Privacy Challenges in the Digital Age
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Remarks to the Consumers in the Digital Age: Issues and Opportunities Conference organized by l'Union des consommateurs
March 14, 2011
Address by Jennifer Stoddart
Privacy Commissioner of Canada
(Check against delivery)
Thank you for inviting me to come and talk about the challenges facing consumers in the digital age. I especially wish to thank the organizer of this event, the Union des consommateurs, a strong advocate of consumer protection. I am also pleased to be here with the Office de la protection du consommateur and Protégez-vous magazine, a Quebec institution in consumer protection.
Also taking part in this event are various stakeholders who play different roles in the marketing and consumer sectors within the digital platform, or who closely follow the evolution of these sectors: regulatory authorities, advocates, legal counsels and industry and media representatives. Today we have a valuable opportunity to share our views regarding online consumer use.
I will begin by presenting some of my Office's work on the controversial topic of social media advertising:
- After a brief review of the OPC investigation on Facebook, I will outline the results of the consumer privacy consultations that we held in 2010.
Internet is a commercial space conducive to the commodification of personal data
We have seen a significant increase in the quantity of personal data online and its commercial use. Personal information has ipso facto become a money of exchange. To quote Meglena Kuneva, former European Commissioner for Consumer Protection: "Personal data is the new oil of the internet and the new currency of the digital world." This situation is exacerbated on social networking sites, because advertisers perceive users as ways to transmit their ads.
The social networking site business model is to provide a dedicated location for sharing data, in order to then derive income through the shared information. The OPC had to establish its position regarding this business model:
- We think that advertising is justifiable up to a certain point, to the extent that it ensures free access to Web sites.
- However, we must remain vigilant regarding so-called free services offered by social networking companies. For example, it is important to establish a distinction between the different types of advertising and consent. By defining clear parameters, we can implement collective standards for online advertising.
Facebook, which now boasts over 600 million members, is responsible for protecting its members' personal information. Given Facebook's influence on the industry, its policies can have the force of standards for privacy protection in our digital age.
2009 Facebook investigation: Toward greater transparency
As you probably already know, in 2009 the OPC investigated a complaint against Facebook filed by the Canadian Internet Policy and Public Interest Clinic. This complaint involved 24 allegations on a range of topics including default privacy settings and the collection and use of users' personal information for advertising purposes. This investigation was our Office's first intervention in the world of behavioural advertising.
As part of our investigation, we looked at the distinction between the two types of advertising that Facebook uses on its site:
- On the one hand, there are Facebook ads or contextual advertising designed for and imposed on users. In this type of advertising, targeting is based on the user's profile. Since this type of social networking site is free, advertising is essential to its functioning.
- On the other hand, social (or behavioural) advertising is by definition intrusive, because it tracks social activities instead of just the words in the profile. People's actions, as well as their names and photos can be used to promote a product or service. Through their privacy settings, however, users can choose which of their activities will appear in their friends' "News Feed". They can also opt out of social ads by changing their privacy settings.
At the end of our investigation, we found that Facebook default privacy settings and ads contravened federal private sector privacy laws.
The OPC also had concerns about the lack of clear information provided to users regarding these two types of advertising. We determined that the reasons why personal information is collected and used should be explained. Under PIPEDA, this means that "the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed."
My Office did not find fault with Facebook’s business model per se, but rather requested that it provide users with clear information about its privacy practices.
That said, we have not yet closed the file. There is still a lot to be done. Since our investigation, we have received several different complaints regarding issues other than those we dealt with in 2009, such as Facebook's invitation feature and social plug-ins (e.g. "Like" buttons).
In the United States, the Federal Trade Commission has strongly recommended that advertisers apply a Do Not Track mechanism. Similarly, U.S. Senate members requested that Facebook ensure that sensitive information is not too easily communicated to third parties. Senators John McCain and John Kerry circulated a legislative proposal to create a bill on the right to online privacy.
It is also worthwhile to look at what is happening in Europe. For example, the Council of Europe amended its directive on privacy protection in the electronic communications sector. Such changes would require Web sites to demonstrate greater transparency and give users more control over cookies. Member states plan to pass legislation enabling these new provisions to come into force in May.
We are closely monitoring these international developments, which will help us develop our own proposals to strengthen legislation during the parliamentary review that will take place later this year.
The findings of our Facebook investigation and subsequent work on the marketing of personal information led us to organize consultations on consumer privacy protection in the digital age. Our objective was to learn about Canadians' expectations concerning privacy with regard to the industry's advertising practices.
Highlights of the report on consumer privacy consultations: The increasingly blurred distinction between public and private domains
These consultations, which were held in a few Canadian cities in 2010, allowed us to take the pulse of the general public and various stakeholders. The feedback we collected will be taken into account as part of the parliamentary review of PIPEDA.
I will share some of the key comments we received about online advertising during these consultations. One of the recurring ideas that came up during the consultations was that traditional notions of private life and public life are changing. Users have the mechanisms available to make their private life public, which is contributing to changing expectations concerning the protection of personal information.
Because individuals post online information about themselves and their friends does not necessarily mean that they are intending this information to be used by unseen entities to do with as they will. One person pointed out that much of the technological architecture online is public by default and private only by effort.
In the context of social networking, the distinction between our social interactions and our "role" as consumers is disappearing. The business models developed based on online tracking undermine the balance between e-commerce and privacy protection. However, this balance is the underlying foundation of PIPEDA.
With the rise of social networks comes the rise of possibilities, and perceived advantages, for tracking individuals. As a result, the opportunities for surveillance by both businesses and government to monitor purchase trends, political opinions, social affiliations or geographic movement are unprecedented.
Paradoxically, the general public and privacy advocates continue to use online services, even though they say they are uneasy about the use of their personal information. They are right to be concerned: there is a growing body of research showing how easily data that is thought to be anonymous can be re-indentified. Advances in technology are making it increasingly difficult to prevent information from being associated with identifiable people.
It is interesting to note the differences between the industry's perception and that of users: whereas one industry representative asserted that users see advertising as a benefit, an advocacy organization was of the opinion that it is merely tolerated.
Individuals' control over their own personal information is one of the underpinnings of the law, along with knowledge and consent. Transparency and meaningful consent are important issues that generated a lot of discussion during the consultations. Under PIPEDA, consent is only meaningful if the purpose and practices are sufficiently clear.
Also among the various concerns raised was that online tracking, profiling and targeting reduces the individual's ability to control the flow of their personal information. The OPC maintains that the practice of constructing profiles and drawing inferences based on social networking information that individuals post poses a range of risks to individuals' privacy.
The biggest challenges to the privacy principles laid out in PIPEDA for industry, individuals and the OPC arise from the practices of online tracking, profiling and targeting. Defining personal information, determining the appropriate types of consent and controlling one's own personal information are core issues that require attention if we want to provide better privacy protection for Canadians of all ages.
The OPC believes that the level of online protection must be equal to that which exists in the non-virtual market. In a rapidly evolving world, it is, of course, difficult to anticipate everything, but companies should consider privacy protections to be a sine qua non condition. There should be clear policy on privacy protection; it is not something that is achieved through trial and error.
Privacy advocates assert that information provided to users regarding online tracking and targeting is often overly complex or legalistic. During the consultations, we discussed the possibility of better written, more easily accessible privacy policies, for example, by providing clearer notices or privacy "nutrition" labels. This comment is closely akin to one of the OPC's recommendations following the Facebook investigation.
Since it is impossible to eliminate online tracking, the public should be made aware of the monitoring that is done on social networks, especially the tracking, aggregation and analysis of data, so that individuals can make informed decisions on the services they use and the information they disclose.
We must focus our efforts on implementing measures to ensure that the industry's interests do not get in the way of privacy rights.
OPC research activities and privacy promotion
The OPC still has a lot to accomplish in this area. We plan to implement specific activities related to online tracking, profiling and targeting, such as research and public education, as well as policy development. For example, we are currently planning short- and long-term research activities, particularly on the public's perception regarding the separation of public and private domains.
We will continue raising awareness among young people. We are currently looking at ways to reach younger users, as well as older novice users. One of our most exciting projects is a comic strip aimed at teenagers.
The OPC and the industry — associations, organizations and developers — are facing major challenges. We will continue to work with our provincial and territorial counterparts, and with the federal departments involved. Our common goal is to strengthen online privacy protection.
Lastly, the OPC will focus its research on the television sector. In the United States, businesses specialized in data collection and information technology companies are trying to associate television viewers' behaviour with other personal data. This industry's goal is to apply online tracking to new technologies that people use in their living rooms. The OPC will continue to work to fight this trend, which is reaching epidemic proportions.
Thank you for your attention. I would welcome the opportunity to discuss these issues further with the other speakers here and answer any of your questions.
Report a problem or mistake on this page
- Date modified: