British Columbia Online Privacy Practices

The Office of the Information and Privacy Commissioner for British Columbia has published another document to help businesses improve online privacy practices. This comes after an August 2013 report from Global Privacy Enforcement Network (GPEN) that shows B.C. companies have work to do to make their privacy policies clear and accessible to the public.

GPEN is an organization that enforces privacy laws at the national and sub-national level. Agencies in the following countries and regions have been accepted as members of GPEN: Canada (British Columbia), Australia (Victoria, Queensland), the European Union (Bulgaria, Berlin, Czech Republic, France, Germany, Ireland, Italy, Netherlands, Poland, Slovenia, Spain, Switzerland), Israel, Korea, New Zealand, United Kingdom (Guernsey) and the United States.

As part of their mandate, GPEN partners assessed more than 2,000 private sector websites to see what companies were telling users about the amount and type of personal information being collected, used and disclosed. The Internet sweep was meant to replicate the consumer experience by spending a few minutes per site checking for performance against a set of common indicators.

On a smaller scale, the Office of the Privacy Commissioner did the same and examined more than 250 websites doing business in the province, including charities, private colleges, law firms, credit unions, retailers, property management companies and health care organization.

  Global results B.C. results
Total number of websites searched 2,186 254
Number of sites where no privacy policy was found 464 (23%) 114 (45%)
Number of sites where concerns arose about locating the privacy policy on the website 493 (22.5%) 25 (10%)
Number of sites where concerns arose about contact information of privacy policy 419 (19%) 16 (6%)
Number of sites where concerns arose about readability of privacy policy 688 (31.5%) 135 (96%)
Number of sites where concerns arose about relevance of information in privacy policy 620 (28%) 85 (61%)
Total number of sites for which one or more concern was identified 1,091 (50%) 253 (99%)
Average word count of privacy policy 1,659 N/A


The results of both examinations indicate among other things that

  • 45 percent of B.C. businesses did not have the required privacy policy posted on their website, which is more than double the global average of 21 percent
  • there was not enough information to users about the type and amount of personal information they collect
  • the policies were written in technical or legalistic language, making it difficult for the average user to understand what they were consenting to

Commissioner Elizabeth Denham said,

“B.C. businesses should be open and transparent about how they collect, use and disclose personal information, and to provide meaningful information about their personal information practices in clear and plain language. Customers must be able to make informed decisions about how their personal data will be used and to take steps to protect their privacy.”

The Personal Information Protection Act require B.C. organization to develop and put into practice policies and procedures to protect the personal information that they collect, use and disclose.

To develop policies and procedures that protect personal information, organizations must first identify the reasonable purposes for which their organization collects, uses and discloses personal information. This allows the organization to determine what information it needs to fulfill its business purposes and ensure that personal information is collected, used and disclosed only for the reasonable purposes that they have identified.

To this end, and to help businesses comply with the Personal Information Protection Act, the Office of the Privacy Commissioner has published a new guidance document to help companies write clear, transparent and complete online privacy policies. The guide in PDF format is called Practical Suggestions for your Organization’s Website’s Privacy Policy.

Once drafted, organizations need to communicate their privacy policies to customers and employees. They should make information available explaining their policies and procedures, such as in brochures, contracts and on websites.

Comments are closed.