On December 6, the Office of the Privacy Commissioner of Canada released guidelines for organizations engaging in online behavioural advertising to help address the privacy concerns raised by this activity.  Specifically, these guidelines are intended to ensure that these practices are engaged in fairly, transparently and in compliance with the Personal Information Protection and Electronic Documents Act ("PIPEDA").

Briefly, online behavioural advertising is described as the tracking of a consumer's online activities, over time, in order to deliver advertisements targeted to the consumer's inferred interests. Because the Privacy Commissioner is of the view that there is a serious possibility that the information collected through online behavioural advertising could be linked to an individual, the Privacy Commissioner has taken the position that PIPEDA applies. Accordingly, an organization must obtain an individual's consent before behavioural information is obtained or used.

Importantly, opt-out consent for online behavioural advertising, as opposed to the more challenging burden of opt-in consent, could be considered reasonable provided that the Privacy Commissioner's guidelines are followed.

Consent must be Meaningful and Informed

  • The practices should be transparent and the purposes must be clear, understandable and obvious to the individual. Communication methods such as online banners, layered approaches and interactive tools are recommended. 
  • Individuals should be informed of the purposes for the practice and the various parties involved at or before the time of information collection.
  • As a best practice, organizations should avoid tracking children and tracking on websites aimed at children. 

Opting-Out must be a Real Option

  • Individuals should be able to easily opt out of the practice, ideally at or before the time the information is collected.
  • An individual's choice to opt out should be implemented immediately and on an ongoing basis.
  • If an opt-out mechanism is not available due to the technology used, or because doing so would render a service unusable, an organization should not utilize that type of technology for online behavioural advertising purposes. 

The Information Collected must be Limited

  • To the extent practicable, only non-sensitive information should be collected and used. Sensitive information, such as medical or health information, should be avoided. 
  • Any information collected or used should be destroyed as soon as possible or effectively de-identified. 

As outlined above, these guidelines are intended to assist organizations in complying with the requirements of PIPEDA. Complaints, however, will still be addressed on a case-by-case basis.  Therefore, it is important for organizations engaging in online behavioural advertising to be alive to the potential privacy issues and to take a proactive role in developing practices that will ensure their continued success online.

The full guidelines can be viewed at: http://www.priv.gc.ca/information/guide/2011/gl_ba_1112_e.cfm#contenttop
