Perusing the daily news could give anyone the idea that only the big players like Google and Facebook and the likes of Bell and Air Canada have to bother with privacy laws.
But thinking that way could be a serious mistake, because any business, small or large, has privacy obligations that it ignores at the risk of considerable liability, whether by way of fines or lawsuits, possibly of the class action variety. And if the Liberal government’s proposed introduction of a Digital Charter is any indication, privacy protection will become even more stringent, with the imposition of heftier fines and broader penalties.
So just what are your obligations?
Canada’s privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), applies to the collection and handling of personal information in the course of any business activity. You will need to:
- identify the reason for the collection of personal information
- explain how you will use the information
- tell your users and customers how you will update them when your policy changes
- inform them of just how long you will hang on to the information
You will also need to implement procedures that demonstrate you have obtained meaningful consent for the collection of personal information. Whether the consent you have collected is considered “meaningful” will depend on whom you are collecting the information from. Special consideration should be given, for example, if information is being collected from youth. Bear in mind, however, that you cannot require anyone to consent to the collection of information beyond what is necessary to provide your goods and services.