OTTAWA - All businesses — especially those operating online — should be upfront with customers about their data-collection practices as transactions move into the digital realm, Canada's privacy czar says.
Websites must explain clearly what personal information is collected, how it is used, whether it is disclosed to third parties and for what purpose, federal privacy commissioner Daniel Therrien says in his annual report on the private sector, made public Thursday.
The explanation should be readily seen, clear and useful — without the need for a law degree to understand it, he says. There should also be a designated contact to whom customers can pose questions and concerns.
"Without such transparency, customers cannot provide the meaningful consent necessary for a business to collect their personal information," Therrien says.
"Transparency helps make businesses accountable and breeds trust on the part of consumers. More and more, it will become integral to the smooth functioning of the online market."
Today's consumers can browse infinite brands and boutiques with their fingertips, all without having to leave their homes, Therrien notes.
But somewhere along the way consumers stopped simply being purchasers and became products themselves as companies began to systematically collect and analyze their personal data, he adds.
"Many online services are fiscally free with personal information taking the form of the real currency. In other words, cost-free content comes at a price of personal data rather than dollars," the report says.
"And, often as not, it's the online enterprise collecting the data, rather than the customer relinquishing it, who determines what happens next."
These days, personal data means much more than the name and address consumers knowingly submit, the report warns. It now includes information about a person's location, activities and preferences that flow automatically from smartphones and other electronic devices, often without the individual's knowledge.
Therrien is responsible for monitoring compliance with the federal privacy law governing the private sector and investigating complaints about possible violations.
In one case, the commissioner's office found Apple failed to be transparent in collecting payment information from users to create Apple IDs, even though certain apps — such as games or online news outlets — were available to download at no cost. Following an investigation, the company said it would address the issue.
In another case, Apple beefed up its privacy practices by giving users of iPhones, iPads and iPods more control over data collected about them for the purpose of serving up targeted ads.
Google came under the commissioner's scrutiny after a man who had searched online for medical devices to treat sleep apnea was shocked to see ads for such products popping up when he later browsed completely unrelated websites, the report says.
The privacy commissioner concluded sensitive health information was being used inappropriately to better target ads delivered via Google’s advertising service. Google promised to remedy the issue.
Forty-three of 67 complaints closed in 2013 with a report of finding were judged to be well-founded.
Therrien also stressed that governments — not just private companies — are interested in peoples' personal details, with information originally collected by the private sector increasingly winding up in the hands of public-sector agencies in the name of security and law enforcement.
Follow @JimBronskill on Twitter