Last week, the Privacy Commissioner of Canada reported
on research undertaken by her office during the summer to assess
whether websites in Canada are inappropriately "leaking"
the personal information of registered users. Researchers
tested 25 sites and identified "significant privacy
concerns" with six of them. Researchers also had
questions about the practices of an additional five sites.
The Commissioner reported that the user information being leaked
varied from website to website, but such leaks generally included
one or more of a user's name, email address, postal code and
The organizations receiving the information were reported as
falling into three main categories: advertising companies,
analytics companies and electronic flyer services.
The six websites in respect of which the Commissioner identified
"significant privacy concerns" were cited for a lack of
transparency. The organizations operating these websites were
disclosing information to third parties, "apparently without
the knowledge or consent of the people affected." The
Commissioner also noted that, in some cases, it did not appear that
the disclosures were in keeping with the organizations' own

More Factual Information Required

The Commissioner has not concluded that the disclosures
summarized in her report violated federal privacy law.
Rather, she has requested information from 11 organizations that
will allow her to assess whether current practices need to be
modified to ensure compliance with privacy law.
It remains to be seen how many of these organizations will be
expected to modify their practices. Given that two
organizations were reported to have disclosed nothing more than
postal codes, it is far from clear that modifications will be
required in each case.
The Commissioner has not publicly named the 25 organizations
that were tested or the 11 organizations that have been asked to
provide information about their privacy practices. While the
Commissioner's decision to keep the website names confidential
has been criticized, there are strong arguments that can be
made in support of it.
Naming names when an official investigation has not been
conducted and a finding has not been made would be premature.
It may be that, in at least some instances, websites are able to
provide a valid and satisfactory explanation of the disclosures
they have made (e.g., disclosure pursuant to a proper consent or a
valid exception to consent – such as a transfer to a
service provider for processing).
Naming names without all of the relevant facts would not be in
the public interest and, as a result, is not allowed under
PIPEDA. Once the Commissioner has received the information
she has requested, she will be in a position to assess whether the
public interest would be served by doing so. The Commissioner
alone will be in a position to make that assessment.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.