Think that as a small business owner you don’t need to worry about privacy laws?
Think again. Every business in Canada has to follow the regulations.
But just what are those regulations, and how do you ensure you are not breaking them?
That’s the topic of today’s article. But there’s a lot of information to cover, so I’m going to break it into two parts.
This week I’ll provide an overview of privacy laws in Canada. Next week I’ll talk about best practices to help you stay legal.
What are privacy laws?
Privacy laws protect the personal information that a business might hold about one of its customers.
For example, their address, phone number, what they bought, their credit card number, etc.
In Canada, there are actually several such laws. Some are federal, some are provincial. Some apply to specific situations or industries, others are more general. There are also some laws that, strictly speaking, aren’t privacy laws but are so closely related that I include them in the same bucket (such as CASL, Canada’s Anti-Spam Legislation).
I’m not going to go into the names of the various laws. Instead, I’m going to give you a general overview of what such laws represent, and what the implications are for your business.
Who do the laws apply to?
The federal laws apply specifically to federal government organizations. As a small business, you generally don’t have to worry about them. However, there are exceptions. For example, if you provide services to the Government, and in any of those services you have access to customer information, you have to abide by the federal privacy laws. In such situations, the Government typically addresses your privacy obligations in the contract you have with them.
But provincial laws are different—they generally apply to all businesses that operate in that particular province. This includes businesses that are incorporated, those that aren’t, as well as self-employed persons. Provincial laws are typically the ones you need to make sure you are following.
What do the laws say?
Generally speaking, the laws state that you are not allowed to reveal any personal information about any of your customers. If you do reveal any piece of personal information, no matter how small, it is called a breach. Breaches can lead to fines, or even imprisonment.
What’s considered “personal information”?
The term “personal information” covers a broad list of data. It basically refers to any piece of data that can be attached to an individual.
For example, a person’s:
- Address
- Phone number
- Email address
- Gender
- Age
- Race
- Marital status
- Disability status
- Salary
- Banking information
- Credit card number
- Employment history
- Correspondence
- Opinions
But that’s just a partial list. Personal information can also include any information that you, as a business owner, have in your records (or brain) about the person, such as characteristics, practices, habits, finances, purchasing history, etc.
How do breaches occur?
It’s actually much easier than people realize for a breach to occur. Let’s take a look at a few scenarios to demonstrate.
Scenario 1
You have just sold your services to a new client. You tell your sister: “I just sold a $1,000 package of services to Mr. X.”
Is this a violation of privacy laws?
Answer: Probably. You have told your sister that Mr. X is your customer, that he purchased something from you, and that the purchase cost $1,000. All three of those pieces of information might be considered private, and may be covered by privacy laws. Think of it this way: if you are an exterminator, your sister now knows that Mr. X has pests, and potentially what type of pest if she knows everything your $1,000 package includes. Maybe he is trying to sell his house, and if news leaks out that he had the place fumigated, maybe he won’t be able to make a sale. So you can see why a breach of privacy may be a big deal.
Scenario 2
A couple comes into your store and says their son just bought some items from you. They say they are worried that he bought gaming equipment, which they had specifically forbidden him to buy. They want to know if he did indeed buy such equipment. You tell them what was purchased.
Is this a violation of privacy laws?
Answer: If their son is under legal age, probably not. But if the son is of a certain age (which is as low as 16 in some provinces) then probably yes. On top of this, how do you know that the couple were actually the boy’s parents? If they weren’t, then, again, you likely violated a privacy law.
Scenario 3
Your website has a contact form that asks for a visitor’s name and email address. After you have collected a number of email addresses this way, you hire a company to send out advertising emails to that list. In order to do that, you give them your list of customer email addresses.
Is this a violation of privacy laws?
Answer: Possibly. Even if you have the marketing company sign a confidentiality agreement, you may be violating the privacy of your clients. Why? Because your client didn’t give you permission to share their information. If, on the other hand, you do have an agreement in writing from your client stating they give you permission to share their information, then it might not be a breach. I say “might not” because how a privacy law pertains to any one given situation depends on a number of factors (province, type of information, any agreement between you and your client, etc.).
Scenario 4
You are talking to your client on the phone in the comfort of your living room. Your spouse is in the same room.
Is this a violation of privacy laws?
Answer: Possibly. If your spouse doesn’t work in your business, then you are revealing information to a third party. In my experience, by far the easiest way to breach privacy is to talk about a client’s business where someone else can overhear. Be careful when you talk about anything to do with your clients. Is someone else in earshot? (That includes your partner, children, office mate, a stranger walking past, etc.)
What else do I need to know about privacy laws?
Privacy laws do more than just prevent you from sharing a client’s information. They can also limit the type of information you are allowed to collect, what you can do with that information, and how long you can keep it. Let’s take a look at another scenario.
Scenario 5
On your website, you have a short ebook that you give away for free. In order to get it, a visitor just has to fill out a quick online form in which they give you their email address. You send them the ebook, then add their email to your contact list. A week later you send them your monthly newsletter.
Is this a violation of privacy laws?
Answer: Probably. Why? Because the client gave you the email for one purpose: to get the free ebook. Under some privacy laws, you can only use information you have collected for the specific purpose you told the client you needed it for. If you told them it was to get the free ebook, then that’s all you can use it for. That means you can’t then send them a newsletter, marketing emails, and so on.
The bottom line
By now you can probably see how complicated the privacy regulations can be and how they can impact your business on a daily basis.
So you want to make sure you take the time to learn what you need to do—and not do—with your customers’ information.
The good news is that these laws have been around long enough for best practices to have developed. And that will be the topic of next week’s article.