1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

Canadian Advertisers Self-Regulate Online Behavioural Advertising

Call to Action on OBA

The Office of the Privacy Commissioner (OPC) is aware of the challenges associated with balancing privacy in the online advertising environment, and wants the ad industry to step up.  On the day Privacy Commissioner of Canada Jennifer Stoddart announced the publication of a new set of guidelines on Privacy and Online Behavioural Advertising in late 2011, she said that:

[t]o best address these complexities, all stakeholders in the advertising community, including website operators and browser developers, have a role to play to ensure that the issues of transparency and meaningful consent are addressed.

The following year, the OPC followed up with more specific expectations in its Policy Position on Online Behavioural Advertising.

Industry Response: Self-Regulation

Led by the Digital Advertising Alliance of Canada (DAAC), the advertising industry has responded with the Canadian Self-Regulatory Program for Online Behavioural Advertising, with a website geared to consumers and companies alike at http://youradchoices.ca/.  The Program is not quite “made-in-Canada”, nor should it be, considering the need to integrate data governance solutions across borders.  It is based on the U.S. Digital Advertising Alliance (DAA) OBA Ad Choices program and principles.  It also shares some common principles and approaches with the European Advertising Standards Alliance (EASA) OBA Framework.  For consistency and broad consumer recognition, the “Ad Choices” program in participating countries use the identifying icon consisting of a lower case letter “i” within a blue triangle.

The DAAC Program has been tailored to meet the requirements of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), as well as the OPC guidelines.  The non-profit industry body Advertising Standards Canada (ASC) will be responsible for monitoring compliance, dealing with complaints, initiating investigations, and publishing reports.  The OPC will no doubt be watching closely – particularly as the program takes its first steps in Canada – to come to its own conclusions on whether industry self-regulation is meeting its expectations under PIPEDA and its OBA guidelines.  However, once the Program has matured and proved itself, there is precedent for a regulator to stand down and consider the self-regulatory body to be at least the “first resort” for complaints in the area.  The Canadian Radio-television and Telecommunications Commission (CRTC) generally takes this position with the ASC’s review of advertising standards.

The Canadian Self-Regulatory Program for Online Behavioural Advertising incorporates the following principles:

  1. Education [both individuals and businesses]
  2. Transparency [clear, meaningful, prominent notice to consumers]
  3. Consumer Control [the ability to exercise choice with respect to the collection, use and disclosure of data for OBA purposes]
  4. Data Secutity  [safeguards, data retention, and treatment of OBA data]
  5. Sensitive Data  [children and sensitive personal information]
  6. Accountability [accountability program is managed and operated by the ASC in accordance with its Online Behavioural Advertising Compliance Procedure]

Self-regulation does not, however, cover the whole OBA territory.  Certain types of activities are expressly excluded from the Program, such as “online advertising of entities within a web site they own or control” and “contextual advertising”, including ads based on the content of a web page being visited, a consumer’s current visit to a web page, and a search query.

While legal compliance may have been the main driver for the implementation of the new Program, the DAAC also points to the benefits for consumers:

As an online consumer, you can find out more about online behavioural advertising and how it helps provide you with more relevant ads on the websites that you visit. You’ll learn how online behavioural advertising supports the content, products and services that you use on the web, what online ad choices you have, and how to use browser controls to enhance your privacy.

In short, while the Office of the Privacy Commissioner has noted that some consumers find OBA “creepy”, the DAAC and its member associations know that many consumers don’t mind OBA as long as it’s transparent:  they don’t want to see irrelevant ads, and they’re OK with the idea of the right ads “finding them”.

It’s early days for the DAAC Program.  As it rolls out and expands, Canadians will become increasingly familiar with the Ad Choices icon appearing on web pages.  Advertisers – and the OPC – have a lot at stake in that little blue icon.

, , , , ,

Canadian Advertisers Self-Regulate Online Behavioural Advertising

M-Commerce Privacy & Security

I recently had the pleasure of presenting on privacy and security issues in mobile e-commerce (“M-Commerce”) at the 7th Managing Privacy Compliance Seminar organized by Federated Press.

In my presentation, I described some important issues to consider in designing privacy compliance programs for mobile e-commerce. The topics included:

            • Main takeaways from recent Canada and U.S. guidelines
            • Dealing with Address Book Information
            • Online Behavioural Tracking and Analytics
            • Geolocation Data
            • Collecting Information from Children
            • Transparency and Accountability in Design
            • Consent, Representations and Disclaimer

Learn more by viewing the Slideshare presentation below.

Privacy and Security in Mobile E-Commerce

View more presentations from FMC Law.
This presentation contains examples of the kinds of issues companies dealing with privacy and security in mobile e-commerce could face. If you are faced with one of these issues, please retain professional assistance as each situation is unique. 
M-Commerce Privacy & Security

The Fake Facebook Profile and the Veiled Victim

The Supreme Court of Canada determined yesterday, in A.B. v. Bragg Communications, that a 15-year old can proceed anonymously to pursue the identity of her Facebook cyberbully. 

The 15-year old, A.B., found out that someone had posted a face Facebook profile with her picture, a modified version of her name, and other identifying particulars.  The profile also included demeaning comments about A.B.’s appearance, and sexually explicit references.  

Facebook provided the IP address associated with the Nova Scotia account holder.  The Internet provider, Eastlink, agreed to provide more specific information about the address – if a court authorized it to do so.  A.B. brought an application for such an order, and along with the application requested (i) permission to seek the identity of the Facebook cyberbully anonymously (the “anonymity request”), and (ii) a publication ban on the content of the fake Facebook profile. 

While Eastlink did not oppose the privacy requests, the Halifax Herald and Global Television did.  The Nova Scotia court granted the order requiring Eastlink disclose the information about the identity of the cyberbully.  However, it denied A.B.’s anonymity request and the publication ban, on the basis that she had not proved specific harm to her that would outweigh restricting access to the media.  Put simply, the media’s right to access and report on the facts of the case outweighed A.B.’s right to privacy.  This was upheld at the Court of Appeal.

A unanimous Supreme Court overturned this, stating that:

If we value the right of children to protect themselves from bullying, cyber or otherwise, if common sense and the evidence persuade us that young victims of sexualized bullying are particularly vulnerable to the harms of revictimization upon publication, and if we accept that the right to protection will disappear for most children without the further protection of anonymity, we are compellingly drawn in this case to allowing A.B.’s anonymous legal pursuit of the identity of her cyberbully.

The Supreme Court noted that the Canadian Newspapers decision had established that the limits imposed by prohibiting identity disclosure [in a criminal sexual assault case] on the media’s right to freedom of the press are minimal: the media can be present at the hearing, and report facts and the conduct of the trial, without revealing the complainant’s identity. 

In yesterday’s A.B. decision, the Supreme Court placed great emphasis on the inherent vulnerability of children, and the importance of protecting their privacy in the context of cyberbullying.  In the view of the Supreme Court, if we accept that, then surely we must accept the need to prohibit identity disclosure in this case, just as the Court did in the criminal context in Canadian Newspapers.

The Supreme Court allowed A.B.’s appeal in part:  her identity would be protected, and the identifying information in the fake Facebook profile.  The non-identifying information in the profile could be disclosed. 

This decision provides further direction for those conscious of the protection of the privacy of children, and wondering about the specific content of those obligations.  Unlike the United States, Canada has no Children’s Online Privacy Protection Act (COPPA), and while there are set age and child-specific standards in Canadian criminal laws, we have no set age or child-specific standards in our federal privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA) .  The Supreme Court noted that:

Recognition of the inherent vulnerability of children has consistent and deep roots in Canadian law.  This results in protection for young people’s privacy under the Criminal Code, R.S.C., […] the Youth Criminal Justice Act […], and child welfare legislation, not to mention international protections such as the Convention on the Rights of the Child […], all based on age, not the sensitivity of the particular child.  

The Supreme Court has sent a message that in contexts where children may be particularly vulnerable – even when the child is 15 years old, and the context is Facebook – the law will protect their privacy on an objective basis based on age, not individual maturity or temperament.

, , , , ,

The Fake Facebook Profile and the Veiled Victim