

Federal Budget 2021: Electronic Filing, Payments and Certification

Budget 2021 proposes a number of measures that would better facilitate CRA’s ability to operate digitally, while also enhancing security.

Notices of Assessment (NOA)

Budget 2021 proposes to provide CRA with the ability to send certain NOAs electronically without the taxpayer having to authorize CRA to do so. This proposal would apply in respect of individuals who file their income tax return electronically and those who use the services of a tax preparer that files their return electronically. Taxpayers who file their income tax returns in paper format would continue to receive a paper NOA from CRA. This measure would come into force on Royal Assent of the enacting legislation.

Correspondence with Businesses

Budget 2021 proposes to change the default method of correspondence for businesses that use CRA’s My Business Account portal to electronic only. However, businesses could still choose to also receive paper correspondence. This measure would come into force on Royal Assent of the enacting legislation.

Information Returns – T4A and T5

Budget 2021 proposes to allow issuers of T4A (Statement of Pension, Retirement, Annuity and Other Income) and T5 (Statement of Investment Income) information returns to provide them electronically without having to also issue a paper copy and without the taxpayer having to authorize the issuer to do so. This measure would apply in respect of information returns sent after 2021.

Electronic Filing Thresholds

Budget 2021 proposes a number of measures that would limit the ability to file paper returns, including:

  • persons or partnerships that file more than 5 (reduced from 50) information returns of a particular type (e.g. T4 or T5 slips) for a calendar year would be required to file them electronically;
  • professional tax preparers would be required to file electronically where they prepare more than a total of 5 (reduced from 10) corporate or income tax returns for a calendar year. The exception for trusts would be removed; and
  • professional tax preparers that file electronically would only be permitted to file a maximum of 5 (reduced from 10) paper returns of each type per calendar year.

These measures would apply in respect of calendar years after 2021.

The mandatory electronic filing thresholds for returns of corporations under the Income Tax Act, and of GST/HST registrants (other than for charities or Selected Listed Financial Institutions) under the Excise Tax Act would be removed, resulting in most corporations and GST/HST registrants being required to file electronically.

Electronic Signatures

Budget 2021 proposes to allow electronic signatures on certain prescribed forms, as follows:

  • T183, Information Return for Electronic Filing of an Individual’s Income Tax and Benefit Return;
  • T183CORP, Information Return for Corporations Filing Electronically;
  • T2200, Declaration of Conditions of Employment;
  • RC71, Statement of Discounting Transaction; and
  • RC72, Notice of the Actual Amount of the Refund of Tax.

This measure would come into force on Royal Assent of the enacting legislation.

Electronic Payments

Budget 2021 proposes that electronic payments be required for remittances over $10,000 under the Income Tax Act and that the threshold for mandatory remittances for GST/HST purposes be lowered from $50,000 to $10,000. Budget 2021 also proposes to clarify that payments required to be made at a financial institution include online payments made through such an institution. This measure would apply to payments made on or after January 1, 2022.


Disclaimer: Avisar Chartered Professional Accountant’s blog deals with a number of complex issues in a concise manner; it is recommended that accounting, legal or other appropriate professional advice should be sought before acting upon any of the information contained therein.

Although every reasonable effort has been made to ensure the accuracy of the information contained in this post, no individual or organization involved in either the preparation or distribution of this post accepts any contractual, tortious, or any other form of liability for its contents or for any consequences arising from its use.


Preserve Cybersecurity While Working Remotely

Most organizations have moved their workforces to some form of remote work as a result of the COVID-19 pandemic. Surprisingly, remote work has proven effective for many organizations, and they are now contemplating updating their remote work policies to allow employees more flexibility in a post-COVID-19 world. However, from a cybersecurity standpoint, remote work presents unique challenges and risks.

Employees may be accessing sensitive corporate data from their personal devices, or they may be using company-issued devices for corporate and unauthorized personal use. In both instances, hackers will prey on these distracted employees: sending them phishing emails in hopes of gaining access to the organization’s network, or stealing credentials which they sell to criminals who may then launch cyberattacks.

Technical Tips For a More Secure Network

That said, there are some basic steps organizations can take to improve their cybersecurity posture. Here are a few technical steps you can use as a good starting point.

The extra step in the MFA process could be an email or text message confirmation, a biometric method, such as facial recognition or a fingerprint scan, or something physical like a USB fob.

  • Updates and patches. During the pandemic, most IT departments were focused on moving a large portion of the organization’s workforce to remote work. This may have put other IT tasks on hold, such as patching and implementing non-critical updates.

Hackers will take advantage of this delay to access networks and potentially steal data. Thus, implementing any updates and patches as quickly as possible should be a priority.

  • Securing home routers. Employees working from home are relying on the Internet and Wi-Fi access at their residence. Did they change their router password after it was first installed? If not, their home network may be vulnerable.

It is important to take simple steps to protect home networks and prevent hackers from having access to connected devices. While changing a router password is a good first step, your employees should take additional measures. For example:

  • Ensure that firmware updates are installed, so that security vulnerabilities can be patched.
  • Make sure the encryption is set to WPA2 or WPA3.
  • Restrict inbound and outbound traffic.
  • Use the highest level of encryption available.
  • Switch off WPS.

Employees needing help with these measures should connect with your IT department.

Passwords should be unique for every account and should comprise a long string of upper- and lower-case letters, numbers and special characters. Additionally, organizations should consider implementing shorter periods for password resets, for example, going from a 90-day to a 30-day reset cycle.

Help Your Employees Stay “Cyber-Vigilant”

While implementing strong technical safeguards is essential to a strong cybersecurity posture, the most important risk to organizations remains their people, when they fall victim to phishing campaigns. Phishing emails are sent by hackers to steal information that can be used in further targeted phishing attacks, credit card and wire fraud, and in installing malicious software on the victim’s device or on the networks they access.

During this pandemic, there has been a marked increase in the number of phishing campaigns that target remote workers in a bid to steal their personal information or gain access to company accounts.

The key to avoiding this vulnerability lies in employee training and reminders to constantly be vigilant. For example:

  • If an email appears unusual or requests immediate action (even when it comes from a “known” source), your employees should have the reflex to pause and proceed carefully.
  • If the email contains a URL, they should know to hover their cursor over the link to validate the source, and to not open any unexpected attachments.
  • If they suspect that they may have inadvertently fallen for a hacker’s ruse, their reflex should be to immediately report the incident to IT, rather than trying to resolve the issue themselves or ignoring it.
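The “hover over the link” check above can also be automated on the receiving side. The following is an added example, not code from the original post: it parses the anchors in an HTML email body and flags links whose visible text names a different domain than the real target, or whose target is a bare IP address. The sample email and all domains in it are constructed for the demo, and the domain comparison uses a crude last-two-labels rule (an assumption; a real filter would use a public-suffix list).

```python
"""Flag anchors whose visible text points somewhere other than the real href."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Constructed sample HTML e-mail body (placeholder domains and a documentation
# IP range; none of these are real indicators).
SAMPLE_EMAIL_HTML = """
<p>Your invoice is ready.</p>
<p><a href="https://portal.example.com/invoice/42">https://portal.example.com/invoice/42</a></p>
<p><a href="http://example.net/login">https://portal.example.com/login</a></p>
<p><a href="http://203.0.113.7/reset">Reset your password</a></p>
<p><a href="https://example.org/help">Help centre</a></p>
"""

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

# Visible text that looks like a URL or bare domain (the case where a reader
# would believe they know where the link goes).
_DOMAIN_RE = re.compile(r"^(https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(/\S*)?$")

def _host(value):
    """Hostname of a URL or bare domain, or None if there is none."""
    if not value:
        return None
    if "://" not in value:
        value = "http://" + value
    return urlparse(value).hostname

def _registrable(host):
    """Crude last-two-labels comparison (assumption: no public-suffix list)."""
    return ".".join(host.split(".")[-2:])

def analyse_links(html):
    """Return (href, visible text, reason) for every link that deserves a second look."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = _host(href)
        if target is None:
            continue
        try:
            ipaddress.ip_address(target)
            findings.append((href, text, "link target is a bare IP address"))
            continue
        except ValueError:
            pass  # a normal hostname; fall through to the domain comparison
        if _DOMAIN_RE.match(text):
            shown = _host(text)
            if shown and _registrable(shown) != _registrable(target):
                findings.append((href, text,
                                 f"shown domain {shown} differs from real target {target}"))
    return findings

if __name__ == "__main__":
    for href, text, reason in analyse_links(SAMPLE_EMAIL_HTML):
        print(f"{reason}: text={text!r} href={href!r}")
```

Links whose visible text is ordinary words (“Help centre”) are not flagged by this rule, which is why the advice to hover before clicking still applies.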

The pandemic has shown that remote work is an effective way for organizations to continue operating, so it is likely that some form of remote work will be part of how organizations operate in the future. That said, being aware of the risks and taking some basic steps can significantly reduce your chances of becoming a victim of a cyberattack while working remotely.



Protecting Your Business From Identity Theft

When we think about fraud committed against individuals, many of us immediately think of identity theft. Identity theft is the taking of a victim’s private information (such as their social insurance number or birthdate) to use for financial gain.

Examples of identity theft include applying for and using a credit card with the stolen information. Our awareness of identity theft as a crime has increased significantly over the past few years, because the issue has been regularly featured on the news and in popular culture, and the risks have been frequently highlighted by financial literacy organizations (such as CPA Canada).

What is business identity theft?

Though many people are well aware of the risks of individual identity theft, what is not as commonly known is that identity theft can just as easily happen to a business. Identity theft for a business has the same definition as for an individual: acquiring a business’s private information to use for financial gain.

Why does business identity theft happen?

Any person(s) committing fraud, including identity theft, will typically need to have all three of the following factors: incentive, rationalization and opportunity.

What information is needed to commit business identity theft?

For individual identity theft, a person’s social insurance number (SIN) and birthdate are key pieces of information to acquire. For a business, the key information to protect against identity theft is your company’s business number (BN) and/or provincial tax identification number. In Ontario, that would be your Business Identification Number (BIN). Other key information that may be used for business identity theft include:

  • legal corporate / business name
  • mailing address
  • supplier names
  • customer names
  • employee information (e.g., email addresses and phone numbers)

What are examples of business identity theft schemes?

There are several ways in which a business identity thief can use the acquired information for financial gain. Examples include:

  • transferring funds out of the business bank accounts
  • opening and using a corporate credit card
  • applying for and receiving a loan from the bank
  • making large business purchase orders
  • filing false tax returns to receive refund amounts from the government

What are the consequences of business identity theft?

The consequences of identity theft for a business, much like for an individual, are lost time and money. Examples include:

  • loss of revenue and cash from the business if fraudulent purchases are made
  • reputational damage if the fraudulent use of the business’s identity is carried out in ways that are antithetical to the business
  • tax liabilities to the government if fraudulent corporate tax returns are filed

Mitigating the Risk of Identity Theft

To mitigate business identity fraud, there are both preventative and detective actions that can be taken. Preventative actions help to protect against the theft occurring in the first place. Detective actions help to discover the business identity theft before significant losses have occurred.




Cyber Security: Mitigating the Risks to Cyber Attacks

Cyber attacks come in a variety of forms and with a variety of intentions. Whether for money or pure disruption, organizations are at risk of both the intrusion and the potential breach of regulatory obligations.

Identifying Cyber Risks

Nearly 90% of cyber incidents are phishing attacks. While the technological maturity level of an organization can greatly influence the response rate, statistics show that upwards of 30% of the targets of a phishing attack open malicious emails.

Up to 12% were found to take the next step and open the included website or attachment. As a result, your user base is often one of the weakest points in your environment.

Getting on The Right Track

Organizations can significantly reduce their cyber risk with the implementation of a consistent IT methodology with security in mind. Start by taking an inventory of your organization’s hardware and software.

By simply removing unsanctioned hardware and software from access to your network, you immediately improve your defences. Manage this going forward by restricting the administrative privileges needed to install new applications and to configure hardware options.

As part of your IT methodology, establish a consistent configuration base of all your devices. Add rigour to how these units are configured, and ensure that proper security protocols are used. In many cases, simply making changes from the manufacturer’s default settings will help reduce exposure.

Once you have established your configuration, employ change-control procedures to assess and monitor their upkeep. Work in a regular patching process to ensure that all your devices are up to date with the latest changes from the manufacturer, which often include security improvements. Many attacks focus specifically on out-of-date software versions.

As discussed earlier, many attacks are buoyed by fooling users into clicking a dangerous link or downloading malicious applications. As such, do not underestimate the importance of educating your user base. Be sure to highlight what to look for, enforce a critical thinking approach, and reassess as needed. Phishing email drills can be very eye-opening and can help to reinforce preparedness.

Getting the Right Help

Cyber security is an increasingly complex and important topic. As such, it is often difficult for smaller organizations to stay on top of their security needs. They may not have the proper in-house skills to set the right IT methodology in place or manage it going forward. There is certainly a cost-benefit consideration to hiring the needed technical help versus bringing it in externally.

Do not hesitate to look for help. There are numerous consulting companies that can be engaged to conduct an initial cyber security review or assessment of your current environment. These companies can either direct you as to where to make the most important improvements or take over the responsibility as part of an outsourcing agreement.

Responsibility to Protect

Currently, in Canada, it is not against the Criminal Code to fail to implement cyber security measures. However, there are a number of civil and liability obligations that are relevant.

Most notably, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) is relevant to all personal information involved in commercial activities. PIPEDA calls for the protection against loss or theft, modification, copying, unauthorized access, or even disclosure of personal information. This means that the organization itself has a duty to protect the data in its realm.

PIPEDA is not the only regulatory component to be concerned with. Several provinces have passed similar legislation that requires the keepers of data to safeguard this information. Various industry regulators have also implemented regulations around not only the protection of data but also the reporting of intrusive events. For example, the Canadian Securities Administrators (CSA) requires market participants to implement a security framework (relative to their scale).

Cyber attacks are a part of the new reality in our increasingly connected commercial paradigm. Your industry, your scale and the sensitivity of your data will dictate how much you need to do to mitigate the inevitable intrusions. The basic steps above will help to reduce simple or widespread cyber attacks. However, do not underestimate the importance of an effective IT methodology to fully mitigate risks associated with cyber attacks.



Antivirus Preparedness: What To Look For In An Antivirus Solution

Finding a good antivirus solution is kind of like searching for insurance coverage. We know we need it, but few of us really understand how it works. Here is a simple discussion outlining what antivirus software is, the threats out there and what to look for in selecting a security solution.

What Is Antivirus Software?

Antivirus software consists of programs that are specifically designed to deal with various forms of malicious software (often referred to as malware) that can infect your computer and cause data corruption, breach of privacy or many other forms of malintent. Typically, antivirus software is used to both prevent and remove the offending malware. Given that new kinds of malware are constantly being released, a key aspect of antivirus software is the frequency and completeness with which it is updated.

The term antivirus has become synonymous with protection against a variety of threats, and not just viruses as the name suggests. It is worth understanding, at least at a high level, what the various forms of these threats are.

WHAT THREATS SHOULD YOU BE CONCERNED ABOUT?

There are several different threats present in our modern environment. These are normally categorized by the method by which they are transmitted and/or by the malicious activity of the offending code and are collectively called “malware”. A few of the most prominent types of threats are listed below. This is by no means a complete list:

  • Viruses – usually an executable file that has the capability of replicating itself, causing several different malicious intents. Executing the infected file activates or triggers the virus to act.
  • Worms – similar to viruses in that they can replicate themselves, however, they differ in that they do not require the execution of a file to trigger their activity and are transmitted by taking advantage of gaps in existing security protocols.
  • Trojan horses – a type of malicious software or code that – as you can probably guess by the name – masquerades as legitimate software, and fools users into downloading it. Once downloaded and activated, a Trojan horse typically will open pathways for other malicious software to enter your PC.
  • Spyware – malicious programs that, once they have found their way onto your computer, collect various pieces of data about you, your transactions and/or any data that resides on your PC. Once this personal data has been collected, the spyware will transmit it back somewhere to be collected by hackers, who could potentially steal your identity.
  • Ransomware – probably the scariest of all the threats listed. In this case, the malicious software seeks out your important files – such as photos, documents, and videos – and encrypts them. Once these are all locked up, large sums of money are requested by the hackers to release your own files back to you.

Selecting Antivirus Software

Here are some important things to consider when evaluating an antivirus solution:

Comprehensive coverage – With the many different threats that are out there, it is vital that you are looking for more than just antivirus coverage, but also for other forms of defence. Things like a firewall, internet browsing protection and even identity protection are key elements to have.

Ease of use – No tool is worth anything if it won’t be used. Complicated pieces of software may provide a little better protection, but if it is not easy to understand, frustration will result. Look for easy-to-use screens, good documentation and options around how the product is configured.

Performance impact – This is probably one of the biggest complaints about robust security solutions. They can use a fair amount of your PC’s resources to run the checks, scans and updates necessary to keep you protected. If you see consistent slowness in your PC, regardless of the product used, it may be time to upgrade.

Reliability – Reliable security software products have a few common elements. First, they are frequently updated, meaning that the provider is constantly adapting to new threats. Second, they have tools to automate the scanning process, and are highly configurable; so you can customize when they are run, and what files are investigated. They will also have a high malware detection rate (look for a number higher than 95%). The high detection rate indicates that few viruses are missed, and conversely that most are caught. Lastly, they should guard against being unintentionally uninstalled, as some malware has been known to uninstall the antivirus software that is present. This is easily prevented by adding required confirmations to the uninstall process.

FREE VERSUS PAID

This is a common debate. There are some good low- or no-cost antivirus products available, however, most research does point to the paid product as having a better long-term rate of malware detection. The paid software is updated more frequently, is more robust in terms of functionality and comes with better support. Free solutions, while less feature-rich, may provide less interruption to your PC – however, remember that, at the end of the day, those interruptions are saving you from harm.



Online Transactions: Know What’s Happening To Your Data

Online purchasing transaction security is not absolute. There are no longer truly “safe” and “unsafe” options, only alternatives with varying degrees of security. However, understanding how your data is stored and used is an important first step.

WHAT ARE THE RISKS OF PURCHASING ONLINE?

The risks of conducting transactions online are real and require constant vigilance. Online transactions are open to “normal” procurement risks, but also have a unique set of other hazards. Beyond being exposed to such things as fake websites, inflated user reviews, or the possibility of never actually receiving what was bought, purchasers can be exposed to much more sinister dangers. Credit card fraud and identity theft are real possibilities. It is not all doom and gloom though. The key is understanding these risks and what is being done to protect you and your personal data.

WHAT INFORMATION CAN ONLINE RETAILERS STORE?

The storing of personal data is controlled more by the industry than by federal or provincial laws. The Payment Card Industry Data Security Standard (PCI DSS) was implemented by the major credit card companies as a means of ensuring compliance amongst the retailers, online or otherwise. Deviation from compliance is met with stiff fines. Per PCI DSS direction, brick and mortar stores are required to keep customer data only until they have been successfully authenticated. Online retailers face similar restrictions. However, when it comes to saving data for repeat transactions, customer data can be saved if it is properly encrypted and guarded. Due to the complex nature of storing and managing customer data in this manner, this function is often off-loaded to third-party providers.

The actual data that is stored by online retailers, per the PCI DSS, is the customer’s:

  • name
  • account details
  • credit card number (a.k.a. Primary Account Number or PAN)
  • expiration date

Not to be stored are the customer’s:

  • PIN
  • security code (CVV)

Further, access to the stored data is to be restricted, and the full PAN must be concealed. Policies must also be in place to destroy the customer’s data once it is no longer required.

WHERE IS PERSONAL INFORMATION STORED?

To understand how your online personal data is stored, it is important to understand that there are two different areas in which your data is stored. First, many people store personal details within their internet browsers (Google Chrome, Firefox etc.). This allows for increased convenience – you don’t have to enter addresses, credit card numbers and other details each time you want to shop online.

Websites can store these details in the form of cookies, or as part of the autofill functionality. Cookies are stored on your computer and accessed by the website when you navigate there, and can store account numbers, even credit card numbers. Recently, browsers have significantly expanded their use of autofill functionality. A large amount of personal data is stored within the browser setting files, and can be accessed to speed up the process for people filling out online forms.

Secondly, retail partners themselves maintain personal data in the form of customer accounts, complete with address, credit card, buying patterns and many other sensitive details. We have all signed up for customer accounts to take advantage of promotions, newsletters, points, or just to speed the checkout process. Online transactions are usually brokered by a Payment Service Provider (PSP). These PSPs tokenize the consumer’s payment details and are usually certified by the relevant agencies. The certification details are often available on the seller’s website. Tokenization means that the data is encrypted as randomized characters and transmitted as such. Interception of this data is meaningless, as the credit card numbers, addresses and other details have been scrambled.
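The PCI DSS storage rules listed earlier (name, account details, PAN and expiry may be kept; PIN and CVV may not; the full PAN must be concealed) and the tokenization step described in this paragraph, as one added example that is not code from the original post. It reduces a constructed checkout form to the fields a merchant may store, Luhn-checks the card number, masks it for display, and swaps it for a random lookup token the way a payment service provider’s vault does. The in-memory vault, the field names and the test card number are assumptions made for the demo; a real PSP keeps the vault in a separately controlled system.

```python
"""Reduce a raw checkout record to what PCI DSS lets a merchant keep."""
import secrets

# Fields the text says may be stored, and those that must never be.
ALLOWED_FIELDS = {"name", "account_details", "pan", "expiry"}
FORBIDDEN_FIELDS = {"pin", "cvv"}

def luhn_valid(pan):
    """Luhn check so an obviously mistyped PAN is rejected before it is stored."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan):
    """Conceal the PAN: show only the last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]

class TokenVault:
    """Maps random tokens to PANs. Only the token ever leaves the vault."""
    def __init__(self):
        self._store = {}            # assumption: in-memory for the demo

    def tokenize(self, pan):
        token = "tok_" + secrets.token_hex(12)  # random; carries no card data
        self._store[token] = pan
        return token

    def detokenize(self, token):
        return self._store[token]

def prepare_for_storage(raw, vault):
    """Return (record the merchant may keep, list of field names dropped)."""
    # PIN and CVV land here because they are not in ALLOWED_FIELDS.
    dropped = sorted(k for k in raw if k not in ALLOWED_FIELDS)
    pan = raw["pan"].replace(" ", "")
    if not luhn_valid(pan):
        raise ValueError("PAN failed Luhn check")
    stored = {k: raw[k] for k in raw if k in ALLOWED_FIELDS and k != "pan"}
    stored["pan_masked"] = mask_pan(pan)        # what can be displayed
    stored["pan_token"] = vault.tokenize(pan)   # what is kept for repeat use
    # Final guard: none of the forbidden fields may survive in the stored record.
    assert not (FORBIDDEN_FIELDS & stored.keys())
    return stored, dropped

# Constructed sample checkout form (a standard test PAN, not a real card).
SAMPLE_CHECKOUT = {
    "name": "A. Customer",
    "account_details": "cust-0001",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/27",
    "cvv": "123",
    "pin": "4321",
}

if __name__ == "__main__":
    vault = TokenVault()
    record, dropped = prepare_for_storage(SAMPLE_CHECKOUT, vault)
    print("dropped before storage:", dropped)
    print("stored record:", record)
```

Intercepting the stored record yields only a masked number and a token that is meaningless without access to the vault.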

HOW DO YOU SECURE YOUR INFORMATION?

If we think about the two different places where customer data is stored, it makes sense that we will have two different approaches to securing our personal data.

First, make a habit of reviewing and deleting the cookies saved on your computer, especially if other people use your computer. To stop new cookies from being created with your data, simply use the “Guest” option on websites as much as possible. This is usually available on most websites and refers to the option of entering only the personal data needed to conduct the immediate transaction. Much less data is stored for future recovery, or misuse. If you choose to save some of your data, use the autofill functions. This not only speeds up data entry later, but also stores it more securely than with cookies.

Finally, in terms of data stored by online retailers, staying informed and proactive on what data you have out there is important. Take a minute to read the retailer’s security policy and understand their policies in terms of customer data retention, and if they use professional third-party partners to guard your data. Consider whether you really need to create an account with the retailer to speed future transactions. Maybe you will prefer to manage this data yourself.



Privacy And Online Behavioural Advertising

Online behavioural advertising (OBA) is becoming an increasingly popular form of advertising. If your business engages in OBA, it is important to understand the privacy risks associated with this practice.

If you have ever surfed the internet to look up a particular topic such as “Caribbean vacations” or “laptops” only to find that this same topic reappears in advertisements on other websites, then you likely have been the target of OBA.

While there are many benefits to OBA and online advertising generally, such as allowing businesses to compete with international and online companies, it carries with it certain privacy risks that businesses should be mindful of when engaging in this type of advertising.

WHAT IS ONLINE BEHAVIOURAL ADVERTISING?

The Office of the Privacy Commissioner of Canada (OPC) defines OBA as “tracking consumers’ online activities, across sites and overtime in order to deliver advertisements targeted to their inferred interests.”[1]

As people use the internet, they leave behind a rich trail of personal information. Some of this is deliberate, such as the posting of photos and comments. However, other times it is not. Through the use of certain technologies, businesses can keep track of your web browsing activity such as search terms used, web pages visited, advertisements viewed, articles read, purchases made and even your location. Businesses are tapping into this abundant source of information and using sophisticated data analytics to build personal profiles of individuals in order to deliver specific advertising to them that is tailored to their interests.

PRIVACY ISSUES

In Canada, the Personal Information Protection and Electronic Documents Act, SC 2000, c 5 (PIPEDA), or equivalent privacy legislation in certain provinces, governs the collection, use or disclosure of personal information.

Personal information is defined as “information about an identifiable individual” [s. 2(1)]. The OPC has stated that it will generally consider information collected for the purpose of OBA to constitute personal information.[2]

Pursuant to privacy legislation, an individual’s consent is required for the collection, use or disclosure of personal information. Privacy legislation does recognize that the form of consent can vary. For example, express (opt-in) consent is typically appropriate for sensitive information and implied (opt-out) consent for less sensitive information. The OPC has stated that implied consent may be a reasonable form of consent for OBA, provided that certain conditions are met including, but not limited to:

  • making the individual aware of the practice in a clear and understandable manner before collection occurs; and
  • providing them with the ability to easily opt out of the practice with immediate and persistent effect.[3]

However, the OPC has cautioned that its 2011 OBA Guidance does not make opt-out consent the default for all OBA and that all the circumstances must be carefully considered. On April 7, 2015, the OPC published its findings that a mobility company’s Relevant Advertising Program (RAP), which consisted of using customers’ network usage and account / demographic information to serve targeted advertising, violated PIPEDA.

While the RAP providers did not have access to information that identified particular customers, and while the company gave customers the option to opt out of the RAP, the OPC nevertheless found that “the sheer breadth of information being used or contemplated for the RAP… renders such information more sensitive when compiled” and therefore express opt-in consent was appropriate for the use of such sensitive information.

In addition to the sensitivity of the information, the OPC also considered the reasonable expectations of the company’s customers. It found that the company used its customers’ information for the purpose of delivering its primary paid services and therefore its customers would reasonably expect it to obtain express opt-in consent for the use of their information for the new secondary purpose of OBA.

As a result of the OPC’s findings, class action lawsuits were launched in Ontario and Quebec against the mobility company and its affiliate claiming $750 million in damages for, among other things, breach of privacy (the tort of intrusion upon seclusion) arising from the unauthorized use of consumers’ personal information for the RAP.

BUSINESS TAKEAWAYS

The following four strategies will help businesses comply with their obligations under privacy law when engaging in OBA.

Obtain appropriate consent (express or implied). Given the OPC’s findings against the mobility company, businesses using OBA should consider whether seemingly innocent, non-identifying pieces of information they are collecting could be considered sensitive information when compiled together. If so, this would require express consent.

Provide clear information regarding OBA practices. Privacy legislation requires that businesses obtain meaningful consent. Accordingly, businesses should provide users with clear information regarding their OBA practices. This should include what information is collected for OBA, how it is collected and what it is used for. This information should be easily accessible – such as by way of advertising icons – rather than buried in a website’s extensive privacy policy. 

Provide user-friendly opt-out mechanisms. Businesses using OBA should give users a simple way to opt out of the OBA practice. Again, this could be in the form of advertising icons placed directly on the advertisement which, if clicked, offer the choice to opt out.

Safeguard information. Once information is collected, businesses should have in place adequate physical, organizational and technical measures for safeguarding the information that is appropriate to its level of sensitivity.
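The consent conditions above (notice before collection, express opt-in for sensitive information, an opt-out that is immediate and persistent) can be enforced in the tracking code itself rather than left to policy. The following is an added illustration, not code from the post or from any advertiser; the storage key, the list of sensitive categories and the tracker class are assumptions made for the example, and the `ConsentStore` stands in for a first-party cookie or browser storage so the snippet runs outside a browser.

```javascript
// Added example: a consent-gated behavioural-advertising profile.
// It records browsing signals only after the OBA notice has been shown,
// reserves sensitive categories for express (opt-in) consent, and makes
// opt-out take effect immediately (profile discarded) and persistently
// (flag stored, so a later session still sees it).

const CONSENT_KEY = 'oba_consent'; // hypothetical first-party storage key

// Stands in for localStorage or a first-party cookie (assumption for the example).
class ConsentStore {
  constructor() { this.items = new Map(); }
  get(key) { return this.items.has(key) ? this.items.get(key) : null; }
  set(key, value) { this.items.set(key, String(value)); }
}

// Categories treated as sensitive once compiled into a profile (assumed list).
const SENSITIVE_CATEGORIES = new Set(['location', 'health', 'finance']);

class ObaTracker {
  // Consent states: 'unset' (no notice yet), 'implied' (notice shown, not
  // opted out), 'express' (opt-in given), 'opted_out'.
  constructor(store) {
    this.store = store;
    this.profile = new Map(); // category -> Set of observed values
  }

  consentState() {
    return this.store.get(CONSENT_KEY) || 'unset';
  }

  // Called once the clear, understandable notice has been displayed; only
  // then may collection under implied consent begin.
  noticeShown() {
    if (this.consentState() === 'unset') this.store.set(CONSENT_KEY, 'implied');
    return this.consentState();
  }

  // Express (opt-in) consent, e.g. the user clicking "allow" on the ad icon.
  optIn() { this.store.set(CONSENT_KEY, 'express'); return 'express'; }

  // Opt-out: discard what was collected and persist the choice.
  optOut() {
    this.store.set(CONSENT_KEY, 'opted_out');
    this.profile.clear();
    return 'opted_out';
  }

  // Returns true if the signal was recorded, false if consent did not cover it.
  record(category, value) {
    const state = this.consentState();
    if (state === 'unset' || state === 'opted_out') return false;
    if (SENSITIVE_CATEGORIES.has(category) && state !== 'express') return false;
    if (!this.profile.has(category)) this.profile.set(category, new Set());
    this.profile.get(category).add(value);
    return true;
  }

  // Inferred interests that would be used to select an advertisement.
  interests() {
    const out = {};
    for (const [category, values] of this.profile) out[category] = [...values].sort();
    return out;
  }
}

// Walks one visitor through the lifecycle and returns the observations so the
// behaviour can be checked rather than only printed.
function demo() {
  const store = new ConsentStore();
  const t = new ObaTracker(store);
  const beforeNotice = t.record('search', 'laptops');        // no notice yet
  t.noticeShown();
  const impliedSearch = t.record('search', 'laptops');       // implied consent suffices
  const impliedLocation = t.record('location', 'Toronto');   // sensitive: needs opt-in
  t.optIn();
  const expressLocation = t.record('location', 'Toronto');   // now permitted
  const interestsBeforeOptOut = t.interests();
  t.optOut();
  const afterOptOut = t.record('search', 'Caribbean vacations'); // refused
  const later = new ObaTracker(store);                        // new session, same storage
  return {
    beforeNotice, impliedSearch, impliedLocation, expressLocation,
    interestsBeforeOptOut, profileAfterOptOut: t.interests(), afterOptOut,
    persistedState: later.consentState(),
    laterRecord: later.record('search', 'laptops'),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the design is that the default state collects nothing, that the opt-out flag lives in the same first-party storage the tracker reads on every page, and that sensitivity is decided per category before a value is ever added to the profile, which is the "compiled together" concern raised in the RAP findings.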


[1] Guidelines on Privacy and Online Behavioural Advertising, published December 2011 (2011 OBA Guidelines).

[2] 2011 OBA Guidelines and the OPC’s Policy Position on Online Behavioural Advertising, published December 2015 (2015 Policy Position).

[3] 2011 OBA Guidelines and 2015 Policy Position.


Disclaimer: Avisar Chartered Professional Accountant’s blog deals with a number of complex issues in a concise manner; it is recommended that accounting, legal or other appropriate professional advice should be sought before acting upon any of the information contained therein.
