Drafting a Privacy Policy: What You Need to Know

March 16, 2022

By Mark Lahn

Each year, more businesses are leveraging a variety of tools to collect and store personal information about their customers. In light of the increasing prevalence of data breaches, how and why a business collects personally identifiable information is becoming more important.

In this article, we discuss frequently asked questions about privacy policies and what your organization can do to implement the best privacy practices.

What is a privacy policy?

A privacy policy is a document that explains how an organization collects, stores, and uses personally identifiable information about an individual. Personally identifiable information includes any factual or subjective information about that individual such as name, birthdate, opinions about the individual, video or pictures where the individual can be identified, etc.

One of the core principles of privacy law is that an individual has knowledge of, and consents to, the information a company stores about them. Privacy policies are one piece in the toolkit that allows an organization to meet its obligations under the relevant privacy legislation.

What laws govern privacy in Ontario?

In Ontario, privacy is currently governed under the following pieces of legislation:

  • Provincial Legislation:
    • Freedom of Information and Protection of Privacy Act (FIPPA)
    • Municipal Freedom of Information and Protection of Privacy Act (MFIPPA)
    • Personal Health Information Protection Act (PHIPA)
  • Acts of the Federal Government:
    • Personal Information Protection and Electronic Documents Act (PIPEDA)

Each of these pieces of legislation imposes differing obligations on an organization and is only applicable to certain entities, so identifying the applicable legislation is key.

Is a privacy policy required by law?

Yes, privacy policies are required by law in Canada under the Personal Information Protection and Electronic Documents Act (PIPEDA) depending upon the type of organization. This Act applies to private-sector organizations across Canada that collect, use or disclose personal information in the course of a commercial activity.

Principle 4.1.4 of Schedule 1 of the Act specifically requires an organization to implement policies and practices to give effect to the principles enumerated in the Act such as developing information to explain the organization’s privacy policies and procedures. The development and publishing of a privacy policy would help meet this requirement.

Does my company need a privacy policy?

If your organization engages in commercial activities and collects, uses, or discloses personal information in the process, then you are advised to draft and communicate a privacy policy to meet your obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA).

The term "organization" is not limited to incorporated entities; it also covers partnerships and persons acting as sole proprietors who engage in the activities listed above.

What are the consequences of not having a privacy policy?

Non-compliance with PIPEDA or other privacy legislation may result in a complaint being made to the Privacy Commissioner. The Privacy Commissioner may investigate the practices of an organization and initiate court proceedings. This could result in damages being awarded or in an order compelling the organization to comply with the Act.

PIPEDA and other pieces of privacy legislation also do not prohibit private court actions from being commenced by an individual.

Can I write my own privacy policy?

Because of the unique nature of every organization and the data it collects, it is generally not recommended that you draft your own privacy policy or use a privacy policy generator without enlisting the services of a lawyer. While it may appear to be a simple document, there are a variety of questions that must be asked to ensure the policy best protects you. Privacy policies are also copyrighted documents, so it is not legal to copy a document being used by another company without consent.

What content should be in a privacy policy?

While this list is not exhaustive, a privacy policy should generally contain:

  • How personal information is defined
  • What personal information an organization collects
  • Why the information is collected
  • How this information is safeguarded from misuse and theft
  • Which third parties personal information may be shared with and why
  • Who to contact with any questions or complaints

This document should be written in plain language and be easy to navigate so that the average customer is generally aware of how information about them will be used.

The Office of the Privacy Commissioner of Canada has released an article, Ten tips for a better online privacy policy and improved privacy practice transparency, which contains helpful information on developing the most effective privacy policy. These suggestions include avoiding boilerplate templates by being specific about the data you collect. Working with a lawyer to develop this policy is a great way to achieve these objectives.

How do I get a privacy policy?

If you contact Weilers, a lawyer at our firm will sit down with you to understand why and how your business collects personal information and which third parties you may share information with. Once you have retained our services, we can draft a policy for you that is perfectly suited to your needs.

Visit our contact page to schedule a consultation with one of our experienced business lawyers.

About the Author

Mark Lahn is an associate lawyer at Weilers. Prior to becoming a lawyer, he worked in the technology sector and assisted businesses with the implementation of the EU General Data Protection Regulation (GDPR) framework. Mark is focused on providing practical and solutions-focused legal advice across a variety of business matters including employment, privacy, litigation, and general corporate affairs.