Accounts and Personal Information
The definition of "Personal Information" encompasses many things that may not seem very personal at first. But Personal Information is an intentionally broad term. It includes anything that could be used to help identify a person. For example, an email address is Personal Information because it can be used to track down the owner of that address. Other pieces of information, like name, age, address, or phone number, are also Personal Information.
Additional Data Collection
Cookies are tiny data files that are stored on a user's computer. Cookies are used for a variety of purposes, but most commonly they are used to facilitate the saving of usernames and passwords, or to provide information to advertisers about the products or services the user has viewed online.
Third Party Applications
Many websites contain integrations with third-party service providers or other websites. These integrations increase the functionality of the website and can be very convenient. At the same time, user data can be shared with other websites, and users need to give their consent before their information is shared. Listed below are some common ways that websites can be integrated with third-party applications.
For most internet-based companies, user data is only ever stored in electronic form. But in some instances, companies print out user data and store that information on paper in their office. Users are entitled to know whether data storage will be entirely electronic, or if there are some paper-based processes. If information is stored on paper, the company will be under an obligation to take reasonable precautions to keep that data safe and confidential.
It is also important to let users know where their electronic data is stored. Each country has different laws about accessing electronic information. If you use data storage servers outside of Canada, user data may become subject to international laws. This is not uncommon, but users are still entitled to know which laws will govern the storage of their information. If all data is stored on servers located in Canada, then that data will be subject to Canadian laws.
No data storage system is perfect and security breaches are a risk in any business. Any website that collects user information must have a policy about how users will be informed in the event of a security breach. It is best to have a clear timeline for informing users of a security breach. The company should designate a senior employee to oversee its security policies, including the policy about responding to security breaches. This person is often referred to as the Chief Privacy Officer. If the GDPR applies to your business, then you must report a breach to the supervisory authority within 72 hours of becoming aware of it. This is the case unless you can establish that the breach has caused no actual risks for your users or other individuals.
If, due to the nature of your business, your website collects any information about anyone under 18, you must include additional details on the precautions the company takes to protect information related to children.