Last week, the Global Privacy Enforcement Network (GPEN) released the results from their third annual Privacy Sweep. Twenty-nine privacy enforcement authorities spread across 21 countries reviewed 1,494 websites and mobile applications (apps) either targeted to or popular among children – the theme of this year’s sweep.

Canadian regulators participating in the international sweep included the Office of the Privacy Commissioner of Canada (OPC), the Office of the Information and Privacy Commissioner of Alberta and the Office of the Information and Privacy Commissioner of British Columbia, who focussed their review on websites and apps based in Canada.

Among the overall findings by GPEN, 67% of the websites and apps examined collected personal information from children, such as names, photos, videos, audio, addresses and phone numbers.

“Too many developers are collecting particularly sensitive personal information such as photos, videos and the location of children, and often allowing it to be posted publicly, when there are clearly ways to avoid it,” said Privacy Commissioner Daniel Therrien in a statement. The OPC has repeatedly recommended in its publications and report of investigations that the best practice is to never collect personal information from children.

The OPC noted that many companies are developing innovative, creative and dynamic technological tools that balance the purpose of the website or app while respecting privacy protection.

The Privacy Sweep also found that 51% of websites and apps reviewed indicated they may disclose the children’s personal information to third parties. The Privacy Sweep found that 58% of websites and apps reviewed, while purporting not to collect personal information, redirected children to sites and apps that did collect personal information. The redirection was via an advertisement or a contest that sometimes appeared to be part of the website or app.

In considering parental or some form of adult supervision or control, only 31% of websites and apps reviewed had any protective control in place that would limit the collection of personal information; even less (24%) had some form of parental involvement.

The focus of privacy protection of vulnerable groups, such as youth and children, is one of Commissioner Therrien’s current privacy priorities.

The OPC also provided recommendations for companies to consider when collecting, using or disclosing personal information that may involve children, including:

1. Avoid collecting any personal information from children.
2. Instead of requiring children to disclose their name or photo or other personal information – for example to register with a website or app – companies should use protective controls such as preprogrammed avatars and usernames that children can select instead.

The goals of the GPEN Privacy Sweep include creating awareness and encouraging compliance with privacy legislation; however, GPEN and the OPC note that the results of the Privacy Sweep could lead to follow-up action being taken, including outreach and investigations.

There were two important developments in the U.S. regarding children and mobile technologies.

FTC Staff Report

On December 10, 2012, the U.S. Federal Trade Commission (FTC) released a Staff Report entitled“Mobile Apps for Kids: Disclosures Still Not Making the Grade”. The Staff Report examines the privacy disclosures and practices of mobile apps. The survey was conducted during the summer of 2012. FTC Staff tested 400 apps. Among the interesting survey results:

• 80% of the apps (319) apparently did not disclose any information about the apps privacy practices prior to download. Many of those that contained privacy disclosures “consisted of a link to a long, dense, and technical privacy policy” according to the FTC Staff Report.

• 60% of the apps (235) transmitted the device ID to the developer, an advertising network, an analytics company, or other third party. The most common transmission was to advertising networks (by a large margin). Only 20% (44) of the 223 apps that transmitted device ID, geolocation or phone number to third parties provided any privacy disclosures.

• 58% of the apps (230) contained in-app advertising, but only 15% of the apps (59) disclosed information about the presence of advertising.

• 17% of the apps (66) contained in-app purchase functionality.

The FTC Staff Report states that FTC Staff have commenced a number of investigations where FTC have identified gaps between the company practices and disclosures, which could constitute violations of the U.S. Children’s Online Privacy Protection Act (COPPA) or the Federal Trade Commission Act’s prohibition on deceptive practices.

In Canada, app developers should be aware of provincial consumer protection legislation and the federal Competition Act, which contain prohibitions on deceptive practices, as well as federal and provincial privacy legislation, such as the Personal Information Protection and Electronic Documents Act (PIPEDA), which required transparency with respect to an organization’s practices regarding the collection, use, retention and disclosure of personal information. In addition, app developers marketing apps with in-app advertising should be aware of Quebec’s Consumer Protection Act, which prohibits advertising to children under 13 years of age.

Amendments to the COPPA Rule

On December 19, 2012, the FTC adopted the final amendments to the Children’s Online Privacy Protection Rule (COPPA Rule). Highlights from the amendments include:

• Expanded Definition of Personal Information. The new definition includes geolocation information, photos, videos and audio files that contain a child’s image or voice. Persistent identifiers such as a unique device ID or MAC address may also be personal information.

• Extension of Rule to Third Party Applications. The FTC perceived a gap or loophole to the existing COPPA Rule that permitted advertising networks, third party plug-ins and other applications to collect personal information from children without parental consent. The amended COPPA Rule provides that an organization will be considered an “operator” of a website directed to children if it is benefits from the collection of information by a third party even where the third party is not acting as its agent. This will place an obligation on the operator to obtain consent to the collection of the personal information collected by the third party. FTC Commissioner Ohlhausen dissented from the new COPPA Rule on the basis that this extension went beyond what the statute permitted.

• New Rules for Verifiable Parental Consent. The new COPPA Rule permits obtaining consent by way of electronically scanned parental consent, video conferencing, government-issued identification or payment systems that provide notice to the primary account holder of each discrete transaction.

Canada contains no equivalent to COPPA; however, the Office of the Privacy Commissioner of Canada (OPC) has focused on children’s online privacy as a priority. In the OPC’s guidance regarding online behavioural advertising, the OPC stated:

“The most obvious type of information that should not be tracked involves children’s information. Operators of web sites that are targeted at children should not permit the placement of any kind of tracking technologies on the site. It is hard to argue that young children could meaningfully consent to such practices, and the profiling of youngsters to serve them online behaviourally targeted ads seems inappropriate in such circumstances. The Canadian advertising industry has indicated that it will require its members to not knowingly target children; this is a position that the OPC endorses and encourages.”

Given the increasing focus on meaningful consent to the collection of personal information, it may be only a matter of time before Canadian privacy commissioners issue a decision regarding the collection and use of personal information about children. In the meantime, app developers hoping to offer their apps in the U.S. should take note of the new COPPA Rule.

Few dispute that the law should protect the privacy of children. In a recent decision of the Supreme Court of Canada, the court held that the “[r]ecognition of the inherent vulnerability of children has consistent and deep roots in Canadian law” and that “[t]his results in protection for young people’s privacy” in several legislative areas.

This post doesn’t address what is socially acceptable or appropriate in terms of the collection of personal information from children or the use of that information for marketing. Instead, it focusses on some of the practical legal issues when dealing with children, personal information and marketing in Canada.

“We do not knowingly collect personal information from children under the age of 13.”

It has become boilerplate for organizations in Canada to deny that they knowingly solicit, collect or use personal information from children under 13. Why? The focus on the age of 13 is probably a product of two statutes:

COPPA. Canada’s southern neighbour has a lot of influence, particularly in respect of e-commerce. The Children’s Online Privacy Protection Act (United States) requires verifiable parental consent to the collection of children under the age of 13.

Quebec. COPPA isn’t the only reason to focus on the age of 13. Section 248 of the Consumer Protection Act (Quebec) prohibits commercial advertising directed at persons under 13 years of age. The Office de la protection du consommateur takes the position that this applies to websites as well.

Special Advertising Regulations

Marketers must also be aware of special advertising rules for children even where advertising is permitted.

Broadcast Code Regulations. Television and radio broadcasters in Canada agree to adhere to the Broadcast Code for Advertising to Children (under the age of 12) as a condition of Canadian Radio-television and Telecommunications Commission licences. This requires pre-clearing of the children’s advertising.

Advertising Standards Canada Requirements. In the online world, the Canadian Code of Advertising Standards applies. The Code provides that advertising that is directed to children “must not exploit their credulity, lack of experience or their sense of loyalty, and must not present information or illustrations that might result in their physical, emotional or moral harm.”

Identifying Children and Obtaining Consent

Modulating information and consent mechanisms is difficult enough.  However, it is complicated by the fact that the application of privacy principles tend to discourage the most obvious tool to identify children – asking the user for his or her age.

Difficulty in Obtaining Consent. In Canada, the Personal Information Protection and Electronic Documents Act (Canada) (PIPEDA) and its provincial counterparts requires meaningful consent to the collection, use, retention and disclosure of personal information. In order to obtain consent, the information must be presented and modulated in complexity to the developmental level of the child.

Identification Problem. Privacy advocates do not want to encourage the collection of dates of birth. However, without information on a year of birth, it is not possible to screen out the collection of personal information from children. In one case, a parent enrolled a child in a loyalty program. When the child started to receive credit card marketing materials, the parent complained but there was no practical way for the loyalty program to know the age of the person enrolling without asking.

There is no prefect solution. Instead the organization must carefully consider the target audience and modulate consent and the use of personal information based on reasonable expectations about the demographics of that target audience.

Binding Terms of Use and Contracting with Minors

In many cases, organizations attempt to incorporate consent to the collection, use, retention and disclosure of personal information into the terms of use of the website or mobile application. However, the law is complex relating to the capacity of a minor to enter into a contract and that law varies among Canadian provinces. In Ontario, for example, a person who is 18 years of age or more is presumed to be capable of entering into a contract (s. 2(1) of the Substitute Decisions Act, 1992). However, there is no presumption that a person under the age of 18 is capable of contracting. On the other hand, if necessaries are sold and delivered to a minor, the minor is required to pay a reasonable price (s. 3(1) of the Sale of Goods Act). “Necessaries” are vaguely defined as goods suitable to the minor’s condition and his or her actual requirements. Even in the case of non-necessaries, the contract with a minor may not be voidable if the minor has already received the benefit of the contract.

In British Columbia, a person is an “infant” until reaching the age of majority of 19 years (s. 1(2) of the Age of Majority Act). Section 19 of the British Columbia Infants Act, provides that a contract with an infant is not enforceable unless, among other things, it is affirmed on reaching the age of majority. However, that rule is not as blunt as it sounds, since the court may take into account the surrounding circumstances of the contract and whether any party has changed its position before fashioning a remedy.

Obtaining consent from a parent or requiring acceptance of terms of use from a parent is not necessarily the solution. In Ontario (and other common law provinces), a contract entered into by a parent on behalf of a minor may not be enforceable against the minor.

Helping Parents and Children

The Canadian Marketing Association has tips for helping parents with children’s marketing.  The Office of the Privacy Commissioner of Canada also has a great website for youth and parents.

The ICO has published a request for feedback on the GDPR rules on profiling and automated decision making. They say it’s not guidance and just initial thoughts but we think it is a good steer on what the ICO thinks are the key issues.  You can respond with feedback to the ICO by 28 April or just use this to “issue spot”.  Both would be a pretty good use of time.

Key points:

• Don’t be fooled by the “legal / similar effects” threshold in Art 22. The general GDPR rules will affect lots of business operations which involve profiling. This is not just about profiling having “legal effects” like e-recruitment.
• Consider the risk of unfair discrimination.  How do you ensure your profiling is fair. How does that algorithm actually work? Check out “Weapons of Math Destruction” by Cathy O’Neil.  What is an acceptable error rate for inferences?
• Think about raw input and output data and how to apply GDPR rights and obligations to each tranche.
• How do you validate compliance where some/all of the process is carried out by a third party / vendor?  All the fairness, transparency and data hygiene rules apply.
• Consent is mentioned as a legal basis but won’t work unless there is a genuine free choice as per the recent ICO consultation.
• Beware of inadvertently generating special category data. This usually requires explicit consent.
• Consider practical steps like identifying the “logic” of the legal effects decisioning in privacy policies and in response to DSARs.
• Get ready to justify profiling if someone exercises their right to object. The other rights also apply of course.
• Consider algorithmic auditing, seals, codes of conduct and ethical review boards to underpin profiling safeguards.
• There will be a wide range of profiling requiring a DPIA: includes location tracking, loyalty programmes, and OBA as well as more obvious ones like credit scoring. DPIAs also apply to partly automated profiling with legal/similar effects. So this goes wider than the rules in Art 22 which only applies to decisions solely by automated means.
• Do not profile children where this has legal/similar effects and is solely automated. This is a prohibition.
• ICO to publish guidance on children’s data later this year (to cover gateway conditions / age verification / parental authorisation).

The Office of the Privacy Commissioner (OPC) has released two important decisions this year on online behavioural advertising (OBA or interest-based advertising) so far this year.

On March 25, 2015, the OPC released its Report of Findings regarding an investigation into Ganz’s interactive website for children. On April 7, 2015, the OPC released its Report of Findings regarding Bell Canada’s relevant advertising program. Some might argue that this is a misplaced priority given the OPC has yet to make a convincing case of harm, but it is clearly one that has captured the attention of the OPC. At least in the case of Bell Canada’s relevant advertising program, the OPC may not have the last word. A class action has been commenced and the OPC aspects of the issue are before the Canadian Radio-television and Telecommunications Commission (CRTC).

Background on the Cases

In the Ganz Report of Findings, one of the issues was whether Ganz’s website for its Webkinz toy pets was allowing third-party advertisers to track and profile children using the website for the purposes of serving targeted advertising to children. Ultimately, it appears that the OPC was satisfied that children were not tracked for the purpose of conducting interest-based advertising. However, the OPC concluded that Ganz had not conducted sufficient due diligence with respect to the third parties that were permitted on its site as a result of its advertising program.

In the Bell Canada Report of Findings, the most contentious issues were whether Bell’s use of network usage information and account/demographic information to support sales of advertising to its customers was an appropriate use of personal information and whether express opt-in consent was required for that use. Ultimately, the OPC concluded that the use of the information for advertising programs was an appropriate purpose but concluded that express opt-in consent was required because of the potential sensitivity of the browsing behaviour being used by Bell and the OPC’s view that the reasonable expectations of consumers would be that their telecommunications service provider would seek such consent before making use of that information.

Key Points for Online Advertisers

1. Organizations must monitor and conduct due diligence regarding tracking technology on their sites.

To demonstrate accountability, organizations must ensure that they monitor tracking technology on their site. They must conduct due diligence on the third parties and ensure that third parties do not use personal information collected through cookies and other technologies contrary to the purposes identified to the users of those sites. The OPC expects to see contractual provisions or other means to prevent misuse by third-parties involved in interest-based advertising.

2. Interest-based advertising can be an appropriate use of personal information.

The OPC has now stated clearly in the Bell Report of Findings that it accepts that the objective of maximizing advertising revenue and improving a customer’s online experience through targeted advertising can be a legitimate business objective. In general the use of personal information for that purpose is not inappropriate.

3. But use of credit information for interest-based advertising is likely not appropriate.

The use of credit scores whether on an individual basis or an aggregate basis is not appropriate for targeted advertising. The use of this information may not be permitted by consumer reporting legislation for this purpose. The OPC recommended, and Bell agreed, to discontinue the use of that information.

4. Children remain a concern.

In the Ganz Report of Findings, the OPC continues to take the position that websites that are targeted at children should not permit tracking technologies for online behavioural advertising purposes. The OPC’s position is that young children are incapable of consenting.

5, Opt-Out consent must be meaningful – no rainy day retention.

If a customer opts out of Bell’s interest-based advertising program, the information must be deleted and not further collected. Bell had proposed to continue to collect the information but not use it unless the customer opted-back in. The OPC recommended against this since opt-out must mean opt-out.

6. Opt-Out consent is not a universal rule.

Previously, the OPC said in its online behavioural advertising guidance that opt-out consent would be appropriate for online behavioural advertising if the information used was not sensitive and there was an effective opt-out mechanism. However, in the Bell Report of Findings, the OPC confirmed that opt-in consent may be required if the scope of the information being collected is very broad and the reasonable expectations of the consumer would be to expect opt-in consent.

7. Broad collection creates sensitivity.

In the OPC’s view, the scope of collection could result in the information being collected being sensitive. The OPC believed that Bell could track virtually all of its customers’ online activities and, therefore, this information was, in the aggregate, sensitive.

8. The reasonable expectations of consumers are relevant to whether opt-in consent is required.

The OPC has reintroduced its primary/secondary purposes analysis through the guise of a reasonable expectations analysis. In the Bell Report of Findings, the OPC just couldn’t get past the fact that Bell is paid for Internet services. Unlike a free service, such as Facebook, Bell charged for its services.  As a result, the OPC viewed Bell as making a secondary use of personal information and commodifying customer information for purposes other than the delivery of telecommunications services.

9. Time-limited retention won’t eliminate sensitivity.

Even though Bell only kept 90 days’ worth of behavioural information, the information was, in the OPC’s view, still sensitive in the aggregate.

Conclusion

The OPC’s decision on Bell’s program is unlikely to be the final word. There are deeply problematic aspects of the decision. For reasons that go beyond the scope of this blog post but will be published separately, it is arguable that the requirement for opt-in consent is seriously flawed.

In the meantime, however, organizations in the interest-based advertising ecosystem should sit up and take notice.