When writing your policy, be sure to use plain language! It does not have to be written in legal terms; more importantly, it should be easily understood by users of your site.
In Alberta in Nov 2020, the Commissioner proposed that the Office of the Commissioner be granted authority to levy administrative monetary penalties and that it be required to create rules for such penalties. She also recommended that fines for offenses be increased to mirror those in other Canadian jurisdictions.
What should be included:
Avoid talking in generalities and “catch-all” terms (i.e. “your information”). Instead, make clear what personal information is collected (e.g. identification documents/numbers, date of birth, video surveillance images or cookies, as applicable) and for what purpose (e.g. identity verification, security or marketing).
Consent: If you disclose personal information to “third parties” (including support/tech consultants or outside third parties), explain who those parties are, or what services they provide. You must be clear about how this information is distributed and to whom.
Your policy should include how this information is used or disclosed and the choices people have (e.g. opting out of the use of personal information for marketing/newsletter purposes), and clearly explain how they can exercise those choices. NOTE: Newsletters fall under CASL rules in Canada, and customers should be able to opt out of receiving them.
Provide a clear explanation of how people can obtain access to their personal information held by your organization, and how they can request correction or deletion of this information. This should be kept in your digital records in case you are audited as well.
How is this governed?
Online behavioural advertising may be considered a reasonable purpose under the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA defines personal information as “information about an identifiable individual”. Information will be about an identifiable individual where there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other available information.
In Alberta, you may need to note if any or all information is collected in compliance with section 33 (c) of the Freedom of Information and Protection of Privacy (FOIP) Act.
If you have questions or concerns, you may contact: https://www.alberta.ca/personal-information-protection-act-overview.aspx