Canadian E-commerce and Privacy Study 2000: A Failure to Communicate, (93 pp.) (highlights available at link) (2000)
Professor Michael Geist & Gabe Van Loon
University of Ottawa, Faculty of Law, Common Law Section
1. Goals of the Study
This study’s primary objective was to evaluate pre-determined features on selected Web sites of interest to Canadians in order to develop an e-commerce “status report.” Corporate privacy statements and practices were the primary focus, though other factors relating to security, domain names, and general e-commerce practices were also examined. The chief reasons for performing this type of evaluation included:
- Assessment of potential corporate compliance issues with respect to Canadian privacy legislation.
- Addressing public concerns in the area of Internet privacy by providing an objective report on the actual status of corporate practices.
- Comparison of Canadian and international corporate approaches to online privacy, and correlate with external factors such as government regulation and pressure from consumer advocates.
2. Basic Methodology
Sites were selected based on consideration of a number of factors, including:
- On-line user traffic surveys (Media Matrix)
- Search engines including Meta-Crawler and Google
- Lists compiled by sites such as AltaVista
- The off-line yellow pages (under different business categories)
- The 2000 Globe and Mail Report on Business listing of top Canadian companies
- The e25 ranking of the top 25 e-businesses in Canada from Bain & Company and the Globe and Mail
- Linking from major Canadian portals
The evaluators completed a two-page evaluation form for each site. Most evaluations were quantifiable to facilitate comparisons between sites and categories of sites. Sites were assessed on a pre-determined absolute scale. In 40 separate categories, sites were given rankings dependant on the presence or absence of certain factors or groupings of factors. The data from the individual forms was collated and compiled in a spreadsheet.
3. Study Timing and Size
The survey was conducted from May to September 2000. Analysis was performed from September to November 2000. All sites were visited on repeated occasions to ensure validity and currency.
A total of 259 sites were studied. The majority of the sites (194) analyzed were of Canadian origin, as defined by corporate ownership and/or target audience. However, a number of sites of “dual-origin” are also included in the evaluation (42). These sites may be based outside Canada but appear to target a Canadian audience by including significant Canadian content. A small number of major “foreign” sites (23) that surveys suggest are of interest to Canadians but do not have customised Canadian content were also included.
A complete list of all sites surveyed is contained at Appendix A. For comparison purposes, the sites are divided into 34 categories, and the categories are grouped into 5 sectors. The sectors and categories are as follows:
1. E-commerce Group
ISPs, Music, Auction, Groceries, Hardware, General E-Commerce, Traditional Retail, Software, Auto, Auto Rentals, Travel Agents
2. Sensitive Info Group
Banks, Brokers, Insurance, Financial, Career, Online Recruiting, Health
3. Services Group
Telecommunications, Legal, Real Estate, Travel Agents, Airlines, Trains, Buses
4. Culture and Government group
Museum, Events, Sports, Hobbies, Government, Education
5. Canadian Media group
Magazines, newspapers, TV & radio
1. PRIVACY AT RISK &endash; THE TIE BETWEEN DATA COLLECTION AND ABSENT PRIVACY POLICIES
- 27% of sites do not have privacy policies but collect significant personal data
- Canada/Dual Origin split – 32% vs. 10%
- Particularly bad for Canadian services (46%), culture (49%)
2. THE MISSING POLICIES
- only 15% of sites have policies specifically targeted toward children
- 58% of sites do not provide privacy warning before collecting personal information
- only 21% of sites make their privacy policies easily accessible
3. THE INADEQUATE POLICIES/C-6 COMPLIANCE
- 46% of privacy policies do not contain a statement of purpose relating to information collection
- 94% of sites do not provide information on data retention policies
- 62% of privacy policies do not provide access to previously submitted information
- 57% of privacy policies do not provide contact information
- 90% of privacy policies do not provide information on updating personal information
- 40% of sites do not indicate whether they share information with third parties
4. THE DISAPPOINTING POLICIES
- only 10% of sites use opt-in for first party information
- only 3% of sites use opt-in for third party information
- 24% of sites request more than just name and email address without opt-out in conjunction with online services
5. THE DIFFERENCE BETWEEN CANADIAN SITES & DUAL ORIGIN
significant variation between Canadian only and Dual Origin sites on the following issues:
- statement of purpose (55/46)
- cookies (29/19)
- no access to previously submitted information (68/44)
- no contact information provided (63/33)
- no ability to update previously submitted information (94/76)
- no statement regarding accessibility (51/17)
- no statement regarding sharing information with third parties (49/14)
- no child specific privacy provisions (91/71)
- statement indicating no sharing with third parties (29/40)
6. REGULATION MAKES A DIFFERENCE &endash; SENSITIVE INFORMATION SECTORS DO BETTER
sector fares better than others for:
- contact information
- information updating
- use of ADR
7. IS PRIVACY NOT PART OF CANADIAN CULTURE &endash; THE POOR SHOWING OF CULTURE AND MEDIA SECTORS
consistently poor showing for the culture, government & media sectors:
- statement of purpose
- access to information
- updating information
- contact information
- disclosure of policies
8. DISAPPOINTING USAGE OF ADR & SEAL PROGRAMS
- low use of seals
- noise with seal programs &endash; no dominant program
- no use of ADR except where regulatory compliance
9. WHOSE LAW APPLIES?
- only 20% of sites employ jurisdiction clause
- of the dual origin sites, Canadian jurisdiction only half of the time
10. WHAT’S IN A NAME &endash; LACK OF CONFIDENCE IN DOT-CA
- 41% of Canadian sites use dot-com
- 35% of Canadian sites use both dot-com and dot-ca
- only 16% of e-commerce sites use dot-ca
The pre-configured two-page evaluation form that was used for this study took into account the following factors and contained the following elements:
- A brief description of the nature of business, the URL of the site, the “home base” of the site
- Top level domain name choices
- A listing of the type of personal information collected on the site. Separate listings were made regarding off-line and on-line information collection. Off-line information collection relates to activities such as retail purchases, travel bookings, and financial services that potentially require the provision of a mailing address. On the other hand, on-line service information collection relates to services that can be conducted completely on-line such as comment forms, email subscriptions, and chat room sign-ups.
- Accessibility of the statement:
- Is access to the privacy statement clearly evident to the user?
- Is it available directly on the site, or does it have to be downloaded?
- Is a direct link to the privacy statement available on every page on the site, most pages, active e-commerce pages, or just the home page?
- Is the statement easy to understand, or written using legal or technical terms?
- Comprehensiveness of statement:
- Are the purposes for which personal information is collected clearly stated?
- What issues are dealt with?
- Is there any reference to dispute resolution mechanisms?
- Are retention times of personal information indicated? (The degree of comprehensiveness will be dependent on the nature of the business)
- Can consumers access their own personal information to update / modify it?
- Is there any reference to security procedures that are in place to prevent information theft or misuse? What type of security measure is utilised?
- Substantive nature of policy:
- With reference to the comprehensiveness of the policy, it may detail very clearly what a company does with personal information, but this could still involve anything up to and including complete disclosure to third parties.
- Fair warnings to consumers:
- If information is about to be collected, are consumers given details at that specific time, in an easily accessible manner?
- Presence of external audits/ quality assurance
- CA WebTrust, BBBOnline, TRUSTe
- Contact information:
- Is a contact name or address provided relating to the privacy statement?
- Specific accommodation made for children
- Summary and Comments
- For assessors to fill in more “subjective” commentary – not captured in other categories of analysis
Where possible, the survey form was designed to have enhanced quantifiability. For example, a sliding scale was used in the “statement of purposes for information collection” category. The clearest privacy statements ranked “0” whereas statements that did not include a statement of purposes for information collection would rank “4”. Such scales were based on readily identifiable characteristics of Web sites.
The following steps were taken to locate privacy policies on the Web sites surveyed:
- Use of restricted site-specific search engine
- Use of external search engine
Portals, ISPs, Search Engines (13)
Software Companies (4)
Hardware Companies (5)
General E-Commerce (13)
Traditional Retail On-Line (14)
Automobile Rentals (7)
Travel Agents (14)
Sensitive Info Group
Financial Services (4)
On-line Recruiting (2)
Telecommunications and Cable (10)
Legal Services (4)
Real Estate (5)
Travel Agents (14)
Trains and Buses (3)
Culture and Government group
Museums and Galleries (5)
- www.headlinesports.com (same as www.thescore.ca)
Hobbies and Interest (4)
- http://www.hc-sc.gc.ca/ (Health Canada)
- http://pm.gc.ca/ (Prime Minister’s Page)
- http://www.oag-bvg.gc.ca/ (Auditor General of Canada)
- www.dfait-maeci.gc.ca/ (Department of Foreign Affairs)
- www.hrdc-drhc.gc.ca (Department of Human Resources and Development)
Canadian Media Group
- www.mbnet.mb.ca/ (Canadian Dimensions Magazine)
- www.sharenews.com (“Canada’s largest ethnic newspaper”)
Television and Radio (10)
- www.infinit.com/ (TVA network)
Children/Youth Content (3)