
Modern commerce involves personal information. Customer transactions with your company are no longer centered on a simple exchange of money for goods and services. These interactions have evolved to include a client’s personal information, such as their name, address, credit card number and potentially even their spending habits. Storing and using this information is what helps your business remain relevant in today’s marketplace, and technology-savvy consumers know this. It is this re-invented relationship with your customer that makes it important for your business (small or large) to have a corporate policy structured and focused on safeguarding that personal information.
In Canada, private companies are required to comply with the Personal Information Protection and Electronic Documents Act (“PIPEDA”), which regulates how you may collect, use, store and disclose the personal information you gather as you conduct your business. Some provinces and industry sectors are subject to even further regulations.
In this digital era, where there is so much information at our fingertips, it can often be difficult to discern what is considered “personal information”. The first step in drafting a privacy policy is to decide what kind of data your company collects about a consumer and identify the reasons for doing so. That exercise will be shaped by the type of business you run, the interactions you have with your customers and the platform on which you conduct business (i.e. “brick and mortar” vs. e-commerce).
PIPEDA sets out a list of fair information principles that, if followed, will ensure a company stays “on the right side” of privacy law. The majority of these guidelines focus on values you would expect to be prioritized when handling sensitive personal information: accountability, accuracy, consent and safeguards. Ensuring your business considers and weighs each of these principles when creating and tailoring its privacy policy is essential.
At any point, a customer can file a complaint with the Office of the Privacy Commissioner of Canada (“OPC”) if they are concerned about your company’s privacy practices (whether founded or not!). Following the guidelines above and ensuring your privacy policy is readily available to your clients (a great way to do this is on your website) can be a huge factor in mitigating any potential damages in the event litigation is commenced or complaints are made to the OPC.
Don’t get me wrong; it is perfectly legal for your business to collect personal information. In fact, opening a client file and storing this data may help you provide better customer service. You just need to remember you have an obligation to ensure you are using, storing and disclosing this personal information in a responsible manner. At the end of the day, the more you actively protect your customer’s information, the greater the trust and potential loyalty they will have for your company. It’s not just legally savvy – it’s business savvy!