A recent study released by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) found some retailers aren’t complying with Canada’s federal privacy law governing the private sector.
The study, funded by the Privacy Commissioner’s Office, looked at 64 online retailers, focusing on compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) in the areas of openness, accountability, consent and individual access to personal data. Retailers were selected at random and include major vendors such as Dealsoutlet.ca (HBC), eBay and Rona and smaller stores such as AV Deals, GPS Central and MyMusic.com. CIPPIC did not identify which retailers failed to meet legal requirements.
While the report found violations of PIPEDA across the above four areas, Philippa Lawson, who edited the report and is CIPPIC’s executive director and general counsel, said the most troubling violation was that some retailers were collecting information on people without their consent. “Worse than that, in some cases we found they were being misleading and that’s what troubled me the most.”
CIPPIC found blatantly misleading statements in at least 11 per cent and possibly as high as 39 per cent of the cases. CIPPIC prepared the report with the intention of informing a panel scheduled to review PIPEDA later this year. Critics of the law say it doesn’t have enough teeth to go after offenders or give the Commissioner the power to fine companies or make binding orders.
“We chose a very light-handed, complaints-based approach that isn’t working,” Lawson said, adding the law gives the Commissioner the power to publicly shame companies but that she isn’t using that enough.
But Ed Cartwright, a spokesperson for the Canadian Marketing Association (CMA), said the real problem lies in the lack of education for retailers, particularly in the small and medium business market.
“Some small- and medium-sized businesses don’t know there’s a privacy law out there,” he said. “There hasn’t been much outreach on the education side.”
Some of the key findings from the compliance assessments include: 94 per cent of retailers have privacy policies with 92 per cent posting them on their Web sites; 63 per cent of privacy policies exceed 1,000 words with 35 per cent over 2,000 words; 93 per cent of retailers were using consumer information for their own marketing purposes; between one-half and two-thirds of retailers share consumer information with other companies; and 78 per cent of retailers rely on opt-out methods to obtain consumer consent.
“It’s incumbent on the company that they clearly notify the consumer and give them a clear and easy way to opt out,” said Lawson, adding a common tactic employed by retailers is to automatically check the “yes” box for the consumer to receive more information on the company.
In the CMA’s code of ethics, the opt-out notice has to follow three guidelines: easy to see, easy to read and easy to understand, said Cartwright.
Cartwright said the results of the study mirror a report the CMA did for the Privacy Commissioner a year ago on how small and medium businesses in Canada are complying with PIPEDA. The CMA accounts for 800 corporate members across the country including banks, retailers and packaged goods firms.
Cartwright said the CIPPIC study is not reflective of online retailing in general as it only takes into account a small sample of retailers.
The study also separately assessed the compliance of 72 online and offline retailers with the requirement to provide individuals with access to their personal information upon request. For this part of the study, CIPPIC, which is based at the faculty of law at the University of Ottawa, had law students send letters to the companies asking them what information they have about the consumer, how they’re using it and who they’re disclosing it to.
A companion report found that detailed personal information about consumers collected from rebates, coupons and surveys is often compiled into lists that are rented or sold.