Revised: November 2018
Every organization subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) is required to make information available to individuals about its personal information management policies and practices.
Some tips for being more transparent with respect to your privacy practices:
Provide information that is relevant to your users/customers
Avoid templates and boiler-plate language. Describe what personal information your organization collects and why (including secondary purposes such as marketing), how you will use such information and under what circumstances you will disclose it.
Other organizations’ privacy policies may serve as useful references for style, formatting, and/or approach, but your policy should be unique to your organization.
2. Be specific and provide meaningful information
Avoid talking in generalities and “catch-all” terms – this is your opportunity to clear up any potential confusion before issues arise. Don’t simply re-state your PIPEDA obligations.
For example, make clear what personal information is collected (e.g. identification documents/numbers, date of birth, video surveillance images or cookies) for what purpose (e.g. identity verification, security or marketing).
If you disclose personal information to “third parties”, explain who those parties are, or what services they provide.
3. It’s about more than cookies
Keep in mind that people may also look to your website for information about your offline (in-store) practices.
4. Privacy choices
Tell customers about any choices you offer regarding the collection, use or disclosure of their information (e.g. opting out of the use of personal information for marketing purposes), and clearly explain how they can exercise those choices.
Provide a clear explanation of how people can obtain access to their personal information held by your organization, and how they can request correction or deletion of this information.
6. Update your online privacy information regularly
Let people know when the information is updated (actively notifying when material changes occur), state when the last review and/or update took place, and archive previous versions.
Provide contact information
7. Make it easy to contact you
Provide people with multiple, privacy-specific contact options (ideally including email, phone number and mailing address) so that they can easily raise privacy questions or complaints, or request access to their personal information.
Make this information available in one or more prominent locations on your site.
Make privacy information accessible
8. Make privacy information easy to find
Consult our guidelines for obtaining meaningful consent to learn more about the OPC’s expectations for privacy-related communications.
9. Use plain language
Avoid writing in a ‘legalistic’ manner. Explain your practices in language that will be understood by the average visitor to your site.
Consider providing plain-language summaries or explanations for complex subjects, while linking to or otherwise including the full description.
Keep the document as short as possible, while providing the information people need to know.
10. Structure your policy for ease of reference:
You may also consider a hyper-linked table of contents, an executive summary or FAQs.
Our website includes guidelines, fact sheets and other tools to help organizations to meet their obligations under PIPEDA. A good starting point is our guide for businesses and organizations. You may also be interested in:
- Privacy and Online Behavioural Advertising
- Accessing Personal Information under PIPEDA: What businesses need to know
The Office of the Privacy Commissioner of Canada is here to help. If you have any questions, please call us at 1-800-282-1376.