Fixing leaky faucets: Raising the bar of privacy protection

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

“Web leakage” research and follow-up work by the Office of the Privacy Commissioner of Canada has resulted in improvements to the privacy practices of some popular Canadian websites.

You may recall that our Office’s technologists tested 25 sites last year and found a significant number were “leaking” registered users’ personal information – including names and email addresses– to third-party sites such as advertising companies.

The research project prompted extensive discussions with the operators of 11 sites where concerns or questions were identified.

Positive changes

In the end, we’re happy to say that the initiative has resulted in a number of positive changes for Canadians:

  • Several organizations have taken measures to stop unintentional or unnecessary disclosures of personal information.
  • Many also agreed to take steps to ensure they provide consumers with clear, accessible information about their privacy practices.

All of the organizations cooperated with our Office and we were able to resolve our concerns in each and every case.  Here is a summary of the results of our work with the 11 sites:

  • In three cases, the site operators had been previously unaware that personal information was being disclosed to third parties, but took steps to ensure the disclosures stopped.
  •  In a further three cases, websites that had been intentionally sharing information such as email addresses to third parties, but agreed to stop after we questioned the practice.  Another organization was looking at whether its site could be re-designed to prevent sharing with two of its online service providers.
  • One organization acknowledged that personal information was being shared with  third-party service providers in order to manage its website – even though its privacy policy states personal information is not made available to third parties.  The organization is in the midst of making changes to its privacy policy to provide greater clarity.
  •  In other cases, our discussions with organizations confirmed that no information was being disclosed to third parties beyond that found in our research – for instance, postal codes.  As a result, we determined the disclosed information was not personal information.

Of course, our initiative involved a very small sample of sites and “web leakage” concerns are not confined to the organizations identified in our research.  All web site operators and third parties should review the personal information they share and test own sites to check whether data is unintentionally leaking.

Issues beyond “web leakage”

During our work, it became apparent that organizations’ privacy practices, such as the legitimate sharing of information with third parties, were not always disclosed in a meaningful way to consumers.

Commissioner Stoddart has expressed concern about privacy policies that are too long, too convoluted, and, as a result, tend to be largely ignored by users.

Organizations should have clear, descriptive privacy policies.  Our Office has also started looking at other practices that could also be adopted to help inform people about how their personal information will be handled.  For example, we like just-in-time notifications – providing explanations of privacy practices when data is collected.

To that end, we were pleased that several organizations committed to improve the way in which they tell consumers about their personal information handling practices.  For example, some are reviewing their privacy policies and exploring more innovative ways – such as just-in-time notices – to provide privacy information.

All of these steps will go a long ways to help ensure these organizations have obtained informed consent for the collection, use and disclosure of personal information online – as required under Canadian privacy law.

And since the issues we identified have been addressed, the Privacy Commissioner has decided not to exercise her power to name these organizations.

Given our study has revealed systemic issues in this area, our Office is developing a guidance document on best practices with respect to how organizations obtain informed consent from Canadians for the collection, use and disclosure of personal information in the online world. We expect to publish the guidance document later this year.

Date modified: