Investigation into the personal information handling practices of Ganz Inc.

PIPEDA Report of Findings #2014-011

October 7, 2014


Complaint under the Personal Information Protection and Electronic Documents Act (the “Act”)

Executive Summary

  1. On March 7, 2012, our Office initiated a complaint against Ganz under subsection 11(2) of the Act.
  2. Ganz is a privately-held Canadian partnership engaged in the manufacture and distribution of toys, gifts, collectibles and home décor products.
  3. In April 2005, Ganz introduced the concept of web-enabled plush toys called “Webkinz” (“Pets”) and launched the accompanying ‘Webkinz World’ website at www.webkinz.com (the “Website”).
  4. The Website is aimed at children between the ages of 6 and 13 years of age [Footnote 1].
  5. Children can open a free account on the Website to join the ‘Webkinz World’, without the purchase of a physical or virtual Pet.
  6. Physical versions of the Pets are sold through retailers and independent third-party distributors. Virtual versions are available through Ganz’s online store.
  7. Physical Pets come with a ‘Secret Code’ that enables an owner to sign into their account and play with a virtual version of the Pet they purchased.
  8. The Website allows users to: (i) care for their virtual Pet; (ii) manage its well-being; (iii) play games with virtual Pets owned by other users; (iv) complete tasks and earn virtual money called ‘Kinzcash’ to purchase virtual items; (v) find out about new Pets, items and games; (vi) trade Webkinz items; and (vii) chat online in a protected environment.
  9. We opened a complaint against Ganz having reasonable grounds to believe that Ganz was collecting, using and retaining the personal information of children through its user registration process for the Website, without fully explaining its purposes for doing so, or obtaining appropriate knowledge and consent, contrary to certain provisions of Schedule 1 of the Act.
  10. On May 18, 2012, we expanded the scope of the complaint. We did so having reasonable grounds to believe that Ganz was allowing third-party advertisers to track and profile children using the Website for the purposes of serving targeted online behavioural advertising (“OBA”). We considered that by enabling advertisers to do so, Ganz was failing to explain to users what personal information was being collected, what purposes it was being used for and to whom it could be disclosed. We also believed that Ganz did not obtain knowledge and meaningful consent for the collection, use and disclosure of children’s personal information on the Website.
  11. Ganz was notified of the complaint on June 11, 2012 and cooperated fully with our investigation.
  12. Representations were received from Ganz between July 2012 and June 2014.
  13. A site visit was made to Ganz’s head office in December 2012. Testing of the Website was also conducted at various stages of the investigation.
  14. While we conducted our investigation, Ganz made a number of unilateral changes aimed at improving the privacy practices on its Website.
  15. Based on the results of our investigation, we issued a Preliminary Report of Investigation to Ganz on November 21, 2013 (the “Preliminary Report”). In our Preliminary Report, we made 11 recommendations to Ganz with the aim of ensuring that it was meeting its privacy obligations under the Act.
  16. Ganz asserted that it did not knowingly collect the personal information of children under 13 years of age. As a result of our investigation, we reached the conclusion that Ganz was indeed collecting such information during the registration process.
  17. Taking this and other investigative results into account, our principal recommendations centred on:
    1. The need for greater clarity during the account registration process, e.g.: communicating to children the need to involve their parents in the registration process; obtaining parental consent to the opening of an account by a child; and clarifying who is agreeing to the Website’s terms and policies; in language appropriate to the Website’s user base;
    2. The reinstatement of French language policies and terms for francophone users to support appropriate knowledge and meaningful consent;
    3. Changes required to the Privacy Policy to:
      1. better reflect the Website’s actual practices regarding the collection, use and disclosure of personal information; and
      2. inform individuals how such practices differ between the various Ganz websites governed by the same Policy;
    4. The enhancement of Ganz’s due diligence procedures to ensure a better understanding of the activities of advertising networks and other third-parties on the Website and to prevent the tracking and profiling of children using and visiting the Website; and
    5. The need for Ganz to improve and better communicate the Website’s data retention and destruction policies and procedures, particularly in respect of archived, inactive, user accounts.
  18. Following the issuance of our Preliminary Report, Ganz proposed to limit its collection of information at registration to elements from which it would not be able to identify an individual registrant. By doing so, it would cease collecting “personal information”, and avoid the need for express parental consent.
  19. Notwithstanding this decision, we were of the view that the other issues examined during our investigation required changes from Ganz.
  20. With respect to the issue of openness, we found the content of certain of Ganz’s policies and communications material confusing, specifically the differences between the privacy practices described and the actual practices on the Website. Part of this confusion arises from the fact that the Ganz Privacy Policy is a global policy that applies to several different Ganz website properties. In the same vein, we also identified the need for Ganz to use simpler language and methods to communicate its privacy practices to its young users and their parents.
  21. The issues surrounding the activities of advertising networks and other third-party advertisers on the Website also remain relevant. While our investigation did not reveal the presence of OBA on the Website, our testing did reveal that advertisers appeared to be tracking children using or visiting the Website, somewhat to the surprise of Ganz.
  22. With regard to data retention and destruction recommendations, though future Website user accounts may not contain personal information, Ganz continues to manage and store personal information about a large number of existing active and inactive user accounts.
  23. To address our concerns and recommendations, Ganz agreed to adopt a series of remedial measures, including steps to:
    1. Improve its communication with children and their parents during the registration process, using language and methods appropriate to the Website’s user base;
    2. Reinstate and update the French versions of the Website’s policies and terms;
    3. Revise its Privacy Policy to accurately reflect the Website’s actual privacy management practices regarding the collection, use and disclosure of users’ information and to differentiate these from the practices of other Ganz websites;
    4. Enhance its due diligence procedures to better understand and respond to the activities of advertising networks and third-party advertisers on its Website; and
    5. Improve its data retention and destruction procedures, including the deletion of inactive user accounts after seven years, and better communication to users about the options to archive or delete accounts.
  24. Ganz committed to implementing the measures to address our recommendations on a five, six and nine month timeframe, depending on the specific recommendation.
  25. Our Office expects that, once implemented, Ganz’s proposed measures will meet our recommendations and bring the organization into compliance with the Act. Accordingly we conclude that the matters raised by our investigation are well-founded and conditionally resolved.
  26. The following reflects the findings of our investigation, our analysis of Ganz’s privacy practices, our subsequent recommendations to Ganz and Ganz’s response to our recommendations.

Section 1 – Identifying Purposes, Collection and Meaningful Consent

Issues

  1. As regards this aspect of the investigation, we examined:
    1. Whether the purposes for which Ganz collects personal information on the Website are being identified, at or before the time the information is collected, as required by Principle 4.2 of Schedule 1 of the Act;
    2. Whether Ganz is obtaining the knowledge and meaningful consent of users for the collection, use and disclosure of their personal information during account registration for the Website, as required by Principle 4.3;
    3. Whether Ganz is obtaining the knowledge and consent of users to the collection, use and disclosure of their personal information where users register or access an account through the French language version of the Website, by both advising users of the purposes for which the information will be used and stating it in a manner that users can reasonably understand, as required by Principle 4.3.2; and
    4. Whether Ganz requires users to consent to the collection, use or disclosure of personal information beyond that which is required to fulfill Ganz’s purposes and as a condition of using the Website, in contravention of Principle 4.3.3.

Summary of Investigation

Account Registration
  1. During the investigation, Ganz stated repeatedly that the safety, security and privacy of children using its Website were important to it. Ganz acknowledged that when it designed the Website, it did not seek to prevent direct registration by children under the age of 13. Ganz stated that it wanted to allow individuals of any age to open an account without asking for, or collecting, their personal information [Footnote 2].
  2. Ganz stressed the need to collect sufficient information from users to allow virtual world accounts to function. As such, it required registrants to provide some basic information to create user names and passwords, open and manage accounts, allow users to interact with their Pets and save earned and purchased items.
  3. We tested the Website’s registration process in order to better understand the information collected from users, how it was collected and Ganz’s purposes for doing so.
  4. Our initial testing took place in the summer and fall of 2012. At the time, users registered a new account through the ‘Webkinz Adoption Centre’, by either opening a free account, or opening an account using a Pet Secret Code.
  5. As part of our testing, we sought to register various Webkinz accounts through the Website. During the registration process, Ganz used a child-friendly avatar called ‘Miss Birdy’ (the “avatar”) to guide registrants through the registration process, using a combination of simple oral instructions and text in talk “balloons”.
Information Collected During Registration
The original registration process: prior to April 24, 2013
  1. We were initially required to confirm our country of residence to ensure that activities on the site occurred within an appropriate time zone.
  2. Later in the process we were asked to provide our: (i) real first name; (ii) date of birth; (iii) gender (optional); (iv) country of residence (re-confirmed); and (v) state, province or territory of residence.
  3. We also had to create a user name and password for each account. We were warned by the avatar not to use our first and last names, or any Secret Code, within our chosen user names. The Website’s User Agreement and Privacy Policy contained similar warnings.
  4. Each time we signed up for a free account, we were asked to choose between a virtual dog or cat, and then provide a name for the Pet.
  5. We also opened ‘Secret Code’ accounts through a similar registration process. However, rather than choose between a virtual dog or cat, we were asked to input an eight digit code attached to each purchased Webkinz Pet.
  6. We asked Ganz if it tracked where or how a Pet was purchased through the Secret Codes. Ganz confirmed that it could not. It explained that Secret Codes were generated in batches prior to production. Each Secret Code indicated only the type of Pet purchased, e.g. a unicorn. When the Secret Code was registered to a user’s account, the site created a virtual version of the Pet purchased.
The registration process after April 24, 2013
  1. The revised registration process required individuals to first open a free account. Once a free account was opened, a user could ‘adopt’ any purchased Pets into the account by inputting the relevant Secret Codes.
  2. Under the updated process, we were asked to provide our real first name, date of birth, gender (optional) and our country of residence for each account. When providing this content, we were asked to give our real information, as it would be needed for security purposes. We were no longer required to provide a state, province or territory of residence.
  3. Ganz explained that the collection of the state, province or territory was no longer necessary, as its ad server recognized whether an IP address belonged to a particular state or province and could determine whether or not to serve advertisements to a user or visitor. By way of examples, it explained that certain advertising campaigns might only be shown to users resident in the United States and third-party advertisements were blocked for children under the age of 13 in the province of Québec. This seemed to suggest an additional purpose for collecting location information, going from purely determining time zones to changing the advertisements seen on the Website.
  4. As before, we were asked to create a user name and password for each account. Again, we were warned by the avatar not to use our first and last names, or any Secret Code, within our chosen user names.
  5. In a change from the original process, we were required to provide a parental email address. A note explained that a notification email would be sent to the email address provided. Ganz confirmed that these addresses were kept secure and used for account management purposes while an account is active.
The registration process after September 2013
  1. When responding to our Preliminary Report, Ganz confirmed that it had reduced the information required from users in September 2013 by making the user date of birth and parental email address information optional, rather than mandatory.
  2. Below is a table highlighting the information Ganz collected during the registration process at different points in time:
| Original | From April 24, 2013 | From September 2013 |
|---|---|---|
| username | username | username |
| password | password | password |
| real first name | real first name | real first name |
| date of birth | date of birth | date of birth (optional) |
| gender (optional) | gender (optional) | gender (optional) |
| country | country | parent’s email (optional) |
| state/province | parent’s email | country |
| virtual pet name | virtual pet name | virtual pet name |
| virtual pet gender | virtual pet gender | virtual pet gender |
| secret code (for each pet purchased) | secret code | secret code |
Purposes for collecting registrant information
  1. In our initial testing, the Website explained why Ganz requested confirmation of gender, through a link placed next to the gender field:
    • We ask your gender so that we have the correct information about who is using our site. Using this knowledge, we can make sure that Webkinz World is the most fun place to play for our specific audience. Gender does not affect your Webkinz play experience. All members play on the same site.

  2. The April 24, 2013 update introduced additional links to help registrants understand why Ganz collects their date of birth, the country from where they are accessing the Website, and the email address of a parent or guardian.
  3. On opening the “Parent’s Email” link, a window appeared which stated:
    1. “Why do we require a Parent’s email address?

      For security purposes, we require a parent’s email address when creating a new account.

      If you ever forget your user name or need to reset your password, we will be able to send your information to that address, using the recovery links on the log in page.

      This email address will not be shared with any third parties.

      This email address will be saved on our system in a scrambled format to protect your privacy.

      A parent can choose to opt into receiving promotional emails from Ganz and Webkinz using their Parent’s Account found in the Parents’ Area”

  4. Ganz explained that in collecting information from registrants, it chose those elements that would be sufficient to open and manage an account, while being easy for children to remember. For Ganz, collecting minimal information also reduced the possibility of Ganz identifying its users. However, this approach of minimizing the collection of information limited the range of possible security questions that could be asked for verification purposes. Ganz explained that it used a child’s date of birth as one security question when parents phoned Ganz with questions about their child’s account.
  5. Further information regarding Ganz’s collection of registrant information, and its purposes for doing so, is included within the Webkinz Privacy Policy. Further details of that document’s content are described in Section 2 of this Report of Findings.
User Names
  1. We asked Ganz how it prevented children from using their real names when creating user names on the Website.
  2. Ganz stated that user names on the Website are not used as screen names. Only the name of a Pet as chosen by a user is displayed. Furthermore, children are warned not to incorporate their real name when creating a user name, both by the avatar during registration, and through Ganz’s User Agreement and Privacy Policy.
  3. Ganz explained that it did not actively screen user names against lists of commonly-known first and last names. It claimed this was impractical and incompatible with its mission to avoid associating identifiable information to users.
  4. Ganz added that if its Customer Support team noticed that a user name incorporated part, or all, of a user’s real name, the team would require the user or parent to change the user name to resolve the problem, before closing the inquiry.
  5. To examine the prevalence of real first and last names within user names, we asked Ganz to provide us with a list of 200 free and secret code accounts created by users in April 2012.
  6. The results indicated that approximately 16% of the user names listed (for those aged 13 or under) appeared to contain combinations of letters and numbers which could be viewed as including first names, initials and last names, or last names.
  7. During the course of the investigation, Ganz challenged these results, stating that such incidents were much lower. In doing so, it pointed to, among other things, the difficulty in knowing if a first or last name is actually linked to an individual child user, the prevalence of children using variations on celebrity names and fictitious ‘pen names’ when creating user names, and different cultural naming conventions. It also pointed to the need for caution due to the possible unreliability of some of the information provided by users, e.g., some of the dates of birth.
User information sent “in the clear”
  1. Our initial testing also revealed that user information was being sent to Ganz over the Internet “in the clear” (i.e., in a plain text, unencrypted form). This meant that there was a risk of interception of the information entered by children as it travelled across the network.
  2. We were pleased when Ganz addressed the matter in its Website update of April 24, 2013. In subsequent testing, we identified that most log-in information was being sent encrypted using a custom method. Three pieces of information continued to be sent in the clear, until this too was encrypted later in the year.
Other information collected
User IDs
  1. Ganz allocates a unique and randomly-generated User ID to each new account. User IDs are for Ganz’s internal use only. They are never disclosed to users or their parents and accordingly, are not searchable by users or the public. Ganz added that User IDs are used to reference a user’s account within Ganz’s internal transaction logs, but are not linked to user biographical information collected during registration. Access to such information is on a “need to know” basis and is limited to staff in certain roles and teams.
IP Addresses
  1. We asked Ganz if it collected Internet Protocol (“IP”) addresses when users register for an account for the first time. It replied that IP addresses are not collected or associated with users at initial account registration.
  2. Ganz explained that IP addresses are also not collected or associated with individuals merely visiting the Website, i.e. users who are not logged into an existing account.
  3. We asked Ganz if it logged IP addresses when an existing user logs into their account and if the IP address would be linked to the user’s registration information.
  4. Ganz confirmed that when a user logs into an existing account, they collect the user’s user name, password, language selection, and IP address. This information is collected for the purposes of user recognition and the delivery of appropriate content and is not linked to user registration information such as first name, gender and date of birth.
  5. Ganz checks the IP address and uses it to: (i) assess the approximate geographical location, so as to serve country-specific first party and third party advertisements, and (ii) to block advertisements from being served to a particular geographical region to comply with local laws.
Contact information – resolving customer account inquiries and problems
  1. Ganz acknowledged that when parents contact Customer Support about their child’s Website account, parental personal information such as telephone numbers and email addresses are captured in order to address an account problem. However, on visiting Ganz’s head office we noted the prompt, automatic, erasure of such information once its Customer Support team had resolved issues.
User consent
  1. During our testing of the various registration processes, we examined how users were expected to review, understand and consent to the Website’s terms and policies. The following is a summary of what we found.
User consent prior to April 24, 2013
  1. When we signed up for an account, we were asked to read and accept the terms of the Ganz User Agreement (the “User Agreement”), the Privacy Policy and Ad Policy.
  2. The first User Agreement we examined (dated January 19, 2011) directed users under 18, or the age of majority, to get a parent or guardian to accept the terms:
    • PLEASE READ THIS USER AGREEMENT (the “User Agreement”) CAREFULLY. BY CLICKING THE “I ACCEPT” BUTTON BELOW OR THROUGH YOUR CONTINUED USE OF THIS WEBSITE, YOU AGREE TO BE BOUND BY ALL OF THE TERMS AND CONDITIONS OF THIS USER AGREEMENT. IF YOU ARE UNDER THE AGE OF 18 OR THE AGE OF MAJORITY IN YOUR JURISDICTION, YOUR PARENT OR LEGAL GUARDIAN MUST AGREE TO THE TERMS OF THIS USER AGREEMENT BEFORE YOU MAY USE THE WEBSITE. IF YOU, AND IN THE CASE OF MINORS, YOUR PARENT OR LEGAL GUARDIAN, DO NOT AGREE TO BE BOUND BY ALL OF THE TERMS AND CONDITIONS OF THIS USER AGREEMENT, YOU ARE NOT PERMITTED TO USE OR ACCESS THIS WEBSITE…[Emphasis by Ganz].

  3. The Privacy Policy was easily accessible at the bottom of each page of the Website. Children seeking to register for an account were directed to have a parent or guardian review the Privacy Policy and then accept it by agreeing to the terms of the User Agreement.
  4. In our view, the Privacy Policy and User Agreement were rather lengthy and complex documents. They were clearly directed at the parents of those children opening accounts, rather than the children themselves. Despite this, we noted that the Website’s avatar did not direct us (applying as a child) to get a parent or legal guardian to review the documents with us.
User consent after April 24, 2013
  1. As part of the revised registration process, we noted that we were required to check a box with the statement: “I agree to the Webkinz World User Agreement, Privacy Policy and Chat Rules.” Links were provided to each document, so that we could view them before confirming our acceptance of their content.
  2. We examined the revised User Agreement (dated March 13, 2013). Apart from the introductory text, the content remained directed at the parents and legal guardians of children opening an account.
  3. The introductory text continued to direct children to get a parent or guardian to accept the terms, although the content had changed from the January 2011 version:
    • READ BEFORE USING THE SERVICE:

      Please note that all persons under the age of majority in their jurisdiction are required to have a parent or legal guardian read and accept the Agreement on their behalf and take full responsibility for compliance with the Agreement…

      BEFORE YOU OR A CHILD AUTHORIZED BY YOU (FOR WHOM YOU ARE A PARENT OR LEGAL GUARDIAN) MAY ACCESS OR USE THE SERVICE, READ THE FOLLOWING CAREFULLY.

      BY CLICKING THE “I ACCEPT” BUTTON BELOW OR BY YOUR CONTINUED USE OF THE SERVICE, YOU ACKNOWLEDGE THAT YOU ARE 18 YEARS OF AGE OR OLDER, HAVE THE RIGHT AUTHORITY AND CAPACITY TO ENTER INTO THIS AGREEMENT, OR ARE OF THE LEGAL AGE REQUIRED TO FORM A BINDING CONTRACT IN YOUR JURISDICTION IF THAT AGE IS GREATER THAN 18 AND YOU HAVE READ, UNDERSTOOD AND AGREE TO BE BOUND BY THE AGREEMENT.

      IF YOU DO NOT AGREE TO BE BOUND BY THE AGREEMENT, DO NOT SET UP AN ACCOUNT, PURCHASE A SUBSCRIPTION OR OTHERWISE USE THE SERVICE. PLEASE PRINT A COPY OF THE AGREEMENT FOR YOUR RECORDS. [Emphasis added by Ganz].

  4. The on screen instructions and avatar did not direct us to get a parent or legal guardian to review the User Agreement, Privacy Policy and Chat Rules, or to accept the content.
  5. We also examined the Privacy Policy, which was also revised as part of the April 2013 Website update. It continued to be incorporated by reference into the User Agreement and its content remained aimed at the parents or legal guardians of children seeking to open an account.
  6. Under the revised registration process, a notification email was sent to the parental email address we provided. We were also directed to have our parent check their inbox (or their spam/junk email folder) to view the email.
  7. We noted that there was no change to this consent process following the Website’s September 2013 update.
Parental notification
  1. The notification email informs parents that their child has created a new Webkinz World account. It provides the user name and password of the child’s account and states that the parent’s email address will be used to recover the account’s user name and password, and any information regarding account changes. The sending of the user name and password in an email represented, in our opinion, a security risk as it was sent “in the clear” and could potentially be intercepted by a third-party.
  2. We noted that Ganz enables parents and guardians to create a Parent’s Account. A Parent Account can be opened at any time and allows a parent to control aspects of their child’s account including chat room permissions, blocking third-party advertising, and the deletion of the child’s account.
  3. Furthermore, the email informs a parent of the information collected from their child during registration. Links are provided to the User Agreement and Privacy Policy and the parent is asked to read and discuss these documents with their child.
  4. We asked Ganz if it required an email response from a parent to approve the opening of their child’s account and whether the child would be blocked from continuing until confirmation was received. Ganz stated that it did not require confirmation from parents and did not take measures to prevent children from completing the registration process in the absence of a reply.
Privacy Policy – French language versions
  1. In April 2012, we examined the French language version of the Website. We noted that visitors were presented with a warning screen in French.
  2. The warning stated that the Webkinz World site was in the process of being translated and that when you play on the site, you would see certain features and sections in French and some remaining in English. It added that additional sections would be translated in the coming months. If a visitor encountered any problems in playing on the site, they could visit the translated ‘Help’ section, or ‘Webkinz Guide’.
  3. We examined the “Conditions d’utilisation” (User Agreement) and the “Politique de confidentialité” (Privacy Policy). We noted that the User Agreement was translated into French, but that the Privacy Policy was not. This concerned us as we wondered how francophone users or their parents could provide meaningful consent to the Website’s terms if relevant information was not available in a readily understandable form.
  4. Ganz believed that the French Privacy Policy disappeared from the Website during an update to the site in early 2012. When we brought the matter to Ganz’s attention, immediate steps were taken to bring back the French Privacy Policy.
  5. In April 2013, Ganz informed us that it intended to offer the Website in English only. We revisited the Website and were presented with a message indicating that the new content of the Website would only be offered in English and had not been translated into French:
    • ATTENTION!

      Pour l’instant, le nouveau contenu du Webkinz World™ n’est offert qu’en anglais seulement; il n’est pas traduit en français. Pour obtenir les nouvelles conditions d’utilisation du site webkinz.com, veuillez consulter la version anglaise du site.

      [Warning! For the moment, new content from Webkinz World™ is only offered in English and has not been translated into French. To access the new user agreement for the webkinz.com site, please refer to the English version of the site.]

  6. Clicking on the new registration tab entitled “s’inscrire”, we were taken to the English language version of the account registration process. Similarly, on clicking the “connexion” tab for existing users, we were directed to the English language account sign-in page.

Application of the Act

  1. In making our determinations on these issues, we applied subsection 2(1) of the Act and Principles 4.2, 4.3, 4.3.2 and 4.3.3 of Schedule 1 of PIPEDA.
  2. In subsection 2(1) of the Act, “personal information” means information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.
  3. Principle 4.2 states that the purposes for which information is collected shall be identified by an organization at or before the time the information is collected.
  4. Principle 4.3 stipulates that the knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate.
  5. Principle 4.3.2 requires an organization to make a reasonable effort to ensure that an individual is advised of the purposes for which their information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.
  6. Principle 4.3.3 states that an organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use or disclosure of information beyond that required to fulfil the explicitly specified and legitimate purposes.

Analysis

Is Ganz collecting “personal information” on the Website?
  1. Taking into account the Website’s original collection of information from registrants, we find that Ganz was collecting the personal information of individuals using the Website.
  2. The heart of the definition of “personal information” under PIPEDA is “information about an identifiable individual”. In light of how our Office and the courts have interpreted what consists of information about an identifiable individual, we remain of the view that information will be about an identifiable individual where there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other available information.
  3. We acknowledge that Ganz did warn registrants not to include real names within any user name they create during the original registration process. Yet our review of user names conducted in April 2012 identified a number of user names that appeared to contain real first names, initials and last names, or last names.
  4. In looking at all the information that Ganz initially collected during the registration process, and the fact that Ganz collected, from time to time, other contact information and allocated unique User IDs to all user accounts, our view was that there was a serious possibility that Ganz could identify some of the children using its Website. While one piece of information might not create a serious possibility of identification, a combination of different information elements collected by Ganz could.
  5. This view was further solidified for us when, after April 24, 2013, Ganz started to collect parental email addresses at registration. In doing so, Ganz collected, in some instances, the full name of the parent, e.g. janedoe@gmail.com. This raised the further serious possibility that Ganz could identify some of the children who had registered Website accounts.
  6. As a result of the above, our Preliminary Report expressed our view that Ganz was collecting the personal information of children under the age of 13.
  7. Ganz responded that to be "personal information", information has to be about an identifiable individual, and that the notion of identifiability has to be rooted in reality. It further pointed out that for an individual to be "identifiable", the information must have some precise connection to an individual, i.e., a unique connection to one person.
  8. Ganz claimed that taking into account the five items of information it collects at registration (three of them optional), it could not realistically identify, or re-identify, users.
  9. Ganz questioned our Office’s claim that combining a user name (which may contain a real name), a user’s date of birth, their gender (on an optional basis) and a parental email address (which may also contain a real name) could lead to the identification of some of its users. It felt that this position was reliant upon a series of assumptions which, in its opinion, made the possibility of identifying individual users remote.
  10. Ganz also questioned our Office’s view that Ganz had been “collecting” users’ real names in their entirety. It confirmed that it had always asked for users’ real first names for security purposes. However, it had never sought to obtain full names. Indeed, it had deliberately designed its registration process to avoid such collection, so as to protect children using its service. If users included their real full names within their user names it was contrary to Ganz’s explicit instructions. In addition, Ganz stated that whenever it had become aware of user names containing apparent real names, it had taken immediate steps to address this by arranging for such user names to be changed and this continued to be its practice.
  11. In considering Ganz’s response, we took into account the fact that the Website is very popular amongst children; the Website has millions of users with accounts. Therefore, even if a relatively small percentage of user accounts contained real user names, the personal information of a significant number of children would be collected. In our view, even though Ganz did not expressly seek to collect full names, our investigation revealed that Ganz was aware that it was receiving such information in certain cases and continued to hold on to such information over a long period of time. In our view, this amounts to a “collection” of personal information for the purposes of the Act.
  12. We recognize that in making the collection of certain information optional, Ganz thereby reduced the amount of personal information it collected. However, this optional information continues to be provided by some users and therefore, Ganz continues to collect such personal information in that regard.
  13. To further reduce the collection of such personal information, we are of the view that Ganz needs to take additional active measures to prevent users, as much as reasonably possible, from including their real names or other personal information in their chosen user names.
Are the purposes for the collection of user personal information identified by Ganz?
  1. Prior to the April 2013 update, Ganz provided users with notice about why it collected gender information on the registration screens. Other information about the collection of information and Ganz’s purposes for doing so were mentioned only in the Privacy Policy, which while accessible, was a lengthy and detailed document.
  2. After the April 2013 update, Ganz provided more links explaining why it collects a user’s date of birth, country of origin, and a parental email address, in a more accessible manner and at the time the information is collected.
  3. If a parental email address is provided by a user, a notification email is sent by Ganz to the parent informing them what information has been collected from their child when opening an account and directs the parent to review the Privacy Policy for further information on the purposes for such collection.
  4. Ganz continued to take steps to improve the disclosure of its practices in this regard in order to comply with Principle 4.2 of Schedule 1 of the Act. In our Preliminary Report, we encouraged Ganz to continue its efforts, particularly with respect to the need to ensure that the language and tools used are appropriate for children using its Website.
Is consent obtained during account registration informed and meaningful?
  1. The consent provisions of PIPEDA do not expressly speak to age-based consent. Principle 4.3 states that the knowledge and consent of an individual are required for the collection, use and disclosure of personal information. Principle 4.3.2 requires organizations to ensure that individuals are advised of the purposes for which the information will be used and that consent obtained from individuals is meaningful. Meaningful consent means that the individual concerned can reasonably understand how the information will be used or disclosed prior to providing consent.
  2. Meaningful consent becomes a more difficult notion where personal information is being sought from children. Can a child reasonably understand what they are being asked to consent to?
  3. Principle 4.3.6 of Schedule 1 states that consent can be given by an authorized representative (such as a legal guardian or a person having a power of attorney). However, it does not specify under what circumstances this can or should occur.
  4. In PIPEDA Report of Findings #2012-001, we recognized that there was value in users of a Canadian social networking website aimed at teenagers and young adults involving their parents in their online transactions. However, we concluded that PIPEDA did not require parents to provide consent on behalf of their teenager in the context of that website. We concluded in that case that in order to ensure meaningful consent was obtained, the information handling practices of the organization had to be explained in such a way that its teenage users could understand how their personal information would be handled by the website.
  5. Ganz’s Website is aimed at children under 13, a younger demographic group than the one at issue in PIPEDA Report of Findings #2012-001. Children under the age of 13 have arguably a less sophisticated understanding of online marketing and social media interactions.
  6. In our original testing, children could register for a free or Secret Code Website account without parental notification or involvement.
  7. After April 24, 2013, Ganz required each user to provide the email address of a parent or guardian during registration.
  8. We acknowledged Ganz’s proactive steps in notifying parents of their children’s efforts to register on the Website and the information collected from them. We were also encouraged by Ganz’s efforts to encourage parents to take an ongoing interest in what their children were doing on the Website, both through extensive parent-oriented information and enhanced parental control options.
  9. However, we noted that while Ganz informed parents of new accounts being opened by their children, it did not require express consent from the parent to do so, e.g., through the clicking of a link. Indeed, in the absence of any such consent, children could freely continue with the account registration process.
  10. The advice to involve a parent during the registration process is brought to the attention of children during registration only if they click on the link, read, and understand the User Agreement. The User Agreement states that:
    • Please note that all persons under the age of majority in their jurisdiction are required to have a parent or legal guardian read and accept the Agreement on their behalf and take full responsibility for compliance with the Agreement.
  11. We considered it questionable as to whether a child under the age of thirteen opening an account would be able to find this provision in the User Agreement, understand the text, and act accordingly.
  12. Throughout our testing of the Website, we noticed that no child-friendly directions were given to children to involve parents in the registration process, either through the avatar or another simple method appropriate to the Website’s very young user base.
  13. We also noted that it was not clear whether the individual seeking to create an account was also the same person agreeing to the terms of opening such an account. Ganz indicated to us that it did not seek to prevent direct account registration by children under 13 years of age. Rather, Ganz allowed players of any age to open an account.
  14. Yet, Ganz stated that parents of users were expected to agree to the User Agreement, Privacy Policy and Chat Rules, documents that are all written in a language intended for adult readers.
  15. We noted that the account registration check box and declaration stated “I agree to the Webkinz User Agreement, Privacy Policy and Chat Rules”. We found this confusing as there was nothing to indicate that parents or guardians were expected to confirm their agreement. A child creating an account could easily believe that as the individual creating the account, he or she would be expected to check the box and agree to the terms.
  16. Taking into account the above, we took the view that Ganz was not obtaining meaningful consent as required by Principles 4.3 and 4.3.2 of Schedule 1 of the Act.
  17. We were equally of the view that since young children were involved in providing their personal information to the Website during the registration process, it was important that a parent or other legal guardian provide the appropriate consent on behalf of their child in order to open an account.
  18. Furthermore, we were of the view that Ganz’s communications with its users and their parents or guardians should be consistent with the Website’s actual practices and use appropriate methods and language that can be easily understood by both groups, so as to ensure that any consent provided is reasonably informed.
Is Ganz requiring users to provide more information than is necessary?
  1. Throughout our investigation, we noted that Ganz had given considerable thought to the information it requested from users and their parents when providing the Webkinz service. It claimed that it was not collecting users’ personal information.
  2. Ganz claimed that it collected the minimal amount of user information necessary to be able to initiate and manage a Webkinz World account. Indeed, some of the information that was initially required later became optional. Ganz pointed out that, unlike other children’s websites, it did not seek to collect other personal information from users such as their last names, personal interests or further contact information such as cellphone numbers.
  3. While Ganz examined users’ IP addresses when accessing existing accounts, it did so only for purposes such as user recognition and the delivery of appropriate content. During our testing, we did not find any evidence that Ganz linked IP addresses to users’ biographical information collected at registration.
  4. Ganz also took some steps to limit the potential collection of other information by reminding users that they should be careful to avoid using their real name within their user name. Ganz indicated that it took steps to remove any apparent real names, if they came to its attention, e.g. when resolving an account inquiry or problem.
  5. Ganz also indicated that it took steps to use additional contact information obtained by its Customer Support team, only for the defined and limited purpose of resolving service issues. It demonstrated to us that it took immediate action to delete such information once the purpose for its collection was served.
  6. We reviewed the purposes for the collection and use of users’ personal information cited in the Ganz Privacy Policy [Footnote 3]. Ganz stated that the collection and use of users’ information on the Website was less extensive than that described in the Privacy Policy. The Privacy Policy was, in fact, a global document intended to describe the organization’s privacy practices across several Ganz websites, most of which were aimed at adults or teenagers and involved the collection and use of personal information [Footnote 4]. We felt that this practice would serve to confuse users as to the actual privacy practices of the Website.
  7. In responding to our Preliminary Report, Ganz explained that, in September 2013, it had further amended its registration process to make the collection of registrants’ parental email addresses and dates of birth optional. It also expressed its intention to reduce the information collected from individuals at registration, such that it would not be collecting any “personal information” under the Act.
  8. Taking into account Ganz’s ability to reduce its collection of user information over time, we remain of the view that Ganz was originally collecting more personal information from users than was required to fulfil its purposes of opening and administering Website accounts, and that therefore, Ganz was in contravention of Principle 4.3.3.
Ganz’s Privacy Policy – French language versions
  1. Our review of the French version of the Website revealed that it did not have or link to a French Privacy Policy. We considered this a contravention of Principles 4.2 and 4.3.2 of Schedule 1 of the Act, as it was our view that Ganz had not taken adequate steps to notify its francophone users why it was collecting, using or disclosing their personal information.
  2. Ganz took immediate steps to address the issue and reinstate the French Privacy Policy which Ganz believed had disappeared from the Website earlier in 2012. While we were encouraged by this prompt response, we were somewhat concerned that the absence of the Privacy Policy had gone unnoticed for several months.
  3. Our review of the April 24, 2013 update of the Website raised new concerns, when we were informed that Ganz had ceased to translate content for the French language version of the Website.
  4. While users could avail themselves of the French version of the Website, we noted that Ganz had introduced a warning in French that informed francophone users and their parents of the new language limitations of the Website.
  5. Despite this warning, we were concerned that some existing francophone users would now be unable to understand Ganz’s collection, use and disclosure of their personal information relating to the updated Website. When a new deletion option was incorporated within a July 1, 2013 update, it became apparent to us that francophone users of the Website could become increasingly excluded and left uninformed about Ganz’s privacy practices.
  6. In our view, the action taken by Ganz after April 24, 2013 represented new contraventions of Principles 4.2, 4.3.2 and 4.8.2 (c) of Schedule 1 of PIPEDA.

Recommendations

  1. Taking into account all of the above, we made four recommendations to Ganz:

Recommendation 1

Ganz should more explicitly direct children (in a form and language appropriate to the user base of the Website) to involve a parent or guardian in the review of Ganz’s Privacy Policy, Terms of Business and Ad Policy with the child, at or before the time an individual is required to consent to the opening of the account.

Recommendation 2

Ganz should, through means of a simple mechanism, obtain the consent of parents or guardians to the collection, use and disclosure of their children’s personal information, prior to allowing the opening of a Website account.

Recommendation 3

Ganz should amend the check box declaration making it clear that where a child is seeking to open an account, it is their parent or legal guardian who is required to agree to the Webkinz World User Agreement, Privacy Policy and Chat Rules, not the child.

Recommendation 4

Ganz should reinstate and update the French User Agreement and Privacy Policy to accurately reflect its privacy handling practices under the revised version of the Website. This will enable new Francophone users of the Website, and their parents, to understand how Ganz collects, uses and discloses their personal information and to ensure that existing users continue to be able to provide informed consent to their ongoing participation on the Website.

Ganz’s proposed measures

  1. In its formal response to our Office’s Preliminary Report, Ganz agreed to implement a series of measures to address all of these recommendations.
  2. For recommendation 1, Ganz agreed to add language to the registration process and use its avatar to prompt children to have their parents or guardians review and ‘accept’ the terms of the documents.
  3. Concerning recommendation 2, our Office engaged in further discussion with Ganz, until we were satisfied with Ganz’s proposed measures. Ganz stated that it would cease collecting a user’s first name, date of birth and parental email address. It claimed that in doing so, Recommendation 2 would be rendered irrelevant in that it would no longer collect users’ personal information, since it would be eliminating any possibility of being able to identify them.
  4. In addition to the above, Ganz proposed to modify the flow of the registration process so that when parents agree to the terms of its User Agreement and the Privacy Policy, the parent would be advised of the Website’s policy against including real names and other personal information in user names. The parent would then be given the opportunity to review their child’s chosen user name and change it if necessary, before confirming compliance with the policy.
  5. Regarding recommendation 3, Ganz agreed to make the changes responsive to recommendation 1, and also address the fact that the check box and declaration are directed towards the adult(s) responsible for the child signing up for an account.
  6. To address recommendation 4, Ganz agreed to reinstate and update the French User Agreement, Privacy Policy and Ad Policy to reflect the revised English versions.
  7. Ganz agreed to make changes to address Recommendations 1, 3 and 4 within five months of the date of issue of our Report of Findings, and Recommendation 2 within six months of the date of issue of our Report of Findings.

Conclusion

  1. We are satisfied that Ganz’s proposed measures will, once implemented, adequately address all four recommendations. Therefore, we find the aspect of this complaint pertaining to Ganz identifying the purposes for which it is collecting personal information, and to Ganz obtaining meaningful consent from individuals seeking to register for a Webkinz Account, as being well-founded and conditionally resolved.
  2. In accepting Ganz’s proposed measures to address recommendation 2, we took into account the structure of its Website, the further reduction in the information collected from its users, its minimal retention of certain user information such as contact information and IP addresses, Ganz’s use of technology to protect its users’ privacy and its commitment to continually review and update its privacy policies and practices on a pro-active basis.
  3. Once Ganz has implemented the measures at registration, it will only collect a user’s gender (on an optional basis), country of residence, the user name (using a more robust method to reduce the possibility of collecting real full names), password, name and gender of virtual Pets and secret codes.
  4. Ganz will continue to collect IP addresses (for very limited time periods and purposes) and allocate User IDs (which are not linked to user biographical information), and may collect personal information when parents communicate with Ganz in respect of their child’s account. However, we are satisfied that in the context of its particular service and Website, Ganz has minimized the information it is collecting at registration to the point that there is no serious possibility that it can identify one of its users through the information it collects at registration.
  5. We recognize that our findings in this case are based on Ganz’s current capacity to identify, or not identify, an individual. If Ganz were to change the information it collects from users, or if technological capabilities, Website structure and information management practices evolve over time such that there would be a serious possibility that an individual could be identified, then the issue of whether Ganz collects “personal information” could be revisited.

Section 2 – Openness of Practices

Issues

  1. In our investigation, we examined whether Ganz is fully and accurately describing the personal information under its control. In particular, Ganz’s Privacy Policy states that it does not collect the personal information of users under the age of 13.

Summary of Investigation

  1. During the course of our investigation, we reviewed the July 9, 2012, April 24, 2013 and November 20, 2013 versions of the Ganz Privacy Policy.
  2. Ganz confirmed that the Privacy Policy is not specific to the Website. Rather, it is applicable to several different Ganz websites: webkinz.com, amazingworld.com, nakamas.com, webkinzfriends.com, tailtownsfriends.com, ganzworld.com, ganz.com, ganzestore.com, ‘Webkinz Friends’ on Facebook and iPad, TailTownsFriends on Facebook and Webkinz game apps on iTunes.
  3. The Privacy Policy does not explicitly state that it applies to the websites listed above. Instead, it states that the Privacy Policy is applicable to “personally identifiable information” (“PII”) of all users collected, stored or distributed through any website, mobile game or application on which it is posted.
  4. Ganz stated that regardless of the specific website to which individuals are directed, it always seeks to follow consistent privacy practices: (i) it collects the minimum information required to provide any services; (ii) it keeps data for a reasonable period of time only; and (iii) it avoids collecting personal information from children under 13.
  5. Ganz conveyed its position that the Privacy Policy was compliant with the Act. It explained that the Privacy Policy was easy to locate throughout the Website and accessible to users at the points of: registration, information-gathering and where consent is granted.
Personal information
  1. The Privacy Policy is explicit in stating Ganz’s position regarding the collection of the personal information of young users of the Website:
    • We don’t knowingly collect personal information from children under 13.

      Some parts of the Service offered by Ganz are not intended for children under the age of 13 and we do not knowingly collect information from children under this age through the Service.

      For the portions of the Service that appeal directly to children under the age of 13, we incorporate into this Privacy Policy the following additional children’s privacy provisions. When your child is asked to provide personal information, we will provide you with an opportunity to consent to their disclosure of personal information in accordance with applicable law…

  2. This section of the Privacy Policy explains information which may be collected from parents or their children to enable use of Ganz services, which includes use of the Website. In summary, the information collected may include:
    1. A child’s user name and password for registration purposes;
    2. Aggregate information regarding participation in surveys and feedback;
    3. IP addresses for routine systems administration;
    4. Email communications: for very limited and one time responses;
    5. Mail communications: if a child wants to contact them by mail, it may be possible using a designated form. The form may be used to collect information from the child with the consent of the parent;
    6. Chatting on the Service: Ganz has both scripted online chat (“Kinzchat”) for children and unscripted but moderated chat (“Kinzchat Plus”) for older users; and
    7. Names, email addresses and other personal information of a child or adult/parent for various reasons concerning child safety and security, the integrity of the service and cooperation with judicial and law enforcement authorities.
  3. Notwithstanding the above, the Privacy Policy goes on to state that Ganz may collect personal information when users interact with the website:
    • This policy applies to all information that identifies a particular individual.

      …Ganz collects personal information that is voluntarily provided by you when you order a product, enter promotions, answer our polls or surveys, register on the Service, or communicate with us by mail, telephone or electronically. Ganz also collects personal and non-personal information automatically as described below. The type of information we collect and maintain may include your name, mailing address, email address, telephone number, gender, date of birth, purchase history, chat room communications, complaints you may have about our products or services, a record of promotions offered to you, and your Ganz product preferences. Other information, such as your IP address, system information (including operating system, browser type, available software and hardware) whether you were referred to us by a search engine (including the search term(s) used to find us) and how much time you spend using the Service are collected to improve the service and messaging efficiency, learn more about where our users come from and understand how our users use and ways to improve our Service…

  4. The Privacy Policy also sets out how Ganz uses and discloses the personal information collected from its users by: (i) providing users with the products and services they requested; (ii) understanding users through enhanced products, customer service and directing promotional efforts of interest; (iii) investigating and responding to user inquiries, complaints and concerns; (v) soliciting users’ opinions on products and services; (vi) sharing information with other users of the Ganz group (with the option for parents to opt-out of providing their child’s information); (vii) investigating misuse or unauthorized use of the service; and (viii) disclosing information in emergencies when personal safety is at risk.
  5. We asked about the apparent differences and contradictions between the Privacy Policy’s initial reference to the collection of only non-personal information from children using the Website, and the above reference to the collection of users’ personal information such as contact details.
  6. Ganz responded that it adopts a cautious approach to its privacy obligations. The Privacy Policy was written in such a way as to be addressed to users’ parents and present the full range of the potential collection, use and disclosure of personal information of individuals by the various Ganz websites on which it is posted.
  7. Ganz claimed that, in practice, the Website does not collect, use or disclose children’s personal information. Ganz acknowledged that in this instance, the content of its Privacy Policy did not represent the actual experience of child users on the Website and was more applicable to the collection, use and disclosure of the personal information of older users on other Ganz websites.

Application of the Act

  1. In making our determination on these issues, we applied Principles 4.2, 4.3.2, 4.4.1 and 4.8.2 (c) of Schedule 1 of the Act.
  2. Principle 4.2 states that the purposes for which information is collected shall be identified by an organization at or before the time the information is collected.
  3. Principle 4.3.2 requires an organization to make a reasonable effort to ensure that an individual is advised of the purposes for which their information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.
  4. Principle 4.4.1 adds that organizations shall not collect personal information indiscriminately. Both the amount and type of information collected shall be limited to that which is necessary to fulfil the purposes identified. Organizations are required to specify the type of information collected as part of their information-handling policies and practices, in accordance with the Openness principle (Principle 4.8).
  5. Principle 4.8.2(c) states that information made available under the Openness principle shall include...a description of the type of personal information held by the organization, including a general account of its use.

Analysis

  1. Ganz’s Privacy Policy has consistently stated that Ganz does not “…knowingly collect personal information from children under 13.” However, based on the information we obtained and extensive testing of the Website, our Office is of the view that Ganz collects the personal information of children using its Website.
  2. We acknowledge that Ganz’s Privacy Policy provides lengthy and comprehensive descriptions of the personal information that the various Ganz websites may collect, use or disclose and appears to adequately describe Ganz’s purposes for doing so, in compliance with Principle 4.2.
  3. However, the Privacy Policy does not state which Ganz websites the Privacy Policy generally applies to, or the extent to which the organization’s personal information handling practices differ with regard to each website.
  4. We accept that Ganz’s intention in including the ways it may collect, use or disclose users’ personal information across several websites is educational in nature and out of an abundance of caution. Yet we believe that this information-laden and cross-site approach could cause confusion for users of the Website and their parents.
  5. By not setting out what user information is actually collected, used or disclosed through the Website, Ganz could confuse users and their parents into believing that either more information is collected, used or disclosed than is really the case, or that certain pieces of personal information are collected, used or disclosed by other Ganz websites and not the Website, which could be inaccurate.
  6. Our view is that this lack of explanation of the scope and application of Ganz’s collection, use and disclosure of personal information across its website properties, and in particular the Website, is a contravention of Principles 4.3.2 and 4.4.1, as well as the corresponding Openness Principle 4.8.2 (c) of Schedule 1 of PIPEDA.

Recommendation

181. As a result of the above, we made the following recommendation to Ganz:

Recommendation 5

Ganz should, where appropriate, revise its Privacy Policy to more accurately reflect the Website’s actual collection, use and disclosure of the personal information of children and their parents.

As the Privacy Policy represents Ganz’s handling of personal information across many Ganz websites, the Privacy Policy should be revised to accurately explain which websites it applies to. In addition, the Policy should explain, in simple terms, how Ganz collects, uses and discloses such personal information from site to site, so that users can elect whether to participate in each website on a more informed basis.

Ganz’s proposed measures

  1. Ganz agreed to update its governing documents, including its general Privacy Policy, to more clearly communicate its practices. It agreed to do so within five months of the date of issue of our Report of Findings.

Conclusion

  1. We believe that Ganz’s proposed measure will, once implemented, address the recommendation. Therefore, we find the aspect of our complaint dealing with the Openness of practices as being well-founded and conditionally resolved.

Section 3 – Cookies and Online Behavioral Advertising (OBA)

Issues

  1. This Section relates to our investigation into: (i) the tracking and profiling of users and visitors to the Website for the purposes of OBA through the use of cookie-based advertisement targeting technology; and (ii) whether Ganz is obtaining the knowledge and meaningful consent of users and visitors for the collection, use and disclosure of their personal information for the purposes of serving OBA.

Summary of Investigation

Advertising on the Website – General
  1. In explaining its advertising model, Ganz stated it did not collect personal information for advertising purposes, nor did it provide such information to third-parties so that they can profile or target users with OBA.
  2. We examined the Website and noted extensive promotion by Ganz of its own child-oriented products and services to users and visitors (“first-party advertising”) and some advertising of child-oriented films, cereal and toys by external advertisers (“third-party advertising”).
  3. Ganz informed our Office that third-party advertisers placing advertisements on the Website are introduced through either: (i) advertising agencies (referred to by Ganz as “premium advertising”), or (ii) advertising networks.
  4. During our site visit to Ganz’s offices, Ganz’s digital advertising team explained its process for working with such third-party advertisers.
  5. Ganz indicated that it pre-screened advertising agencies seeking to place premium advertising on its Website, before entering into any kind of agreement. All agencies are educated about its pre-teen audience and the limitations it places on advertisements appearing on the Website. Ganz explained that advertisers are required to commit to an advertising service agreement. This requires that advertisers comply with Canadian advertising and privacy legislation and agree not to profile children viewing the advertisements for the purposes of serving OBA. Advertisements are vetted for compliance against Ganz’s standards before placement, and reviewed periodically once launched.
  6. Ganz explained that it also pre-screened advertising networks before entering into any advertising agreements. It stated that it had rejected advertising networks which: (i) had not agreed to shelter users of the Website from targeted OBA either by the networks themselves or the advertisers using their services, and (ii) had not allowed the individual screening and vetting of all advertisements offered for use on the Website.
  7. Ganz explained that it rejected advertisements linked to contests, because entering contests usually requires visitors to provide their personal information to an advertiser. Ganz was concerned that it could not ascertain what advertisers could subsequently do with such personal information after a contest ended. It also declined all advertisements which would lead its users to website landing pages requiring disclosure of user personal information, or which contain objectionable content.
  8. We investigated both forms of third-party advertising on the Website. Taking into account the results of our investigation, this section of the Report of Findings focusses on advertising placed by third-party advertising networks.
Cookies on the Website
  1. During our investigation, Ganz stated that it did not use cookies on its Website, either to track users for the purposes of building profiles about them, or serving them OBA. It also stated that it prohibited third party advertisers, advertising agencies or advertising networks from using cookies for these purposes.
  2. We reviewed the Website and conducted testing to search for the presence of cookies that could be used to build profiles of users and deliver OBA.
First party cookies
  1. In our initial review, we identified cookies placed by Ganz (“first-party cookies”) and “third-party cookies” placed by analytics companies, advertising agencies, and advertising networks. The types of cookies found included session cookies, persistent cookies, and Flash cookies.
  2. Ganz explained that it used first-party cookies for the purposes of administering and managing the Website. Examples of such uses included recording the appropriate language for the user, the identification of registered users, restricting advertising or serving country or provincial-specific advertising, frequency-capping [Footnote 5] of Ganz advertisements, and identifying users who had opted out of third-party advertisements.
  3. Our testing of Ganz’s first-party cookie practices was consistent with its assertions and did not reveal the profiling of its own users or the serving of OBA to them.
Third-party cookies
  1. Our testing determined that third-party cookies could be placed in users’ browsers when they visited the Website. Cookies were set during the advertisement delivery process and individuals using or visiting the Website did not need to click on advertisements for the cookies to be placed. Some of the cookies observed contained apparent identifiers such as unique serial numbers.
  2. Ganz asserted that third-party cookies placed on the Website were for statistical purposes such as frequency-capping and advertising campaign analytics.
  3. It also claimed that cookies were used by third parties to identify the Website’s users so that their information could be ‘segregated’ and blocked from further profiling or tracking for the purposes of serving targeted OBA.
Ganz’s cookie audits
  1. While Ganz originally acknowledged that it did not regularly monitor the presence and purpose of third-party cookies on its Website, it had conducted some self-initiated cookie audits.
  2. Each review involved the examination of all cookies placed by Ganz and third parties to determine if there were any new or unexpected cookies on the Website, to understand their purposes, and to identify what information was being collected through their use. In Ganz’s opinion, these audits did not reveal any privacy issues.
Advertising networks
  1. Ganz confirmed that it used a US advertising network (the “US Network”) and a Canadian advertising network (the “Canadian Network”) for the placement of third-party advertising on the Website.
  2. Online advertising networks serve advertisements by selecting appropriate advertisements from a database or ‘inventory’ of approved advertising. In serving these advertisements, an advertising network will share revenue each time a visitor to a website clicks on the advertisements [Footnote 6].
The US Network
  1. Ganz informed us that, as an approved member of the US Network’s publisher network, it had access to the US Network’s advertising approval system. As a result, it was able to review advertisements on a daily basis. The system allowed it to view each advertisement and access the relevant advertiser’s website and examine its privacy policy before deciding to approve or filter out the advertisement.
  2. Ganz stated that the US Network was using cookies to track the delivery of advertisements approved by Ganz for campaign analytical purposes only.
The Canadian Network
  1. Ganz stated that it also had access to the Canadian Network’s advertising approval system. Similar to the US Network’s system, Ganz was able to individually review advertising content and examine the advertiser’s website and privacy policy before manually approving or rejecting the advertisement.
Advertising networks – Terms and Conditions
  1. Ganz confirmed that in becoming an approved publisher of the US and Canadian Networks, it agreed to each advertising network’s terms and conditions.
  2. We reviewed the two advertising networks’ terms and conditions. We noted that under the US Network’s terms, the Network was collecting “non-personally identifiable data” in connection with tags placed on publishers’ websites and that such user information and data was owned by the Network and/or its advertisers. The Network had the right to market and re-market such information about the websites’ users and data, at its discretion, and without further obligation to website publishers.
  3. In the Canadian Network’s terms, the Canadian Network was the sole owner of all website, campaign, and aggregate user data collected by it. Advertisers were apparently only granted access to campaign and aggregate user data collected as part of their advertising campaign. Publishers had access only to campaign and aggregate user data collected through the use of their inventory. Unlike the US Network’s terms, we did not see any references to the use of cookies or other technology to track and build profiles on individuals for the purpose of serving OBA.
  4. After signing each network’s terms and conditions, Ganz sought additional assurances. It asked the networks to confirm that: (i) they would ‘segregate’ any user information that they collected through the use of cookies on the Website so that it would not be used to build user profiles; and (ii) that they would not use any information collected for the purpose of serving OBA. Ganz indicated to us that, in January 2012, each network had provided such assurances.
Follow-up information from the advertising networks
  1. During the investigation we raised a number of questions with Ganz about the use of cookies and advertising on the Website. As a result of these, Ganz entered into further discussions with the two advertising networks.
  2. Ganz later confirmed to us that the US Network assigned the Website to a certain category within its website directory. As such, a user’s visit to the Website could be reflected within any online profile created by the US Network.
  3. We asked Ganz to provide further clarification about the US Network’s categorization of its Website and details about the US Network’s placement of cookies in individual users’ browsers when visiting the Website.
  4. According to Ganz, the US Network originally categorized the Website as a ‘Children’s Channel’. The Website was later re-categorized and placed within the US Network’s ‘Home and Family’ category and ‘Parenting’ sub-category, alongside other websites directed at parents, teachers and, in about 15% of the websites, children.
  5. Ganz explained that the US Network served advertisements based on the dominant elements of an individual’s online profile, rather than all the elements within a profile. In order for a user to be served targeted advertisements based on their visit to the Website, the user would need to visit a substantial number of websites falling within the same sub-category of the US Network’s advertiser directory.
  6. We were later notified by Ganz that it was no longer using the US Network for serving advertisements in Canada. No reason was cited for the change.
  7. Ganz confirmed that the Canadian Network did not update any user profiles based on their surfing experiences on the Website.
  8. In stating this, Ganz pointed to correspondence it received from the Canadian Network in January 2012 where the Network imposed client restrictions on using technical means, such as cookies and pixels, on the Website to create user profiles to serve OBA.
Testing the revised Website for cookies and OBA
  1. We conducted further testing of the advertising practices on the Website after the April 2013 update.
  2. Our examination of the code used to place certain advertisements on the Website revealed that, although Ganz arranged for the Canadian Network to place many of the advertisements, the actual advertisements were often delivered by other third-parties.
  3. A review of the cookies placed in users’ browsers during visits to the Website showed that numerous third-party tracking cookies were being placed by companies known to engage in OBA.
  4. Many of the cookies found appeared to contain unique identifiers, e.g. data fields were labelled with a variation of an “ID” tag such as “ID”, “UID” and “exchange_uid”.
  5. In one test, we visited the Website’s login page and reloaded it 10 times. This resulted in the display of a large number of third-party advertisements and the placement of 41 cookies from third-parties in our test browser.
  6. We then visited the US Digital Advertising Alliance’s Consumer Choice opt-out page [Footnote 7]. Code on this page analyzed the 41 cookies held in our test browser and the opt-out function revealed that 29 companies had “…enabled interest based ads for this web browser”, indicating that the Canadian Network and its partners might be enabling the tracking of users and visitors to the Website for the purposes of profiling.
  7. We followed this by testing the Website for the presence of OBA. We carried out tests based upon interests we induced through web searches on particular topics and by visiting a number of websites related to those topics, e.g. specific toys, vacations, and trucks. This form of testing typically results in the placement of many tracking cookies. After this, we visited the Website and other neutral websites and observed whether the advertisements that appeared were related to the induced interests [Footnote 8].
  8. Our test results did not find any direct evidence of OBA being served when advertisements were placed on the Website, or that visits to it were leading to OBA on the other neutral websites we reviewed. This suggested to our Office that third party advertisers may be tracking children for the purposes of profiling while they were on the Website, but not targeting them to serve OBA.
  9. We brought our test results to Ganz’s attention and asked for their response.
  10. Ganz confirmed that all cookies placed when a visitor comes to the Website login page came from, or through, the Canadian Network. It also pointed to the past assurances it had received from the Network that it did not collect any data about its users, or update a user’s profile, based on their experience on the Website and that none of the advertisers it featured targeted Webkinz users specifically.
  11. Ganz contacted the Canadian Network to obtain reconfirmation of these assurances. The Canadian Network responded that data collected was not used to provide OBA to users on websites targeted at children under the age of 13. The Network also stated that many, if not all, of the cookies placed on the Website’s login page were used for other purposes, e.g., validating impression counts or time stamping for frequency-capping purposes. Our Office’s testing appeared to contradict this response.
  12. The Canadian Network admitted that it could collect IP addresses for geo-targeting against US and Canadian postal codes. It could also collect IDs to facilitate the targeting of advertisements based on a user’s profile created prior to visiting the Website. The Network indicated that such “anonymous” user IDs are required in order to frequency cap and recognize users with relevant interests.
  13. Subsequently, Ganz advised us that the Canadian Network was re-evaluating its position, including the activities of its online partners.
  14. Later, Ganz informed us that the Canadian Network issued a notice to all of its media partners, informing them that it had introduced new controls to classify and flag publisher websites identified as directed at children under the age of 13.
  15. We reviewed a copy of the notice. The Canadian Network indicated that, effective July 1, 2013, it would ensure that it would not apply any behavioural targeting on flagged websites.
  16. The Canadian Network stated that it would forward details of the flags from publishers to advertisement buyers and ask the buyers to act accordingly. The notice asked buyers using the Network’s media exchange to not place behaviourally targeted advertisements, create profiles of users or visitors, or collect personal information of users or visitors on identified, flagged, websites.
  17. Ganz stated that it contacted the Canadian Network and the Network had written to them confirming that its new controls were being applied to the Website.
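
The cookie testing described above (inventory every cookie set during a page load, separate first-party from third-party setters, and flag persistent cookies carrying identifier-style fields such as “ID”, “UID” or “exchange_uid”) can be run against a capture and compared with the previous audit. The following Python is an added example, not part of the Report or of Ganz’s own tooling; the domains, cookie values, baseline and thresholds are constructed assumptions.

```python
"""Cookie audit over one captured page load. All data below is constructed."""
import math
import re
from collections import Counter

SITE = "kids-site.example"  # hypothetical child-directed publisher

# Constructed capture: (responding host, raw Set-Cookie header value).
CAPTURE = [
    ("www.kids-site.example", "lang=en; Path=/"),
    ("www.kids-site.example", "adoptout=1; Max-Age=31536000; Path=/"),
    ("ads.adnet.example", "fc=3; Max-Age=86400; Domain=.adnet.example"),
    ("sync.exchange.example",
     "exchange_uid=9f3c1a7be2d44c0a8b6e5d1f07a2c9e4; "
     "Expires=Wed, 01 Jan 2031 00:00:00 GMT; Domain=.exchange.example"),
    ("px.tracker.example", "UID=7Qm2xLr9TzP0aVb4; Max-Age=63072000"),
    ("cdn.adnet.example", "sess=a1; Path=/"),
    ("ads.adnet.example", "pref=Zk81hQ2vXy77LmNc0PqRs4Tb; Max-Age=2592000"),
]

# (setter site, cookie name) pairs accepted at the previous audit (assumed).
BASELINE = {
    ("kids-site.example", "lang"),
    ("kids-site.example", "adoptout"),
    ("adnet.example", "fc"),
}

# Names that are, or end in, an "ID" variant: ID, UID, exchange_uid, ...
ID_NAME = re.compile(r"(?:^|[_\-.])(?:u?id|uuid|guid)$", re.I)


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, lower-cased attributes)."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def site_of(host):
    """Naive registrable domain (last two labels).

    Assumption for the sample data; a real audit should use the Public
    Suffix List so that hosts under suffixes like co.uk are grouped correctly.
    """
    return ".".join(host.lstrip(".").lower().split(".")[-2:])


def entropy(text):
    """Shannon entropy in bits per character."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def is_persistent(attrs):
    """A cookie outlives the session if it has Expires or a positive Max-Age."""
    if "expires" in attrs:
        return True
    try:
        return int(attrs.get("max-age", "0")) > 0
    except ValueError:
        return False


def looks_like_identifier(name, value):
    """ID-style name, or a long high-entropy value (assumed thresholds)."""
    return bool(ID_NAME.search(name)) or (len(value) >= 16 and entropy(value) >= 3.0)


def audit(capture, site, baseline):
    """Classify each cookie and decide: ok, review (new), or escalate."""
    findings = []
    for host, header in capture:
        name, value, attrs = parse_set_cookie(header)
        setter = site_of(attrs.get("domain") or host)
        party = "first" if setter == site_of(site) else "third"
        persistent = is_persistent(attrs)
        identifier = looks_like_identifier(name, value)
        if party == "third" and persistent and identifier:
            verdict = "escalate"   # persistent third-party identifier
        elif (setter, name) not in baseline:
            verdict = "review"     # new or unexpected since the last audit
        else:
            verdict = "ok"
        findings.append({"site": setter, "name": name, "party": party,
                         "persistent": persistent, "identifier": identifier,
                         "verdict": verdict})
    return findings


def summarize(findings):
    third = [f for f in findings if f["party"] == "third"]
    return {"cookies": len(findings), "third_party": len(third),
            "third_party_sites": len({f["site"] for f in third}),
            "escalate": sum(f["verdict"] == "escalate" for f in findings)}


if __name__ == "__main__":
    results = audit(CAPTURE, SITE, BASELINE)
    for f in results:
        print(f"{f['verdict']:9} {f['party']:5} {f['site']:20} {f['name']}")
    print(summarize(results))
```

A name or value heuristic only shortlists cookies for follow-up with the network that set them; it does not establish what the identifier is used for.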
Ganz’s Privacy Policy and Ad Policy
  1. We reviewed Ganz’s Privacy Policy and Ad Policy on the collection of information to track users and serve OBA. The Privacy Policy described the use of cookies and other technology by advertising companies. It suggested that some companies may use technology to target users for the purposes of OBA:
    • From time to time, we may use third-party advertising service providers to serve ads on the Service. Outside the service, these companies may use cookie-based ad serving technology for the purpose of (i) ad delivery and reporting; and (ii) re-targeting and/or online advanced targeting [emphasis added]. Furthermore, to monitor usage or transfer of content to another site or location and collect advertising metrics, such third parties may include in the content web beacons or clear GIFs…

      Although the third-party advertising service providers may not have access to tracking technologies set by Ganz, or any of your personal information collected on the Service, they may have set and access their own tracking technologies [emphasis added] and/or they otherwise have access to information about you. The use of such technology by these third parties is within their control and not ours…

  2. Ganz’s Ad Policy described the presence of cookies and web beacons on the Website. These may be placed by advertising networks (including third party ad servers, advertising agencies, advertising technology vendors and research firms) while serving advertisements to Webkinz users. The Ad Policy explained what cookies and web beacons are and what they may be used for:
    • Third party use of cookies and web beacons is subject to their own privacy policies. Our Privacy Policy describes how we treat personal information…Ganz does not provide any personal information to the advertiser when you interact with or view a third party ad on the Website…

      Contests, sweepstakes and giveaways hosted on the Website may be sponsored or co-sponsored by Ganz, or may be sponsored by companies other than Ganz. Third parties that host such promotions may collect and use your information in accordance with their own privacy policies…

  3. We questioned Ganz about the evident contradictions between their stated prohibition on third party advertisers and advertising networks placing tracking cookies for the purposes of profiling Webkinz users and serving OBA, and the references to tracking cookies and OBA by third parties in their policy material.
  4. Ganz explained that the placement of tracking cookies and the serving of OBA existed where individuals visit and use certain Ganz website properties targeted at adults, e.g. www.ganz.com and www.ganzestore.com. This was not the case with the Website, which was aimed at children.
  5. In line with their response to the issue of collecting visitor and user personal information, Ganz replied that it included references to tracking cookies and OBA in the Privacy Policy and Ad Policy for educational purposes and out of caution, rather than based on the actual user experience on the Website.
Opting-out of cookies and advertising
  1. As part of our investigation, we examined how easy it was to opt-out of receiving cookies and third party advertising on the Website.
Advertising networks
  1. When Ganz agreed to the advertising networks’ terms, it was required to include a statement in its Privacy Policy that advertisements displayed on the Webkinz website could be delivered through one or more advertising networks which used cookie technology in connection with the delivery of advertisements. The terms required Ganz to provide its users with an opportunity to opt-out of receiving cookies from third party advertising networks, through a link to the Network Advertising Initiative’s (“NAI”) Consumer Opt-Out function [Footnote 9].
  2. The Privacy Policy, Ad Policy and WebkinzNewz Frequently Asked Questions all explained how users visiting the Website can decline to accept cookies and the implications of doing so, and how users could configure their browser and change their cookie preferences.
  3. Ganz also provided information in the documents as to how users could learn more about managing Flash cookies. Links were provided to www.adobe.com and users are invited to make changes at the Adobe ‘Website Privacy Settings’ panel.
  4. We tested the links. In each case, we were directed to the appropriate NAI and Adobe web pages.
Limiting third party advertisements
  1. The Website has a Limit Ads Option (the “Option”) which allows users with Full or Deluxe accounts to opt-out of receiving third-party advertisements. Individuals with free accounts are not able to select the Option.
  2. The availability of the Option and how it works are described in the Website’s Ad Policy and in Frequently Asked Questions.
  3. The April 2013 update to the Website introduced a change to the activation and deactivation process for the Option.
  4. As a result of the update, parents were given greater control over third party advertisements seen by their children through the establishment of a Parent’s Account.
  5. Ganz told us that once a parent activated the Option, third-party advertisements would be blocked from their child’s user account on the next visit to the Website. Likewise, the Option prevented the placement of third party advertising-related cookies on a user’s browser. If the user logged out and back in again immediately, the block came into effect. The block needed to be placed only once and remained in effect indefinitely, until the parent chose to deselect it.
  6. Ganz explained that a block was established, in part, by setting a flag in the Webkinz database, which would preclude the display of third party advertisements to child users while they are logged into the Website. A cookie would also be placed in the child user’s browser to prevent third-party advertisements being served on the Website’s landing and exit pages.
  7. We received a demonstration of the Option during our site visit and tested its effectiveness. The Option worked consistently with the representations made to us.
  8. Ganz indicated that the Ad Policy had been updated to correspond to the new process. However, our review of the Ad Policy indicated that the old Option process was still being described. We brought this to Ganz’s attention and they immediately amended the Ad Policy.

Application of the Act

  1. In making our determination on these issues, we applied Principles 4.2 and 4.8.2 (c) of Schedule 1 of the Act.
  2. Principle 4.2 states that the purposes for which information is collected shall be identified by an organization at or before the time the information is collected.
  3. Principle 4.8.2(c) states that information made available under the Openness principle shall include... a description of the type of personal information held by the organization, including a general account of its use.

Analysis

  1. In our Policy Position on Online Behavioural Advertising paper, our Office expressed its concerns about online tracking practices:
    1. The difficulties in characterizing what is and what is not personal information and the privacy implications of online tracking;
    2. A lack of transparency around tracking, profiling and targeting and what this means in terms of obtaining meaningful consent from users;
    3. The number of parties involved in such tracking and that such parties are largely unknown to users; and
    4. Children are online at younger and younger ages and are often unaware that they are being tracked or being served advertisements. [Footnote 10]
  2. On the tracking and profiling of children online, we added:
    • The most obvious type of information that should not be tracked involves children’s information. Operators of websites that are targeted at children should not permit the placement of any kind of tracking technologies on the site. It is hard to argue that young children could meaningfully consent to such practices, and the profiling of youngsters to serve them online behaviourally targeted ads seems inappropriate in such circumstances…

      Given the practical obstacles to obtaining meaningful consent from children, especially implied consent, organizations should avoid knowingly tracking children and tracking on websites aimed at children. [Footnote 11]

  3. Ganz confirmed that it contractually prohibits third party “premium” advertisers from tracking users on the Website for the purposes of building user profiles or serving OBA. Ganz also sought assurances from external advertising networks that they and their clients would not conduct tracking, profiling or the serving of OBA to users of its Website.
  4. Over and above these assurances, Ganz took steps to ensure it was protecting its users by conducting cookie audits. In Ganz’s view, the results of the audits did not reveal any privacy issues with the Website.
  5. During our investigation, we did not find any direct evidence of OBA being served by Ganz or third-parties placing advertisements on the Website. However, our testing and further questioning of Ganz revealed an apparent conflict between the conduct of the US and Canadian Networks on the Website and the assurances sought by, and given to, Ganz regarding the tracking of children using its Website.
  6. Ganz later ceased to use the US Network for the serving of advertisements in Canada on the Website, without citing a reason.
  7. The Canadian Network re-examined its own practices and introduced new controls to prevent advertising agencies, advertising exchanges and other third parties from: (i) placing behaviourally targeted advertisements; (ii) creating user profiles; and (iii) collecting user personal information on websites directed at children under 13 (like webkinz.com). The efficacy of these new controls has yet to be tested.
  8. In considering the above, we are of the view that Ganz had not taken steps to inform itself of the actual cookie-based practices of its US and Canadian Networks, or the practices of the Networks’ third-party clients delivering advertisements to the Website.
  9. Ganz’s lack of awareness of the cookie and advertising practices of third-parties on the Website demonstrated to us a need for Ganz to adopt measures to improve its due diligence in this respect, and develop an appropriate escalation process in the event of adverse findings. This is especially important, given the young demographic that the Website serves, i.e., children under 13 years of age.
  10. In responding to the issue of collecting visitor and user personal information, Ganz replied that it included references to tracking cookies and OBA in the Webkinz Privacy Policy and Ad Policy solely for educational purposes and out of caution, rather than based on the actual user experience on the Website.
  11. In our view, Ganz does not provide a clear description of the information that is being collected on the Website for the purposes of advertising, how such information may actually be used, or to whom it may be disclosed.
  12. Ganz confounds the practices of what happens on the Website with what happens on other Ganz websites aimed at older users. Our Office views this lack of clarity and transparency as a contravention of Principles 4.2 and 4.8.2.
  13. Notwithstanding this, we note that Ganz has introduced measures to provide parents with the information and tools needed, so that they can take appropriate steps to prevent their children from receiving third party advertising through their Full or Deluxe Webkinz accounts.

Recommendations

  1. As a result of our investigation on this issue, we made two recommendations to Ganz:

Recommendation 6

Ganz should adopt appropriate, systematic and regular due diligence procedures to ensure that advertising networks and other third parties are not setting tracking cookies on users of the Website for the purposes of building profiles for advertising purposes, or otherwise conducting online behavioural advertising.

Recommendation 7

Ganz should amend its Privacy Policy and Ad Policy to accurately inform users and their parents about what actually happens on the Webkinz website regarding the collection, use and disclosure of their personal information through cookies and other technological measures.

The Privacy Policy and Ad Policy should indicate whether such collection, use and disclosure takes place, the purposes for doing so, who is responsible for such activity and how Ganz will prevent such practices, including OBA, that are prohibited.

The Privacy Policy and Ad Policy should seek to differentiate the practices of third parties on the Website and other Ganz websites aimed at older users.

Ganz should ensure the content, language and methods used to communicate such practices on webkinz.com are appropriate for the understanding of its user base.

Ganz’s proposed measures

  1. In responding to the Preliminary Report, Ganz reiterated its rigorous selection process used in the approval of advertising agencies and advertising networks placing advertisements on the Website. It also pointed to its screening of all advertisements and highlighted the steps it had taken to ensure that privacy-respectful practices were adhered to by the agencies and networks.
  2. Ganz stated that it had already taken steps to enhance its due diligence procedures in response to Recommendation 6. It had commenced regular, in-depth cookie audits of the Website and was developing an escalation process to address any infractions or instances of non-compliance found. It also confirmed that if violations of its policies were detected, it would seek to enforce its rights with third parties. Ganz agreed to comply with the recommendation within five months of the date of issue of our Report of Findings.
  3. Ganz agreed to amend its Privacy Policy, Ad Policy and Frequently Asked Questions to address recommendation 7, by more clearly communicating how information is collected, used or disclosed in connection with advertising on a website specific basis, within the same timeline cited for Recommendation 6.

Conclusion

  1. We believe that Ganz’s proposed measures will, once implemented, address our recommendations on this issue. Therefore, we find this aspect of the investigation to be well-founded and conditionally resolved.

Other – Retention and Destruction of User Information

Issues

  1. During the course of our site visit, Ganz informed our Office about its practices concerning the retention and deletion of user account information.

Our examination

Indefinite retention of user information in inactive accounts
  1. Ganz explained that Webkinz World accounts do not expire. If a user does not access their Webkinz account for 18 months, the account is considered ‘inactive’. Information on inactive accounts is archived separately from active accounts. Inactive account information is kept indefinitely unless a user or their parent contacts Ganz to request reactivation of the account, or its deletion.
  2. Mindful of our Office’s past investigations into the indefinite retention of user information on other websites and the young user base of the Website, we inquired further into Ganz’s retention practices.
  3. Ganz explained that it archives inactive accounts rather than deletes them because it is concerned about adverse user reaction. In their experience, children and their parents have strong emotional ties to their Webkinz World accounts, with many users building up collections over many years.
  4. Ganz informed us that it typically reactivates between one and two thousand accounts annually. It acknowledged that this number of re-activated accounts represents a small percentage of the total number of inactive accounts.
  5. Furthermore, Ganz claimed that as it does not historically record and maintain contact information for users or their parents, it is unable to initiate account deletion communications with them in a proactive manner.
  6. The Website’s Privacy Policy states that Ganz keeps personal information for a “reasonable period of time only”:
    • We keep your information for a period reasonably necessary to meet the purposes for which it was collected, for the security of Ganz and the Service or to protect users, the public or third parties and to comply with any legal requirements, including statutory retention periods and corporate best practices.

  7. We found one reference to Ganz’s practice of indefinitely archiving inactive user account information. However, the reference was not within the Website itself, but located within a Frequently Asked Questions page of another Ganz website.
  8. the archiving of accounts:
    • How do I permanently delete my pet or account?

      …After 18 months of inactivity, we may archive your account, including all of your items and pets included on that account. An archived account can be recovered by contacting our Customer Service team.

Account deletion
  1. During our earlier testing, Ganz informed us that it did not have a user-directed account deletion option. Accounts could only be deleted by a user, or their parent, contacting Customer Support who would delete it from Ganz’s records.
  2. The Ganz User Agreement contained a reference to voluntary account deletion:
    • The Agreement will remain effective until terminated. If you wish to terminate your Account, you may do so by contacting our Customer Service. Upon our acceptance of your request, your Account will be terminated... [Section Q: Termination].

  3. We did not find any information in the User Agreement, Privacy Policy, Frequently Asked Questions or Help sections of the Website informing users about deleting their accounts, how to do this or the implications of choosing this option.
  4. Ganz introduced a deletion option when it updated the Website on July 1, 2013.
  5. A parent is now able to request deletion of their child’s account, via their Parent’s Account. The system deletes the account within 7 days of receipt of the request. The delay represents a cooling-off period, in case a parent changes their mind about the deletion. Once an account has been deleted, it cannot be reinstated.
  6. When we issued our Preliminary Report, no change had been made to the User Agreement, Privacy Policy, Frequently Asked Questions or Help section to refer to the new option.

Application of the Act

  1. In making our determinations on these issues, we applied Principles 4.3.8, 4.5, 4.5.2, 4.5.3 and 4.8.2(c) of Schedule 1 of the Act.
  2. Principle 4.3.8 states that an individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. The organization shall inform the individual of the implications of such withdrawal.
  3. Principle 4.5 stipulates that personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of these purposes.
  4. Principle 4.5.2 adds that organizations should develop guidelines and implement procedures with respect to the retention of personal information. The guidelines should include minimum and maximum retention periods. Personal information that has been used to make a decision about an individual shall be retained long enough to allow the individual access to the information after the decision has been made.
  5. Principle 4.5.3 points out that personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous. Organizations are required to develop guidelines and implement procedures to govern the destruction of personal information.
  6. Principle 4.8.2(c) states that information made available under the Openness principle shall include...a description of the type of personal information held by the organization, including a general account of its use.

Analysis

  1. In our Preliminary Report, we recognized that parents pass on toys to their children, and that children may, in turn, pass on toys to their younger siblings and friends. While parents may spend substantial amounts of money purchasing Pets, much of the value of such purchases is linked to the Website, where children can play with virtual versions of their Pets and interact with other users. To pass on the toys, they need to pass on the account and its contents.
  2. While we recognize Ganz’s sensitivity to its users’ reactions, in our view, its practice of archiving inactive user accounts indefinitely was not consistent with Principle 4.5. This is particularly so when we compared the small number, and percentage, of re-activated user accounts to the total number of archived inactive accounts.
  3. Ganz did not adopt procedures in respect of its retention of information contained within inactive accounts other than to keep them for as long as is necessary. No minimum or maximum retention periods appear to have been introduced or followed in line with its obligations under Principle 4.5.2.
  4. Ganz’s retention of personal information that is no longer required to fulfil the purpose for which it was collected also contravened Principle 4.5.3. In our Preliminary Report, we explained that such information should be destroyed, erased or made anonymous when the original purpose for collection has expired.
  5. Ganz explained the difficulty of reaching out to former users to notify them of the potential deletion of their account under a fixed schedule, in the absence of any contact details.
  6. This lack of contact details on many accounts undoubtedly presents some difficulties for Ganz. However, Ganz is free to use other means to communicate a user account retention and destruction policy, e.g. through its Privacy Policy, Frequently Asked Questions, Help section, Customer Support team and other means.
  7. We also recommended that Ganz implement a maximum retention period.
  8. On the matter of account deletion, we were encouraged to see Ganz’s introduction of an easy-to-use account deletion option.
  9. However, we note that outside of the option itself and one paragraph in the User Agreement, there was no mention of the new option, or the implications for users deleting their accounts, which is a form of consent withdrawal under Principle 4.3.8.
  10. We encouraged Ganz to provide more information on the option, in an easily accessible format, so as to better address its obligations under Principle 4.8.2.

Improving Compliance

  1. Taking into account the above, we made four recommendations to Ganz:

Recommendation 8

Ganz should introduce a policy and procedures for the retention and destruction of inactive user account information. This should include the adoption of minimum and maximum retention periods for user information held within such accounts, taking into account the reasonable expectations of its users and their parents. The policy and procedures should include arrangements for the destruction, erasure or making anonymous such user account information after the maximum retention period has expired.

Recommendation 9

Ganz should examine its existing archive of inactive accounts and adopt measures to delete, or otherwise make anonymous, those older user accounts that lie outside its new maximum retention period. In doing so, Ganz may wish to conduct a general notification program on its Website to notify former users and their parents of the deletion of the accounts so that these individuals can consider if they wish to reactivate or voluntarily delete their inactive accounts.

Recommendation 10

Ganz should communicate its personal information retention and destruction policies and procedures to its users in an easily accessible form and in a language and method appropriate to its user base.

Recommendation 11

Ganz should take additional steps to more prominently explain the options available to users and their parents to: a) allow an inactive account to be archived with the option to later reactivate it, and b) the availability of an account deletion option. In each case, Ganz should set out the implications for users and their parents of choosing each option.

Ganz’s proposed measures

  1. In response to Recommendation 8, Ganz stated that it already had a minimum retention period. It nevertheless agreed to publish information on the Website advising users of the changes to its current data retention practices.
  2. Furthermore, Ganz agreed to adopt policies and procedures for the deletion of archived inactive user accounts after 7 years. It felt that given that the Website’s primary user-base is from ages 6 to 13, this would permit a user who created an account at age 6 to return to his or her account prior to attaining age 13.
  3. To resolve Recommendation 9, Ganz agreed to post a notice about the deletion of older inactive accounts within the Frequently Asked Questions section of its Website and on its webkinznews.com pages. Ganz pointed out that it was not in a position to provide this information to users or parents who no longer visit its websites.
  4. With regard to Recommendations 10 and 11, Ganz agreed to update the content of its Privacy Policy, User Agreement and Frequently Asked Questions to provide clarification of the points raised.
  5. Ganz agreed to make changes to address Recommendation 8 within nine months of the date of issue of our Report of Findings, and other changes to address Recommendations 9 to 11 within five months of the date of issue of our Report of Findings.

Conclusion

  1. We believe that Ganz’s proposed measures will, once implemented, adequately address our recommendations. Therefore, we find the issues relating to the retention and deletion of user accounts to be well-founded and conditionally resolved.
  2. In our view, Ganz’s proposed data retention and destruction measures in response to recommendations 8 to 11 remain relevant even in light of Ganz’s proposal to cease collecting personal information during registration. While future Website user accounts may not contain personal information, Ganz continues to manage and store personal information contained within large numbers of existing active and inactive user accounts.

 

 
