Personal Information Protection and Electronic Documents Act (PIPEDA)

The Personal Information Protection and Electronic Documents Act ("PIPEDA") was introduced in 2001 to protect Canadians from inappropriate collection, use and disclosure of their personal data by organizations in the course of commercial activities. Five years later, it is not clear to what extent organizations are in fact respecting the legislation. This study was designed to shed some light on that question, by assessing the compliance of retailers with certain key provisions of PIPEDA.

We assessed the compliance of 64 online retailers with the PIPEDA requirements for Openness, Accountability and Consent. We also assessed the compliance of 72 online and offline retailers with the PIPEDA requirement for Individual Access. The results of our assessment indicate widespread non-compliance in all four areas.

While almost all companies we assessed had a privacy policy and were thus aware of the need to respect customer privacy, many failed to fulfill even basic statutory requirements such as providing contact information for their privacy officers, clearly stating what they do with consumers' personal information, and responding to access-to-information requests. A significant proportion of the policies we examined were unclear on key points such as whether or not consumer information is shared with other companies. Many failed to provide a clear and conspicuous method for consumers to opt out of unnecessary uses and disclosures of their personal information, often relying on a clause buried deep in a lengthy privacy policy that consumers are unlikely to review.

A number of policies we examined were misleading, suggesting for example that no secondary use or sharing of personal information would take place without the consumer's explicit consent, but then assuming such consent unless the consumer exercised an often inconspicuous or incomplete opt-out.


