Privacy And Online Behavioural Advertising
Online behavioural advertising (OBA) is becoming an increasingly popular form of advertising. If your business engages in OBA, it is important to understand the privacy risks associated with this practice.
If you have ever surfed the internet to look up a particular topic such as “Caribbean vacations” or “laptops” only to find that this same topic reappears in advertisements on other websites, then you likely have been the target of OBA.
While there are many benefits to OBA and online advertising generally, such as allowing businesses to compete with international and online companies, it carries with it certain privacy risks that businesses should be mindful of when engaging in this type of advertising.
WHAT IS ONLINE BEHAVIOURAL ADVERTISING?
The Office of the Privacy Commissioner of Canada (OPC) defines OBA as “tracking consumers’ online activities, across sites and overtime in order to deliver advertisements targeted to their inferred interests.”[1]
As people use the internet, they leave behind a rich trail of personal information. Some of this is deliberate, such as the posting of photos and comments. However, other times it is not. Through the use of certain technologies, businesses can keep track of your web browsing activity such as search terms used, web pages visited, advertisements viewed, articles read, purchases made and even your location. Businesses are tapping into this abundant source of information and using sophisticated data analytics to build personal profiles of individuals in order to deliver specific advertising to them that is tailored to their interests.
PRIVACY ISSUES
In Canada, the Personal Information Protection and Electronic Documents Act, SC 2000, c 5 [(PIPEDA) or equivalent privacy legislation in certain provinces] governs the collection, use or disclosure of personal information.
Personal information is defined as “information about an identifiable individual” [s. 2(1)]. The OPC has stated that it will generally consider information collected for the purpose of OBA to constitute personal information.[2]
Pursuant to privacy legislation, an individual’s consent is required for the collection, use or disclosure of personal information. Privacy legislation does recognize that the form of consent can vary. For example, express (opt-in) consent is typically appropriate for sensitive information and implied (opt-out) consent for less sensitive information. The OPC has stated that implied consent may be a reasonable form of consent for OBA, provided that certain conditions are met including, but not limited to:
- making the individual aware of the practice in a clear and understandable manner before collection occurs; and
- providing them with the ability to easily opt out of the practice with immediate and persistent effect.[3]
However, the OPC has cautioned that its 2011 OBA Guidance does not render opt-out consent the default for all OBA and that careful consideration of all the circumstances must be taken into account. On April 7, 2015, the OPC published its findings that a mobility company’s Relevant Advertising Program (RAP), which consisted of using customers’ network usage and account / demographic information to serve targeted advertising, violated PIPEDA.
While the RAP providers did not have access to information that identified particular customers, and while the company gave customers the option to opt out of the RAP, the OPC nevertheless found that “the sheer breadth of information being used or contemplated for the RAP… renders such information more sensitive when compiled” and therefore express opt-in consent was appropriate for the use of such sensitive information.
In addition to the sensitivity of the information, the OPC also considered the reasonable expectations of the company’s customers. It found that the company used its customers’ information for the purpose of delivering its primary paid services and therefore its customers would reasonably expect it to obtain express opt-in consent for the use of their information for the new secondary purpose of OBA.
As a result of the OPC’s findings, class action lawsuits were launched in Ontario and Quebec against the mobility company and its affiliate claiming $750 million in damages for, among other things, breach of privacy (the tort of intrusion upon seclusion) arising from the unauthorized use of consumers’ personal information for the RAP.
BUSINESS TAKEAWAYS
The following four strategies will help businesses comply with their obligations under privacy law when engaging in OBA.
Obtain appropriate consent (express or implied). Given the OPC’s findings against the mobility company, businesses using OBA should consider whether seemingly innocent, non-identifying pieces of information they are collecting could be considered sensitive information when compiled together. If so, this would require express consent.
Provide clear information regarding OBA practices. Privacy legislation requires that businesses obtain meaningful consent. Accordingly, businesses should provide users with clear information regarding their OBA practices. This should include what information is collected for OBA, how it is collected and what it is used for. This information should be easily accessible – such as by way of advertising icons – rather than buried in a website’s extensive privacy policy.
Provide user-friendly opt-out mechanisms. Businesses using OBA should provide users with a user-friendly ability to opt-out of the OBA practice. Again, this could be in the form of advertising icons placed directly on the advertisement which, if clicked, provide a choice to opt-out.
Safeguard information. Once information is collected, businesses should have in place adequate physical, organizational and technical measures for safeguarding the information that is appropriate to its level of sensitivity.
[1] Guidelines on Privacy and Online Behavioural Advertising published December 2011 (2011 OBA Guidelines).
[2] 2011 OBA Guidelines and the OPC’s Policy Position on Online Behavioural Advertising published December 2015 (2015 Policy Position).
[3] 2011 OBA Guidelines and 2015 Policy Position.
Disclaimer: Avisar Chartered Professional Accountant’s blog deals with a number of complex issues in a concise manner; it is recommended that accounting, legal or other appropriate professional advice should be sought before acting upon any of the information contained therein.
Although every reasonable effort has been made to ensure the accuracy of the information contained in this post, no individual or organization involved in either the preparation or distribution of this post accepts any contractual, tortious, or any other form of liability for its contents or for any consequences arising from its use.