Investigation finds BC firm delivered micro-targeted political ads without ensuring consent
Joint investigation finds failings in political consultancy’s consent practices for uses and disclosures of personal information and in its security safeguard practices.
VANCOUVER, British Columbia, November 26, 2019 – AggregateIQ failed to meet its obligations under Canadian privacy laws when it used and disclosed the personal information of millions of voters in British Columbia, the United States, and the United Kingdom, an investigation has found.
AggregateIQ Data Services Ltd. (AIQ) is a Victoria-based company that provides election-related software and political advertising services. AIQ has been linked to Cambridge Analytica – a company caught up in a global scandal involving the micro-targeting of voters in various political campaigns.
The Office of the Information and Privacy Commissioner for British Columbia and the Office of the Privacy Commissioner of Canada jointly conducted the investigation, which focused on whether AIQ was meeting legal obligations relating to consent and safeguarding personal information in connection with work it performed for certain political campaigns.
The two offices found AIQ failed to ensure appropriate consent for its use and disclosure of the personal information of voters. The company did not take reasonable steps to ensure that consent obtained by its international clients was valid for its practices in Canada.
As well, the company did not take reasonable security measures to protect personal information, leading to a privacy breach in 2018.
“It is imperative that the activities of tech companies operating across borders respect privacy obligations in all jurisdictions in which they operate,” says Michael McEvoy, Information and Privacy Commissioner for British Columbia. “That’s especially the case when it comes to handling sensitive information like the psychological profiles described in this investigation report.”
“The AIQ investigation shows how sensitive personal information can be used by political campaigns to sway voters. This highlights once again the urgent need for law reform to protect democratic processes and the fundamental human right to privacy,” says federal Privacy Commissioner Daniel Therrien.
“The federal government has said that Parliament should study how to bring federal parties under privacy legislation. We urge the government to move quickly with this review and amend the law.”
Earlier this year, the BC and federal Commissioners released the findings of another joint investigation that found major failures in Facebook’s privacy practices related to the Cambridge Analytica scandal.
The AIQ investigation was launched after media reports raised concerns related to that company’s involvement in the 2016 Brexit referendum on the UK’s membership in the European Union. Subsequent reporting also linked the company to political consulting firm Cambridge Analytica, and its parent, SCL Elections Ltd (SCL).
AIQ worked with SCL on various U.S. political campaigns between 2014 and 2016. These included midterm elections and a presidential primary campaign.
AIQ created a political customer relationship management tool for SCL called Ripon. This tool was used to collect and store vast amounts of voter data and to provide lists of voters to various campaigns for targeting. The personal information provided by SCL to AIQ included psychographic profiles, ethnicity and religion, political donation history, birthdates, email addresses, magazine subscriptions, association memberships, inferred incomes, home ownership information, and vehicle ownership details. AIQ confirmed that SCL was able to use the information to segment individuals into narrow groups for micro-targeted advertising campaigns on Facebook.
AIQ used individuals’ names and email addresses to deliver ads for SCL and other clients using the social network’s “custom audience” feature, which allows advertisers to show ads to a list of contacts which Facebook matches on its platform. It also leveraged Facebook’s “lookalike” audience feature, which allows advertisers to target broader groups of Facebook users with similar characteristics.
The investigation found AIQ did not appropriately verify consent. Individuals would not have expected that their personal information would be disclosed to Facebook for the purpose of delivering political advertising. Nor would they have expected their information to be analyzed for the purposes of identifying people with similar characteristics.
The BC and federal offices recommended that AIQ implement measures to ensure the company obtains valid consent in the future and that it delete all personal information that is no longer necessary for legal or business purposes. The company agreed to do so.
The investigation also found that AIQ’s inadequate safeguards resulted in unauthorized access to US voter information and left vulnerable the personal information of some 35 million people. This failure to adequately protect personal information was a contravention of Canadian privacy laws.
AIQ committed to taking a number of measures to improve its security measures. The two Offices were satisfied with those steps and will follow up with AIQ in the coming months to confirm that they have implemented the investigation recommendations.
- 30 -
News conference details:
Date: Tuesday, November 26, 2019
Where: Room 1600 (Canfor Policy Room), SFU Harbour Centre, 515 W Hastings St. Vancouver
Time: 10:30-11:30 a.m. PST/1:30 p.m.-2:30 p.m. EST
Journalists outside of Vancouver may join the news conference by telephone. For that number, please email email@example.com.
Be advised that the news conference is only open to accredited journalists.
Office of the Information and Privacy Commissioner for BC
250-415-3283 | firstname.lastname@example.org
Office of the Privacy Commissioner of Canada
819-994-5663 | Valerie.Lawton@priv.gc.ca
Report a problem or mistake on this page
- Date modified: