Harrison Pensa LLP

23 January, 2025

Does your business meet customer privacy expectations?

Jan 28 is Data Privacy Day. Frankly, from a high-level perspective, privacy is a bit of a mess.

At one extreme, businesses and governments in some places don’t care about privacy, and get away with egregious collection, use, and sale of personal information and sloppy security. This isn’t just in surveillance states like China. In the United States, for example, police make extensive use of license plate cameras that are not allowed in Canada. U.S.-based data brokers collect and sell ridiculous amounts of information about people. 

At the other extreme, there are places that have overly prescriptive, detailed privacy laws that are well-intentioned but impractical and expensive to comply with. They are the privacy compliance equivalent of using a sledgehammer to kill a fly in a china shop. Examples are the GDPR in Europe, and Quebec’s privacy law.

Quebec’s privacy law is so prescriptive and onerous that small businesses outside of Quebec may choose not to sell their products and services there because potential sales won’t be high enough to pay for compliance. 

In the United States, there is no generally applicable Federal privacy law. Privacy in the U.S. is covered by a growing number of State privacy laws, but, of course, they don’t all contain the same requirements.

Multi-jurisdiction compliance

The trend in privacy laws is moving away from the Canadian PIPEDA approach that sets out privacy principles with mediation-based enforcement. Most newer privacy laws have detailed prescriptive requirements, with enforcement based on potentially massive fines for violating technicalities. This makes multi-jurisdiction compliance difficult and costly. One might ponder whether, when it comes to privacy laws, we are better off with an approach that emphasizes effective protection rather than one that mandates granular details. But it seems that the ship has sailed on that one.

Speaking of PIPEDA, Bill C-27, which included the CPPA that was going to replace PIPEDA, died when Parliament was prorogued. So it’s back to the drawing board on that one. While PIPEDA isn’t terrible, and the CPPA wasn’t a perfect replacement, PIPEDA is a bit tired in places.

Basic privacy principles businesses and organizations should follow when dealing with personal information include: 

  • bake privacy in rather than tack it on 
  • don’t collect more personal information than one needs 
  • use personal information only to provide the services it is needed for 
  • don’t give or sell personal information to anyone else 
  • get rid of it when you are done with it 
  • secure it 
  • educate staff so they understand their obligations

I often tell clients to look at privacy from the perspective of customer expectations. If a customer is ever surprised at what you do with their information, you have failed.

The bottom line is that businesses and organizations might be subject to multiple privacy laws. In addition to tending to the basics, they need to determine what laws apply, what is needed to comply, and perhaps whether it is prudent to avoid certain jurisdictions.

For individuals, it can be a difficult and time-consuming task to read and understand the privacy policies of every business or organization one deals with. At a bare minimum, try to deal only with legitimate and reputable entities. Look at privacy choices offered and allow only what is needed to obtain the service. Don’t overshare, use good password hygiene, and be skeptical of anything that might be sketchy.

David Canton is a business lawyer and trademark agent at Harrison Pensa with a practice focusing on technology, privacy law, technology companies and intellectual property. Connect with David on LinkedIn, Bluesky, and Twitter.

Image credit: ©Masque – stock.adobe.com
