December 6, 2000

Small Biz needs to gear up for privacy law

Key provisions of Canada's new privacy law come into effect on January 1, 2001. But most businesses that collect personal data, even those not affected by its provisions should prepare themselves immediately according to one government expert.

"The legislation will have less of an impact on smaller businesses than on bigger ones," says Sharon Maloney general counsel and vice-president (government relations) at the Retail Council of Canada. "But companies that sell over the Internet, engage in inter-provincial trade or who do business in provinces with existing or forthcoming legislation such as Quebec, Ontario or B.C., will also have to deal with privacy issues."

Maloney advises companies that collect personal information, even those not directly affected by the act, to comply with its provisions immediately. Many companies are accumulating large databases, which in an era of one-to-one marketing may contain potentially valuable information. But those databases will be worthless if companies have not obtained the consumer's consent to use that information.

Unfortunately businesses have not been as fully briefed on the implications of privacy legislation and their responsibilities, as they were when other legislation such as the GST was implemented, says a document made available by the council.

Titled Canada's New Privacy Law: No Off-the-Shelf Answers, the document, which is available on the council's Web-site at:, deals with the concerns of retailers in adapting to the legislation. But the information also applies to most other businesses concerned with privacy.

"There is growing consumer awareness of the privacy issue," says Maloney. "Companies are going to be fielding questions from people concerned about the use of their private data, and they should get the answers ready."

Canadian consumers have been demanding greater privacy protection - particularly in an era of the Internet economy -- for some time. One RCC/IBM study identified privacy and security concerns as the key factors in consumer's decisions about whether to shop online.

Other studies confirm these results. In fact many business groups - normally opposed to federal regulation - actually pushed to have the bill implemented in order to build consumer confidence in the Net. Many businesses have pushed ahead in implementing privacy procedures ahead of the legislation.

Canadian companies that market across the country already deal with the requirements of the Quebec government, the only province with existing privacy legislation. These provisions stipulate consumers must have a chance to opt out of consenting to any use of most personal data.

Newspapers and magazines that rent other companies their subscriber lists usually include a small print text box in each publication, informing the public what action to take that if they want their name removed from the list. Ontario has similar legislation in the works.

In Canada, the Personal Information Protection and Electronic Documents Act, (formerly Bill C-6) came into effect on January 1 of this year for companies engaged in inter-provincial trade that buy or exchange their customers personal data.

Crown corporations and all federally-regulated institutions, including chartered banks and broadcasting and telecommunications companies are also affected. For most other public companies, the implementation date will fall three years later. The provisions are based on the Canadian Standard's Association's Moral Code for the Protection of Personal Information, which now forms the core of the legislation.

The provision requires that marketers obtain consent to collect use or transfer information about an individual, or to use that information for purposes other than the original purpose that it was collected for. It also requires that companies identify what the information will be used for, collect only information that is necessary for those purposes and that they give individuals access to all information collected about them.

The provisions are often unclear can be pretty constraining. For example if a bicycle shop collected customer information in its database over the last two years for the purpose of sending out ad material to its customers, it could continue doing so after the legislation went into effect. But since the customers never gave consent to have their personal information provided to third parties, that customer list could not be sold. What's more, the act requires that customer consent be documented, which could prove to be a regulatory burden.

For consent to be valid, the purposes for which personal data are being accumulated and used must be clearly understood. This consent may be either implied - in the case of basic information such as name address, E-mail on so on. In these cases a small "opt-out" bullet should be sufficient. In the case of personal medical or financial information express consent is required.

The Privacy commissioner of Canada's office is in the process of preparing information on how businesses can cope with the legislation. This info should be available on their Web-site early next week at:


E-mail can be sent to Diekmeyer at


Home | Gazette articles | Eye on Ottawa | Book reviews
E-mail can be sent to Diekmeyer at
© 2000 Peter Diekmeyer Communications Inc.