1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

Canadian Privacy Compliance: Time for your Online Checkup

In a previous post on online behavioural advertising (OBA), we wrote about the Office of the Privacy Commissioner’s “call to action” to stakeholders in the advertising industry on OBA, and we discussed the industry’s response to that call: self-regulation.

2012 – Call to Action: the Privacy Commissioner’s Expectations 

In its 2012 Policy Position on Online Behavioural Advertising, the Office of the Privacy Commissioner (OPC) stated that it “may” be acceptable to rely on implied or opt-out consent when tracking and targeting individuals for OBA purposes, “provided that”:

  • Individuals are made aware of the purposes for the practice in a manner that is clear and understandable – the purposes must be made obvious and cannot be buried in a privacy policy. Organizations should be transparent about their practices and consider how to effectively inform individuals of their OBA practices, by using a variety of communication methods, such as online banners, layered approaches, and interactive tools;
  • Individuals are informed of these purposes at or before the time of collection and provided with information about the various parties involved in OBA;
  • Individuals are able to easily opt-out of the practice – ideally at or before the time the information is collected;
  • The opt-out takes effect immediately and is persistent;
  • The information collected and used is limited, to the extent practicable, to non-sensitive information (avoiding sensitive information such as medical or health information); and
  • Information collected and used is destroyed as soon as possible or effectively de-identified.

2013 – Industry Response: Self-Regulation

In response, the industry developed and launched the Canadian Self-Regulatory Program for Online Behavioural Advertising (the “Ad Choices program”), an initiative tailored to meet the requirements of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), as well as the OPC guidelines.  The initiative is led by the Digital Digital Advertising Alliance of Canada (DAAC), and is monitored and administered by the non-profit industry body Advertising Standards Canada (ASC). A growing number of brands and media companies have registered for the program.

We noted in our previous post that the OPC would no doubt be watching to see whether and how industry self-regulation meets its expectations under PIPEDA and its OBA guidelines.  We also noted, however, that the self-regulatory solution was not designed to cover all OBA activities.  For example, certain types of activities are expressly excluded from the Ad Choices program, such as “online advertising of entities within a web site they own or control” and “contextual advertising”, including ads based on the content of a web page being visited, a consumer’s current visit to a web page, and a search query.

Ongoing OPC Guidelines, Investigations and “Sweeps”

The OPC is not staying on the sidelines – it continues to take a keen interest in OBA and online consent more broadly.  For example, in January 2014, the OPC found that Google ads triggered by web surfing on health sites violated privacy rights.  As a result, Google committed to several measures, including closer monitoring of potential violations by advertisers.  In May 2014, the federal, British Columbia and Alberta Privacy Commissioners issued new guidelines for online consent, calling for transparent and dynamic privacy notices, and greater protections for personal information belonging to children and youth.

In 2015, the OPC is investigating websites visited by Canadians for compliance with OBA requirements.

The OPC has in past years conducted investigation and enforcement “sweeps”.  In 2013, the OPC led and participated in the first annual Global Privacy Enforcement Network (GPEN) Internet Privacy Sweep.  The sweep targeted privacy policies, and the OPC published the initial results of its investigations under the headings “The Good, the Bad, and the Ugly“. In 2014, the OPC again participated in the GPEN Sweep, investigating the transparency of privacy practices for 151 mobile apps that were made in Canada or frequently downloaded by Canadians.  The Results of the 2014 Global Privacy Enforcement Network Sweep are an overall, anonymous mobile app “report card”, ranking transparency to users, ease of access/reading on the small screen, and whether privacy information is available before download.

An OPC “report card” on OBA is expected to be released sometime in the Spring.


In the news:  see the recent Globe & Mail article “Watchdog to study ‘privacy compliance’ among Canadian advertisers” 


Canadian Privacy Compliance: Time for your Online Checkup

Privacy is permanent…not temporary

A few days ago, the UK data protection watchdog (ICO) released a warning to organisations that employ temporary or agency workers. The ICO warned that employers must ensure that a temporary worker, who is involved in the handling of personal data, has been provided with adequate data protection training.

This warning follows the telling off given by the ICO to the Great Ormond Street Hospital Children NHS Foundation Trust (GOSH), after 3 out of their 4 recent data breaches involved temporary staff sending letters (containing medical information) to the wrong address.

Sally Anne Poole (the ICO’s Enforcement Group Manager) said in a News Release issued by the ICO:  “This time of year often coincides with a rise in the number of temporary workers being employed across the UK. However the temporary nature of their employment doesn’t absolve employers of their legal responsibilities for making sure people’s information is being looked after correctly.

So what does this mean for employers? Well, it means you will need to invest in proper data protection training for temporary or agency workers as well as for your full time staff. This can be a costly exercise, especially where a temporary worker is only taken on for limited period.

Employers could consider developing a “one pager” of data privacy “do’s and don’ts” which can be provided to temporary workers when they start. Or perhaps, the temporary worker agency could provide data protection training to workers, so that they are “data protection ready” when they start their placement with an organisation. But it is ultimately the employer who remains responsible for making sure that its staff (permanent and temporary) are adequately trained in data protection to ensure that the information they hold about people is being looked after correctly.

The Chief Executive of GOSH has signed an Undertaking by which GOSH promises the ICO that “temporary staff are provided with sufficient data protection training before they carry out work that involves regular contact with personal data, especially sensitive personal data“. According to GOSH’s undertaking, the ICO decided not to serve an “Enforcement Notice” on GOSH due to the “remedial action” that was taken. It is not clear what this “remedial action” was, but since a warning has now been released by the ICO, it seems prudent for employers to make sure their training policies are adequate and the scope of such training is expanded to cover all employees (full time or part time) that handle personal data, so as to avoid being next in line.

Thank you to Danielle van der Merwe for assisting in writing this post.


Privacy is permanent…not temporary

Canadian Advertisers Self-Regulate Online Behavioural Advertising

Call to Action on OBA

The Office of the Privacy Commissioner (OPC) is aware of the challenges associated with balancing privacy in the online advertising environment, and wants the ad industry to step up.  On the day Privacy Commissioner of Canada Jennifer Stoddart announced the publication of a new set of guidelines on Privacy and Online Behavioural Advertising in late 2011, she said that:

[t]o best address these complexities, all stakeholders in the advertising community, including website operators and browser developers, have a role to play to ensure that the issues of transparency and meaningful consent are addressed.

The following year, the OPC followed up with more specific expectations in its Policy Position on Online Behavioural Advertising.

Industry Response: Self-Regulation

Led by the Digital Advertising Alliance of Canada (DAAC), the advertising industry has responded with the Canadian Self-Regulatory Program for Online Behavioural Advertising, with a website geared to consumers and companies alike at http://youradchoices.ca/.  The Program is not quite “made-in-Canada”, nor should it be, considering the need to integrate data governance solutions across borders.  It is based on the U.S. Digital Advertising Alliance (DAA) OBA Ad Choices program and principles.  It also shares some common principles and approaches with the European Advertising Standards Alliance (EASA) OBA Framework.  For consistency and broad consumer recognition, the “Ad Choices” program in participating countries use the identifying icon consisting of a lower case letter “i” within a blue triangle.

The DAAC Program has been tailored to meet the requirements of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), as well as the OPC guidelines.  The non-profit industry body Advertising Standards Canada (ASC) will be responsible for monitoring compliance, dealing with complaints, initiating investigations, and publishing reports.  The OPC will no doubt be watching closely – particularly as the program takes its first steps in Canada – to come to its own conclusions on whether industry self-regulation is meeting its expectations under PIPEDA and its OBA guidelines.  However, once the Program has matured and proved itself, there is precedent for a regulator to stand down and consider the self-regulatory body to be at least the “first resort” for complaints in the area.  The Canadian Radio-television and Telecommunications Commission (CRTC) generally takes this position with the ASC’s review of advertising standards.

The Canadian Self-Regulatory Program for Online Behavioural Advertising incorporates the following principles:

  1. Education [both individuals and businesses]
  2. Transparency [clear, meaningful, prominent notice to consumers]
  3. Consumer Control [the ability to exercise choice with respect to the collection, use and disclosure of data for OBA purposes]
  4. Data Secutity  [safeguards, data retention, and treatment of OBA data]
  5. Sensitive Data  [children and sensitive personal information]
  6. Accountability [accountability program is managed and operated by the ASC in accordance with its Online Behavioural Advertising Compliance Procedure]

Self-regulation does not, however, cover the whole OBA territory.  Certain types of activities are expressly excluded from the Program, such as “online advertising of entities within a web site they own or control” and “contextual advertising”, including ads based on the content of a web page being visited, a consumer’s current visit to a web page, and a search query.

While legal compliance may have been the main driver for the implementation of the new Program, the DAAC also points to the benefits for consumers:

As an online consumer, you can find out more about online behavioural advertising and how it helps provide you with more relevant ads on the websites that you visit. You’ll learn how online behavioural advertising supports the content, products and services that you use on the web, what online ad choices you have, and how to use browser controls to enhance your privacy.

In short, while the Office of the Privacy Commissioner has noted that some consumers find OBA “creepy”, the DAAC and its member associations know that many consumers don’t mind OBA as long as it’s transparent:  they don’t want to see irrelevant ads, and they’re OK with the idea of the right ads “finding them”.

It’s early days for the DAAC Program.  As it rolls out and expands, Canadians will become increasingly familiar with the Ad Choices icon appearing on web pages.  Advertisers – and the OPC – have a lot at stake in that little blue icon.

, , , , ,

Canadian Advertisers Self-Regulate Online Behavioural Advertising

Homework for the Privacy Commissioner of Canada: Guidelines to Follow

The House of Commons Standing Committee on Access to Information, Privacy and Ethics tabled its Report, entitled “Privacy and Social Media in the Age of Big Data” on April 23, 2013.

The report is the result of 15 meetings of the Committee and 30 witnesses between May 29, 2012 and December 11, 2012. The Committee’s Report summarizes the witness’s testimony but doesn’t suggest any legislative response. Some issues are punted to the Office of the Privacy Commissioner of Canada (OPC) to establish guidelines. Other issues, such as children’s privacy interests, enforcement powers of the OPC, Do Not Track and “privacy as the default” are discussed but the Committee offers no recommendations.

OPC’s Homework

The Committee may not have had advice or solutions on many of the issues, but it was ready to recommend that the OPC develop more guidelines. Among the guidelines that the Committee wishes to see the OPC develop are:

  • Guidelines for social media and data management companies regarding accountability and openness
  • Guidelines for drafting policies, agreements and contracts in clear, accessible language that facilitates meaningful and ongoing consent
  • Guidelines for mechanisms to ensure individuals have access to personal information held by them, mechanisms to limit how long information could be held, and mechanisms to facilitate deletion of information

Protection of Children

Although the Committee recognized the special issues of obtaining informed, meaningful consent and protecting children on the Internet, there were no calls by the Committee for a U.S.-style Children’s Online Privacy Protection Act (COPPA). Instead, the Committee simply recommended that the Government of Canada and social media companies “continue to provide support to organizations that provide education and training on digital activities and privacy.” The Committee also urged social media companies to promote safe online environments that are protective of the privacy interests of children and young persons.

No Comment on Enforcement Powers for the OPC

Intriguingly, after reviewing the competing perspectives on increasing the enforcement powers of the Office of the Privacy Commissioner, the Committee ducked the issue by stating that the Committee hoped the discussion would be of benefit to future legislative review:

“The evidence presented to the Committee demonstrates the competing views regarding the enforcement powers of the Privacy Commissioner. On the one hand, the current model facilitates the constant flow of information and good will between the private sector and the Privacy Commissioner, and has proven effective in ensuring that this relationship remains cordial and non-adversarial. On the other hand, much can and has been said regarding how the current model favours self-regulation and is not adequately prepared to ensure compliance when self-regulation fails. The Committee hopes that this valuable discussion will be of benefit to any future legislative review in this regard.”

Many will be disappointed, no doubt, with the lack of substance to the recommendations. No doubt we will hear more in the coming weeks as Canada’s approach is compared and contrasted with the U.S.’s recent  revamp of COPPA Rules and the U.S. Commerce hearings on Do Not Track.

Homework for the Privacy Commissioner of Canada: Guidelines to Follow

M-Commerce Privacy & Security

I recently had the pleasure of presenting on privacy and security issues in mobile e-commerce (“M-Commerce”) at the 7th Managing Privacy Compliance Seminar organized by Federated Press.

In my presentation, I described some important issues to consider in designing privacy compliance programs for mobile e-commerce. The topics included:

            • Main takeaways from recent Canada and U.S. guidelines
            • Dealing with Address Book Information
            • Online Behavioural Tracking and Analytics
            • Geolocation Data
            • Collecting Information from Children
            • Transparency and Accountability in Design
            • Consent, Representations and Disclaimer

Learn more by viewing the Slideshare presentation below.

Privacy and Security in Mobile E-Commerce

View more presentations from FMC Law.
This presentation contains examples of the kinds of issues companies dealing with privacy and security in mobile e-commerce could face. If you are faced with one of these issues, please retain professional assistance as each situation is unique. 
M-Commerce Privacy & Security