The Office of the Privacy Commissioner (OPC) has released two important decisions this year on online behavioural advertising (OBA or interest-based advertising) so far this year.
On March 25, 2015, the OPC released its Report of Findings regarding an investigation into Ganz's interactive website for children. On April 7, 2015, the OPC released its Report of Findings regarding Bell Canada's relevant advertising program. Some might argue that this is a misplaced priority given the OPC has yet to make a convincing case of harm, but it is clearly one that has captured the attention of the OPC. At least in the case of Bell Canada's relevant advertising program, the OPC may not have the last word. A class action has been commenced and the OPC aspects of the issue are before the Canadian Radio-television and Telecommunications Commission (CRTC).
BACKGROUND ON THE CASES
In the Ganz Report of Findings, one of the issues was whether Ganz's website for its Webkinz toy pets was allowing third-party advertisers to track and profile children using the website for the purposes of serving targeted advertising to children. Ultimately, it appears that the OPC was satisfied that children were not tracked for the purpose of conducting interest-based advertising. However, the OPC concluded that Ganz had not conducted sufficient due diligence with respect to the third parties that were permitted on its site as a result of its advertising program.
In the Bell Canada Report of Findings, the most contentious issues were whether Bell's use of network usage information and account/demographic information to support sales of advertising to its customers was an appropriate use of personal information and whether express opt-in consent was required for that use. Ultimately, the OPC concluded that the use of the information for advertising programs was an appropriate purpose but concluded that express opt-in consent was required because of the potential sensitivity of the browsing behaviour being used by Bell and the OPC's view that the reasonable expectations of consumers would be that their telecommunications service provider would seek such consent before making use of that information.
KEY POINTS FOR ONLINE ADVERTISERS
1. Organizations must monitor and conduct due diligence regarding tracking technology on their sites.
To demonstrate accountability, organizations must ensure that they monitor tracking technology on their site. They must conduct due diligence on the third parties and ensure that third parties do not use personal information collected through cookies and other technologies contrary to the purposes identified to the users of those sites. The OPC expects to see contractual provisions or other means to prevent misuse by third-parties involved in interest-based advertising.
2. Interest-based advertising can be an appropriate use of personal information.
The OPC has now stated clearly in the Bell Report of Findings that it accepts that the objective of maximizing advertising revenue and improving a customer's online experience through targeted advertising can be a legitimate business objective. In general the use of personal information for that purpose is not inappropriate.
3. But use of credit information for interest-based advertising is likely not appropriate.
The use of credit scores whether on an individual basis or an aggregate basis is not appropriate for targeted advertising. The use of this information may not be permitted by consumer reporting legislation for this purpose. The OPC recommended, and Bell agreed, to discontinue the use of that information.
4. Children remain a concern.
In the Ganz Report of Findings, the OPC continues to take the position that websites that are targeted at children should not permit tracking technologies for online behavioural advertising purposes. The OPC's position is that young children are incapable of consenting.
5, Opt-Out consent must be meaningful – no rainy day retention.
If a customer opts out of Bell's interest-based advertising program, the information must be deleted and not further collected. Bell had proposed to continue to collect the information but not use it unless the customer opted-back in. The OPC recommended against this since opt-out must mean opt-out.
6. Opt-Out consent is not a universal rule.
Previously, the OPC said in its online behavioural advertising guidance that opt-out consent would be appropriate for online behavioural advertising if the information used was not sensitive and there was an effective opt-out mechanism. However, in the Bell Report of Findings, the OPC confirmed that opt-in consent may be required if the scope of the information being collected is very broad and the reasonable expectations of the consumer would be to expect opt-in consent.
7. Broad collection creates sensitivity.
In the OPC's view, the scope of collection could result in the information being collected being sensitive. The OPC believed that Bell could track virtually all of its customers' online activities and, therefore, this information was, in the aggregate, sensitive.
8. The reasonable expectations of consumers are relevant to whether opt-in consent is required.
The OPC has reintroduced its primary/secondary purposes analysis through the guise of a reasonable expectations analysis. In the Bell Report of Findings, the OPC just couldn't get past the fact that Bell is paid for Internet services. Unlike a free service, such as Facebook, Bell charged for its services. As a result, the OPC viewed Bell as making a secondary use of personal information and commodifying customer information for purposes other than the delivery of telecommunications services.
9. Time-limited retention won't eliminate sensitivity.
Even though Bell only kept 90 days' worth of behavioural information, the information was, in the OPC's view, still sensitive in the aggregate.
The OPC's decision on Bell's program is unlikely to be the final word. There are deeply problematic aspects of the decision. For reasons that go beyond the scope of this blog post but will be published separately, it is arguable that the requirement for opt-in consent is seriously flawed.
In the meantime, however, organizations in the interest-based advertising ecosystem should sit up and take notice.
For more information, visit our Privacy and Data Security blog at www.datagovernancelaw.com
Dentons is a global firm driven to provide you with the competitive edge in an increasingly complex and interconnected marketplace. We were formed by the March 2013 combination of international law firm Salans LLP, Canadian law firm Fraser Milner Casgrain LLP (FMC) and international law firm SNR Denton.
Dentons is built on the solid foundations of three highly regarded law firms. Each built its outstanding reputation and valued clientele by responding to the local, regional and national needs of a broad spectrum of clients of all sizes – individuals; entrepreneurs; small businesses and start-ups; local, regional and national governments and government agencies; and mid-sized and larger private and public corporations, including international and global entities.
Now clients benefit from more than 2,500 lawyers and professionals in 79 locations in 52 countries across Africa, Asia Pacific, Canada, Central Asia, Europe, the Middle East, Russia and the CIS, the UK and the US who are committed to challenging the status quo to offer creative, actionable business and legal solutions.
Learn more at www.dentons.com
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances. Specific Questions relating to this article should be addressed directly to the author.