A report by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) provides the results of the first Canadian survey assessing the compliance of retailers with data protection laws. The results show widespread non-compliance with federal laws requiring openness, accountability, consent, and individual access to personal data.
CIPPIC is based at University of Ottawa’s Faculty of Law, common law section. The CIPPIC clinic focuses on legal issues arising from the use of new technologies.
“We were very disappointed with what we found”, said Philippa Lawson, executive director of CIPPIC and co-author of the report, entitled Compliance with Canadian Data Protection Laws: Are Retailers Measuring Up?
“A surprising number of companies in our sample failed to comply with some basic legal requirements respecting consumer privacy. Far too many companies are unclear about how they use customer data, whether they disclose it to third parties, and how the customer can stop unnecessary uses and disclosures”, she said.
“Particularly distressing were the misleading policies we encountered, suggesting for example that no secondary use or sharing of personal information would take place without the consumer’s explicit consent, but then assuming such consent unless the consumer exercised an often inconspicuous opt-out”, she added.
The study, funded by the Office of the Privacy Commissioner of Canada, assessed the compliance of 64 online retailers with specific legal requirements for accountability, openness and consent. It also separately assessed the compliance of 72 online and offline retailers with the requirement to provide individuals with access to their personal information, upon request. Among other things, the study found that:
— It is unreasonably difficult for consumers to get answers to basic questions about company data protection policies over the phone;
— A significant proportion of privacy policies are unclear, even when tested by people with university education;
— Even more policies are incomplete, often failing to identify third parties with whom the company shares customer information or to describe the type of information shared;
— The vast majority of companies rely on “opt-out” methods of obtaining consumer consent, but many fail to bring the opt-out option to the customer’s attention or require the customer to go to unnecessary effort in order to exercise the opt-out;
— Many companies bury notice of their secondary uses and disclosures of customer data, along with notice of the consumer’s right to opt-out, in lengthy privacy policies that few consumers would have the time to read and understand;
— Many companies that use or share customer data for unnecessary purposes do not offer consumers a choice regarding such unnecessary uses or disclosures;
— A number of companies suggest that they do not use or share consumer information without the consumer’s explicit consent when in fact they do;
— Few companies provide complete responses to written requests for specific information about what personal information the company holds about the individual, how it is used, and to whom it is disclosed.
“The results of our study suggest that current data protection laws do not provide sufficient incentive for companies to comply”, said Lawson. “Far too many companies are still failing to meet basic legal obligations under the act, five years after it was introduced. It’s time to consider beefing up the enforcement regime.”
The federal Personal Information Protection and Electronic Documents Act, known as “PIPEDA”, is scheduled for Parliamentary review this year. CIPPIC’s study was designed with a view to informing that review.
In a companion report entitled “On the Data Trail: How Detailed Information About You Gets Into The Hands Of Organizations With Whom You Have No Relationship”, CIPPIC exposes the many ways in which consumer information is gathered and traded in the marketplace.
That study found, among other things, that detailed personal information about individual consumers is collected from a variety of sources including product warranty/registration cards, rebate and special offer responses, contest entry forms, online registration forms, payment processing centers, and surveys that consumers are often enticed to complete in exchange for coupons or other benefits. It is then compiled into lists that are rented or sold to marketers.
Detailed demographic information about geographically defined groups, available from Statistics Canada as well as private sources such as credit bureaus and market research companies, is also widely used for target marketing purposes.
