Speeches

ARCHIVED - Respecting Privacy Rights in the World of Online Behavioural Advertising

Remarks at the Marketing and the Law Conference

December 6, 2011
Toronto, Ontario

Address by Jennifer Stoddart
Privacy Commissioner of Canada

(Check against delivery)


Introduction

Good morning and thank you for inviting me. I want to tell you how much I appreciate the prominent place that privacy has on your agenda today. It speaks to the fact that many people in advertising are thinking about privacy protection issues.

I would like to take advantage of this opportunity to speak with you about some of the challenges my Office sees in the world of online behavioural advertising. While the use of this type of advertising has exploded, this is a relatively new area for privacy.

As many of you will know, my Office has had numerous discussions with industry about how to achieve the appropriate balance between the privacy rights of individuals and the needs of business in the rapidly changing digital world.

To date, we have looked at online advertising in a couple of investigations. Last year, we held public consultations on online tracking, profiling and targeting.

Since then, we have continued to follow the issue closely. While some of the discussions we’ve had have been encouraging, we have had concerns about some of what we see happening.

As a result, we’ve developed a new guidance document, which we are launching today. These guidelines will help organizations involved in online behavioural advertising ensure that their practices are fair and transparent, and in compliance with Canada’s federal private-sector privacy law, the Personal Information Protection and Electronic Documents Act, or PIPEDA.

A Changing Landscape

But first I’d like to touch on how the landscape has changed by telling you a fable based on that iconic New Yorker cartoon: “On the Internet, nobody knows you’re a dog.”

The cartoon was first published in 1993, before the explosion in online tracking of Internet users.

Today, various aggregators of online data would know pretty much everything about that pioneering Internet dog.

My story is about another dog — we’ll call her Ginger ... likely without her even suspecting.

In the first place, like many humans, Ginger likes to spend a lot of time hanging out online.

Ginger frequents websites which cater to canine entertainment interests, such as squirrel-chasing. One squirrel website even offers front-of-the-line spots to users who provide details of their preferred brands of dog food — which Ginger quickly did.

Ginger has registered a preference for red squirrels so that she can be notified of relevant new opportunities as quickly as possible.

With winter coming on, Ginger was recently looking for a chic dog jacket on www.chillydogs.ca and www.ohmydogsupplies.com.

She noticed, though, that she was starting to see advertisements for dog kennels and veterinarians everywhere she went online, which made her more than a little uncomfortable.

She started to think: Maybe on the Internet they do know I am a dog.

As Ginger discovered, our daily online roaming leaves an expansive trail of digital bread crumbs that are scooped up, analyzed and amalgamated into profiles so that companies can try to sell us more of their goods and services.

Public Opinion

Increasingly, Canadians are living their lives online and they expect online services and even some goods to be “free”. Probably more than a few appreciate that they are paying for those free services and goods by letting websites sell their eyeballs to advertisers. And some people like seeing ads tailored to their particular interest.

Others don’t like seeing these super-tailored ads. They are about as uncomfortable with the notion of their online wanderings being tracked as they would be with someone following them around a shopping mall.

In other words, they find this practice downright creepy.

Industry Perspective

It’s understandable why advertisers love online behavioural advertising: It sells better.

In the early days of the Internet, online advertising was overwhelmingly generic or sometimes contextual, meaning it was tailored to a single web page being visited or to one specific search query.

The environment has become much more complex since then. Ads are based on a profile built up by tracking the online browsing activity of individuals over time. This tracking is typically carried out by a third party, unfamiliar to the users, which collects, processes and archives information from their browsing activity on various websites.

Responding to Concerns

Not surprisingly, the burgeoning use of behavioural tracking and the fact that a lot of it is taking place without the knowledge or consent of those being tracked has triggered a rash of legislative proposals in the US and a European Union directive which requires explicit opting-in for cookies in many instances.

Meanwhile, the largest web browsers have come up with different approaches to resolving the knowledge and consent issue. W3C, a consortium of web technology companies, recently published draft standards that would allow users to express preferences about online tracking.

Here at home, the Interactive Advertising Bureau of Canada has proposed an industry-wide adoption of four best practices worked out in consultation with seven major partners, including the Canadian Marketing Association and the Association of Canadian Advertisers.

Defining Personal Information

I understand there is some debate in your industry about when information becomes personal information — and is therefore offered protection under privacy law.

PIPEDA says personal information is “information about an identifiable individual.”

Information will be about an identifiable individual where there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other available information.

My Office takes the position that the information involved in online tracking and targeting for the purposes of serving behaviourally targeted advertising will generally constitute personal information as defined under Canada’s private-sector privacy law.

In the context of online behavioural advertising, the purpose behind collecting information is the creation of profiles of individuals that, in turn, permit the serving of targeted ads. There are powerful means available for aggregating disparate bits of data. The resulting advertising is potentially of a highly personalized nature.

Given all of those factors, it is reasonable to take the view that the information at issue in behavioural advertising not only implicates privacy, but also should generally be considered “identifiable” in the circumstances.

With behavioural advertising, the proposed use of the information collected — serving targeted ads — will often imply that there is a serious possibility of identification of affected individuals.

Application of PIPEDA

So, if it’s likely personal information, there are implications for you as advertisers.

We understand the importance of the digital economy — and that’s particularly vital in these challenging economic times. But growth requires consumer trust — that people trust you. That’s where privacy comes in.

From its inception, the goal of PIPEDA has always been to balance individuals’ right to privacy with business needs.

With all this in mind, it’s our position that using behavioural advertising may be reasonable — but there are some “buts.”

Accepting participation in online behavioural advertising should not be considered a term or condition for individuals to use the Internet generally. There are still other forms of advertising, such as contextual, in which privacy is not generally implicated, that web sites can rely on to generate revenue.

As well, people must be made aware of what’s happening; there must be meaningful consent; and there should be limitations on the types of information collected and used for profiling.  Safeguarding the information is also vital, as is limiting the retention of the data to the least amount of time possible.

I’ll focus now on a couple of those issues: knowledge and consent.

Knowledge

One of our concerns about the world of online behavioural advertising is that, for the most part, it’s happening invisibly. A 2009 survey by the Public Interest Advocacy Centre found only about half of respondents were familiar with tracking devices and techniques.

It’s no surprise that many people don’t know they’re being tracked — they’d have to dig down to Clause 123 of a lengthy, legalistic Privacy Policy to find out!

Information related to online behavioural advertising should not be buried in privacy policies.

What we’d like to see is something right on the web page that people will easily recognize as the place to go for information about online behavioural advertising practices.

This information should be presented in a manner that is accessible, easy-to-read, and accurate.

My Office welcomes the IAB initiative as a good beginning in providing more information to consumers. A major educational campaign would seem to be warranted to educate Internet users about the purpose of the “i” icon, since some people are wary about clicking on anything unfamiliar.

Consent

Consent is another major issue.

There has been a great deal of discussion in international privacy circles about opt-in versus opt-out consent in the context of online behavioural advertising.

Over the years, the approach we’ve taken in applying PIPEDA in relation to other types of marketing is that opt-out is acceptable under certain conditions.

In keeping with that approach, our view is that opt-out consent can be used for behavioural advertising if the following conditions are met:

  • Individuals must be made aware of the purposes for online behavioural advertising practices in a manner that is clear, obvious and understandable. I’ll stress again: the purposes cannot be buried in a privacy policy — individuals should not have to hunt for it; it should be provided in obvious ways;
  • Individuals must be informed of these purposes at or before the time of collection and they should be provided with information about the parties involved in the advertising ecosystem; (One of the concerns we have with the IAB’s initiative is that the “i” icon alerts someone only after their information has been collected and used in some fashion.)
  • Individuals must be able to easily opt-out of the practice, ideally at or before the time the information is collected;
  • The opt-out should take effect immediately and it should be persistent;
  • The information collected and used must be limited, to the extent practicable, to non-sensitive information (avoiding sensitive information such as health information); and
  • Information collected and used should be destroyed as soon as possible or anonymised.

Restrictions

I would also flag what we consider to be a couple of “no-go” zones.

The first relates to tracking technologies that individuals can’t turn off. As I mentioned before, any collection or use of an individual’s web browsing activity requires that person’s knowledge and consent.

If an individual can’t say No to the technology being used for tracking or targeting, then you shouldn’t use that technology for behavioural advertising purposes.

So, in the current online behavioural advertising environment, that means no use of web bugs or web beacons, no super cookies, no pixel hacks, no device fingerprinting and no to any new covert tracking technique of which the user is unaware and can’t reasonably decline.

If these technologies evolve to adequately address privacy issues, we’d obviously change our position.

Additionally, if declining to consent to such tracking renders a service unusable, we would also consider this unacceptable.

Another restricted area involves the online tracking of children.

Our concern arises from the fact that children are not likely able to provide the meaningful consent required under PIPEDA for the tracking of their online activities.

As a result, organizations should not knowingly track children. Websites targeted at children should not allow tracking for behavioural advertising purposes.

This is an increasingly important issue as we see the average age of first-time Internet users dropping. I recently saw a report that 40 per cent of children aged two to four have used a smart phone, tablet or video iPod.

A Reasonable Approach

I doubt there is much in our list of dos and don’ts that is surprising to this audience.

I believe the approach we’re taking — as prescribed under Canadian law — is reasonable. PIPEDA is principles-based and it allows industry to be innovative and to grow while respecting individuals’ right to privacy. At the same time, it ensures that Canadians’ privacy rights are appropriately respected.

As we highlight in the new guidance document, we understand that there are a number of challenges associated with balancing privacy in the online environment.

To best address these complexities, all stakeholders in the advertising community, including website operators and browser developers, have a role to play to ensure that the issues of transparency and meaningful consent are addressed.

The browser developers have a key role to play, especially when it comes to collection of personal information — because this is where people can exercise their choice before their browsing data is ever collected.

Future Directions

As I mentioned at the outset, it’s clear that we are in the early days of online behavioural advertising. 

Looking ahead, we can expect to see plenty of change — and likely some new challenges for privacy as well.

We’ve recently learned, for example, that Visa has taken out patents to market its transaction information for targeted advertising by combining it with information from social networking websites, credit bureaus, search engines, wish lists and so on.

You’ve probably also heard about privacy concerns related to the co-mingling of data from websites with information gathered by aggregators of online tracking data. Researchers from AT&T and the Worcester Polytechnic Institute have documented how popular web sites automatically forwarded personal information to data tracking aggregators — apparently without meaningful consent.

My Office is very concerned about this issue and it’s something we’re examining closely.

Conclusion

Clearly, these issues are global. My data protection colleagues in other countries have concerns about behavioural advertising as well.

All of us see the need for some kind of meaningful consent. We want people to understand what’s going on before their information is collected. And we expect the advertising industry to live up to the privacy laws of the countries where they operate.

In the months to come, we’ll be watching to see that our guidance is being followed. If we see troubling trends, we will take enforcement action.

You may think this sounds theatrical. But it is based on experience. We’re currently in the final stages of an investigation of a social networking site targeted at youth. Our findings will address — among other issues — online behavioural advertising, including third-party tracking cookies. You can expect to hear us speaking to that in the next few weeks.

I’d like to close my remarks by coming back to the important issue of trust. If you are upfront with consumers about your practices; if you give them choices; if you respect their privacy rights; you will win their trust. Addressing privacy concerns in online behavioural advertising is absolutely critical for consumer confidence.

Thank you very much for your attention. At this point, I’d like to invite two members of my Office who are playing key roles on this file to come up and join me. Barbara Bucknell is an analyst with our Policy branch and Andrew Patrick is an information technology research analyst.

We would welcome any questions …