Canadian Privacy Compliance: Time for your Online Checkup

In a previous post on online behavioural advertising (OBA), we wrote about the Office of the Privacy Commissioner’s ”call to action” to stakeholders in the advertising industry on OBA, and we discussed the industry’s response to that call: self-regulation.

2012 – Call to Action: the Privacy Commissioner’s Expectations 

In its 2012 Policy Position on Online Behavioural Advertising, the Office of the Privacy Commissioner (OPC) stated that it “may” be acceptable to rely on implied or opt-out consent when tracking and targeting individuals for OBA purposes, “provided that”:

  • Individuals are made aware of the purposes for the practice in a manner that is clear and understandable – the purposes must be made obvious and cannot be buried in a privacy policy. Organizations should be transparent about their practices and consider how to effectively inform individuals of their OBA practices, by using a variety of communication methods, such as online banners, layered approaches, and interactive tools;
  • Individuals are informed of these purposes at or before the time of collection and provided with information about the various parties involved in OBA;
  • Individuals are able to easily opt-out of the practice – ideally at or before the time the information is collected;
  • The opt-out takes effect immediately and is persistent;
  • The information collected and used is limited, to the extent practicable, to non-sensitive information (avoiding sensitive information such as medical or health information); and
  • Information collected and used is destroyed as soon as possible or effectively de-identified.

2013 – Industry Response: Self-Regulation

In response, the industry developed and launched the Canadian Self-Regulatory Program for Online Behavioural Advertising (the “Ad Choices program”), an initiative tailored to meet the requirements of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), as well as the OPC guidelines.  The initiative is led by the Digital Digital Advertising Alliance of Canada (DAAC), and is monitored and administered by the non-profit industry body Advertising Standards Canada (ASC). A growing number of brands and media companies have registered for the program.

We noted in our previous post that the OPC would no doubt be watching to see whether and how industry self-regulation meets its expectations under PIPEDA and its OBA guidelines.  We also noted, however, that the self-regulatory solution was not designed to cover all OBA activities.  For example, certain types of activities are expressly excluded from the Ad Choices program, such as “online advertising of entities within a web site they own or control” and “contextual advertising”, including ads based on the content of a web page being visited, a consumer’s current visit to a web page, and a search query.

Ongoing OPC Guidelines, Investigations and “Sweeps”

The OPC is not staying on the sidelines – it continues to take a keen interest in OBA and online consent more broadly.  For example, in January 2014, the OPC found that Google ads triggered by web surfing on health sites violated privacy rights.  As a result, Google committed to several measures, including closer monitoring of potential violations by advertisers.  In May 2014, the federal, British Columbia and Alberta Privacy Commissioners issued new guidelines for online consent, calling for transparent and dynamic privacy notices, and greater protections for personal information belonging to children and youth.

In 2015, the OPC is investigating websites visited by Canadians for compliance with OBA requirements.

The OPC has in past years conducted investigation and enforcement “sweeps”.  In 2013, the OPC led and participated in the first annual Global Privacy Enforcement Network (GPEN) Internet Privacy Sweep.  The sweep targeted privacy policies, and the OPC published the initial results of its investigations under the headings “The Good, the Bad, and the Ugly“. In 2014, the OPC again participated in the GPEN Sweep, investigating the transparency of privacy practices for 151 mobile apps that were made in Canada or frequently downloaded by Canadians.  The Results of the 2014 Global Privacy Enforcement Network Sweep are an overall, anonymous mobile app “report card”, ranking transparency to users, ease of access/reading on the small screen, and whether privacy information is available before download.

An OPC “report card” on OBA is expected to be released sometime in the Spring.

 

In the news:  see the recent Globe & Mail article “Watchdog to study ‘privacy compliance’ among Canadian advertisers“