Office of the Privacy Commissioner of Canada / Commissariat à la protection de la vie privée du Canada
Fact Sheets

Protecting Your Privacy on the Internet

Canada’s new privacy law

Surfing the Net can be fun and educational.

Email is a great way to stay in touch with family and friends. Chat groups and discussion groups allow you to communicate with people with similar interests.

Most people are aware of the Internet’s benefits, but not everyone is aware of how the Internet can threaten personal privacy and the steps you can take to protect your privacy in cyberspace. There are some simple steps you can take to safeguard your own privacy, and you do have certain protections under the Personal Information Protection and Electronic Documents Act.

The Personal Information Protection and Electronic Documents Act, also known as PIPEDA, has been coming into effect in stages. In the first phase, the act applied to personal information about customers or employees in the federally regulated sector – such as banks and telecommunications companies. In the second phase, PIPEDA was extended to cover personal health information collected, used, or disclosed by these organizations.

PIPEDA entered its third and final stage of full implementation in January 2004, and now covers all personal information of customers that is collected, used, or disclosed in the course of commercial activities by private sector organizations, except in provinces which have enacted legislation deemed to be substantially similar to the federal law. To date, this has happened only in Québec, although it is expected that legislation in Alberta and British Columbia will soon be found substantially similar.

The Act applies to personal information collected, used or disclosed in the course of commercial activities, whether in the “real” world or on the Internet. It also applies to personal information disclosed to another province or country for profit or gain, where the information is the subject of the transaction. The Act specifies what information a Web site can collect from you, and how. It also specifies how this information can be used. As well, it gives you control over how your personal information, including your email address, is used.

The Act also gives you the right to gain access to and correct information a Web site has about you.

Under the Act, you have the right to make a complaint to the Privacy Commissioner of Canada if:

  • You run into any difficulties obtaining your personal information;
  • An organization covered by the Act refuses to correct information you consider inaccurate or incomplete;
  • You suspect your personal information has been improperly collected, used or disclosed; or
  • You believe an organization is not following any provision of the law.

Visit the following links for discussions about how to protect your privacy when surfing the Net.

On the Web

Chat, Discussion and News Groups

Electronic mail

Resources

Glossary


On the Web

What can happen:

Many Web sites collect personal information – some are just more obvious about it.

Some Web sites ask for personal information before granting access. You may be asked for your full name, age, address, telephone number, and even questions about your personal preferences.

Other Web sites collect information in more subtle ways such as making a record of your Internet Protocol (IP) address and of the Web pages you visit.

Web sites do this by placing one or more “cookies” on the hard drive of the computer you are using. “Cookies” are small files of text that can collect and store information such as:

  • the Internet Protocol (IP) address of your computer;
  • how many times you have visited the site;
  • your preferences, such as a preferred language;
  • your user name and password;
  • items in your “shopping cart”;
  • Web sites you’ve visited;
  • any information such as your name; and
  • any unique alphanumeric character string that can be linked to your personal information.

This information allows Web sites to identify you the next time you visit. This makes it unnecessary for you to identify yourself every time you visit a Web site and it allows it to provide customized information such as the sports scores of your favourite teams.

However, cookies also enable Web sites or marketing networks to create a profile of you based on the information you have provided and your browsing patterns, often for advertising purposes.

This profile may be forwarded to an advertiser who selects advertisements to pop up on your screen that appeal specifically to you. Advertisers may also use this information to send email ads for products and services they think you might like.

Once information is collected, it can be used, shared – and possibly abused – in countless ways. It can be difficult to determine what happens to personal information circulating on the Internet. Media stories about hackers gaining access to supposedly secure Web sites and obtaining credit card numbers and other personal information suggest that few, if any, Web sites are completely secure. Poor information handling and security practices may cause risks to your privacy by allowing unauthorized access. So may the dishonest or disgruntled insider who has legitimate access to your information but uses it fraudulently.

Obviously, the best way to protect the privacy of your personal information is by never giving it to a Web site – but that’s not always practical. Using the Internet to shop, obtain services and get information is convenient and beneficial for many people. These activities may require the use of personal information.

The best approach minimizes the collection, use and disclosure of the personal information you submit, and ensures that it is managed according to fair information principles. Web site privacy policies are a good first step. Privacy “certification seals” offer another level of comfort and trust for users of online services. Canada’s framework of privacy laws and regulations provides an additional layer of protection.

Organizations covered by the Personal Information Protection and Electronic Documents Act are required to inform you fully and accurately about what personal information they collect, why they collect it, what they intend to do with it and how they protect it. Organizations must always have your informed consent before they may collect, use or disclose your personal information, and you must be given meaningful options for accessing that information and for resolving privacy issues and complaints.

In a perfect world, companies would always protect your personal information. Unfortunately, this is not the case. Below are some tips on how you can do this yourself.

What you can do

  • Always read the Web site privacy policies or statements before submitting personal information, particularly sensitive financial or medical information. If you don’t fully understand part of the policy, ask for clarification. Never consent to something you do not understand.
  • Refuse some or all of the cookies that Web sites offer you. They may use this information for marketing purposes. Reduce the amount of personal information that you provide and don’t provide information that is not required. Check the opt-out provision that limits the use of the information you provide.
  • Surf anonymously by using third party software that hides your real IP address.
  • Use a disposable email address instead of your usual one when giving contact information to unknown parties on the Internet.
  • Always insist on secure, encrypted Web connections to conduct any sensitive transactions such as making Internet purchases or doing banking online.

Chat, Discussion and News Groups

What can happen:

If you take part in chat groups and other online discussion forums, then you may be posting messages to a public site that all the world can read. Anyone from the simply curious to potential employees can search for copies of your messages, which may be kept indefinitely. It is possible to find the names of chat or discussion groups in which you participate, and the names of news groups to which you subscribe. The names of those groups alone can reveal a lot about you.

What you can do:

  • Participate in chat or discussion groups under a pseudonym.
  • Be discreet. Don’t provide personal information unless absolutely necessary.
  • Use a disposable email address that can be discarded.
  • Some groups that store your old messages offer tools that allow you to delete them for good; do it!

Electronic mail

What can happen:

Email is a highly convenient and cost-effective way to communicate. Your private email address, along with the content of personal email messages, is your personal information. You should be aware of the many privacy risks to email and what you can do to reduce them.

Unwanted solicitations or junk messages, otherwise known as spam, are clogging email boxes in increasingly intrusive and offensive ways. The collection, use and disclosure of your email address without your consent is a serious and growing privacy concern. It may also be a fraudulent or criminal matter.

Some of the unwanted email messages you receive may seem to “know something” about you and be specifically targeted to your interests. If so, you may have been profiled based on other personal information associated with your email address. If you have filled in an online survey, entered a contest, joined a mailing list, made an inquiry or purchase – and provided your email address – chances are that you have been profiled. Profiling is a common tactic in advertising and direct marketing, where reaching a specific type of customer is essential for success.

Email advertisers and marketers go to great lengths to personalize their email messages and to measure the response rates of direct marketing campaigns. If you click on a link within a message, this action may be registered and associated with your profile. Spammers may even include fake opt-out links in their messages – clicking on any link may confirm the email address is “live” and fits the profile of someone who responds to direct marketing pitches. Any way in which you respond that is measurable may go into your profile. This profile is worth money. It can be sold dozens of times around the world, without your knowledge or consent, which leads to more spam – and a serious privacy concern.

Another common practice is the embedding of “Web bugs” in emails, which send messages back to the sender when previewed or opened. These bugs measure live views of the email, confirm valid email addresses, and may collect behavioural and computer information on the subject. A “Web bug” can also place a cookie on the hard drive, providing the IP address for pop-up ads.
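How a mail filter or a cautious reader could spot the “Web bugs” described above, shown as an added example that is not part of the original fact sheet: it lists every image in an HTML message that would be fetched from a remote server when the message is opened. The function names and the shop.example addresses are made up for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

class _ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k: (v or "") for k, v in attrs})

def _is_tiny(img):
    """True when the image is declared 0 or 1 pixel in size or hidden by CSS."""
    style = img.get("style", "").replace(" ", "").lower()
    dims = (img.get("width", ""), img.get("height", ""))
    return any(d.strip() in ("0", "1") for d in dims) or "display:none" in style

def find_web_bugs(raw_email):
    """Return (url, reasons) for each remote image that could report an open."""
    msg = message_from_string(raw_email, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:  # text-only mail cannot carry an image beacon
        return []
    collector = _ImgCollector()
    collector.feed(body.get_content())
    findings = []
    for img in collector.images:
        url = urlsplit(img.get("src", ""))
        if url.scheme not in ("http", "https"):
            continue  # embedded (cid:/data:) images do not contact a server
        reasons = ["fetching it tells the sender when and from which IP address"]
        if _is_tiny(img):
            reasons.append("invisible: 1x1 pixel or hidden")
        if parse_qs(url.query):
            reasons.append("URL has query parameters that can identify the recipient")
        findings.append((url.geturl(), reasons))
    return findings

# Constructed sample message for illustration (not a real mailing).
SAMPLE = (
    'From: news@shop.example\nSubject: Weekly deals\nMIME-Version: 1.0\n'
    'Content-Type: text/html; charset="utf-8"\n\n<html><body><p>Deals!</p>'
    '<img src="cid:logo"><img src="https://track.shop.example/o.gif?uid=8841" '
    'width="1" height="1"></body></html>\n')
```

Calling `find_web_bugs(SAMPLE)` reports only the 1x1 remote image; the embedded logo is ignored, and a message with no HTML part returns an empty list.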

A new, very serious email scam is known as “phishing”. A fraud artist sends an email that appears to come from a reputable company or business. The message indicates a problem with the recipient’s account, and asks for account numbers and other personal information to “correct” the file. This information is then used to commit identity theft and fraud.

Some email messages introduce viruses, worms and Trojans into your computer system. Messages may contain attachments that embed malicious code into your computer to corrupt files or hijack your home page or modem. This code may spread itself to other computers using your email address book. Remote surveillance tools can be installed that monitor and transmit your online behaviour, record your keystroke pattern, or open backdoors on your computer system that allow hackers to actually take control from a distance.

Most of us have strong expectations of privacy when sending email, but the reality is that sending an email message is like sending a postcard. It is not technically difficult for a copy to be made in transmission. And once you send an email, you have lost control over it and its contents. In this world of electronic networks and instantaneous communications, your “personal” message can be forwarded to a public forum for the entire world to see with the click of a mouse. Whether in the public domain or not, email messages are often permanently archived and subject to indexed search and retrieval. Perhaps one of the most serious privacy violations occurs when someone else obtains your username and password to your email account. With this information, your incoming mail can be downloaded and read by others for years, without you ever knowing.

What you can do:

  • Be cautious when providing your email address online. Always read the privacy notice and be sure you are dealing with a legitimate entity. As a rule, don’t provide someone else’s email address online.
  • Use disposable email addresses for mailing lists, contests, etc.
  • Read all your email messages offline. If possible, read them in text only format.
  • Do not respond to spam in any way. For legitimate businesses, choose to opt out as soon as possible.
  • Install and use anti-spam, firewall, anti-virus and other privacy and security enhancing software, and keep it up to date. Download and install critical security patches from your operating system.
  • Use email encryption for particularly sensitive messages.
  • Do not open attachments from unknown senders.
  • Regularly change your password for accessing your email accounts.
  • When forwarding messages, delete the previous recipients’ email addresses.

Resources

The following Web sites provide additional information about online privacy issues, including information about privacy tools such as encryption, anonymous remailers and software for anonymous browsing:

www.epic.org

www.privacyexchange.org

www.privacyrights.org

http://www.cdt.org/privacy/pet/

Coalition Against Unsolicited Commercial Email (CAUCE) Canada
www.cauce.ca

Pourriel Canada
www.pourriel.ca

Canadian Marketing Association / Association Canadienne du Marketing
www.the-cma.org

Glossary

Anonymous browsing – several companies offer software, some of it free, that allows you to create fake online names so you can browse Web sites, exchange emails and participate in chat groups anonymously.

Anonymous remailers – organizations that forward your email to its destination after removing any information that could trace it back to you.

Banner ads – Web site advertisements, often in the form of a bar or banner across the top of the screen or a button you click on for more information. When you see a banner ad appear, a cookie is usually being added to your hard drive.

Chat groups – two or more users communicating in real time with computers via the Internet. The group can consist of two people or dozens. Chat groups take place in either public or private chat rooms. The conversations can be a free-for-all or a structured discussion on a prearranged topic.

Cookies – small text files that are placed on your computer’s hard drive when you visit Web sites. Cookies collect and store information about you based on your browsing patterns and information you provide.

There are two kinds of cookies that a Web site can use. Persistent cookies are stored on your hard drive for many months or years. Per-session cookies are cached (stored in memory) during your visit to the Web site and are automatically deleted from your computer when you disconnect from the Internet.

Privacy seals – seals of approval granted by organizations such as TRUSTe, BBBOnline and WebTrust. The seals are intended to demonstrate that a Web site has adopted appropriate policies to protect personal information and to assure individuals that they are visiting a Web site they can trust. Disclaimer – keep in mind that these seals are not monitored and anyone can “stick” a seal on their Web site.

For more information, contact:

The Office of the Privacy Commissioner of Canada
112 Kent Street
Ottawa, ON
K1A 1H3
1-800-282-1376