Since I’ve come across a great resource by the information and privacy commissioner of British Columbia regarding B.C.’s access and privacy laws (and the ongoing interest in iubenda’s privacy policy by Canadians) I thought I’d write a quick comprehensive guide to privacy policies online and in mobile applications.
Quick Start Guide
- Sign up/Sign in and choose some of our clauses called “Google Analytics” or “MailChimp” or “Facebook like button”;
- Add a French version of the policy if you need it, it will automatically mirror the English policy;
- Generate the self-updating privacy policy with a few clicks;
- Add the privacy policy to your site by embedding or linking to it;
Where Do I Go with Privacy Questions in Canada
Let’s start with a short look at Canada’s organizational structure regarding privacy laws in the sector relevant to us, private commerce.
- To start this guide I would like to point you to Canada’s Office of the Privacy Commissioner, which is overseeing compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s private sector privacy law.
- The PIPEDA governs the information-handling practices of private-sector organizations everywhere in Canada except British Columbia, Alberta, Quebec, and the health-care sector of Ontario. (Comparable laws apply to organizations conducting business wholly within those jurisdictions.)
- Here’s the interesting part of the point above: if you collect, use or disclose personal information entirely within your province’s borders, then the privacy laws of your province apply to you in most cases (they are similar in substance to PIPEDA).
- If local (provincial) laws apply to you, then you may want to check out the following acts: British Columbia’s Personal Information Protection Act, Alberta’s Personal Information Protection Act, and Québec’s An Act Respecting the Protection of Personal Information in the Private Sector.
For the scope of this guide the above distinction luckily isn’t of much importance.
The regulations are similar in nature. To demonstrate this, let me link to the document Good Privacy Practices for Developing Mobile Apps that has been compiled by Privacy Commissioners of Canada, Alberta and British Columbia in a joint effort. Now that the legal framework has been laid down, let us see what the laws say regarding the disclosure of data collection practices. Here is an example of how the application of PIPEDA would work in British Columbia:
PIPEDA applies in BC in two circumstances. First, PIPEDA applies to federally-regulated businesses, for example banks, telephone companies, airlines, shipping companies and railways. Second, PIPEDA may apply to BC-based organizations when the personal information of residents from other provinces has been affected.
If the data collection stays within British Columbia, then British Columbia’s PIPA is applicable.
About the PIPEDA
To understand what you need to do according to PIPEDA I am quoting a list published by the Privacy Commissioner of Canada. They call it the basic outline of PIPEDA:
- If your business wants to collect, use or disclose personal information about people, you need their consent, except in a few specific and limited circumstances.
- You can use or disclose people’s personal information only for the purpose for which they gave consent.
- Even with consent, you have to limit collection, use and disclosure to purposes that a reasonable person would consider appropriate under the circumstances.
- Individuals have a right to see the personal information that your business holds about them, and to correct any inaccuracies.
- There’s oversight, through the Privacy Commissioner of Canada, to ensure that the law is respected, and redress if people’s rights are violated.
To inform yourself more deeply about PIPEDA, you can find a document called “A Guide for Businesses and Organizations – Your Privacy Responsibilities” on the OPC site. So how does all of that translate to you and your websites and mobile apps?
Privacy Policy for Canadian Websites – required
Private sector privacy legislation requires organizations to build privacy policies that outline how they collect, use and disclose their customers’ personal information. It also means that this privacy policy should be posted on a website if that organization has one. From a PIPEDA self assessment guide:
- If your organization has a Web site, post your privacy policy on it. Make sure the policy covers all collections, uses, and disclosures of personal information made via the Web site itself; and
- Take appropriate measures to notify Web site users of all your organization’s online information practices, notably the use of “cookies” or other non-visible tracking tools, and explain such practices.
What about your mobile app though?
Privacy Policy for Mobile Apps – required
In Canada, there is an expectation and a legal requirement that app users are to be informed of what information is being collected, used and disclosed about them, as a matter of transparency and openness, and for their consent to be meaningful. Given the popularity of apps, you can expect increased scrutiny of the privacy practices in your industry in the years ahead – both by regulators and the market itself, driven by increasingly informed, discerning and influential consumers. The paragraph above is the opening of the guide for app developers that I linked to earlier in this post. You are required to include a privacy policy in your app. It is worth reading through that guide to see what else you need to think about privacy-wise when you develop an app.
But Do “I” Need a Privacy Policy?
The answer is probably yes. PIPEDA applies to every organization in respect of personal information that the organization “collects, uses or discloses in the course of commercial activities”. Commercial activities are usually defined very broadly. For example, with apps, even if you aren’t generating revenue from an app, you may still be covered by Canadian private sector privacy laws.
What Should a Privacy Policy Look like in Canada?
Crafting privacy policies for the web and mobile apps is a time-consuming process; we know that. During the recent Internet Sweep Day the OPC uncovered the good, the bad and the ugly on Canadian websites. Browsing the privacy officers’ and commissioners’ sites you will find suggestions and best practices that might help you out, such as:
- Make your policy easy to find – Your privacy policy should be accessible from a clearly labeled link on your home page.
- Write your policy in plain language – Write your policy so that your intended audience can easily read and understand it.
- Be specific to your organization – Your policy should reflect your organization’s business and should not simply use the language from another organization’s policy.
- Update your policy regularly – The activities of your business will change over time. You should reflect these changes in your website privacy policy and inform visitors to your website when you have made changes to your policy.
Iubenda’s Privacy Policy Generator
The way iubenda’s privacy policy generator (for websites, mobile apps and Facebook apps) works is:
- we take the most stringent privacy laws and generate our policies according to those (usually Europe’s);
- we host the policy and keep it up to date;
- you tell us what you do on your website, and our generator helps you craft a beautiful privacy policy.
Moreover, we offer our generator in five languages, among them French and English. Take a look at how we can help you craft a beautiful and meaningful privacy policy. Privacy Policy Generator »