Ajax Privacy and Cybersecurity Lawyer, Rajen Akalu, of Akalu Law P.C., provides his thoughts on privacy policies.
I’ve worked on a lot of privacy policies. When a business collects personal information through its website, a privacy policy will be necessary. However, though a privacy policy is necessary, it is generally by itself not sufficient to meet an organization’s privacy obligations. This is because, in the event of a privacy violation, the privacy commissioner will investigate the organization’s actual information handling practices, not just its stated intentions. As a practical matter, while most companies state “we take your privacy seriously”, they actually take their compliance obligations even more seriously. It’s not that the companies are necessarily bad actors (although some are); they are simply responding to incentives. As Bruce Schneier has aptly noted, “All major websites run on advertising, and the more personal and targeted that advertising is, the more revenue the site gets for it. As long as we users remain the product, there is minimal incentive for these companies to provide any real privacy.” So the challenge for regulators, businesses and academics is to protect privacy in ways that reconcile this inherent tension. Not easy, but that’s why it’s a good research topic! Since privacy law is based on individual consent and facilitated by notice-and-choice approaches, privacy policies are the cornerstone of a company’s stated data handling practice.
Do I need a privacy policy?
Under Canada’s federal private sector privacy law, organizations that collect personal information must inform users about their privacy practices. A privacy policy serves as a legal document that informs users how their personal information is collected, used, stored, and protected.
A well-drafted privacy policy helps protect your business from potential disputes and liabilities. By clearly outlining how data is handled, you mitigate the risk of misunderstandings or legal challenges from customers who may feel their privacy rights have been violated. This document serves as a safeguard, demonstrating that your business takes data privacy seriously.
What should I include in a privacy policy?
A well-structured privacy policy should address the following key elements:
- What data is collected (e.g., names, emails, IP addresses, payment details)
- How the data is used (e.g., marketing, analytics, customer support)
- Third-party sharing (if data is shared with advertisers, partners, or service providers)
- Security measures taken to protect user information
- User rights regarding their data, including access and deletion requests
- Contact information for privacy-related inquiries
Do customers read privacy policies?
The short answer to this question is no. There is a lot of academic research to support the view that privacy policies are not read by consumers. This is something of a paradox, because if you were to ask consumers whether they care about their privacy they would say emphatically “yes”. So this raises the question: why bother with a privacy policy at all? A privacy policy is written for the most part to protect business interests. It is important to have a privacy policy as this communicates to customers how their data is collected, used and disclosed. It is the document that privacy regulators will look to when investigating a privacy complaint, so it is important that the privacy policy reflects the business’s actual data handling practices.
Can I create my own privacy policy online with ChatGPT?
I’m quite sympathetic to this view. If you’re starting up, the last thing you will want to do is spend a lot of money on lawyers! ChatGPT can be a viable solution for privacy experts who are knowledgeable about the current law and have experience writing privacy policies. However, it is not a great solution for people who are inexperienced, nor for small businesses that do not know which privacy laws apply to them and what the disclosure requirements of those privacy laws are. The Office of the Privacy Commissioner of Canada provides some useful resources. This would be a useful starting point.
Final thoughts
A privacy policy is one of the key ways an organization provides information on its privacy and data handling practices. Privacy policies are necessary, and while you could write one yourself, there is an increased risk of not complying with the privacy laws applicable to your business. You would also miss the opportunity to really understand how the information generated by your business can provide actionable insights in ways that do not violate the privacy rights of customers. Such insights can transform a compliance obligation into a competitive and commercial advantage.
A good first step would be to speak to someone who understands privacy policies – like a privacy specialist or lawyer.
Rajen Akalu
647 299 5079
rajen@akalulaw.com