Posted

Canadian Privacy Commissioner to Tech Companies: “Think about privacy before you launch a new application; don’t just leave it to luck and the lawyers.”

On June 21, Canada’s Federal Office of Privacy Commissioner released its 2010 annual report on Canada’s data privacy law, the Personal Information Protection and Electronic Documents Act (known as “PIPEDA”). According to the report, in 2010 the Office of the Privacy Commissioner:

§ Received 4,793 inquiries in 2010 under PIPEDA,
§ Received 108 “early resolution” complaints of violations,
§ Received 99 formal complaints of violations, and
§ Closed a total of 249 investigations into formal PIPEDA complaints.

Among other things, the Report states, “Social media networks, which some research suggests now link together more than half of all Canadian Internet users, were of particularly pressing interest to our Office.” This is consistent with similar statements that have been made by the UK Information Commissioner’s Office, and should indicate to any game or social media company with global ambitions that the days of flying under the radar of data protection authorities are coming to an end.

The Report includes discussion of the Office of Privacy Commissioner’s investigations into the privacy practices of Facebook and issues around the launch of Google Buzz and Google’s well-known street-view wifi data collection practice. The Report also covers a previously unreported investigation of online dating site eHarmony’s privacy practices. The investigation was prompted by a complaint by an eHarmony member. According to the Report, when she requested to delete her online account after her membership ended, eHarmony’s response was to tell her that her account was inaccessible to other members, but that the personal information could not be entirely removed.

The Privacy Commissioner found that the option to “close” an account was not readily accessible on the eHarmony website, and that the website did not provide a clear explanation of what eHarmony meant by the term “close the account.” Based on recommendations from the Office of Privacy Commissioner, eHarmony is establishing a two-year retention period for personal information collected from its users, providing a “clear and efficient process” for users to request removal of their personal information, and providing users with “clear information” on the difference between deactivating and deleting an account and on its personal information retention policy.

It’s important to note that the Report stressed that the office’s interest in the privacy practices of online dating sites is not restricted to eHarmony. The Report noted that other dating sites do not have privacy policies at all and others have policies but do not specify how they handle personal information after a user is no longer active.

The fact that the Privacy Commissioner felt the need to note that some websites do not have privacy policies is somewhat shocking. Since July 1, 2004, it has been a violation of the California Online Privacy Protection Act (OPPA) of 2003 to fail to post a conspicuous privacy policy on any commercial website that collects personal information about California residents.

The 132-page 2010 annual report is available at http://www.priv.gc.ca/information/ar/201011/2010_pipeda_e.pdf.