9 Out Of 10 Ontario Dentist Websites Violate Federal Laws
A website represents a vital part of any business’s forward-facing interaction with its customers and the public. Dental clinics are no different. The ones that don’t have a website are the rare exception rather than the rule.
I picked dentists for this write-up for the following reasons:
- A dentist is a medical professional that almost everyone, young and old, has a relationship with.
- Most good ones have a website.
- Lastly, most of their websites are incredibly basic. They do not collect credit card information or other (seemingly) sensitive personal information.
These sites contain the same standard things. High-resolution photos featuring porcelain white smiles and carefully written content about the quality service and friendly staff. An exhaustive list of all the wonderful services they offer. These are all things that should be there.
The vast majority also encourage prospective customers to get in contact with them via a ‘Contact Us’ page that features a pre-set form. This seems like a convenient and timely option. We have all seen them: a call for a name, phone number and email address right above a button to submit that information.
With all the focus on providing dental services, so many are unknowingly leaving themselves exposed to serious legal action.
The reason is the lack of two vitally important things for any website, particularly one that collects user information in any capacity. The first is a set of clearly outlined Terms & Conditions. The second, and more important from a legal perspective, is a clear and specific Privacy Policy. Without one, you are collecting users’ information without their informed consent.
If you are a dentist reading this right now, chances are extremely high that you have absolutely no idea of the danger your own website is putting you in. If you visit your dentist’s website or are looking for one, go with a dentist that has a plan for how your visit and information are handled.
Any Canadian dentist missing these on their website right now is opening themselves up to being sued. They are non-compliant with the Personal Information Protection and Electronic Documents Act (PIPEDA) and other similar provincial privacy laws. And that’s a very dangerous position to be in.
- How is user information being retained and disposed of? Do users know?
- How then are they providing informed consent? (legal requirement)
- What happens in the case of collecting information for patients under the age of 18?
- What happens if someone hacks your website and there is a data breach?
- How are you actively limiting collection?
- How are you safely disposing of user data?
- Who is accountable if things go sideways?
WHAT ARE WEBSITE TERMS & CONDITIONS?
Website Terms & Conditions give information about a website by outlining two fundamental things. The first is to give information about the website, particularly the website owner. The second is to clearly outline how users are supposed to treat and use the website and its content. This includes acceptable uses, prohibited uses, security, and disclaimers. Doing so limits the website owner’s liability.
One such example is if someone posts defamatory or illegal content on a website that doesn’t have clearly outlined Terms & Conditions related to those things. Many dental websites have comment and review sections. As unfair as it may seem, it can be very problematic for the website owner, as the ultimate responsibility for the site’s content is theirs.
Another form of protection is that strong Terms & Conditions provide an ideal place for making any disclosures required by law. The most important of those relate to the privacy and protection of user information. It is vital. This is what we alluded to before with the ‘Contact Us’ page.
WHAT IS A PRIVACY POLICY?
In Canada, citizens’ personal information is protected by PIPEDA and related provincial policies. As such, website owners must obtain an individual’s consent whenever they collect, use or disclose that person’s personal information. Individuals should feel secure that their information will be protected by appropriate safeguards. They must be able to see the who, what, when, where and how of their information when visiting your site.
While large media websites and other similar websites have ironclad policies and pop-ups, how many dentist websites (if any) have you seen that do?
We can tell you that 9 out of 10 do not. Most have never even considered the need for one. And it represents a ticking time bomb.
The thing is, privacy policies are mandatory across most of the globe. Good Terms & Conditions reference them and every website owner must include them. It is foolish to do without.
A Privacy Policy is a legal agreement explaining what types of personal information you gather from website visitors, how this information is used, and how you keep it safe.
WHAT’S THE BIG DEAL?
If you own a website, no one is accusing you of selling data for ads or collecting things maliciously. You are simply trying to serve and inform.
The thing is, if people are visiting your website, it is mandatory that you have a privacy policy in place.
One thing 99% of website owners don’t know is that just having a hosted (active) website means that you are collecting user information, including IP addresses, simply by people visiting your site. This, when combined with any other individual information, is treated as personal information as well. That puts the website owner on the hook.
These policies are required by law. In accordance with PIPEDA, the 10 principles every business website must comply with are as follows:
- Accountability – having someone who is responsible for the privacy and personal information of your users and clients
- Identifying Purposes – the reasons why user information is required
- Consent – up front agreement and consent
- Limiting Collection – collect only what you need
- Limiting Use, Disclosure, and Retention – limit the uses of the information and dispose of it quickly
- Accuracy – keep information as accurate as possible
- Safeguards – protect information as much as possible
- Openness – transparency about what you collect and do with it
- Individual Access – users have a right to access their info, you should have a process in place
- Challenging Compliance – give customers a way to challenge how their information is being collected and used
Having a website without those items outlined is like driving a car without insurance. Things don’t go bad until they do. And when they do, there is hell to pay. It’s the things you don’t know and don’t do that can get you in hot water.
WHAT CAN THEY DO?
The most important thing you can do as a website owner is to get a Privacy Policy in place ASAP. You should also have Terms & Conditions drafted that reference that policy.
Protect yourself and your business. Something is always better than nothing, but having one that actually covers you should be considered 100% mandatory.
Would you rather a loved one get dental work done by a professional or that they do it themselves via YouTube videos and Google searches?
People work hard to be experts.
That is not to say that creating one yourself is impossible. Along with the 10 principles above, the Office of the Privacy Commissioner of Canada has hundreds of pages of policy compliance information, best practices and suggestions. There are many hours of wormholes to be found. If you have the time to spare, it could be an interesting side project.
All websites are vulnerable to privacy breaches. All websites collect some form of user information.
As a business owner, you have to be responsible. You have to have plans and safeguards and communicate them clearly. Failure to do so could result in thousands of dollars in legal fees and a reputation as a business that doesn’t value and protect user privacy and information. That is a tough burden to carry.