Musings on writing a website Privacy Policy

I like doing things properly. I created a mailing list so I can easily share my thoughts with people I know when I’m gone, but that means I now collect data. Hence my 1-person website and blog now needs a privacy policy, and I have a research topic for my weekend.

A friend of mine is also starting up a blog and asked me for some best practices. I can’t say I know enough to produce best practices, but hopefully between this and an online template they will have enough background info to understand the policy they’ll write.

A background on information protection legislation

PIPEDA, the Personal Information Protection and Electronic Documents Act, governs how the private sector (including me) collects, uses, and discloses personal information. Somewhat uniquely, Part 1 of PIPEDA, which covers protection of personal information in the private sector, must be reviewed by Parliament every five years, something I like to see in legislation for an ever-changing digital sphere.

Generally, this law gives individuals several rights. 

  • You have a right to know why an organization wants, uses, or discloses your information, and to have it used only for purposes you consent to.
  • You have the right to know who in the organization is responsible for protecting your personal information (hence organizations having “privacy officers”), and the right to file a complaint if you believe your privacy rights have been violated. 
  • You can expect the personal information an organization holds about you to be accurate, complete, and up-to-date, and you have the right to ask for corrections. This is an interesting line to read. I have a friend going through a name change process, and she’s had no end of trouble getting her name switched in various databases, which may be in violation of PIPEDA.
  • Organizations are required to supply you with the product or service even if you refuse consent, unless that information is essential to the transaction.
  • Organizations must have personal information policies that are clear, understandable, and readily available. Having had to email organizations for clarification after failing to comprehend their privacy policies, this is definitely not well followed. 
  • Organizations must notify you if there is a privacy breach.
  • Organizations must collect information by fair and lawful means. I always appreciate reminders that “crime is a crime”.

Fortunately for me, you don’t have an automatic right to sue if I fail to meet the law’s obligations. Instead, you can take a complaint to the Office of the Privacy Commissioner of Canada who will produce a report and recommendations on the matter. Then you can take this report to the courts should you desire.

Note that in Alberta, where I currently sit while writing this post, the Personal Information Protection Act (PIPA) supersedes PIPEDA, having been declared a “substantially similar law”. The Alberta law has some different scope around implied consent, broader application to employees, and the Privacy Commissioner of Alberta has some power to enforce compliance with privacy laws beyond what the Privacy Commissioner of Canada has. Alberta is also specific about penalties for breaking PIPA. As an individual, should I refuse or fail to follow PIPA, the government can fine me up to $10 000, and “in case of a person other than an individual, to a fine of not more than $100 000”.

While reading this law, I stumbled across a particularly entertaining bit of legalese for when a person is not an individual:

“The term ‘individual’ applies when the entity appears as a living, breathing human being. The term ‘person’ is applicable when it appears as an entity that is a legal person. This includes individuals and corporations, and any other entities with personhood.”

Government of Alberta, Responsibilities for Protecting Personal Information

Corporations having personhood is one of my favourite bizarre ways we organize society. If anyone understands the history of it, I’d love a phone call or a comment below. 

As a living, breathing human being, these laws mean that if you actively give me (or anyone else) your information:

  • You are consenting to its use for the reasonable purpose it was collected for.
  • You can also consent by not ‘opting out’ within a reasonable time after you are notified that your information is being collected.
  • You do have the right to withdraw your consent, which must be honoured immediately.

I am not handling the backend of my website myself, however, and my service provider Dreamhost is based out of the United States, which opens a whole other can of worms. Sending information outside of Canada means I have to declare the country, the purpose for which the service provider is authorized to collect, use, or disclose information, where you can find their policies, and the person who can answer questions on your behalf.

You also have a right to your own information. While sending you back your own email address would be an amusing bit of folly, at my job as a swim instructor I remember being told that every note that I make on a swimmer can be requested. If someone wanted to be a real nuisance they could FOIP (Freedom of Information and Privacy request) their child’s swimming records, and pool staff would have to flip through thousands of scanned documents to pull up notes on swimming skills.

Final thoughts

Overall I’d call the privacy regulations in Alberta an excellent privacy law for 2004. It’s definitely not 2004 anymore, and the regulations have not kept up with the times.

I have concerns about enforcement and the consent-based model. The maximum $100 000 fine is a slap on the wrist to a large corporation, and it allows for substantial risk-taking with regards to privacy.

Secondly, it’s way too easy when browsing the internet to click “agree” to things without reading them thoroughly, and I expect many people don’t know what they’ve agreed to. I’d prefer additional legislation to prevent egregious breaches of privacy and sale of information even if the consumer clicks “agree”, and a right to be forgotten similar to the EU. 

Bill C-27, the Digital Charter Implementation Act, has been proposed to address these shortfalls. It would add auditing and enforcement powers, and increase the maximum fine to the tune of $25 million or 5% of global revenues, whichever is larger. As of my writing of this article, the bill has completed its second reading by the House of Commons and is being reviewed by committee.

Applications to a small blogger

Diving into privacy policy was as interesting as it was unnecessary. You have no real way to know that I won’t sell your email except for trusting me as a person. If you suspected me of something, dragging me to an ombudsman would be an incredible hassle. Any breach in the United States is even worse and would likely leave you no recourse. Writing this policy is mostly a gesture of good faith, and I doubt anyone would notice if it didn’t exist.

This brings me back to my friend’s question on best practices. Generally, I’m aiming to be as clear as possible about what information is collected and why, how users will be notified about changes of policy, and where the information ends up. I also read down the requirements of both acts and went through a couple of online templates. With all that being said, my privacy policy is available here: Privacy Policy

A Footnote on GDPR

The European Union has a much more comprehensive privacy policy, the General Data Protection Regulation (GDPR). As a consumer, I love this policy. It provides top of the line protections when I browse websites, provides controls over my own data, and creates a default ‘messing with data is illegal’ stance.

For writing a blog, however, it’s a menace. A main sticking point is that I must demonstrate I am GDPR compliant to be GDPR compliant, which is a massive legal hurdle. To do this I’ll need appropriate records and measures to prove I am following these laws. There are only 6 lawful bases to collect data; I am closest to meeting the ‘With Consent’ reason (as I do ask), and possibly have ‘Legitimate Interests’ (for spam prevention), but I lack the paperwork to back this up. My emailing list is likely compliant, but my comment fields (which collect IP addresses for spam prevention, and leave cookies to save your information for posting future comments) probably require modification to state that they do drop a cookie and record your IP.

Anyhow I expect GDPR compliance will be another weekend research endeavour, so that’s some fun for future Kent. While I appreciate the EU’s dedication to privacy, for now I’m just going to hope I don’t get any Europeans trying to join my mailing list or commenting on my blog.

Resources and Sources

An overview of PIPEDA: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda_brief/

Personal Information Protection and Electronic Documents Act, PIPEDA: https://laws-lois.justice.gc.ca/ENG/ACTS/P-8.6/index.html

An overview of PIPA: https://www.alberta.ca/personal-information-protection-act

Personal Information Protection Act, PIPA: https://open.alberta.ca/publications/p06p5

An overview of Bill C-27: https://ised-isde.canada.ca/site/innovation-better-canada/en/canadas-digital-charter/bill-summary-digital-charter-implementation-act-2020

The current state of Bill C-27: https://www.parl.ca/legisinfo/en/bill/44-1/c-27

An overview of the GDPR: https://gdpr.eu/what-is-gdpr/
