
Best Practices for Mitigating Business Risk Through Effective Online Privacy Policies

By Terry McQuay

In May 2005, Nymity completed the most extensive privacy policy research project of its kind. Responding to the advancement of private-sector privacy laws in Canada, the firm identified privacy policy best practices, as defined by 18 of the world’s leading authorities, and then completed detailed analyses of the leading Canadian firms in the banking, telecommunications, insurance, retail, and consumer-services industries. The result of the project was the creation of a National Privacy Policy Index.

Nymity is a Toronto-based privacy risk-management firm that provides solutions to help organizations identify, quantify, mitigate, and monitor business risk associated with privacy. Its premier offering is PrivaWorks, a Web-based privacy risk management toolkit that incorporates the index.

Best-Practice Privacy Policies Result From Transparency

Nymity identified more than 130 privacy-policy best practices, detailing each in its National Privacy Policy Index. In general, best-practice online privacy policies provide details of the organization’s policies and practices regarding the collection, use, and disclosure of personal information. They define how an organization provides access and maintains security safeguards. They define consumers' rights and obligations, while providing notice of data disclosures and cross-border data transfers. Detailed policies include a short notice, a “frequently asked questions” section, and a definitions section, and they provide relevant examples throughout. The policies reference customer agreements and any other documents that outline customers' obligations.

Nymity’s research identified a number of business liabilities that result from poor privacy policies:

  • Increased number of complaints
  • Reduced revenue, as consumers may refuse to provide personal information or may provide false personal information
  • Consumer frustrations with privacy concerns
  • Findings of noncompliance from privacy commissioners in Canada
  • Increased risk of becoming the target of privacy advocacy organizations
  • Charges of deceptive business practices

Effective privacy policies mitigate business risk by accomplishing the following:

  • Providing the details required to comply with privacy laws
  • Reducing the number of privacy complaints
  • Providing a framework to successfully manage complaints
  • Demonstrating accountability to consumers, business partners, and the commissioners' offices
  • Building consumer trust, as consumers who read privacy policies want specifics on the organization's information-handling practices
  • Providing notice in a corporate consent strategy
  • Outlining consumer obligations and expectations
  • Serving as notice of business practices related to data disclosures

After analyzing the privacy policies of a wide range of firms, Nymity found that the Canadian banking and telecommunications industries had already adopted many, if not most, of the policy considerations identified in the National Privacy Policy Index. Three factors account for their success in this realm:

  • Both the Canadian banking and telecommunications industries have been subject to the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s private-sector privacy law, since 2001.
  • Most organizations in these two industries had complied voluntarily with the Canadian Standards Association’s 10 privacy principles long in advance of PIPEDA.
  • For the last four years, most of the privacy complaints that have reached the federal privacy commissioner’s office have involved the banking and telecommunications industries.

As Nymity’s research findings demonstrate, organizations should be motivated to update their privacy policies -- not just to mitigate business risk but also to build consumer trust.

Terry McQuay is president of Nymity.




 

Sponsor: Microsoft Corporation