A Privacy Policy for Your Website: Do You Really Need One?

I’ve written a lot of Websmithian blogs over the past few years and apologize at the outset for coming up with such a boring title for this one! Nevertheless, I’ve learned that pretty well every website design and build project I’ve been involved in since the conception of Websmithian really should have one of these. Admittedly, I’m a little late to the game in writing and telling you about them.

So, here’s what I’ve learned and how I can help you:

Some years back, our federal government came up with the Personal Information Protection and Electronic Documents Act, commonly known as PIPEDA. (I’m not sure if you’d say that ‘pip ee dah’ or ‘pipe dah’ – or perhaps some other way. No matter.) With the internet becoming part of all of our daily lives and businesses recording more and more information about their customers, it was inevitable that legislation was required to put some rules on it. This is especially true when the data are all in electronic format and can be copied and moved in a matter of milliseconds.

PIPEDA applies to private-sector organizations across Canada that collect, use or disclose personal information in the course of a commercial activity. That obviously applies to businesses but, somewhat strangely, doesn’t include non-profit organizations and political parties. Go figure. Just about every website in the world collects some sort of information about its visitors, either passively or actively. It might passively record where the visitor came from, their IP address, and other types of data that are often recorded by tools such as Google Analytics. Actively, data might be collected via online forms, ecommerce transactions, newsletter signups, and other situations where the visitor is willingly providing their personal information.

An excellent – and relatively brief – webpage on the Government of Canada’s website outlines PIPEDA and what constitutes “personal information.” Most of you will, in some way, be recording such information through the website I’m making for you.

In short, you are responsible for indicating, on a page or in a document, to the visitors of your website what information you are recording about them, how you’re recording it, what safeguards you’re going to employ to ensure it remains private, and how you’re going to use the information. You’ve also got to indicate how long you’re going to keep that information before erasing it and you’re going to give them access to the information – and the right to have you immediately delete it – if they ask you to do so.

Doing Business in Canada

If the majority of the visitors to your website are Canadians and most or all of your business is done in Canada, then fortunately a Privacy Policy is pretty well the only legal-type document your website needs to have. As you’ve probably noticed, many websites these days warn you that they use cookies and ask you to acknowledge your awareness of that fact. Fortunately, we still don’t need to do that in Canada. We also don’t have to post messages on our Canadian websites that pertain to GDPR (General Data Protection Regulation), which is a law enacted by the European Union, or similar laws enacted in California and elsewhere.

Many Canadian websites have a Terms and Conditions page. Such a document basically sets the rules for using your website. This is a necessity if, for instance, you allow visitors to post comments and engage the website in similar ways. It also spells out your rights to the content that is on your website, disclaims your liability from content errors, and limits your liability from content submitted by a third party (e.g. a commenter) that might be offensive.

Obviously, an ecommerce-based website should have a T&C page, as should any that publishes blog posts and allows visitors to publicly comment. Otherwise, you don’t need one, nor do you need any statement about cookies on your Canadian website.

That being stated, anyone who’s lived for more than a couple of decades in any country knows that laws change and what I’m stating here is only valid and applicable at the time of writing.

How Does One Get a Privacy Policy?

There are a number of ways to put together a PP for your website:

  1. Find somebody else’s, copy it, then edit it for your own purposes.
  2. Have your lawyer create one for you.
  3. Use an online service to generate a PP.

I would obviously not recommend option one. There are just too many potential “gotchas” there that, if your PP was ever challenged – legally or otherwise – might not be all that good for your situation!

Lawyers love work like this because they essentially take an off-the-shelf PP and then edit it – which is essentially what you’d have been doing in option one. The obvious advantage here is that it’ll be airtight and it’s more your lawyer’s problem if there’s an inaccuracy. The biggest disadvantage is that, if the laws change – even one iota – you’re going to be going back to your lawyer for a rewrite and another stiff bill!

Fortunately, many online tools have been developed to generate pretty good quality PPs that are probably as high in quality as what your lawyer would provide to you, for a fraction of the cost. I’m going to go into more depth about these in the next section.

Online Privacy Policy Generators

If you Google “privacy policy generator Canada” you’ll find a good selection of online resources for this task. All of these basically function in the same way: You go through a few dozen questions that you respond to through an online form. When you’re done, you pay the company that runs the software. This is typically $30-50. Once the transaction is complete, a PP document is automatically generated for you. I then post it on your website and build links to it from logical places and you’re in business!

Similar to the situation I described above in the lawyer scenario, if PIPEDA changes or other federal or provincial acts come into being, you’ll have to go back and generate a new PP. Of course, it’s going to cost you once again to do this. And, once again, someone is going to have to upload this new document to your website and potentially edit any hyperlinks leading to it.

But there’s another style of PP generator out there that I like a lot better. Fundamentally, it takes you through the same arduous question-and-answer process so that the tool can know about you and what your PP circumstances and needs are. However, when it comes time to generate the PP it does so – but it doesn’t provide you with a downloadable document. Instead, it posts the PP on the service’s website and it’s that online document that I will link to from your website.

Why is this better? It’s better because, if something changes in Alberta or Canada over the next few years, then the service will automatically update your PP to reflect the changes in legislation! You’ll have your butt covered continually and you won’t have to do any work to your website to link to the new PP. Everything will happen automatically.

Fortunately, I’ve secured a deal with one of the most reputable services in the world, Iubenda, who are based in Italy. For a bit more cost than Iubenda’s one-year subscription, I can provide you with a lifetime subscription. And, I’ll even help you fill out and submit the form. Contact me if you need more details.


Yes, CYA (covering your ass) remains one of the biggest concerns of Canadian businesses and organizations that have any online presence in our country through a website. Many visitors to your website – paranoid or not, they’re all potential customers – will get an added degree of assurance that the personal information they’re about to provide to you will be taken care of securely and only used for the purposes intended. Additionally, if anything ever arises from your website’s operations as they’re related to acquiring data about visitors, you’ll already have an accessible, clear, and legal document on your website to back you up.
