As public concern over Internet privacy has grown in recent years, one of the first responses is invariably to focus on the need for improved disclosure through easily accessible website privacy policies. The policies provide information on how personal information is collected, used, and disclosed to third parties.

While few visitors read the policies from start to finish, it is important for websites to ensure that they are accurate, since misleading statements can lead to liability. The need for accuracy is particularly true if you’re say, the Prime Minister of Canada. Yet a reader recently noticed that the Prime Minister’s Office website may be incorrectly stating its use of cookies, which are small files that may be placed on user’s computer hard drive by a website to monitor usage or identify repeat visitors.

Cookies can be used for a single visit to track how a user arrived at the site or which pages they visit. Alternatively, some cookies are “persistent” since they remain on the user’s hard drive for months or years, often storing information such as language preferences or repeat visit data.

In 2003, the Privacy Commissioner of Canada was asked to rule on the privacy issues associated with cookies in a complaint against Air Canada. The commissioner ruled that “information stored by the temporary and permanent cookies qualified as personal information for the purposes of the Act.”

The Prime Minister’s website features a prominent “Important notices” on its front page, which directs visitors to the site’s privacy policy. It states:

We do not regularly use “cookies” to track how our visitors use the site. Whenever we enable “cookies” to facilitate your transactions, we will first inform you.

Notwithstanding the assurances that no cookies track how visitors use the site, the site currently inserts at least five cookies on a user’s computer. Two cookies expire at the end of the visit, one lasts for the day, another remains on the computer for six months, and one stays on the computer for two years.

The site does not provide explicit information on the cookies, but it appears that several are related to Google Analytics, a commonly used service that analyzes website traffic and visitors. The cookies on the Prime Minister’s site can be used to track the time of the visit, repeat visits, how the visitor arrived at the site (search engine, link from another site), and how long the visitor stays on the site.

An additional cookie may be linked to a Twitter feed on the site. The Twitter cookie allows that service to track users who are logged into their account at the time and have not requested to stop tracking in their preferences.

The Prime Minister’s website is not the only site that has adopted this language but appears to use regularly use cookies. Two related sites – a site devoted to the Speech from the Throne and one on the government’s Economic Action plan - both use the same policy language and insert similar cookies.

The source of the problem appears to be the use of an old sample Treasury Board privacy policy that was designed for sites that do not use cookies. Given that these sites use cookies, the policies are inaccurate and should obviously be replaced.

The failure to properly disclose the site’s privacy practices points to three issues. First, the use of sample privacy policies may often create problems since websites collect and use personal information in different ways.

Second, websites should regularly revisit their privacy policies to ensure that they reflect current practices.

Loading... Loading... Loading... Loading... Loading... Loading...

Third, given the ease with which Internet users can be tracked online, the government should consider incorporating do-not-track provisions into its privacy legislation, thereby ensuring that user privacy choices are respected.

Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can be reached at www.michaelgeist.ca.