Among North American and European companies, Canadian firms have the strongest and most consistent privacy policies, according to a recent Forrester Research report. Canadian and European privacy laws tend to be more holistic, while the United States is stronger in healthcare and financial services.

“I know European countries like Germany and the United Kingdom have strong privacy laws in place, but I was surprised to see how consistently better Canada was doing,” says Jennifer Mulligan, analyst and lead report author.

A major difference is employee training, she says. Many privacy issues are really personnel issues, and many privacy mistakes are made by individuals. “People can make mistakes with [social networking] sites like Facebook, or they can take data home with them.” With strong privacy policies, “people are shown how they need to handle information. Then firms ensure they are handling it right.”

Canadian firms have more mature privacy programs compared to companies elsewhere. They also have more consistent training and do a better job at tracking deviations from privacy policy, according to the study. When asked if they had a formal privacy program with representatives from multiple departments, 84 percent of Canadian companies answered positively. The lowest positive response came from France, with 47 percent. When asked whether they train employees, 86 percent of Canadian companies answered affirmatively. The lowest, France, had 64 percent. In terms of tracking privacy policy exceptions, 81 percent of Canadian companies answered “yes,” compared to the lowest, (again) France, with 50 percent.

Outside the United States, people also tend to have greater control over their private information. In Europe, many privacy laws and policies are based on Organization for Economic Cooperation and Development codes. A major principle is that a person’s information belongs to him or her alone, says Mulligan. People are more enlightened about how companies use their information; they also have easier access to information that is held on them and more power to ask companies to alter or delete that information. As an example, Mulligan cites recent efforts by the U.K. information commissioner to ensure that Facebook and other social networking sites completely delete a customer’s information on request.

European companies are also more protective of their employees’ information. “The U.S., in comparison, is just getting around to protecting employee data such as Social Security and payroll information,” says Mulligan.

American laws tend to side with corporations. Companies have more freedom to sell their customers’ information. Customers more frequently have an “opt out” choice when it comes to information sharing, compared to an “opt in” choice abroad. “In the U.S., we look at customer data as a rich source of information for marketing purposes,” says Susan Jayson, executive director of the Ponemon Institute, a privacy research center.

One benefit of the American model is that it can allow for more creativity and innovation, says Mulligan. For example, “We see a lot of businesses like Google making money with the information people have given them. In the U.S., there’s more innovation but a greater risk companies will overstep their bounds.”

One privacy area in which the United States leads is data breach notification, says Jayson. The state of California has been setting a good example, she says. U.S. companies are also more likely to encrypt sensitive data.

Among all surveyed companies, regulations were the biggest driver of privacy policy, according to the study. For small- and medium-sized businesses, however, competition was a greater motivator than for other enterprises. Twenty-seven percent said competition was a very important privacy policy driver, compared to just 19 percent of all businesses. “Privacy is a very hot topic, and because smaller, more agile companies can make sweeping changes more quickly than larger companies, they can make their privacy efforts a key business differentiator,” states the report.