Online behavioural advertising (OBA) is becoming an increasingly popular form of advertising. If your business engages in OBA, it is important to understand the privacy risks associated with this practice.
If you have ever surfed the internet to look up a particular topic such as “Caribbean vacations” or “laptops” only to find that this same topic reappears in advertisements on other websites, then you likely have been the target of OBA.
While there are many benefits to OBA and online advertising generally, such as allowing businesses to compete with international and online companies, it carries with it certain privacy risks that businesses should be mindful of when engaging in this type of advertising.
What is Online Behavioural Advertising?
The Office of the Privacy Commissioner of Canada (OPC) defines OBA as “tracking consumers’ online activities, across sites and over time in order to deliver advertisements targeted to their inferred interests.”
As people use the internet, they leave behind a rich trail of personal information. Some of this is deliberate, such as the posting of photos and comments. However, other times it is not. Through the use of certain technologies, businesses can keep track of your web browsing activity such as search terms used, web pages visited, advertisements viewed, articles read, purchases made and even your location. Businesses are tapping into this abundant source of information and using sophisticated data analytics to build personal profiles of individuals in order to deliver specific advertising to them that is tailored to their interests.
In Canada, the Personal Information Protection and Electronic Documents Act, SC 2000, c 5 [(PIPEDA) or equivalent privacy legislation in certain provinces] governs the collection, use or disclosure of personal information.
Personal information is defined as “information about an identifiable individual” [s. 2(1)]. The OPC has stated that it will generally consider information collected for the purpose of OBA to constitute personal information.
Pursuant to privacy legislation, an individual’s consent is required for the collection, use or disclosure of personal information. Privacy legislation does recognize that the form of consent can vary. For example, express (opt-in) consent is typically appropriate for sensitive information and implied (opt-out) consent for less sensitive information. The OPC has stated that implied consent may be a reasonable form of consent for OBA, provided that certain conditions are met including, but not limited to:
- making the individual aware of the practice in a clear and understandable manner before collection occurs; and
- providing them with the ability to easily opt out of the practice with immediate and persistent effect.
However, the OPC has cautioned that its 2011 OBA Guidance does not render opt-out consent the default for all OBA and that a careful consideration of all the circumstances must be taken into account. On April 7, 2015, the OPC published its findings that a mobility company’s Relevant Advertising Program (RAP), which consisted of using customers’ network usage and account / demographic information to serve targeted advertising, violated PIPEDA.
While the RAP providers did not have access to information that identified particular customers, and while the company gave customers the option to opt out of the RAP, the OPC nevertheless found that “the sheer breadth of information being used or contemplated for the RAP… renders such information more sensitive when compiled” and therefore express opt-in consent was appropriate for the use of such sensitive information.
In addition to the sensitivity of the information, the OPC also considered the reasonable expectations of the company’s customers. It found that the company used its customers’ information for the purpose of delivering its primary paid services and therefore its customers would reasonably expect it to obtain express opt-in consent for the use of their information for the new secondary purpose of OBA.
As a result of the OPC’s findings, class action lawsuits were launched in Ontario and Quebec against the mobility company and its affiliate claiming $750 million in damages for, among other things, breach of privacy (the tort of intrusion upon seclusion) arising from the unauthorized use of consumers’ personal information for the RAP.
The following four strategies will help businesses comply with their obligations under privacy law when engaging in OBA.
Obtain appropriate consent (express or implied). Given the OPC’s findings against the mobility company, businesses using OBA should consider whether seemingly innocent, non-identifying pieces of information they are collecting could be considered sensitive information when compiled together. If so, this would require express consent.
Provide user-friendly opt-out mechanisms. Businesses using OBA should provide users with a user-friendly ability to opt out of the OBA practice. Again, this could be in the form of advertising icons placed directly on the advertisement which, if clicked, provide a choice to opt out.
Safeguard information. Once information is collected, businesses should have in place adequate physical, organizational and technical measures for safeguarding the information that are appropriate to its level of sensitivity.
The information provided on this page is intended to provide general information. The information does not take into account your personal situation and is not intended to be used without consultation from accounting and financial professionals. Allan Madan and Madan Chartered Accountant will not be held liable for any problems that arise from the usage of the information provided on this page.