A study released this week by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) found retailers were not compliant Canada’s federal privacy law governing the private sector.
The study, funded by the Privacy Commissioner’s Office, looked at 64 online retailers focusing on the Personal Information and Electronic Documents Act (PIPEDA) in the areas of openness, accountability, consent and individual access to personal data. Retailers were selected at random and include major retailers such as Deals outlet.ca (HBC), Ebay and Rona and smaller retailers such as AV Deals, GPS Central and MyMusic.com. CIPPIC did not identify which retailers failed to meet legal requirements.
While the report found violations of PIPEDA across the above four areas, Philippa Lawson, who edited the report and is CIPPIC executive director and general counsel, said she found the most troubling area of non-compliance to be consent.
“They’re just not getting the individual consent in many cases,” said Lawson. “Worse than that, in some cases we found they were being misleading and that’s what troubled me the most.”
CIPPIC found blatantly misleading statements in at least 11 per cent and possibly as high as 39 per cent of the cases.
This week’s release of the study comes ahead of PIPEDA’s review later this year by the Privacy Commissioner for the first time since it was introduced in 2001 (PIPEDA did not apply to retailers until Jan. 1, 2004). The report was created with the intention of informing the review panel. Critics of the act say it doesn’t have enough teeth to go after offenders or give the Commissioner herself the power to fine companies or make binding orders.
“The current laws are not providing retailers with incentives to comply,” said Lawson. “We chose a very light-handed, complaints-based approach that isn’t working.”
Lawson added the law gives the Commissioner the power to publicly shame companies into compliance but that she isn’t using that enough.
Ed Cartwright, a spokesperson for the Canadian Marketing Association (CMA), however, said it’s not a matter of PIPEDA not having enough legal muscle, rather the education level of retailers, particularly in the small and medium business market.
“It points to the need for more education,” said Cartwright. “Companies are having a problem still complying with the legislation.”
Some of the key findings from the compliance assessments include 94 per cent of retailers have privacy policies with 92 per cent posting them on their Web sites; 63 per cent of privacy policies exceed 1,000 words with 35 per cent over 2,000 words; 93 per cent of retailers were using consumer information for their own marketing purposes; between one-half to two-thirds of retailers share consumer information with other companies; and 78 per cent of retailers rely on opt-out methods to obtain consumer consent.
“It’s incumbent on the company that they clearly notify the consumer and give them a clear and easy way to opt out,” said Lawson.
A common tactic employed by retailers is to automatically check the “yes” box for the consumer to receive more information on the company, Lawson added.
In the Canadian Marketing Association’s (CMA) code of ethics, the opt out notice has to follow three guidelines: easy to see, easy to read and easy to understand, said Cartwright.
“Some small and medium sized businesses don’t know there’s a privacy law out there,” he said. “There hasn’t been much outreach on the education side.”
Cartwright said the results of the study mirror a report CMA did for the Privacy Commissioner a year ago on how small and medium businesses in Canada are complying with PIPEDA. The CMA accounts for 800 corporate members across the country including banks, retailers and packaged goods companies.
Cartwright added the CIPPIC study is not reflective of online retailing in general as it only takes into account a small sample of retailers.
The study also separately assessed the compliance of 72 online and offline retailers with the requirement to provide individuals with access to their personal information upon request. For this part of the study, CIPPIC, which is based at the faculty of law at the University of Ottawa, had law students send letters to the companies asking them what information they have about the consumer, how they’re using it and who they’re disclosing it to.
A companion report found that detailed personal information about consumers collected from rebates, coupons and surveys is often compiled into lists and rented or sold to marketers.