Privacy Laws and your business
Privacy laws: can I be more boring??? Before your eyes glaze over and you skip back to your Facebook page, bear with me. Ignoring privacy laws in our connected world can have consequences for business owners. The topic came to mind recently at a seminar I attended on Facebook Marketing.
While some may turn up their nose at the idea, Facebook is at the forefront of advertising to people based on their specific circumstances. It has the added feature of being affordable to small business: you can advertise for as little as $2/day.
The ability to develop a target audience based on your current client email list is one of the most interesting features. You simply upload your email list to Facebook and the company develops an audience with similar attributes.
This does not offend CASL, which states that unless you have consent, you cannot send commercial emails to your email list. (This is a big problem for businesses that built large email lists prior to CASL.) But you could potentially use those email addresses to develop a “look alike” audience in Facebook. You aren’t sending them emails. You are simply asking Facebook to develop an audience based on your current list’s attributes.
Under the Personal Information Protection and Electronic Documents Act (PIPEDA), all companies must comply with the 10 principles for the protection of personal information. The principles are outlined in detail in Schedule I of the law (the full text is found here).
For the sake of brevity they are:
- Accountability: An organization is responsible for the information it collects.
- Identifying purpose: The reason for collecting personal information must be specified.
- Consent: You need it.
- Limiting Collection: You cannot collect more information than needed.
- Limiting Use: You cannot use the information for any other purpose than those identified.
- Accuracy: No need to explain….
- Safeguards: You must protect collected information.
- Openness: Privacy policies must be readily available to anyone.
- Individual Access: Individuals must have access to the information you collect about them.
- Challenging Compliance: You must have procedures in place to deal with challenges.
Obtaining consent is less rigorous under PIPEDA than under CASL. If the information collected is “sensitive”, then you must obtain express consent. However, you can rely on implied consent if the information collected is less sensitive.
While this may sound like you have more wiggle room to rely on implied consent, you should do so cautiously. The Commissioner’s office states:
[A]lthough an email address may not at first blush be considered to be a sensitive piece of personal information, the existing or presumed social connections between people derived from the use of the e-mail address… could be considered sensitive in certain unique contexts
Running a business is fraught with potential traps, obstacles, and challenges. Trying to make sense of the myriad of federal and provincial laws that affect business owners and managers can make your head spin.
The best time to obtain consent seems to be when you record the personal information in question. If you do it online, you should have a checkbox that allows individuals the option to opt out. If you are collecting client information when they call, on delivery of service, or when they attend your place of business, you may wish to standardize the “onboarding” process with a pre-printed form outlining your policy and giving them an opportunity to opt out. At the same time, you could obtain their consent under CASL.
Disclaimer – Legalese
I appreciate the irony of this disclaimer, but while I am critical of the rules, I must still play by them, so here goes… This article is presented for informational purposes only. The content does not constitute legal advice or solicitation and does not create a solicitor-client relationship (this means that I am not your lawyer until we both agree that I am). If you are seeking advice on specific matters, please contact Philippe Richer at email@example.com, or 204.925.1900. We cannot consider any unsolicited information sent to the author as solicitor-client privileged (this means confidential).
Philippe Richer is President of TLR Law Group. TLR has been located in the St. Boniface neighbourhood, in Winnipeg, since 1996. The office serves the middle class and small business within the province. With a focus on estates, wills, real estate, and corporate law, he leads his team in providing accessible legal services. Philippe also authored the business law course for the Knowledge Bureau and instructed the français juridique class at the Faculty of Law at the University of Manitoba.