Many Internet sites are now posting privacy policies to convince customers that they have a privacy-friendly site and business operation. This is in response to the dictates of some large companies that are insisting on an adequate privacy policy before the company will advertise on that Web site.

The response is also a reflection that privacy and security are fundamental to consumer acceptance of e-commerce.

I have had an opportunity to review some of the privacy policies of Web sites. Often these guidelines only describe the use of the personal information and the non-disclosure to third parties, except as described in the privacy policy. The policies, with few exceptions, do not provide for access to one’s own personal information, a requirement that is fundamental to all legislated and credible voluntary data protection schemes, nor are the other data protection principles addressed.

A notable exception in this regard is one of the national Internet access providers that claims to have adopted the Canadian Standards Association’s Model Code for the Protection of Personal Information (CAN/CSA Q830-96). This privacy policy is significantly stronger than anything I have seen on a North American Web site, with the possible exception of those sites that have a legislated obligation to protect privacy.

Among those with a failing grade, I have noticed that responsible and well-meaning organizations sometimes cross the line to collect or use personal information in inappropriate ways.

For example, I noticed one site that asks for information about year of birth and gender. Provision of the information about gender is mandatory in order to take advantage of the site’s services, as the site owners believe this information is necessary and useful to understand the demographics of their customers. Be that as it may, it is inconsistent with all privacy codes to make the provision of personal information a condition of service when the personal information is not required for the actual provision of that service.

In another example, a training site claims in the contractual and employer benefits sections of their site that they will make information about your course registration and the course descriptions that you have browsed available to your employer. There might be certain circumstances where this disclosure is appropriate. For example, the employer may be paying for the course and the employee may be collecting her salary while attending the course. However, this same disclosure would be a serious invasion of the individual’s privacy for those students that are taking the course without employer support. Those individuals may be gaining expertise in technology that is not used by the employer. In those cases, the assumption by most employers would be that the individual is preparing to change jobs. But the actual reason doesn’t matter – the Web site has no business disclosing the information to the employer without the individual’s consent.

In yet another example, a Web site claims to conduct surveillance of their system using authorized systems administrators. No reason for the surveillance is given. I have previously commented on surveillance (please see “Think carefully before venturing into surveillance territory,” CWC, June 4, 1999). In that case, there was even less justification for surveillance because there is no employee-employer relationship as discussed in that column.

I’m not suggesting that businesses are setting out to develop privacy-hostile practices; they just seem to get caught up in a race to leverage information without first considering the privacy implications. Web site owners need to improve their understanding of privacy and to conduct formal privacy reviews to avoid situations as noted above. This is especially true if they are to avoid contravening the proposed private sector privacy legislation.

Boufford, ISP, is president of e-Privacy Management Systems Inc., a consulting firm specializing in privacy and IT in Lakefield, Ont. He is also a national board member of the Canadian Information Processing Society. He can be reached at or