Effects of new privacy law still to be determined – The Law

Reading Time: 3 minutes

Published: April 1, 2004

Q: Does a store need a privacy policy? We produce gift items and sell them directly. How does the new privacy law affect us?

A: As of Jan. 1, 2004, the Personal Information Protection and Electronic Documents Act applies to all business transactions. The goal of this federal law is to ensure that personal information is collected and used only with consent.

In a previous column, I pointed out that the law is written in general terms. Thus it tells us that an organization, which includes businesses, may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.

Read Also

yogurt popsicle

Food can play a flavourful role in fun summer activities

Recipes – popsicles are made with lactose-free milk and yogurt so are perfect for those who can’t tolerate milk, while everyoneelse will also enjoy them

Consent to the collection ofpersonal information is required; however, the law is vague, stating that the form of the consent may vary depending upon the circumstances and type of information.

Nothing that I have found from the privacy commissioner’s office provides any greater detail.

In my opinion, any organization or business that collects personal data should consider privacy issues. What information is collected? Is it necessary to keep all of it? Is the information shared with anyone? In my view, if one collects only the names, addresses and phone numbers of customers or members, then the law places minimum requirements on that organization. The schedule to the act states that a magazine keeping a subscriber list and contacting subscribers when the subscription is about to expire is reasonable.

It seems to me that a store with a list of customers or an organization keeping member contact information would be similar to a magazine keeping a list of subscribers.

Nevertheless, if you keep a mailing list or customer-member list, it might be prudent in any mailing to advise them that “names, addresses, telephone numbers and credit card information is collected for the purposes of providing any goods and services and notifying customers of future services.”

Equally important, you should ensure that customers know they have a right to remove their names from your database.

Specific consent will be required if you seek more detailed information. So, a credit application seeking banking, income and employment or business information should clearly indicate that this information is being used to determine credit rating.

The customer should consent in writing that he understands the information will be used to determine creditworthiness. Similarly, in my view, a survey of customers to determine buying preferences should be accompanied by written consent. If credit information or buying preferences will be shared with third parties, then the consent should indicate that the customer agrees to his information being passed to third parties.

What about the buying and selling of mailing lists? The act clearly states that its rules apply to “the selling, bartering, or leasing of donor, membership or other fundraising lists.” The act does not specifically address what consent should be obtained to the trading of lists. In my view, a prudent owner should make clear that individuals can have their names removed from any mailing list and give them the option to request that their name not be shared with anyone else.

As a qualifier, the act states that rules are subject “to purposes a reasonable person would consider appropriate in the circumstances.” Further, the privacy commissioner’s office has assured me its goal is to educate and mediate disputes. I suspect that the full force of the law will be applied only in cases of blatant misuse of personal data.

What I have offered here is my view. It will take rulings by the privacy commissioner and the courts to determine the full effect of the law.

I will keep you informed as the law unfolds. As noted in my earlier column, the federal law allows provincial privacy laws to be supreme if they contain the same protection as the federal law.

Quebec, Alberta and British Columbia have enacted comparable laws. Also as pointed out, Quebec has launched a constitutional challenge to the validity of the federal law.

Don Purich is a former practising lawyer who is now involved in publishing, teaching and writing about legal issues. His columns are intended as general advice only. Individuals are encouraged to seek other opinions and/or personal counsel when dealing with legal matters.

explore

Stories from our other publications