Building trust through privacy protection

Remarks at a Canadian Marketing Association Breakfast Seminar

September 24, 2015
Toronto, Ontario

Address by Daniel Therrien
Privacy Commissioner of Canada

(Check against delivery)


Introduction

I thank you for the opportunity to speak to you this morning – and for your interest in privacy protection issues. I am here with Vance Lockton from our Toronto Office, which, as you may know, investigates PIPEDA complaints and does stakeholder relations with organizations based in the GTA.

My remarks today will begin with some of the recent work my Office has been doing – specifically our research project related to online behavioural advertising and our investigation of Bell’s Relevant Ads Program.

I would also like to look ahead and tell you about our recently identified privacy priorities. These priorities will help guide our efforts over the next five years. Some of this work will be particularly relevant to your industry.

In fact, members of the Canadian Marketing Association attended our stakeholder input sessions where they provided valuable insight into some of the privacy issues affecting your industry. I thank you for that contribution and trust that you will find some of that input reflected in our strategies.

And just like we have consulted before adopting new priorities, we will continue to engage with stakeholders as we pursue initiatives under the priorities we have set. My leadership style is to favour consultation and collaboration. You can expect this approach to continue.

In any case, privacy protection is not the exclusive responsibility of the Office of the Privacy Commissioner and we cannot operate effectively in a silo. I believe hearing the opinion of stakeholders will contribute greatly to producing the kind of concrete results that will give Canadians more control over their personal information.

Before delving into my talk here today, I would like to spend just a moment on a more recent initiative that I think you will find most interesting – the Global Privacy Enforcement Network Children’s Privacy Sweep.

GPEN Sweep

As part of this annual initiative, data protection authorities around the world choose a theme and together assess privacy communications and controls related to that theme. This year’s theme was children’s privacy with respect to mobile applications and websites.

We found that the majority of websites and mobile applications assessed were collecting personal information from children and sharing it with third parties.

We observed that there are too many developers collecting particularly sensitive personal information, such as photos, videos and the location of children, and often allowing it to be posted publicly.

We also saw too many instances of children being redirected to other sites with varied privacy protection practices, often via an ad or contest icon that sometimes appeared to be part of the original site.

We believe there are some important lessons to be learned, not just for children and parents, but also web and app developers and advertisers who should be thinking about limiting the ways and reasons for which children’s personal information is collected.

For example, we saw some innovative protective controls, such as pre-set usernames and avatars, moderated message/chat functions and parental dashboards. We were also encouraged to see that a number of quite popular sites targeted at children did not collect any information – thus demonstrating that it can be done.

Protecting the privacy of Canada’s children is a shared responsibility. Children, parents, teachers, developers and advertisers have a role to play and I urge the creative minds here in this room to really think about what you could do to help address the over-collection of children’s personal information, and to enhance the privacy protective features of your online environments.

OBA Research

Let’s turn to OBA research.

In June, my Office released the results of a study that looked at online behavioural advertising by 46 popular, free websites frequented by Canadians and subject to PIPEDA.

It came roughly four years after our Office issued guidance for stakeholders involved in OBA and was, in some ways, an assessment of how closely those guidelines were being followed.

I am pleased to report that we found many examples of good privacy practices related to online behavioural advertising.

For instance, the vast majority – more than 96 percent – of the targeted ads we saw provided notice of OBA and opt-out options.

That being said, we found there is still room for improvement.

We were disappointed to find sensitive information being used to target ads. For example, our research found that online searches on sensitive topics such as pregnancy tests, divorce lawyers, depression and bankruptcy could lead to related ads appearing on the user’s computer screen.

These sensitive targeted ads were not accompanied by an option to provide opt-in consent as set out in our guidelines.

In other instances, the procedures for opting out were overly complicated.

Information provided was not always clear. It was often difficult to find the opt-out option. And users who wanted to opt out across different advertising organizations were faced with multiple interfaces and websites.

So, what do we expect OBA players to do, for example, the advertising industry?

Advertising organizations must ensure that knowledge and consent is provided for all targeted ads.

Those that rely on opt-out consent must avoid targeting based on sensitive topics, and must closely monitor the use of retargeting.

Also, advertising organizations and industry groups need to improve the opt-out procedures so they are clear, consistent, and usable.

We shared our findings with advertising organizations generally, and more specifically, with the three identified as having used sensitive information without appropriate consent. 

I am pleased to note, as some of you may have read in media reports, that advertising associations say they are taking the report seriously, they are finding the results useful and they are using it to help shape their future work. 

We are, of course, continuing to follow up with these and other advertising organizations to ensure improvements are being made and I look forward to working with some of you right here in this room as we move forward on this issue.

As we have been stressing for a number of years now, the bottom line is that opt-out consent for OBA can be considered reasonable under PIPEDA provided it is carried out under certain parameters, including that the information collected is of a non-sensitive nature.

Even for non-sensitive topics, such as travel, digital cameras or golfing – which we also looked at in our research – accepting participation in online behavioural advertising should not be a condition for people to use the Internet generally and people must be able to easily opt out.

There are of course some no-go zones, such as when individuals are unable to opt-out of OBA because of the use of certain technologies, such as supercookies or zombie cookies.

As well, organizations should avoid tracking children, or tracking on websites aimed at children, as it is difficult to obtain meaningful consent from them.

Bell Investigation

Another closely related file we have been dealing with at the OPC is the Bell Relevant Ads Program.

My Office received more than 170 complaints – an unprecedented number – when the initiative was first announced.

The program involved tracking the Internet browsing habits of customers, along with their app usage, TV viewing and calling patterns. Combined with demographic and account data already collected from customers, detailed profiles were created to enable third parties to deliver targeted ads to Bell’s customers for a fee.

My Office accepted that Bell’s objective of maximizing advertising revenue while improving the online experience of customers was a legitimate business objective. We also accepted that Bell’s targeted advertising initiative could be very effective in achieving those objectives.

However, our Office concluded that Bell customers would reasonably expect to be asked for their express consent before being included in the program. 

This position was informed by the sensitivity of the information involved and the reasonable expectation of users, which in this case, was based on the nature of the relationship Bell historically had with its customers, including the fact that as a telecom, Bell is a paid service. 

As a result, our conclusion was that Bell should obtain opt-in consent from customers to proceed with the program.

As I am sure you know, the company has since decided to withdraw the program and delete all existing customer profiles.

Bell has indicated publicly that it plans to reintroduce the program using an opt-in model. It will be up to Bell to ensure any new program is consistent with PIPEDA.

As indicated in our report, we are continuing to engage with stakeholders to which the findings may be relevant as it is clear to us that the issue of targeted advertising is far from resolved. In fact, there are related investigations ongoing at the OPC as we speak.

Bearing in mind that my Office conducts its investigations on a case-by-case basis and draws its conclusions based on the specific and unique facts  surrounding each complaint, I do not wish to prejudge the outcome of these or any other OBA-related cases that might land on my desk in the future.

That being said, our Office is often asked about where to draw the line between opt-in and opt-out consent.

While the answer is not so black and white, I offer you this: Our OBA guidelines indicate that opt-out consent may be reasonable provided certain conditions are met:

  • The information should not be sensitive;
  • the purpose for the collection should be clearly articulated;
  • information should be provided about various third parties involved; and
  • the opt-out option should be obvious and timely.

This, however, does not mean that opt-out consent is the default for all behaviourally targeted advertising.

It is important to remember that OBA programs will most likely vary from one organization to another.

The essential considerations for determining the appropriate form of consent to use in a specific circumstance remain the sensitivity of the information and the reasonable expectations of the individual.

Our recommendation would be for organizations to evaluate these considerations by conducting a privacy impact assessment or similar risk analysis of their particular marketing programs and initiatives.

Privacy Priorities

On the subject of consent, some of you may know that a key initiative to emerge from our priority setting exercise is to examine the practical challenges associated with PIPEDA’s consent model.

We spoke extensively with members of the public during focus groups, as well as with private sector stakeholders, academia, civil society organizations and consumer groups during the research phase of the priority setting exercise.

Individuals we spoke with expressed concern about not having enough control over their online information.

They were aware that free online services are offered in exchange for personal information, and that companies use the information they collect to offer personalized content such as customized marketing.

Some accepted this practice; others thought they should be able to go online without having personal information collected and sold.

Some felt the power relationship between individuals and organizations was skewed in favour of industry, that consent is often meaningless and that more regulation is needed.

Others pointed to the benefits, such as access to free and innovative services and convenience, as well as economic growth.

Some stakeholders, which included representatives from the advertising industry, questioned the efficacy and suitability of PIPEDA’s consent model in the context of big data, the Internet of Things, and the mobile environment.

We, of course, heard concerns about poorly written privacy policies, consent forms and user agreements that failed to clearly explain complex information management practices, rendering them ineffective in obtaining meaningful consent.

We also heard that it is often difficult to identify and articulate a specific purpose for the collection of personal information at the time it is being collected.

While some argued organizations should not collect where no reasonable use exists, others expressed concern that this approach could impede future innovation.

We also heard about challenges with the binary nature of consent – that users must accept, holus bolus, an organization’s terms of use in order to participate. This inevitably leads to poor risk assessment – favouring immediate benefits over future harms, as well as peer pressure and normalization.

As part of our examination of consent, in the short term – that is next spring – we will produce a discussion paper outlining the various challenges I just mentioned. We will also suggest potential solutions, such as: industry codes and other forms of self-regulation; greater accountability, which some suggest would place responsibility more towards those who are able to assess risk; and enhanced regulation, including the definition of no-go zones where personal information should always be protected.

We will consider solutions that seek to minimize risk, legislative options, educational opportunities and technical or other practical ways to improve upon the current consent model.

We will also try to clarify the roles of individuals, organizations, regulators and legislators and we will open all this to debate with stakeholders.

For the moment, the potential solutions I have mentioned are just that – potential solutions that may be included in the discussion paper.  At this point, we are not advocating for any particular solution.  We also plan to undertake consultations before the discussion paper leads to Office positions.

In the medium term, we will identify what improvements could be made, we will apply the solutions that are within our jurisdiction and, where appropriate, we will recommend legislative changes.

But this is just one of many initiatives to flow from our priority setting exercise, which has ultimately resulted in four key priorities on which we will focus our efforts. I believe the first – the economics of personal information – which includes reviewing the consent model but also other issues – is of greatest interest to advertisers and marketing executives.

Over the next few years, we will also try to contribute to the development of creative and innovative privacy-enhancing solutions through our technology lab, and working with technology associations, manufacturers and security experts.

We will reach out to small businesses, with a special emphasis on those in the retail and accommodations sectors during the first phase of our outreach work, as research has shown these businesses may require more information about their privacy responsibilities. We will produce guidance and encourage organizations to explain the privacy implications of any new products and services in a language that individuals could easily understand.

We will also reach out to vulnerable groups, such as youth and seniors, to help contribute to their digital literacy, to ensure they are able to participate fully, albeit safely, in the digital economy.

We will do so by building or increasing our partnerships with organizations that serve seniors and youth, by initiating targeted media campaigns and by developing and distributing meaningful, actionable guidance to help these groups.

We will actually try to simplify our guidance and make it more concrete for all segments of the population, in part by making our website easier to navigate and making it more responsive to user needs. Canadians are concerned that they are losing control over their information, but they are not sure how to better protect themselves. We will seek to give them clear information about privacy risks and ways to mitigate them.

Conclusion

Today I have discussed how the OPC as a regulator has acted to and plans to protect the privacy of Canadians. But we are not alone in having a role in privacy protection.  I look forward to your participation in our stakeholder discussions as we move forward on the consent model paper and other priority initiatives.

I want to end by showing you a few figures from an OPC poll which confirms what you already know: that privacy is not just a matter of compliance; it is also good for consumer trust and therefore good for business.

We heard that some people like OBA because they see more ads that are relevant to their interests.

Others find it very privacy invasive. Two-thirds of respondents who recalled seeing a targeted ad indicated that the ad made them feel like they had less privacy online.

The majority of Canadians also have strong reservations about online tracking by Internet companies. In fact, 92 percent thought Internet companies should have to ask their permission to track what they do online.

Canadians, however, are concerned that they are losing control over their personal information. More than seven in ten agreed that they feel they have less protection of their personal information in their daily lives than they did a decade ago. This is the highest level of agreement with this statement since we began tracking this sentiment in 2005.

Our polling also showed that 81 per cent of Canadians would choose to do business with a company specifically because it has good privacy practices. More than half indicated they would choose to do business with a company specifically because it does not collect personal information.

Canadians are becoming more privacy conscious and they are speaking up. We heard that 29 percent have asked a company how it uses or protects their personal information prior to doing business with that company. Of them, 43 percent chose not to do business with the company due to concerns over privacy.

Why should this matter to you?

Consumers increasingly want to do business with companies they trust with their personal information. Not companies with weak privacy practices.

I would now be happy to take your questions.
