Ten tips for a better online privacy policy and improved privacy practice transparency
Revised: November 2018
Every organization subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) is required to make information available to individuals about its personal information management policies and practices.
A good privacy policy is one of the important ways in which an organization can meet this obligation, foster public trust and strengthen customer loyalty.
Some tips for being more transparent with respect to your privacy practices:
Provide information that is relevant to your users/customers
1. Make your privacy policy about your business
Avoid templates and boiler-plate language. Describe what personal information your organization collects and why (including secondary purposes such as marketing), how you will use such information and under what circumstances you will disclose it.
Other organizations’ privacy policies may serve as useful references for style, formatting, and/or approach, but your policy should be unique to your organization.
2. Be specific and provide meaningful information
Avoid talking in generalities and “catch-all” terms – this is your opportunity to clear up any potential confusion before issues arise. Don’t simply re-state your PIPEDA obligations.
For example, make clear what personal information is collected (e.g. identification documents/numbers, date of birth, video surveillance images or cookies) for what purpose (e.g. identity verification, security or marketing).
If you disclose personal information to “third parties”, explain who those parties are, or what services they provide.
3. It’s about more than cookies
While it is advisable to explain how cookies and similar technologies may be used on your site, don’t stop there. People look to your online privacy policy not only to learn about how their information is automatically collected by your website (e.g. cookies, IP addresses), but also how the information they submit will be used and/or disclosed.
Keep in mind that people may also look to your website for information about your offline (in-store) practices.
4. Privacy choices
Tell customers about any choices you offer regarding the collection, use or disclosure of their information (e.g. opting out of the use of personal information for marketing purposes), and clearly explain how they can exercise those choices.
5. Access
Provide a clear explanation of how people can obtain access to their personal information held by your organization, and how they can request correction or deletion of this information.
6. Update your online privacy information regularly
Ensure your privacy policy and other notices reflect your current privacy management practices – review the policy regularly, particularly when new programs or information-handling practices are introduced.
Let people know when the information is updated (actively notifying when material changes occur), state when the last review and/or update took place, and archive previous versions.
Provide contact information
7. Make it easy to contact you
Provide people with multiple, privacy-specific contact options (ideally including email, phone number and mailing address) so that they can easily raise privacy questions or complaints, or request access to their personal information.
Make this information available in one or more prominent locations on your site.
Make privacy information accessible
8. Make privacy information easy to find
Place a link to your privacy policy in a prominent location on your homepage. But don’t stop there – provide further information through the use of just-in-time notifications (e.g. through hyperlinks or pop-up boxes) when and where website users may be faced with a privacy decision or question.
Within your privacy policy, it’s also important to make it easy to find key information, such as what personal information you collect, why you collect it and what you do with it.
Consult our guidelines for obtaining meaningful consent to learn more about the OPC’s expectations for privacy-related communications.
9. Use plain language
Avoid writing in a ‘legalistic’ manner. Explain your practices in language that will be understood by the average visitor to your site.
Consider providing plain-language summaries or explanations for complex subjects, while linking to or otherwise including the full description.
Keep the document as short as possible, while providing the information people need to know.
10. Structure your policy for ease of reference:
Pay attention to the ‘user-friendliness’ of your privacy policy. This may include organizing your privacy policy into relevant sections with clear headings (e.g. What Information We Collect, How We Use Your Information, How to Access your Personal Information, How to Contact Us with Privacy Questions, etc.).
You may also consider a hyper-linked table of contents, an executive summary or FAQs.
Learn more
Our website includes guidelines, fact sheets and other tools to help organizations to meet their obligations under PIPEDA. A good starting point is our guide for businesses and organizations. You may also be interested in:
- Privacy and Online Behavioural Advertising
- Accessing Personal Information under PIPEDA: What businesses need to know
The Office of the Privacy Commissioner of Canada is here to help. If you have any questions, please call us at 1-800-282-1376.
- Date modified: