As was widely reported, on January 15, 2013, the Office of the Privacy Commissioner of Canada (OPC) issued a Report of Findings regarding interest-based advertising or online behavioural advertising through Google's AdSense service.
Reports of the case frequently suggested that the Canadian law does not permit the use of "health information" for interest-based advertisements. This is debatable but, in any event, that wasn't really what the case was about. The issue appears to have been whether Google exercised sufficient due diligence in monitoring its customers.
What the complaint was about
Accordingly to the Report of Findings, the complainant searched for a particular type of medical device for sleep apnea. Importantly, the complainant was signed into his Google account when he made those searches. Subsequently, the complainant began to see targeted advertising on other sites relating to his searches.
Google participates in the AdChoices program and advertisements often include the AdChoices icon indicating that there page involves interest-based advertising or OBA. By clicking on the icon users can opt-out of interest-based advertising.
Although the complainant browses while signed into this Google account (and appears not to have opted-out), the complainant argued, according to the Report of Findings that "he did not provide Google with consent to display his personal medical information in browsers."
Contextual advertisements versus OBA
Previously, the OPC has distinguished between contextual advertising, which is advertising based on the content of a page, with interest-based or online behavioural advertising (OBA), which is based on "tracking" user interests across websites.
Initially, Google disputed that the advertising was OBA and instead was based on recent or related page content that, according to the Report of Findings, "appeared out of context to the user". However, subsequently Google appears to have conceded that the advertisements were placed as a result of a Google customer's AdWords remarketing program.
The AdWords remarketing program allows Google customers to install code on their websites provided by Goggle. This code installs a cookie ID in the user's web browser unless the user has opted-out of interest-based advertising or OBA. The Google customer can then design an advertising campaign that the user will see on other webpages that uses Google's advertising products. This is interest-based advertising or OBA.
Although Google requires advertisers to agree to specific policies that prohibit OBA based on "health or medical information", the customers could use the products in violation of these policies since the customer is in control.
But is health information really off-limits?
The OPC (perhaps incorrectly) equated implied consent with "opt-out" consent. Leaving aside that debate, it appears that the OPC is reinforcing previous guidance that express consent should be used when conducting interest-based advertising using sensitive information.
Principle 4.3.6 of the Personal Information Protection and Electronic Documents Act (PIPEDA) states:
Importantly, however, subsection 5(2) of PIPEDA states that "[t]he word "should" [...] indicates a recommendation and does not impose an obligation." Whether a court would agree that express consent is always required even if the Ad Choices program is prominently used (and the website Privacy Notice is clear) is open for debate.
What does the future hold in this case
To remedy this situation, Google undertook initiatives to:
- reject remarketing campaigns involving the sleep apnea treatment devices;
- clarify its policies to advertisers;
- develop new training for internal teams;
- increase monitoring of advertiser's remarketing campaigns;
- upgrade automated screening systems;
The bottom line is that the practice of Google's customers did not comply with Google's policies and the OPC was not satisfied with Google's due diligence in enforcing its policies. Whether health information is always off limits to interest-based advertising is not at all clear. The OPC suggests it is absent express consent; however, whether this view will ultimately prevail on the current wording of PIPEDA is uncertain, particularly if an organization prominently draws its practices to the attention of the consumer and provides an immediate opt-out mechanism.
For more information, visit our Data Governance Law blog at www.datagovernancelaw.com
Dentons is a global firm driven to provide you with the competitive edge in an increasingly complex and interconnected marketplace. We were formed by the March 2013 combination of international law firm Salans LLP, Canadian law firm Fraser Milner Casgrain LLP (FMC) and international law firm SNR Denton.
Dentons is built on the solid foundations of three highly regarded law firms. Each built its outstanding reputation and valued clientele by responding to the local, regional and national needs of a broad spectrum of clients of all sizes – individuals; entrepreneurs; small businesses and start-ups; local, regional and national governments and government agencies; and mid-sized and larger private and public corporations, including international and global entities.
Now clients benefit from more than 2,500 lawyers and professionals in 79 locations in 52 countries across Africa, Asia Pacific, Canada, Central Asia, Europe, the Middle East, Russia and the CIS, the UK and the US who are committed to challenging the status quo to offer creative, actionable business and legal solutions.
Learn more at www.dentons.com
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances. Specific Questions relating to this article should be addressed directly to the author.