Week 8 - Privacy Law in Canada.pptx

Full Transcript

Week 8 Privacy Law in Canada (Ch. 18)

Main Topics and Learning Outcomes
18.1 - Describe the data privacy laws in Canada
18.2 - Describe the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada
18.3 - Discuss the role of the Office of the Privacy Commissioner in Canada
18.4 - Summarize the marketer's challenges with PIPEDA and the handling of personal data
18.5 - Describe the use of Canada's National Do Not Call List (DNCL)

Class Discussion
1. What measures do you take to ensure the security of your data when using online services?
2. Can you describe a time when you or someone you know experienced a data breach? What were the consequences?
3. In your opinion, what are the most common vulnerabilities that lead to consumer data breaches?

Database Breaches - Tip of the Iceberg
- Updated in January 2024 by Information is Beautiful - https://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
- An interactive visualization that shows the global impact of data breaches.

Class Activity
- Has your data been breached?
- Video - Firefox Monitor
- Go to Firefox Monitor - https://monitor.firefox.com/
- Check your email account... check 'em all!
- Any breaches? Are there any that are significant?

Who Monitors Canadians' Privacy? In Canada
- The Office of the Privacy Commissioner of Canada (federal) - https://www.priv.gc.ca/en/
- Each province has a Privacy Commissioner, too!
- Information and Privacy Commissioner of Ontario - https://www.ipc.on.ca/
- Competition Bureau - https://www.priv.gc.ca/en/for-individuals/ (note: this link goes to the Privacy Commissioner's page for individuals, not to the Competition Bureau's own site)

Class Discussion
- Credit cards, personal data... What about facial recognition technology? Is it personal data?
- How do you perceive the use of AI facial recognition technology in public and private spaces, and what concerns do you have regarding your data privacy?
- What potential risks does AI facial recognition pose to personal data security, and how can individuals mitigate these risks?
PIPEDA  Personal Information Protection and Electronic Documents Act  Enforced by the Office of the Privacy Commissioner of Canada (enforces The Privacy Act)  PIPEDA applies to organizations that collect, use, or disclose personal information for commercial activity. It applies across Canada, but some provinces have similar legislation (BC, AB, and QC).  Video - PIPEDA and Your Business Role of the Privacy Commissioner  Investigate all complaints but will discontinue if the complainant’s issue is trivial or frivolous.  Seek to educate companies on compliance matters.  Resolve issues outside of the Federal Court.  Companies that obstruct the Commissioner’s investigation or destroy records will face a maximum penalty of $100,000 per case. Personal Information PIPEDA Protected  PIPEDA defines personal information as “information about an identifiable individual.”  Applies only to personal information. Not Protected  Your corporate information, such as name, title, business address, and telephone number (your business card info that is publicly disclosed). Why? Shared freely inside your company and outside. PIPEDA Mandates The business must clearly state intentions and practices for the use of your personal information. Three requirements: 1. Individuals must consent to the collection, usage, or disclosure of their personal information for commercial activity. 2. Limits the collection of personal information to what is necessary to identify the person  Sensitive questions are not permitted – What are examples of sensitive questions? 3. Requires personal info to be collected by fair and lawful means. PIPEDA Challenges for Companies  Poorly designed websites that allow hackers to access backdoors to consumer and business data. 
- A business must clearly state its intentions and needs for consumer data and allow consumers to say "no."
- PIPEDA limits the retention of personal data and requires data to be destroyed, erased, or rendered anonymous once it is no longer needed for the purpose for which it was collected. Example: a contest entry. Once the draw is complete, the records are destroyed.
- Be careful when handling consumer data! Data breaches are far too common.

Additional Requirements under PIPEDA
The user has the right to:
1. Access their personal information held by the company.
2. Correct and update their information.
3. Access the organization's privacy policies and practices.

Ten Principles of PIPEDA
1. Accountability - The organization is responsible for personal information under its control and must designate someone accountable for its compliance with PIPEDA.
2. Identifying Purposes - The purposes for which personal information is collected must be identified at or before the time of collection.
3. Consent - The individual's knowledge and consent are required for the collection, use, or disclosure of personal information.
4. Limiting Collection - Collection is limited to what is necessary for the purposes identified by the organization.
5. Limiting Use, Disclosure, and Retention - Personal information may be used or disclosed only for the purposes for which it was collected, unless the individual consents or the law requires otherwise. It may be retained only as long as necessary to fulfil those purposes; afterwards it is destroyed, erased, or rendered anonymous.

Ten Principles of PIPEDA (cont.)
6. Accuracy - Data must be as accurate, complete, and current as necessary for the identified purpose.
7. Safeguards - Companies must protect personal information with safeguards appropriate to its sensitivity: physical (locked cabinets, restricted office access), organizational (need-to-know access, staff training), and technological (access controls, encryption, secured databases).
8. Openness - The company must make its policies and practices for handling personal information readily available to individuals.
9. Individual Access - On request, the user must be told what personal information is held about them, be given access to it, and be able to challenge its accuracy and have it corrected.
10. Challenging Compliance - An individual must be able to challenge the organization's compliance with these principles, and the challenge is addressed to the person accountable for compliance.

Consent - Opt-in/Opt-out
Language needs to be clear on consent and cannot be vague.
Examples:  Opt-out—If you do not want to be contacted by us in the future, please check the box below (you check it, not the marketer). Your opt-out must be within a reasonable timeframe, not four months. Say 24-72 hours.  Opt-in – I would like to receive more information about your products.  Against the law! You cannot pre-check the opt- in box.  Must provide alternatives to consenting to company policies (in the past, Ticketmaster Be privacy proficient: Get meaningful consent  Video - Consent Exceptions to PIPEDA A business may need to disclose personal info without the person’s consent:  If the person breaches an agreement or contract or has violated a law in Canada or within a province.  The business is compelled to provide due to a subpoena, warrant, or order issued by the court.  The business must disclose if the information can aid in an emergency threatening a person’s life, health, or security.  Company discloses to an institution that conserves records of historical or archival importance. Other exceptions are where the person’s data is collected by a public source (i.e. telephone directory) or data gathered from a third party regarding the delivery of flowers. Bill C-27 – Digital Charter Implementation Act  Bill C-27 contains three proposed Acts related to consumer privacy, data protection, and AI systems. The proposed Acts are:  The Consumer Privacy Protection Act (CPPA)  The Personal Information and Data Protection Tribunal Act (PIDPTA) – Updates for PIPEDA  The Artificial Intelligence and Data Act (AIDA).  In Parliament but still in the process to becoming new laws (still a few years away)  Been in process since 2022 Why Bill C-27?  There is a need to protect Canadian’s personal data  Other jurisdictions enforce tough laws to protect consumers’ data, ensure businesses use personal data for intended purposes, and safeguard it from nefarious actors. 
- Tough new laws around the world:
  - EU - General Data Protection Regulation (GDPR). Many countries are mirroring GDPR's tough rules on businesses that handle consumer data.
  - California - California Consumer Privacy Act (CCPA)
  - Quebec - Law 25

Is Your Data the New Currency? The New Marketing Reality

Collecting a Child's Information
- PIPEDA is largely silent on marketing to children, but some provinces have legislation in place (BC and AB).
- Most companies follow the CMA (Canadian Marketing Association) Code of Ethics and Standards of Practice on marketing to children under 13 (a parent's or guardian's consent is needed).
- Do children understand consent?

CMA's Code of Ethics and Standards of Practice - Children and Teens
Summary of Consent Provisions for Marketing to Children and Teenagers

Age              Type of Information                 Opt-in Consent Requirement
Under 13         Any personal info                   Parent or guardian
13, 14, and 15   Contact info                        Teenager
13, 14, and 15   Personal info beyond contact info   Teenager and parent or guardian
16 and over      Any personal info                   Teenager

Transferring Personal Data Out-of-Country
Companies may store consumer data in other countries. Why? If they do:
- They must clearly state their privacy policy and make users aware.
- Transferring data out of Canada is not a violation of PIPEDA. Once transferred, your data is still protected by PIPEDA (the Canadian organization remains accountable for it) and is also subject to the data privacy laws of the other country, including lawful access by that country's authorities.
- When doing business online with an organization outside of Canada, look

Behavioural Advertising & PIPEDA
- You search "baby strollers," and you begin seeing banner ads for diapers.
- You search "Mexico" and begin receiving vacation ads.
- Target knew a father's daughter was pregnant before he did! HOW???
- Is it legal? Is it illegal?... Yes!
- Your online presence is tracked (e.g., cookies, location data from services such as Google Maps, and device identifiers), and advertisers aggregate your habits - presto! Online advertising tailored to you.
- However, some cases are too sensitive (someone researching STI remedies, medical remedies, or other sensitive health matters), and the Privacy Commissioner's guidance on online behavioural advertising says such sensitive information should not be used for it.

Cookies - The Marketing Reality
- Google extended its deadline for ending third-party cookies in Chrome to 2025.
- Why did Google delay it? Not the first time!
- Do other browsers gather third-party data?
- First-party and second-party data are the new reality. Gone are the days of easily and cheaply buying third-party data. Marketers need to recognize the shift and adapt.
- Video - What's The Difference Between First, Second and Third Party Data?

Canada's Anti-Spam Legislation (CASL)
- Pertains to commercial electronic messages (email, SMS/text messages, and similar).
- Requires consent before sending; each message must identify the sender and provide a working unsubscribe mechanism.
- Strict legislation to protect the public: administrative monetary penalties of up to $1 million per violation for an individual and up to $10 million per violation for an organization. CASL also contains a private right of action ($200 per violation, up to $1 million per day), but that provision has not been brought into force (class action lawsuits would be HUGE!).

Privacy and Telemarketers
The National Do Not Call List (DNCL) is managed by the CRTC (Canadian Radio-television and Telecommunications Commission).
- Consumers can register their numbers on the DNCL.
- Telemarketers must also maintain their own internal "do not call" list, and when a consumer makes the request it must be honoured within 14 days. Compliance is mandatory and enforced by the CRTC.
- Violations carry administrative monetary penalties of up to $1,500 per violation for an individual and up to $15,000 per violation for a corporation.
- Are you registered??? https://www.lnnte-dncl.gc.ca/index-eng

Exemptions to DNCL
- Canadian registered charities
- Political parties, riding associations, and candidates
- Newspapers of general circulation soliciting subscriptions
- Organizations conducting market research, surveys, or public opinion polls
- Organizations with which a consumer has an existing business relationship. An "existing business relationship" is defined as:
  1. The consumer has purchased, leased, or rented a product or service from the telemarketer within the last 18 months.
  2. The consumer has a written contract that is still in effect or expired within the last 18 months.
  3. The consumer has asked the telemarketer about a product or service within the last six months.
