Wednesday, January 29, 2014
Report of Findings Use of sensitive health information for targeting of Google ads raises privacy concerns January 14, 2014 The Privacy Commissioner of Canada
Report of FindingsUse of sensitive health information for targeting of Google ads raises privacy concerns
January 14, 2014
See also: News Release – Google ads sparked by web surfing on health sites violate privacy rights, investigation finds
Complaint under the Personal Information Protection and Electronic Documents Act (the Act)
On January 24, 2013, our Office accepted a complaint concerning the delivery of tailored advertisements, through Google Inc.’s (Google) AdSense service, relating to medical devices based on sites visited online.
More specifically, the complainant alleges that, since he had searched online for medical devices for sleep apnea [specifically, a Continuous Positive Airway Pressure (CPAP) device that is used during sleep], various websites that display advertisements from Google’s AdSense service often served him advertisements for CPAP devices. The complainant views his online activities relating to sleep apnea as sensitive information that should not be used for the delivery of targeted advertisements and should require his express consent.
Google was notified of the complaint on May 2, 2013. Representations were received from Google from June 20, 2013 through to December 6, 2013. On August 20, 2013, based on the results of our investigation, our Office issued a Preliminary Report of Investigation to Google (Preliminary Report). In our Preliminary Report, we made recommendations to Google with the aim of ensuring that it was meeting its obligations under the Act with respect to the issues our Office investigated. This Report of Findings reflects those recommendations and Google’s response.
The complainant alleges to have been “followed” by advertisements for CPAP devices for up to a month following his online search using the Google search engine. The advertisements were displayed on websites that were unrelated to the search topic. The complainant was signed in to his Google account while performing the online search for sleep apnea devices.
In his initial representations, the complainant provided our Office with a screen capture of a CPAP advertisement displayed on a comic strip website.
The complainant indicated that he leaves his browser open continuously. He also indicated that he shuts down his computer every few days and then opens a new browser once he restarts his computer.
The complainant is of the view that he did not provide Google with consent to display his personal medical information in browsers. He feels that regardless of the fact that he was signed into his Google account, Google should never track users while they perform searches for medical conditions or other sensitive personal interests.
The complainant maintains that he was unable to locate contact information in order to attempt to resolve his concerns with Google directly. As such, he submitted the current complaint to our Office.
Summary of Investigation
A technical analysis was conducted by our Office to test and verify the complainant’s allegation.
For the testing, an interest in CPAP was induced by performing a Google search on the topic and then visiting the top 20-40 sites listed in the search results. To assess whether online behavioural advertising (OBA) was taking place, our Office then visited 9 different sites (test sites) that were unrelated to CPAP or sleep apnea (e.g., sites about news, weather, or reference information). These sites displayed Google advertisements.
The assessment of OBA was carried out by visiting the home page and a few subordinate pages for each test site. If an advertisement related to CPAP was displayed, a screen shot was taken and the presence of OBA was noted. The testing confirmed that CPAP ads were being delivered using OBA. That the content of the advertisements was generated using OBA became clear to our Office, given that CPAP related advertisements were seen immediately after CPAP-related sites were visited, and ads related to CPAP were prevalent on many of the test sites. In our Office’s view this eliminated the possibility of CPAP advertisements being delivered as a coincidence.
To test the persistence of the ads, the computers used for the testing were restarted repeatedly over a period of days, and the testing resumed where our Office had left off. Ads continued to be displayed after the computers were restarted.
The test sites were chosen arbitrarily and there is no reason to believe that the advertisements for CPAP devices would be limited to these sites hosting unrelated content.
The testing also confirmed that Google was the responsible party that placed the ads. We confirmed this using a free web browser plugin popular for web development and debugging. This tool allowed us to examine the instructions and code involved with placing the CPAP advertisements on test sites.
Our Office has issued two documents on OBA since 2011: Privacy and Online Behavioural Advertising (the OBA Guidelines), and Policy Position on Online Behavioural Advertising (the OBA Policy Position).
Our Office differentiates between certain types of advertising on the Internet. In our view, OBA involves an advertising service placing an advertisement on a webpage based on tracking data collected across multiple unrelated websites. This practice refers to using information about where a user has been. For example if a user has visited websites about pets in the past, then ads related to pets might be shown on various web sites, even sites that are not related to pets (e.g., an online newspaper). In contrast, we view contextual advertising as advertising using information about a user’s current visit to a website in order to serve a targeted advertisement to the user on that site. For example, if a user is visiting a website about pets, then ads related to pets might be shown to the user while visiting that website.
The Original Information provided by Google
Google’s advertising system is made up of two principle means of targeting ads online: interest based advertising and contextual advertising.
Interest based advertising (or OBA) involves the use of browser cookies and is based on the behaviour of the user. There are two types of interest based ads:
Ads based on categories of interests: There are several hundred customized categories of interest. Google’s automated system can add interest categories based on the user’s browsing of websites that are in Google’s publisher network. Users can view and edit the interest categories associated with their advertising cookie in the Ads Settings page and also have the ability to opt-out of interest based ads on that page. There are no interest categories related to ‘health’.
Ads based on remarketing: Remarketing allows an advertiser to build a custom list of users to which to target ads, based on user visits to that advertiser’s website, its customer lists, or other advertiser determined criteria.
Contextual advertising is advertising that is targeted based upon the page content, sometimes also called keyword advertising.
In its original representations to our Office, Google maintained that none of the ads delivered to the complainant involved OBA. Google further stated that, while the appearance of such ads may have led to the mistaken impression that they were placed as a result of interest-based or user profile targeting, that was not the case. Instead, such ads were based on recent or related page content that appeared out of context to the user.
Google explained that a technical issue with its keyword advertising system caused the complainant’s experience and took steps to remedy it.
Application of the Act
In making our determinations on this issue, we applied Principles 4.3 and 4.3.6 of Schedule 1 of the Act.
Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
Principle 4.3.6 states that the way in which an organization seeks consent may vary, depending on the circumstances and the type of information collected. An organization should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive.
With regard to the facts of this complaint, advertisements were delivered by Google to the complainant based on the context of the sites visited by the complainant, which appeared when the complainant visited unrelated websites. In our view, the delivery of such advertisements were consistent with the description of remarketing as highlighted above, as advertisements were ultimately placed on a webpage based on the complainant’s visits to other websites. This fits within our Office’s definition of OBA. As such, we consider Google’s delivery of ads that follow an individual user through his or her online activities to be OBA.
Even if our Office did accept Google’s position that the delivery of ads was not based on OBA, and instead based on recent or related page content, this does not concord with the complainant’s experience. The complainant indicated that he was followed over a period of a month, which is inconsistent with Google’s claim that advertisements are delivered based on pages recently visited during the same browsing session. Our technical analysis confirmed this, also showing that advertisements related to CPAP devices appeared for a week, representing the longest test period.
Our Office is of the view that meaningful consent is required for the delivery of OBA. As stated in our Office’s OBA guidelines, implied or opt-out consent for OBA purposes may be acceptable provided that the information collected and used is limited, to the extent practicable, tonon-sensitive information (avoiding sensitive information such as medical or health information).
The complainant was searching information related to a medical device used to treat sleep apnea. Given that this complaint relates to personal health information (i.e. online activities and viewing history of health related websites), our Office is of the view that such information is sensitive. Therefore, implied consent for the collection or use of the complainant’s sensitive personal health information for the purpose of delivering ads based on the complainant’s online behaviour is not appropriate, and express consent is required.
Since Google did not seek express consent in the circumstances, we are of the view that in this context, Google has contravened Principles 4.3 and 4.3.6 of the Act.
Our Office completed an additional round of testing prior to issuing the Preliminary Report and found that CPAP advertisements were still being delivered in a manner consistent with the results of the testing outlined above and the complainant’s allegations.
In our Preliminary Report, we recommended that Google confirm that it will bring itself into compliance with the Act and align its advertising with our Office’s OBA Guidelines. More specifically, we recommended that Google ensure that no sensitive interests will be used to deliver advertisements without express consent.
Revised Response from Google
In response Google provided additional written representations and also met with our Office. These discussions are summarized below.
Google indicated that it also observed that the ads in question continued to appear and concluded that the technical issue with its keyword advertising system did not account for the complainant’s experience with CPAP related advertising. It was caused instead by “remarketed ads”, a form of interest-based advertising.
Google provided our Office with the following technical account of its involvement in the execution of a remarketing ad campaign placed through Google AdWords. In order for remarketing to take place, an advertiser copies code from Google’s advertiser-facing interface and inputs that code on a webpage or pages related to the remarketing campaign. When a user visits that page, the code will run, making a request to Google’s system to add the user’s advertising cookie ID to the advertiser’s designated remarketing list. The user list is stored by Google. If there is no existing advertising cookie, Google will attempt to set one. If the user has opted out of interest-based advertising, there is no cookie ID to collect.
Advertisers also use Google’s services to develop the advertisement. An advertiser uses Google’s online tools to create a remarketing campaign. The information about the campaign (name, scope, advertising creatives, etc.) are input into this interface and stored by Google. When that user visits another webpage that uses Google’s advertising products, he or she will see an ad served by Google. If the remarketing campaign wins the automated auction2 process amongst the available advertising inventory, the user will be shown an ad from that remarketing campaign.
Google stated that remarketing criteria and user lists are determined by the advertiser directly. Google requires all advertisers using this platform to agree to specific policies, which prohibit all forms of interest based advertising involving sensitive categories, including the use of user lists based on “health or medical information”. According to Google, it is up to each remarketer to determine the application of Google’s policies to any proposed remarketing. Google indicated that, despite its policies and guidance, certain advertisers or third party buyers can use remarketing products in error.
Google does allow remarketing for sites that are medical in nature so long as they do not imply that the users have a particular medical condition or disease.
Interest based ads delivered via AdSense often include an AdChoices icon
(). Once a user clicks on the icon, they are linked to a page that explains Google’s delivery of ads. At the bottom of the page there is a section for users to submit feedback to Google (see below).
Leave feedback on the website or ad you just saw
The issues(s) were with: the ads
To send us feedback about an AdWords ad, please viste the AdWords ad feedback form.
Google revealed that it had received certain user complaints relating to the advertiser (the Advertiser) delivering the CPAP ads in the context of this complaint. Google further indicated that these complaints would have been reviewed and determined to be compliant with its policies, and therefore permitted to continue. However, after the involvement of our Office, Google took action to reject the Advertiser’s use of remarketing by applying its remarketing and interest based advertising policy.
Our Office repeated testing on a number of occasions since Google rejected the Advertiser’s use of remarketing and we continue to see the ongoing delivery of CPAP and sleep apnea ads from other advertisers. Our Office has raised this with Google and has been reassured that corrective action is ongoing to control the delivery of such ads.
Google indicated that when there is an issue regarding compliance with its policies, it endeavours to review the products and website(s) in question and determine the appropriate treatment for that advertiser. For cases involving a compliance issue, advertisers will typically receive a warning to fix the problem without getting their account suspended. However, in other cases when policies are broken repeatedly, or if the issue is considered very serious, Google can suspend an advertiser's account.
From our perspective, this online advertising ecosystem is complex and appears challenging to control given the existence of bad actors and the sheer volume of monitoring given the “billions of ads submitted to Google every year”3. Google has indicated that while it endeavors to obtain 100% compliance with its policies, some malicious advertisers continuously work to subvert or avoid its compliance mechanisms.
Google provided our Office with information on how it monitors and prevents abuses to its advertising system. Our Office recognizes that this information is sensitive and confidential, and if released, could enable malicious advertisers to attempt to subvert Google’s policy enforcement efforts or could be competitively harmful. For these reasons, we have not disclosed the specifics of Google’s compliance monitoring in this Report of Findings.
It is our view that the tools that Google had in place at the time of the complaint for monitoring were not scalable and had demonstrable shortcomings.
Based on the above-noted discussions we had with Google during the course of our investigation, our Office made further recommendations to Google that it should develop a more formalized and rigorous system for reviewing advertisements and addressing instances of non-compliance.
Google’s Proposed Remedial Measures
Google accepted our recommendations and undertook the following initiatives:
Google rejected all active remarketing campaigns involving CPAP devices. Specifically, Google periodically searched for remarketing campaigns that contained terms such as “CPAP” or “sleep apnea” within Google advertising products and rejected any new campaigns that violated its policies. Google continues to conduct these searches.
Google recognized that clarity in communicating its policies to advertisers was key given that advertisers create remarketing campaigns based on their own content. Google therefore committed to revising its public interest-based advertising policies to add additional information about medical devices — including CPAP devices in particular. Google agreed to revise its policies by the end of December 2013.
Google will develop new training for internal teams (including ads policy specialists and sales staff) to keep up to date with sensitive category ads policy, improve recognition of potential policy violations, and better understand how and when to escalate complaints and issues. According to Google the training will be rolled out in stages, with full coverage for its new training implemented by the end of March 2014.
Google has increased monitoring of existing remarketing campaigns, to better identify advertisers that have created campaigns that violate its policies. In particular, Google has increased searches of active remarketing campaigns for keywords relating to CPAP devices or other topics identified as potentially related to sensitive categories.
Google has committed to reviewing and upgrading its automated review systems. According to Google this system will be developed by the end of June 2014.
Our Office expects that, once implemented, Google’ proposed remedial measures as set out above will meet our recommendations and bring it in compliance with the Act. Accordingly, we conclude that the allegation iswell-founded and conditionally resolved.
In the course of our investigation, we also raised with Google the complainant’s claim that he was unable to locate contact information in order to submit his complaint to Google. Although Google does have contact information available we encouraged them to take steps to increase transparency in this regard. Google confirmed that they share our interest in improving transparency and indicated that they were reviewing possible improvements.
 Google uses an automated auction process that determines the ads that appear to users, based on bids submitted by advertisers.
 Official Blog: Making our ads better for everyone. March 14, 2012.