MICHAEL GEIST
Thursday, December 7, 2000
In less than four weeks, Canada's new privacy legislation takes effect. Yet a major new study of leading Canadian Web sites indicates that Canadian business is not ready for the new law. In fact, the study suggests that public privacy fears may be well-founded, since at least 25 per cent of the sites surveyed collected significant personal data without disclosing their privacy policies.
The study, conducted between May and September at the University of Ottawa by myself and Gabriel Van Loon, a third-year law student, examined 259 leading Web sites based in or targeting Canada. Our findings paint a troubling snapshot of the state of Canadian privacy and e-business practice.
The central obligation of the new privacy legislation, the Personal Information Protection and Electronic Documents Act, is to force data collectors to provide transparent privacy policies that tell Web users who is collecting their data, why it is being collected, and how it will be used. A disappointing 41 per cent of the sites failed to disclose their privacy policies. Canadian-based sites fared even worse, with half of them failing to comply with the new law.
Even sites with privacy policies failed to provide a complete picture of their data collection activities. For example, 26 per cent used cookies to track their users, yet failed to reveal that practice.
The new privacy legislation requires data collectors to appoint a contact person to respond to public queries and enable users to update their personal information.
Sites in the survey fared poorly on both counts, with 57 per cent of the privacy policies failing to identify privacy contacts and 90 per cent omitting information on updating personal details.
Data collection practices are also a source of concern. The vast majority of the sites require users to opt out of data collection, with most collecting personal data unless the user expressly indicates otherwise. In fact, only 10 per cent of sites surveyed use an opt-in clause, whereby the user would provide their positive consent to collect personal data.
Particularly troubling was the finding that Canadian-based sites perform much worse than sites outside the country that target Canadian users. These so-called dual-origin sites, primarily from the United States, are frequently much more advanced than their Canadian counterparts. For example, while 66 per cent of Canadian-based sites did not provide privacy contact information, only 33 per cent of dual-origin sites failed to do so. Similarly, while 49 per cent of Canadian-based sites failed to disclose whether they share information with third parties, that number dropped to 14 per cent among dual-origin sites, mainly from the United States. The finding is in keeping with the perception that major U.S. sites that would be likely to target Canada are increasingly sensitive to privacy and consumer e-commerce concerns.
In comparing different sectors of the Canadian economy, the study found that certain sectors perform much better than others. Regulated sectors, such as banking and health care sites, offer users better privacy protection across a range of issues, including data retention, user access, contact information, and security precautions. By comparison, Canadian culture, media, and government sites repeatedly performed poorly on virtually every aspect of the privacy analysis.
The disappointing results yield a number of conclusions:
Many Canadian firms are not privacy compliant. Although the law will apply only to federally regulated businesses such as banks and broadcasters as of Jan. 1, many others will still be bound by it since personal information that travels across provincial or national borders also falls under its jurisdiction.
Despite the absence of privacy legislation, U.S. sites targeting the market north of the border typically provide better privacy protections than their Canadian counterparts. This finding may reflect the heightened awareness of public privacy concerns among U.S. e-businesses, which have sought to appease consumer concerns by posting privacy policies on-line.
The federal regulation is likely to have a significant impact on Canadian privacy practices. The stronger performance of regulated sectors, which are already subject to privacy requirements under other legal frameworks, suggests that regulation can be an effective method of ensuring increased privacy protection.
Privacy advocates and many concerned Canadians will ring in the new year by closely monitoring Canadian business privacy activities. Should businesses fail to improve upon their poor showing in this study, the Canadian Privacy Commissioner's office will be a very busy place and the new legislation will be put to the test very quickly.
Michael Geist is a law professor at the University of Ottawa Law School and director of e-commerce law at the law firm Goodmans LLP.
mgeist@uottawa.ca
