websites and mobile apps?
- Take appropriate measures to notify Web site users of all your organization’s online information practices, notably the use of “cookies” or other non-visible tracking tools, and explain such practices
What about your mobile app though?
The answer is probably yes. PIPEDA applies to every organization in respect of personal information that the organization “collects, uses or discloses in the course of commercial activities”. Commercial activities are usually defined very broadly. For example, even if you aren’t generating revenue from an app, you may still be covered by Canadian private sector privacy laws.
We know that crafting privacy policies for the web and mobile apps is a time-consuming process. In the recent Internet Sweep Day, the OPC uncovered the good, the bad and the ugly on Canadian websites. Browsing the privacy officers’ and commissioners’ sites, you will find some suggestions and best practices that might help you out, such as:
- Write your policy in plain language – Write your policy so that your intended audience can easily read and understand it.
- Be specific to your organization – Your policy should reflect your organization’s business and should not simply use the language from another organization’s policy.
- We take the most stringent privacy laws and generate our policies according to those (usually Europe’s)
- We host it and keep it up to date