Compliance with Canadian Data Protection Laws: Are Retailers Measuring Up?
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Organization
Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic
Published
2006
Summary
This study was designed to examine to what extent organizations are respecting the Personal Information Protection and Electronic Documents Act (PIPEDA), by assessing the compliance of retailers with certain key provisions of PIPEDA.
Sixty-four online retailers were identified in an unbiased selection process and assessed for compliance with PIPEDA requirements for openness, accountability and consent. The assessment involved calling the company’s main telephone number and asking a few standard questions, reviewing the company’s privacy policy and ordering a product or service online. A second group of 72 online and offline retailers were assessed against the PIPEDA requirement for individual access. This assessment involved sending a standard letter to companies and reviewing responses.
The results of the study’s compliance assessment indicate widespread non-compliance in all four areas, and recommends that alternatives to PIPEDA’s current enforcement need to be considered. While almost all companies assessed had a privacy policy and were thus aware of the need to respect customer privacy, many failed to fulfill even basic statutory requirements such as providing contact information for their privacy officers, clearly stating what they do with consumer information and responding to access to information requests. The results strongly suggest that Canadian data protection legislation provides inadequate incentive for companies to give consumers meaningful control over their personal information, and to be open about their data management practices.
This document is available in the following language(s):
English only
OPC Funded Project
This project received funding support through the Office of the Privacy Commissioner of Canada’s Contributions Program. The opinions expressed in the summary and report(s) are those of the authors and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada. Summaries have been provided by the project authors. Please note that the projects appear in their language of origin.
Contact Information
CIPPIC, the Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic
University of Ottawa, Faculty of Law - Common Law Section
57 Louis Pasteur St.
Ottawa, Ontario, K1N 6N5
Email: cippic@uottawa.ca
Website: http://www.cippic.ca/
Tel: (613)562-5800 x2553
Fax: (613)562-5417
- Date modified: