The Personal Information Protection and Electronic Documents Act ("PIPEDA") was introduced in 2001 to protect Canadians from inappropriate collection, use and disclosure of their personal data by organizations in the course of commercial activities. Five years later, it is not clear to what extent organizations are in fact respecting the legislation. This study was designed to shed some light on that question, by assessing the compliance of retailers with certain key provisions of PIPEDA.
We assessed the compliance of 64 online retailers with the PIPEDA requirements for Openness, Accountability and Consent. We also assessed the compliance of 72 online and offline retailers with the PIPEDA requirement for Individual Access. The results of our assessment indicate widespread non-compliance in all four areas.
A number of policies we examined were misleading, suggesting, for example, that no secondary use or sharing of personal information would take place without the consumer's explicit consent, but then assuming such consent unless the consumer exercised an often inconspicuous or incomplete opt-out.