Legal services provided by P.J. Richer Law Corp

Articles

Privacy Laws and your business

Author: Philippe Richer

Privacy laws: can I be more boring? Before your eyes glaze over and you skip back to your Facebook page, bare with me. Ignoring privacy laws in our connected world can have consequences for business owners. The topic came to mind recently at a seminar I attended on Facebook Marketing. While some may turn their nose at the idea, Facebook is at the forefront of advertising to people based on their specific circumstances. It has the added feature of being affordable to small businesses: you can advertise for as little as $2day. The ability to develop a target audience based on your current client email list is one of the most interesting features. You upload your email list to Facebook, and the company develops an audience with similar attributes. This does not offend CASL which states that you cannot send commercial emails to your email list unless you have consent. (This is a big problem for businesses that built large email lists before CASL.) But you could potentially use those email addresses to develop a “look alike” audience on Facebook. You aren’t sending them emails. You are simply asking Facebook to develop an audience based on your current list’s attributes.

How Does Your Privacy Policy Align With Privacy Laws?

Under the Personal Information Protection and Electronic Document Act (PIPEDA), all companies must comply with the ten principles to protect personal information. The principles are outlined in detail in Schedule I of the law (the full text is found here). For the sake of brevity, they are:

  1. Accountability: An organization is responsible for the information it collects.
  2. Identifying purpose: The reason for collecting personal information must be specified.
  3. Consent: You need it.
  4. Limiting Collection: You cannot collect more information than needed.
  5. Limiting Use: You cannot use the information for any other purpose than those identified.
  6. Accuracy: No need to explain.
  7. Safeguards: You must protect collected information.
  8. Openness: Privacy policies must be readily available to anyone.
  9. Individual Access: Individuals must have access to the information you collect about them.
  10. Challenging Compliance: You must have procedures in place to deal with challenges.

In our example above, to use your email list to create a “look alike” audience on Facebook, you must have the individual’s consent (principle no. 3) to use their email address in developing the new audience (principle no. 2). Finally, your privacy policy (principle no. 8) must also state that you may use the information collected to market your products or services.

Consent

Unlike CASL, obtaining consent is less rigorous under PEPIDA. If the information collected is “sensitive,” then you must obtain express consent. However, you can rely on implied consent if the information collected is less sensitive. While this may sound like you have more wiggle room to rely on implied consent, you should do so cautiously. The Commissioner’s office states,

“[A]lthough an email address may not at first blush be considered to be a sensitive piece of personal information, the existing or presumed social connections between people derived from the use of the email address… could be considered sensitive in certain unique contexts.”

Practical Considerations

Running a business is fraught with potential traps, obstacles, and challenges. Trying to make sense of the myriad of federal and provincial laws that affect business owners and managers can make your head spin. The best time to obtain consent seems to be when you record the personal information in question. If you do it online, you should have a checkbox that allows individuals to opt-out. If you are collecting client information when they call, on delivery of service, or when they attend your place of business, you may wish to standardize the “on boarding” process with a pre-printed form outlining your policy and giving them an opportunity to opt-out. At the same time, you could obtain their consent under CASL.

Disclaimer – Legalese

This article is presented for informational purposes only. The content does not constitute legal advice or solicitation and does not create a solicitor-client relationship (this means that I am not your lawyer until we both agree that I am). If you are seeking advice on specific matters, please contact Philippe Richer at 204.925.1900. We cannot consider any unsolicited information sent to the author as solicitor-client privileged (this means confidential).

Scroll to Top