Online Behavioural Advertising
Putting a Normative Framework Around a Business Model

Remarks at the 20th Annual Advertising and Marketing Law Conference

January 21, 2014
Toronto, Ontario

Address by Chantal Bernier
Interim Privacy Commissioner of Canada

(Check against delivery)

As you know, my Office made public last week our investigation on online advertising at Google. This investigation has taught us and, I believe, Google, about the operational importance of complying with privacy law in relation to online behavioural advertising or OBA.

What I intend to do today is share with you the lessons I draw from this investigation in relation to

  • the privacy implications of online advertising as a business model,
  • the operational challenges for privacy compliance in online behavioural advertising and
  • the necessary measures for that compliance.

Let’s start with the context or, more specifically, online advertising as a business model.

1. Online Advertising as a Business Model

As I am sure many of you did as well, I had to chuckle when I read on December 9th an open letter signed by eight US tech giants, including Google, to the U.S. government, urging it to “Limit its authority to collect users’ information and be transparent about its demands”.

Specifically, the tech giants urged Governments to “codify sensible limitations” on their ability to compel personal information.

I fully agree with the tech giants on that one and indeed my Office is currently working on specific recommendations to Parliament in that regard. Still, there is a certain amount of irony between that call for limitations on government use of personal information and the same tech giants’ appetite for, in fact dependency upon, personal information.

We all know that the more personal information used in the online advertising ecosystem, the more effective the companies’ algorithms will be to serve personalized ads. The most precise algorithms will allow serving the most relevant ads. The most relevant ads will be the most profitable for the advertisers, and therefore will be served for a higher price by the search engine or the website.

Bottom line: More personal information, more money.

It is a valid business model, the one that gives us, in return, access to the Internet largely free of monetary charges. But it is a tricky one: personal information becomes not only a currency but the currency. The entire business model rests upon the amount and precision of personal information collected. Just consider this: Google’s latest filing with the Securities and Exchange Commission reports advertising revenues at 91.6% of its total revenues.

That is where the privacy risk comes in, in relation to online advertising as a business model. It comes from the dependency upon collecting ever-increasing amounts of personal information in order to be financially viable and competitive.

The privacy risk is heightened in relation to OBA since OBA rests upon the collection and use of personal information. That privacy risk calls for a clear normative framework to protect privacy. To use the tech giants’ own words, we need to “codify sensible limitations” to online advertising. By sensible limitations, we mean,

  • Limitations that reflect the reality of online advertising as a business model: the wording of PIPEDA, and its application by the Courts, direct us to interpret it through a reasonable, pragmatic approach; consequently, our legal approach to OBA is that PIPEDA does not prohibit it, but only allows it in a manner that complies with privacy principles;
  • Concretely, that equation is spelled out in our OBA Guidelines issued in December 2011, which clarify the “sensible limitations” that must apply to OBA in order for an opt-out consent model to be acceptable:
    • First, users must remain in control - in other words,
      • Organizations should be transparent about their practices;
      • Individuals are made aware of the purposes in a manner that is clear and understandable — the purposes must be made obvious and cannot be buried in a privacy policy.
      • Individuals are able to easily opt-out of the practice - ideally at or before the time the information is collected;
      • The opt-out takes effect immediately and is persistent;
      • Technology that does not respect a user’s control choices, such as zombie cookies or digital fingerprinting, should not be used, since it leaves the individual no viable way to decline the tracking and targeting through an opt-out mechanism; and
      • Organizations should avoid tracking children and tracking on websites aimed at children as it is difficult to ensure that they have meaningfully consented.
    • Second, the company cannot collect more personal information than it needs. This entails that:
      • The information collected and used is limited, to the extent practicable, to non-sensitive information. The legal underpinning is in the premise of PIPEDA, which seeks to balance the right to privacy with the need for an organization to collect information for purposes that a reasonable person would consider appropriate. Applying this principle to sensitive information, it appears that the intrusion upon privacy exceeds the needs of the organization and therefore it is not allowed; and,
      • Information collected and used is destroyed as soon as possible or effectively de-identified.

We were confronted with a number of privacy-related OBA issues in our investigation on Google OBA released last week. That investigation brings to light the operational challenges for organizations of ensuring privacy compliance in relation to OBA. I will first summarize the investigation and then move to the operational issues that emerged.

2. Our Google investigation on OBA

The allegation here was that Google allowed for tracking of online activities in relation to health information, and therefore sensitive information, for the purpose of OBA.

The complainant alleged that, after having searched online for medical devices for sleep apnea, various unrelated websites he visited would display ads for a sleep apnea device through the Google AdSense Service. As sites unrelated to his search for the medical device would still show ads for it, the complainant alleged that he was targeted with ads on the basis of sensitive personal information. He also alleged that he could not find information to contact Google to resolve his concerns, so he complained to our Office.

Let me deal with the first, and most important, allegation.

2.1 Did Google serve OBA on the basis of sensitive personal information?

The first question was whether the complainant was actually tracked on the basis of that information for advertising purposes.

To verify this, our Office conducted a technical analysis of the complainant’s allegation:

  • Our technologists induced an interest in the medical device in question by performing a Google search and then visiting 20 to 40 sites listed in the search results.
  • To assess whether online behavioural advertising was taking place, they then visited nine unrelated sites, such as sites about the weather or the news, chosen arbitrarily to host unrelated content.
  • Our analysis found that ads would appear for the medical device on the unrelated test sites very frequently after related sites were visited. It became clear that online tracking was taking place and that the medical device ads were being placed and advertised through OBA.

We also examined the instructions and code involved in placing the medical device ads on the test sites. This testing confirmed that Google was responsible for the ads.

At this point the following legal issues required explanation: having concluded this to be OBA, namely that ads were being placed on webpages based on online activity across multiple unrelated websites, is it permissible OBA? Namely,

  • Is it about sensitive personal information? Visiting websites related to a medical device that is used to treat sleep apnea infers an individual’s personal health, therefore we consider it to be sensitive information.
  • Was Google transparent about using health information to serve ads? No — on the contrary, Google’s privacy policy assures users that they will not be tracked on the basis of sensitive personal information, in which Google specifically includes health information.
  • Did Google have the accountability framework for compliance with the law, and its own privacy policy, on OBA? Obviously, not quite. Google did have a governance framework to monitor ads but that did not meet the complexity of the task. And that brings me to the lessons we learned in relation to the operational challenges to accountability for privacy compliance in the context of OBA.

2.2 Did Google have the accountability framework to ensure OBA compliance with privacy law?

Google, which I found very cooperative on this file, made the following representations on its governance framework for OBA monitoring:

  • Google is open about the fact that it does serve OBA;
  • OBA ads are divided into two categories:
    • Ads based on categories of interest, defined according to user browsing;
    • Remarketing ads, where an advertiser builds its own custom list of users based, mostly, on website visits;
  • Under the first approach using categories of interest, Google compiles an interest list, based on browsing, and users can view the interest list attached to their cookies by viewing their Ad Settings page;
  • Note that there is no interest-based setting on “health” since Google identifies that as a prohibited ground to track interest;
  • Users also have the ability to opt out of interest-based advertising.

As I mentioned earlier, Google’s privacy policy expressly reassures users that they will not be served OBA in relation to sensitive personal information. To quote Google’s policy “when showing you tailored ads, we will not associate a cookie or anonymous identifier with sensitive categories such as those based on race, religion, sexual orientation or health”.

Google’s response to the allegations raised during our investigation was that certain advertisers do not comply with its advertising policies.

Google’s explanation for the gap between its privacy policy on OBA and the reality of OBA on its platform brings to light the operational challenges of monitoring privacy protection in online advertising.

One of the operational challenges comes in relation to remarketing ads.

A remarketing ad campaign involves an advertiser copying a code from Google’s advertiser-facing interface (Google’s terminology) and inputting that code on a webpage or pages relating to the remarketer’s campaign. When a user visits that webpage, the code will run, making a request to Google’s system to add the user’s advertising cookie ID to the advertiser’s remarketing list. The user list is stored by Google.

If the user has opted out of interest-based advertising, no cookie ID is collected.

Advertisers also use Google services to develop the advertisement by using Google’s online tools to create a remarketing campaign. For example, information about the ad campaign, its name or scope, is stored by Google so that when users visit webpages using Google advertising products, they will see ads served by Google. If the remarketing campaign wins Google’s automated auction process, the user will be shown ads from that remarketing campaign.

In our findings we stated that Google’s remarketing program fits within our Office’s definition of OBA.

So clearly, Google must demonstrate accountability with respect to the remarketing campaign.

To understand the operational accountability challenges, it is helpful, as a start, to spell out the continuum of accountability in relation to delivering OBA:

  • In the case of Google, and it may apply business wide,
    • Google offers the platform and the tools for advertisement,
    • Google determines the advertising policies including the monitoring and prohibition of OBA that involve sensitive information,
    • Google negotiates contracts with advertisers on the basis of these policies,
    • Google stores the personal information gathered by the advertisers so that the ads can be served on any webpage that uses Google's advertising products and
    • Google hosts an automated auction process amongst the available advertising inventory that will determine the remarketing ads that will be served.
  • The advertisers in turn,
    • define the parameters of their ad campaign, such as the user lists and the remarketing criteria,
    • And they determine the application of Google’s policies to their ad campaign.

That is where errors or transgressions can occur. And that is where Google’s accountability for monitoring comes in.

Google described to us, in strict confidentiality, the details of its system to ensure compliance with its privacy policy on OBA. We will respect that confidentiality so I will summarize it to what can be made public:

  • Google does have a review system in place to monitor advertising — our investigation revealed that it was not scalable and had demonstrable shortcomings;
  • When Google’s monitoring system does identify a compliance issue, Google endeavours to review the products and websites in question and determines the appropriate treatment for that advertiser. Typically, advertisers raising compliance issues will first receive a warning to fix the problem, and if the policies are broken repeatedly, their advertising account will be suspended.

While we recognize that Google has taken steps to establish a monitoring system to ensure compliance among advertisers, this case, and our analysis of the system, showed that it does not meet the operational challenge in view of:

  • the volume of ads — we’re talking of billions;
  • the difficulty, at times, of identifying sensitive information;
  • the diversity of users — now from 9 to 99; and
  • accounting for the normal incidence of bad actors among advertisers.

2.3 OPC Recommendations to Google

We made specific recommendations for Google to adopt a more formalized, rigorous system for monitoring compliance. In accepting our recommendations, Google has agreed to the following measures to fully address our concerns:

  1. Google rejected all active remarketing campaigns involving devices to treat sleep apnea. To ensure compliance, Google regularly searches for remarketing campaigns that could refer to this device.
  2. Google will also revise its public interest-based advertising policies to add information about medical devices — thus assisting its review staff in identifying them as such.
  3. Google will also develop new training for its internal teams to keep up to date with sensitive category ads and therefore improve recognition of potential policy violations and better understand how and when to escalate issues.
  4. Google has already increased monitoring of existing remarketing campaigns to better identify violations through increased searches for specific medical devices.
  5. Finally, Google has committed to reviewing and upgrading its automated review systems to improve compliance assurance by June 2014.
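As an added illustration (not from this speech, and not Google’s own code or systems), the remarketing flow described in section 2.2 and the review measures listed above can be modelled in Python: a page tag’s request adds a visitor’s advertising cookie ID to an advertiser’s list only while the campaign is live and the user has not opted out; an opt-out purges the ID and blocks future collection; and an automated review screens advertiser-supplied campaign metadata for sensitive-category terms, both at submission and in periodic sweeps as the review vocabulary is updated. The campaign names, URLs, cookie IDs and the term list are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed review vocabulary; the entries mirror the health case in the speech.
# A real review system would draw on a maintained taxonomy, not a hard-coded list.
SENSITIVE_TERMS = {"health": ["sleep apnea", "cpap", "insulin pump"]}


@dataclass
class Campaign:
    campaign_id: str
    name: str            # advertiser-supplied campaign name
    landing_pages: list  # URLs where the advertiser places the remarketing tag
    list_name: str       # advertiser-chosen remarketing list name
    status: str = "pending"  # pending | active | rejected


def review_campaign(campaign: Campaign, vocabulary=SENSITIVE_TERMS) -> list:
    """Screen advertiser-supplied metadata for sensitive-category terms.

    Returns (field, category, term) findings; an empty list means clean.
    URL punctuation becomes spaces so "sleep-apnea" matches "sleep apnea", and
    whole-word matching avoids false hits such as "hiv" inside "archive".
    """
    fields = {"name": campaign.name, "list_name": campaign.list_name}
    fields.update({f"landing_page[{i}]": u for i, u in enumerate(campaign.landing_pages)})
    findings = []
    for field_name, value in fields.items():
        text = re.sub(r"[^a-z0-9 ]+", " ", value.lower())
        for category, terms in vocabulary.items():
            for term in terms:
                if re.search(r"\b" + re.escape(term) + r"\b", text):
                    findings.append((field_name, category, term))
    return findings


class RemarketingPlatform:
    """Toy server side of a remarketing product: list storage, opt-out, review."""

    def __init__(self):
        self.campaigns = {}
        self.lists = {}         # campaign_id -> set of advertising cookie IDs
        self.opted_out = set()  # cookie IDs that declined interest-based ads
        # Per-platform copy of the vocabulary so policy updates can be applied.
        self.vocabulary = {k: list(v) for k, v in SENSITIVE_TERMS.items()}

    def submit_campaign(self, campaign: Campaign) -> list:
        """Review at submission; a flagged campaign never goes live."""
        findings = review_campaign(campaign, self.vocabulary)
        campaign.status = "rejected" if findings else "active"
        self.campaigns[campaign.campaign_id] = campaign
        self.lists[campaign.campaign_id] = set()
        return findings

    def opt_out(self, cookie_id: str) -> None:
        """Opt-out takes effect immediately and persists: purge, then block."""
        self.opted_out.add(cookie_id)
        for members in self.lists.values():
            members.discard(cookie_id)

    def tag_request(self, campaign_id: str, cookie_id) -> bool:
        """The request a page tag makes; True only if the cookie ID was added."""
        campaign = self.campaigns.get(campaign_id)
        if campaign is None or campaign.status != "active":
            return False
        if cookie_id is None or cookie_id in self.opted_out:
            return False  # no cookie ID is collected for opted-out users
        self.lists[campaign_id].add(cookie_id)
        return True

    def sweep(self) -> list:
        """Periodic re-review of live campaigns against the current vocabulary."""
        rejected = []
        for campaign in self.campaigns.values():
            if campaign.status == "active" and review_campaign(campaign, self.vocabulary):
                campaign.status = "rejected"
                self.lists[campaign.campaign_id].clear()
                rejected.append(campaign.campaign_id)
        return rejected


def demo() -> dict:
    """Walk through the flow with constructed campaigns and cookie IDs."""
    platform = RemarketingPlatform()
    umbrellas = Campaign("c-umbrella", "Umbrella sale", ["https://shop.example/umbrellas"], "umbrella visitors")
    apnea = Campaign("c-apnea", "Spring promo", ["https://shop.example/sleep-apnea-devices"], "device visitors")
    rest = Campaign("c-rest", "Nightly rest gear", ["https://shop.example/nightly-rest"], "rest visitors")
    out = {"umbrella_findings": platform.submit_campaign(umbrellas),
           "apnea_findings": platform.submit_campaign(apnea),
           "rest_findings": platform.submit_campaign(rest)}
    out["apnea_tag_added"] = platform.tag_request("c-apnea", "cookie-A")  # rejected campaign: refused
    out["umbrella_tag_added"] = platform.tag_request("c-umbrella", "cookie-A")
    platform.opt_out("cookie-A")
    out["umbrella_after_optout"] = platform.tag_request("c-umbrella", "cookie-A")
    out["umbrella_list"] = sorted(platform.lists["c-umbrella"])
    platform.tag_request("c-rest", "cookie-B")
    platform.vocabulary["health"].append("nightly rest")  # constructed policy update
    out["sweep_rejected"] = platform.sweep()
    out["rest_list_size"] = len(platform.lists["c-rest"])
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The sweep is what makes the second and fourth recommendations bite together: a campaign that passed review under yesterday’s vocabulary is caught, and its list emptied, once the vocabulary is extended, which is the platform-side analogue of regularly searching existing campaigns for newly identified sensitive devices.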

From an accountability point of view, this corresponds to the continuum of accountability our Office expects.

Google’s obligation to ensure compliance by advertisers has to be operationalized through advertisement agreements as well as effective compliance monitoring.

We have also asked Google to consider the complainant’s concern that he could not readily access Google’s remedy mechanisms. Google shared our interest in improving transparency and indicated that they were reviewing possible improvements.

3. Lessons learned

In conclusion, I would like to highlight how this investigation has brought me to refine the position on OBA beyond Google’s specific circumstances.

  1. I am comfortable with the idea that OBA, with proper constraints, is part of a business model that may benefit users as well as business by allowing more relevant ads. The legitimacy of that business model rests upon a proper balance between, on the one hand, the benefit to the user —such as access to online searching at no monetary cost and the convenience or informational value of interest based ads — and, on the other hand, the level of intrusiveness of the collection of personal information — defined by the sensitivity of the personal information collected, the user’s control over the collection, including the age of the user, and the transparency of the practice.
  2. While I am aware of the operational issues for ensuring privacy compliance for OBA, I expect the implementation of OBA to be bounded by a very robust governance structure where:
    1. Policies on OBA are consistent with the OPC’s guidelines on OBA;
    2. These policies are clear for users and for advertisers — including what constitutes sensitive personal information and what constitutes health information;
    3. Contracts with advertisers clearly state their obligations under privacy law in relation to OBA;
    4. The intensity of monitoring by the advertising platform is in line with the volume of ads, sensitivity of personal information, and with the risks of transgression;
    5. Compliance staff are supported with proper training and definition to identify ads based on sensitive information; and
    6. Remedy mechanisms are readily accessible including:
      1. Comprehensive interest lists so that users can see the full list of interests on the basis of which they are tracked; and
      2. Contact information is salient enough to be obvious.
  3. My third observation through all this is that there is nothing new to the legitimacy of OBA. I agree with Ron Lund’s comments in reaction to our investigation that OBA does not constitute a practice so new and so different that it should be banned outright. Instead, OBA is subject to the same, long-established ethics of advertising as they relate to privacy.

    Going back to the ethics of advertising, three principles are most relevant here:
    • Respect for individual autonomy in the face of advertising. This is nothing new in itself; online, it now means offering Internet users clear choices as well as effective and immediate controls.
    • Transparency of advertising. Also a principle as old as advertising, which entails accessible and accurate information about the advertising, upfront and not buried in a privacy policy.
    • Accountability for compliance. Simply deriving from the principle of honouring a commitment to consumers, it entails a governance structure that meets the compliance challenge.
    All these ethical principles are as old as advertising and simply find new applications in relation to OBA.

What is particular to OBA is that the operational challenge for privacy compliance is high, considering the number of advertisers, the pace and reach of advertising, its intrusive nature, and the diversity of users.

That is the great lesson from Google OBA for Google, for us and for business: the very personal profile that can be built via OBA is what makes it a high return proposition — but it also makes it a high privacy risk that comes with the commensurate obligation to monitor its compliance with privacy law.

We hope our report of findings in this investigation will serve as a helpful tool to meet that challenge.

Thank you.
