Website Privacy Policies

A Website Privacy Policy outlines what personal information is being collected by your business, how your business collects it, why your business is collecting it, who has access to it, and how long your business will retain it for. Personal information is simply defined as information about an identifiable individual.

A Privacy Policy also outlines if your business shares this personal information with any third parties, as well as any steps you take to ensure the security of such information.

In Canada, any business that collects or uses personal information of customers must have a privacy policy in place. The law that requires this is called the Personal Information Protection and Electronic Documents Act (PIPEDA). Businesses must comply with their own privacy policies and failure to do so can result in fines or sanctions from privacy regulators in Canada.

Here are some key sections that should be included in your Website Privacy Policy. These should be adapted based on your specific business practices.

• What information you collect: This clause sets out what personal information your website collects.
• What you do with the information you collect: This clause informs the user about what happens to their personal information after it is collected. For example, your business may use a name and address to ship products purchased online. Always ensure that only essential information that is necessary to fulfil a stated purpose is collected.
• How you keep the collected information safe: Personal information must be kept secure and only accessible by authorized personnel. Such personnel should be required to take appropriate security measures to protect personal information from unwanted disclosure. Have policies in place to protect against data breaches and cybercrime. If loss or misuse occurs, your business could be held responsible.
• Whether your website uses third-party services: It is important to disclose information about third-party services used by your website because the Privacy Policies of these third parties may be different. Users are entitled to know who has access to their personal information and what policies apply to those service providers. For example, a website might use a third-party credit card processor to process payments. This should be disclosed in the Privacy Policy so that the user can see who has access to their credit card information and how they handle such information.

While you may choose to download a  generic Website Privacy Policy online as a cost-saving measure, we recommend against doing this. This is because these standard, generic Privacy Policies will likely not be sufficient to reflect your actual business practices. This means it will be a non-compliant policy or a policy that you cannot or do not comply with, thus opening the door to sanctions from privacy regulators.

Moreover, copying another site’s Privacy Policy could constitute copyright infringement. As such, it is a good idea to have custom a Privacy Policy created for your website or business.

As a best practice, your Privacy Policy should be linked in your website’s footer. You also provide a link to your Privacy Policy in locations where you request to collect your customer’s personal information such as sign-up forms and check-out pages.

You should update your Privacy Policy anytime there has been a material change to any of your business practices regarding personal information or privacy. For example, you should update your Privacy Policy when you collect new types of personal information that you did not collect in the past, if you start using collected personal information in a new way, if you change how long you retain personal information for, or if you start sharing personal information with a new third-party service provider.

Your Website Privacy Policy can be changed at any time. However, you should take reasonable steps to inform your user of any changes you make. Specifically, any time you make material changes to Privacy Policy, you should notify your users about the changes. You can do this by sending an email notification or setting up a website pop-up notification advising the users of the changes.

While there are online resources for creating Website Privacy Policies, having a lawyer-drafted Privacy Policy offers significant benefits. A lawyer ensures your policy is compliant with current data privacy laws and regulations, which can vary by location. They also tailor the policy to your specific data collection practices, safeguarding you from potential legal issues. This not only protects your business but also fosters trust with users by demonstrating transparency and responsible data handling.