In November, the Online Interest-Based Advertising Accountability Program (Accountability Program) issued a Compliance Warning to website publishers that permit third parties to collect information for interest-based advertising on their websites, but are not yet providing consumers with notice of this practice on every webpage where data is being collected. This notice must link to an explanation of their practices and provide an easy-to-use choice mechanism.
The Compliance Warning, which can be viewed in full here, explains what website owners must do to come into compliance with this requirement of the Self-Regulatory Principles for Online Behavioural Advertising. It warns that strict enforcement will begin on January 1, 2014. Businesses which do not comply with this standard will not be eligible for BBB Accreditation.
Businesses must consult with their information technology services, website designers, and/or development team to discover whether third parties are collecting information on their websites. Businesses should also ensure that their contracts do not permit the collection of data for interest-based ads, or for selling to other businesses for such use.
This warning comes with a reminder that all BBB Accredited Businesses are expected to retain full control of their websites, in order to make any changes required to be in full compliance with the Better Business Bureau Code of Advertising and Code of Business Practices. This includes, but is not limited to, the modification of any false or misleading advertising, as well as the addition of a privacy policy where sensitive information is being collected from site users. Businesses who fail to ensure their websites are in full compliance with all Codes and Standards may not be considered for Accreditation.
Canada has two federal privacy laws: the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA). The Privacy Act gives individuals the right to access and request correction of personal information about themselves held by federal government organizations, while PIPEDA sets out ground rules for how private sector organizations may collect, use or disclose personal information in the course of commercial activities. PIPEDA also gives individuals the right to access and request correction of the personal information these organizations may have collected about them.
Oversight of both federal Acts rests with the Privacy Commissioner of Canada, who is authorized to receive and investigate complaints. In addition, the BBB Code of Advertising and Code of Business Practices promote the enforcement of Canada’s privacy laws by outlining that all BBB Accredited Businesses must safeguard the information they collect from consumers and be transparent about how the collected information is used.
Here are some tips for a better online privacy policy and improved privacy practice transparency, set forth by the Office of the Privacy Commissioner of Ontario:
Make your privacy policy about your business. Outline the information your organization collects and why (including secondary purposes such as marketing), how you will use such information and under what circumstances you will disclose it. Other organizations’ privacy policies may serve as useful references for style, formatting, and/or approach, but your policy should be unique to your organization.
Be specific and provide meaningful information. Avoid talking in generalities. This is your opportunity to avoid any potential confusion. Make clear what personal information is collected (such as identification documents/numbers, date of birth, video surveillance images or cookies) for what purpose (such as identity verification, security or marketing). If you disclose personal information to “third parties”, explain who those parties are, or what services they provide.
Privacy Choices. Tell customers about any choices you offer regarding the collection, use or disclosure of their information (such as opting out of the use of personal information for marketing purposes). Clearly explain how they can exercise those choices.
Provide a clear explanation of how people can obtain access to their personal information held by your organization. Also include how they can request correction or deletion of this information.
Explain how cookies are used. People look to your online privacy policy to learn not only how their information is collected by your website (such as through cookies and IP addresses), but also how the information they submit will be used and/or disclosed.
Keep your Privacy Policy Updated. Your privacy policy should reflect your current data collection methods and privacy management practices. You should always state when the last update took place.
Include Your Contact Information. If consumers have questions or concerns about your privacy policy, your information should be readily available for them.
Make privacy information easy to find. Place the link to your privacy policy somewhere prominent, such as your home page or the pages where personal information is collected.
Keep it simple. Explain your practices in ways that are easy to understand. Consider providing plain language summaries of complex subjects. Also consider removing any unnecessarily lengthy content.
For more information about PIPEDA and the Privacy Act, please contact the Office of the Privacy Commissioner of Ontario at http://www.priv.gc.ca/. There you will find a useful selection of guidance documents further outlining the privacy responsibilities of businesses and organizations.