The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Sunday, November 20, 2005
I've written loads of privacy statements and have probably reviewed five times as many since I started practicing privacy law. One of the first things that the writer of a privacy statement has to ask is, "who is the intended audience?" "Our customers" is invariably the reply. That's a start and gets you part-way there. I've found that not many people read privacy statements. Most are aware they exist, but don't care.
The main audience for privacy statements is almost always a subset of your customers: those who are privacy aware, those who have a specific question and those who are really upset about something. There's a secondary audience, too: regulators (such as the privacy commissioner), privacy activists and journalists who are looking for a "gotcha!". Writers of privacy statements need to keep this in mind.
Your privacy statement may make your lawyer happy and may be legally correct, but writing it in legalese and burying important provisions in the text are actually counter-productive. Nobody in your intended audience appreciate this and doing so actually undermines whatever good stuff may be in your policy.
From time to time, journalists and columnists read the privacy policies from the companies with whom they deal and are often surprised with what they find. That certainly was the case with Nicole Brodeur of the Seattle Times, who took a gander at the Starbucks privacy policy and wrote a column for today's paper:
The Seattle Times: Local News: Your life is theirs to share:Thought you were just getting a happy holiday Peppermint Mocha from Starbucks?
If you paid for it with a Starbucks card, you weren't so much warming yourself up as opening yourself up to a world where your personal information is traded like animal skins. After years of surfing, searching and shopping online, I took the time to read the coffee company's just-revised privacy policy, which opens by stressing the company's "foundation of trust."
A later paragraph made me wonder: "Unless permitted by law, no personal information is collected, without first obtaining your consent for the collection, use and sharing of that information."
Fine, but read on: "The provision of personal information to Starbucks means that you agree and consent that we may collect, use, and share your personal information in accordance with this privacy policy."
In other words, the simple act of giving personal information is implied consent for Starbucks to share that information with its "consultants, strategic partners, agents, distributors, suppliers, contractors and other companies," as well as third-party, credit-card processors, mailing houses, Web hosts and e-mail vendors.
That's a lot of people to share a couple of pounds of Christmas Blend with, isn't it?
Indeed, Starbucks is as connected as Santa. The company sees where you are surfing. It knows when you're online. It knows just what you bought for whom, so be patient as you try to "opt out." ...
The "problematic" paragraph in the policy reads:
Our website may also share information with companies that provide support services to us (such as credit card processors, mailing houses or web hosts) or that help us market our products and services (such as email vendors). These companies may need information about you in order to perform their functions. These companies are not authorized to use the information we share with them for any other purpose.
Frankly, all of this "sharing" of information is entirely reasonable (if you pay with Visa, that transaction won't process itself and Starbucks ain't your bank), but you can easily see how an upset customer or someone looking make a story can read this paragraph to suggest they throw your personal information to the four winds.
If you have the task in your organization of writing or updating your privacy statement, be very aware of who will be reading it and how it can be interpreted.
Labels: information breaches
The Canadian Privacy Law Blog is licensed under a
Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.