What to consider when reading a privacy policy

March 2017

Many of our run-of-the-mill daily activities, such as shopping and banking online or using social media or mobile apps, involve sharing our personal information.

It is important to understand why an organization is asking for our information and what they will do with it.

Under Canada’s federal private sector privacy law, organizations that collect personal information must inform users about their privacy practices. One of the ways in which they may provide this information is through a privacy policy.

A good privacy policy should tell you—clearly, specifically and in plain language—what you need to know in order to understand how the organization will handle your personal information.

Here are some tips on reading and better understanding privacy policies.

What to look for in a privacy policy

These steps should help you to get the information you need in order to make an informed decision about whether to share your personal information. If you aren’t comfortable with the information you receive from the company, you may wish to reconsider using their service.

• Contact person: Is there somebody I can contact if I have questions about the organization’s privacy practices? How can I contact that person? What is the process for raising a privacy concern with them?
• Collection: What personal information is being collected about me (e.g. name, credit card number, location)? How is this relevant to the product or service being provided? Will this information be collected once, or on an on-going basis?
• Use: How will the personal information be used (e.g. payment processing, identity verification, marketing, analytics)? Is it possible to opt out of any secondary uses such as marketing?
• Disclosure: To whom will the information be disclosed? Under what circumstances, and for what purposes? (e.g. to third party advertisers for serving targeted ads, to a cloud computing company for storage, to respond to a warrant from law enforcement)
• Retention: How long will the information be kept? Has the organization indicated that it has security measures or procedures in place to protect the information?
• Access: How can I access the personal information the company has about me, and update it or correct mistakes if I find any? Are there any costs involved in making an access request?

If a privacy policy is not clear, or if you have a question or a concern about an organization’s privacy practices, you should be able to contact their privacy officer, or another person designated to be responsible for the organization’s privacy issues.