Be careful with the secrets you reveal to on-line retailers. You just don’t know where your personal data could end up and how it might be used.

This was the warning issued by Ottawa-based Canadian Policy and Public Interest Clinic (CIPPIC) following its release of a survey that showed “widespread non-compliance with federal privacy laws.”

Funded by the Privacy Commission of Canada, the survey, entitled Compliance with Canadian Data Protection Laws: Are Retailers Measuring Up?, questioned 64 online retailers on their observance of legal requirements for accountability, openness and consent in collecting customer data.

It also polled 72 online and offline retailers on their compliance with “individual access” – the PIPEDA requirement to inform individuals of the existence, use and disclosure of their personal information upon request, and to give individuals access to that information.

The survey’s findings are hardly encouraging.

While 94 per cent of retailers surveyed did have privacy policies, these tended to be lengthy, ranging from 1,000 to 2,000 words. In most cases, policies were not conspicuously visible to consumers.

The survey also found 48 per cent of the retailers share information with other companies for purposes beyond those necessary for the transaction or service originally sought by the customer. Furthermore, only one of these companies restricted data-sharing to its affiliates. Yet 34 per cent did not offer consumers a choice regarding this practice during the registration or ordering process.

Some 78 per cent of the sample companies rely on opt-out methods to obtain consumer consent to secondary use or disclosure of their personal information.

In at least 18 cases, the assessors were not sure whether consent to secondary use or disclosure was mandatory because the privacy policy was either unclear or non-existent. Thus 39 per cent of the companies were found in violation of PIPEDA’s rules.