Thursday, December 8, 2011

Privacy and Online Behavioural Advertising the Office of the Privacy Commissioner of Canada,


Privacy and Online Behavioural Advertising

Online behavioural advertising involves tracking consumers’ online activities over time in order to deliver advertisements targeted to their inferred interests. Behavioural advertisers often use sophisticated algorithms to analyze the collected data, build detailed personal profiles of users, and assign them to various interest categories. Interest categories are used to present ads defined as relevant to users in those categories.
While advertising may help subsidize the delivery of free online content desired by most users, it is nevertheless essential that online advertising practices respect an individual’s privacy rights and consent choices.
Online behavioural advertising may be considered a reasonable purpose under thePersonal Information Protection and Electronic Documents Act (PIPEDA), provided it is carried out under certain parameters, and is not made a condition of service.
The following guidelines were developed to help the various types of organizations involved in online behavioural advertising ensure that their practices are fair, transparent and in compliance with PIPEDA. Any future complaints concerning online behavioural advertising would be assessed based on the specific facts of each individual case.

PIPEDA and Personal Information

PIPEDA defines personal information as “information about an identifiable individual”. Information will be about an identifiable individual where there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other available information.
A prominent strategic element of online behavioural advertising comes from the tailoring of advertisements based on an individual’s browsing activities, which could include purchasing patterns and search queries. Given the scope and scale of information collected, the powerful means available for aggregating disparate pieces of data and the personalized nature of the activity, it is reasonable to consider that there will often be a serious possibility that the information could be linked to an individual.
As such, we take the position that the information involved in online tracking and targeting for the purpose of serving behaviourally targeted advertising to individuals will generally constitute personal information.

PIPEDA and User Choice

PIPEDA requires an individual’s knowledge and consent for the collection, use, or disclosure of personal information. PIPEDA also requires that the purposes for which an individual’s information is to be collected, used or disclosed be explained in a clear and transparent manner. In addition, PIPEDA does recognize that the form of consent can vary: for example, express consent (opt-in) when dealing with sensitive information, and implied consent (opt-out) when the information is less sensitive. It is important to note that the sensitivity of information depends on the nature of the information and the context in which it is being collected, used or disclosed.
While obtaining consent in the online environment is not without its challenges, it is possible. Opt-out consent for online behavioural advertising could be considered reasonable providing that:
  • Individuals are made aware of the purposes for the practice in a manner that is clear and understandable – the purposes must be made obvious and cannot be buried in a privacy policy. Organizations should be transparent about their practices and consider how to effectively inform individuals of their online behavioural advertising practices, by using a variety of communication methods, such as online banners, layered approaches, and interactive tools;
  • Individuals are informed of these purposes at or before the time of collection and  provided with information about the various parties involved in online behavioural advertising;
  • Individuals are able to easily opt-out of the practice - ideally at or before the time the information is collected;
  • The opt-out takes effect immediately and is persistent;
  • The information collected and used is limited, to the extent practicable, to non-sensitive information (avoiding sensitive information such as medical or health information); and
  • Information collected and used is destroyed as soon as possible or effectively de-identified.

Restrictions

Inability to Decline
Any collection or use of an individual’s web browsing activity must be done with that person’s knowledge and consent. Therefore, if an individual is not able to decline the tracking and targeting using an opt-out mechanism because there is no viable possibility for them to exert control over the technology used, or if doing so renders a service unusable, then organizations should not be employing that type of technology for online behavioural advertising purposes. At present, this could include, for example, so-called zombie cookies, super cookies and device fingerprinting. Further information related to online tracking technologies can be found on our Web Tracking with Cookies fact sheet.

Tracking of Children

PIPEDA requires meaningful consent for the collection, use and disclosure of personal information. It is difficult to ensure meaningful consent from children to online behavioural advertising practices. Therefore, as a best practice, organizations should avoid tracking children and tracking on websites aimed at children.

Addressing the Challenges

By putting in place privacy-sensitive frameworks, organizations will promote consumer trust in their online activities.  Addressing the privacy concerns raised by online behavioural advertising is central to establishing and maintaining consumer confidence in the online world.

Related OPC Documents

The OPC has a number of related resources available on our website: