Lexpert’s 7th Annual Information Privacy and Data Protection Seminar
Toronto
December 1, 2015
David Young, Principal, David Young Law
Albert Luk, Vice President and General Counsel, Jumbleberry Interactive Group Ltd.
Bill Hearn, Partner, Fogler, Rubinoff LLP
PROGRAMMATIC TRADING - BIG DATA - ONLINE BEHAVIOURAL ADVERTISING
OVERVIEW
• Online and mobile advertising - collection, use and disclosure of personal information
• Big Data Landscape
• Privacy Principles
• Targeting / tracking
• Programmatic ad trading
• What is Big Data? / Privacy concerns
• What is Online Behavioural Advertising?
• OBA privacy concerns - OBA
• OPC guidance on OBA
• Emerging best practices
• Key Information References
• Questions
ONLINE ADVERTISING
What media?
• Random/banner ads
• Contextual ads
What targeting?
• Third party targeted ads
• Online behavioural advertising/targeting
• Geolocation/geofencing
How are they placed and bought?
• Programmatic/real time bidding impressions (typically, targeted ads)
Many online services are fiscally free with personal information taking the form of
the real currency. In other words, cost-free content comes at a price of personal
data rather than dollars. And, often as not, it’s the online enterprise collecting the
data, rather than the customer relinquishing it, who determines what happens
next.
And that personal data includes so much more than the name and address you
knowingly submit; it now encompasses data about your location, activities and
preferences that flow automatically from your electronic devices, often without
your knowledge.
PERSONAL DATA – THE NEW ONLINE CURRENCY
– OPC’S 2013 ANNUAL REPORT
• Diverse channels/functionalities:
- website registration/purchase/subscription interactions
- search engines
- website landing/navigation (cookies)
- mobile location/search/purchase actions
- social media postings
• May be active (e.g. registration) or passive (e.g. cookies)
• May involve “personally identifiable” or “non-personally identifiable” PI
• However collected, in whatever form, is likely to be added to one or more databases
in which information about the individual, which may or may not be by name, is
held
COLLECTION OF PERSONAL INFORMATION – ONLINE AND MOBILE
• Website owners/advertisers/publishers (first party data
collectors)
• Search engines
• Social media sites
• ISPs/mobile device providers
• App developers/providers
• Third party data collectors
• Data aggregators/suppliers/analytics providers/brokers
DATA COLLECTORS / STORES / ANALYSTS / USERS
Big data Landscape
KEY PIPEDA PRINCIPLES
Collection - Use - Disclosure
Notice of Purposes
• Transparency
Consent
• Knowledgeable/meaningful
• Sensitive vs. non-sensitive information
• Opt-out consent – when available
Ancillary rules
• Data limitation
• Retention / deletion
Symantec 2014 Report
Information collected for the purposes of OBA will generally be
considered personal information given that its purpose is to create
profiles of individuals that in turn permit serving of targeted ads and
given the powerful means available for gathering/analyzing disparate
bits of data and the serious possibility of identifying affected
individuals and the highly personalized nature of the resulting
advertising
IS TRACKING DATA PERSONAL INFORMATION? OPC – BROAD, CONTEXTUAL VIEW
CHALLENGES OF OBTAINING CONSENT
What is informed consent?
• 53% of Canadians unaware their apps track location
Global Privacy Enforcement Network (GPEN) Privacy Sweep
• Providing details of privacy policy / terms of use prior to download?
• The “small-screen challenge” = opt-in vs. “web wrap” acceptance
• Privacy settings
What don’t we know about what we don’t know…
• Retention periods
• Aggregating and data mining
• Other information collected without notice or consent: SIM card information;
address book; mobile PINs; call history
Symantec 2014 Report
TRANSPARENCY ABOUT BIG DATA
FTC AND OPC REPORTS ON DATA BROKERS (MAY/SEPTEMBER 2014) – TRANSPARENCY FOR BIG DATA
• Data brokers collect consumer data from online and offline sources, largely without
consumers’ knowledge, ranging from consumer purchase data, social media activity,
warranty registrations, magazine subscriptions, religious and political affiliations,
and other details of consumers’ everyday lives.
• Data brokers combine and analyze data about consumers to make inferences about
them including potentially sensitive inferences such as those related to ethnicity,
income, religion, political leanings, and age.
• Many of the purposes for which data is collected pose risks to consumers (e.g.
unanticipated uses)
• Given the scope, scale and size of information that data brokers hold, the merging
of offline and online activities, and the sophisticated analytical and technological
solutions that exist, data brokers increasingly are compiling mature consumer
profiles.
• Reports recommend greater transparency and control over the practices of
data brokers, and consumer control over the personal information that they
hold.
TARGETING EXAMPLE – CREEPY?
Big Data & Online Behavioural Advertising
Bill Hearn
Overview – BD and OBA
What’s “Big Data” (BD) in the context of advertising & marketing and what are the
opportunities and main privacy concerns it raises?
What’s “online behavioural advertising (OBA)” and how has the Office of the Privacy
Commissioner of Canada (OPC) responded to the privacy concerns it raises?
– Some Guidelines and Reports (Nexopia, 2012 and Google, 2014)
– Two Recent Reports
– OPC’s Ganz Webkinz.com Findings/Backgrounder - October 2014/March 2015
– OPC’s Bell Canada Relevant Advertising Program (RAP) Findings - April 2015
What are emerging best practices for OBA and what’s on the horizon?
– DAAC’s AdChoices Program, launched September 2013
– OPC’s OBA Follow-Up Research Report, June 2015
– Digital Privacy Act amendments in force June 18, 2015
– Privacy Commissioner Therrien’s Speeches at the University of Alberta in June 2015 and
to the Canadian Marketing Association in September 2015
What’s BD?
Generally
BD refers to data sets so large or complex that traditional data processing
applications are inadequate
Challenges include analysis, capture, data curation, search, sharing, storage,
visualization and information privacy
Wikipedia – 2015
BD is a term that describes large volumes of high velocity, complex and
variable data that require advanced techniques and technologies to enable the
capture, storage, distribution, management and analysis of the information
TechAmerica Foundation – 2013 (US)
What’s BD?
Generally BD is characterized by several factors including:
– Volume = sheer amount and intensity of data to collect and analyze
– Velocity = speed by which data is produced and must be processed
– Variety = wide range of sources of data
– Variability = inconsistency of data
– Veracity = quality of data
– Complexity = especially where large volumes of data are coming from
multiple sources
Combination of Sources
What’s BD?
For Advertisers & Marketers
BD refers to the processing of data too big to handle on a single server, most
likely including unstructured data, and likely involving integration of multiple
data sources that reflect advertising & marketing activities and consumers’
reactions to them
BD can include as many consumer touch points as are available or focus on a
limited number of them to address specific advertising & marketing questions
yielding insights that were previously unachievable through more
conventional business analysis
Council for Research Excellence 2014 (US)
What’s BD?
For Advertisers & Marketers
BD refers to collecting, analysing and generating insights from a wide variety
of customer, commercial and environmental information
BD is used to develop a better understanding of customer preferences, habits
and considerations in making transactions with different categories, brands
and channels
The successful use of BD in advertising and marketing leads to improved
customer experience, a better exchange of value between customers and
organizations, and improved business performance
Association for Data-driven Marketing & Advertising (ADMA), 2013
(Australia)
What’s BD?
The Potential for Advertisers & Marketers
Some see the confluence of BD and online and mobile marketing as
the “Holy Grail” of advertising and marketing
BD and mobile allow advertisers and marketers to target customers
precisely and efficiently with highly relevant offers tailored to the
customer’s attributes delivered at the right time and place
But privacy concerns loom large
Identifying Purposes/Knowledge, Consent
The complexity of the BD ecosystem and the practical limitations of
privacy notices and policies may make it a challenge for individuals
to understand what will happen to their personal information (PI) –
e.g., PI may end up in the database of a data broker and combined
and disclosed in ways not easily understood by the individual even if
disclosed in privacy notices and policies
Some BD Privacy Concerns
Identifying Purposes/Knowledge, Consent
The individual may simply not understand where their PI may end up,
and that it could be combined with other existing profile data in a
manner that reveals more than contemplated at the time of disclosure
Onward transfer and combining with yet more data could reveal even
more and compound the problem
The individual data subject may lack an understanding of the
interpretations, inferences and deductions that may be drawn from
their combined data using BD mining techniques and analytics
Some BD Privacy Concerns
Openness, Accuracy, Individual Access
Individuals may not know what entities may be collecting
information about them and creating profiles
Data subjects may be able to identify companies to whom they have
provided PI and may have a direct relationship with those companies
… but they may not be able to do the same for data brokers
Even if the individual can identify a data broker, they may have
challenges getting access to their PI for correction and ensuring
accuracy
Some BD Privacy Concerns
Do Not Collect (Not Just Do Not Target)
With pervasive and constant collection of information about
individuals from multiple sources, data brokers may be able to
pinpoint a user’s identity and specific preferences without having
information that has traditionally been considered PI
Common methods for de-identification may not be effective, if the
unique identifier of the computer or mobile device used to access a
website, when combined with specific behavioural and other data,
can supply enough information to identify a person individually
Concern is compounded when collection and aggregation of
seemingly non-sensitive data about an individual reveals sensitive
information regarding their finances or health
Some BD Privacy Concerns
De-Identification
Data sets that are de-identified have had key information stripped
away in order to prevent others from identifying the individuals to
whom the data set relates
But if de-identification is not performed properly, it may be possible
to re-identify individuals in an anonymized data set
The risk of re-identification of BD sets using contextual “micro data”
is a significant privacy concern (as this may constitute a data breach
and attract regulatory investigations and lawsuits)
Some BD Privacy Concerns
The OPC’s Definition
OBA involves tracking consumers’ online activities across sites and
over time in order to deliver advertisements targeted to their inferred
or apparent interests
OBA often uses sophisticated algorithms to analyze the collected
data, build detailed personal profiles of users, and assign them to
various interest categories which, in turn, are used to present ads
defined as relevant to users in those categories
Ads can also be targeted based on specific websites that users have
visited recently (often called retargeting or remarketing)
OPC Guidelines on Privacy and Online Behavioural Advertising,
December 2011/June 2012
What’s OBA?
OBA Privacy Concerns
Evidenced in OPC Guidance
Guidelines on Privacy and Online Behavioural Advertising, 2012
Guidelines for Online Consent, 2014
Report of Findings in Investigation of Nexopia, 2012
Report of Findings in Investigation of Google, 2014
Report of Findings in Investigation of Ganz Inc.’s Webkinz.com and
Backgrounder, 2014 and 2015
Report of Findings in Investigation of Bell Canada’s Relevant
Advertising Program (RAP), 2015
Online Behavioural Advertising Follow Up Research Report, 2015
Guidelines
Privacy and Online Behavioural Advertising, issued December 2011,
updated June 2012
– Intended to help organizations using OBA ensure their practices are fair, transparent
and in compliance with PIPEDA
– Takes position that information involved in online tracking and targeting for
purpose of serving OBA to individuals generally constitutes PI
– Confirms that an individual’s knowledge and consent for the collection, use and
disclosure of their PI is required under PIPEDA
– Recognizes that form of consent can vary – e.g., express consent (opt-in) when PI is
sensitive; implied consent (opt-out) when PI is not sensitive
– Defines sensitivity as depending on nature of information and context in which it is
being collected, used or disclosed
OPC Guidance on OBA
Guidelines
Privacy and Online Behavioural Advertising, issued December 2011, updated June
2012
– Indicates that opt-out consent for OBA is reasonable provided:
– Individuals are made aware of purposes of OBA in clear and understandable manner;
must be obvious and not buried in privacy policy; must be transparent and effectively
inform individuals of OBA practices through online banners, layered approaches and
interactive tools
– Individuals are informed of these OBA purposes and the various parties involved in
OBA at or before time of collection
– Individuals are able to easily opt-out of OBA – ideally at or before the time PI is collected
– The opt-out takes effect immediately and is persistent
– The PI collected and used is limited to non-sensitive PI (i.e., avoid sensitive PI like
health or financial information)
– The PI collected and used is destroyed as soon as possible or effectively de-identified
OPC Guidance on OBA
Guidelines
Privacy and Online Behavioural Advertising, issued December 2011,
updated June 2012
– If the individual is not able to decline the tracking and targeting using an opt-
out mechanism because there is no viable possibility for them to exert control of
the technology used, or if doing so renders a service unusable, then organizations
should not deploy that technology for OBA purposes – e.g., no zombie or super
cookies
– It is difficult to ensure meaningful consent from children to OBA; so, as a best
practice, organizations should avoid tracking children and tracking on websites
aimed at children
OPC Guidance on OBA
Guidelines
Guidelines for Online Consent, May 2014
– What’s PI? Combining disparate bits of information, derived from multiple sources,
can also lead to detailed profiles that enable individuals to be identified – the
possible re-identification of anonymous data has increased with advances in
technology that allow for vast amounts of data to be collected and combined
– What is meaningful consent? The key is openness and transparency. Data and
information management practices must be explained in a comprehensible,
understandable and accessible manner so that individuals can make informed
decisions about sharing their PI
– Consent is valid only for the purposes about which the individual has been
informed
– The purposes for which an organization collects and uses personal information must
be reasonable and defined. Even with consent, PIPEDA requires collection, use
and disclosure of PI to be limited to purposes that a reasonable person would
consider appropriate in the circumstances
OPC Guidance on OBA
Guidelines
Guidelines for Online Consent, May 2014
– Online consent can be expressed by the mechanics of clicking an “I agree” button or
selecting online choices by ticking off a check box. It can also be expressed by an
action such as downloading an app after reading what PI the app will access and
how it will be used
– Consent can sometimes be inferred by non-action such as where an opt-out option
has not been exercised
– Privacy policies should be understandable and readable to the average person.
They should also be made accessible in a conspicuous manner such as a hyperlink
on the organization’s landing page
– Real-time communication methods should be used, including online banners,
layered approaches and mouse hover pop-ups
– “Just in time” notices – e.g., if a user’s age is requested to register for an online
service, a just in time notice explaining why this PI is needed should appear near the
space where the user would input the PI
OPC Guidance on OBA
Guidelines
Guidelines for Online Consent, May 2014
– “Layered notices” help make better sense of lengthy and complex disclosures by
presenting a summary of the key highlights up front. Having read the highlights,
the user may then click through to a condensed notice that covers all the basic
information in concise, easy-to-read language. The complete version of the privacy
policy addressing all legal requirements must also be available to the user
– Standardized “icons” that communicate whether the site shares PI with third
parties or whether it engages in OBA can help users quickly decide whether they
want to interact with the site
– Mobile technologies only amplify the privacy law compliance challenges of the
fixed online environment – as the mobile medium does not lend itself to detailed
and lengthy explanations
OPC Guidance on OBA
Guidelines
Guidelines for Online Consent, May 2014
– In the mobile environment, privacy issues should be highlighted at decision
points in the user experience where people are most likely to pay attention and
where they most need disclosure and guidance – e.g., when users are asked to
provide PI at registration, they should be informed why each piece of data is needed
and how it will be used
– Organizations should recognize and adapt to special considerations in managing
the PI of children and youth
– Organizations should implement innovative ways of presenting privacy information
to children and youth that take into account their cognitive and emotional
development and life experience
OPC Guidance on OBA
Reports of Findings
OPC’s Nexopia findings, March 2012
– OPC found that Nexopia (a social networking website for youth) had inappropriate default
privacy settings, provided inadequate information about a number of privacy practices
(leading to a lack of meaningful consent for the collection, use and disclosure of PI at
registration and the sharing of PI with advertisers and other third parties without proper
consent), and kept PI indefinitely even after users selected a “Delete Account” option
– Nexopia took issue with some of the OPC’s recommendations (including not keeping PI
indefinitely) resulting in the OPC filing an application in Federal Court seeking an order
requiring Nexopia to stop retaining PI indefinitely
– Following a change in Nexopia’s ownership, the company committed to addressing all of
the OPC’s findings by April 30, 2013 including the issues raised in the court application
– A prominent notice now appears on many website pages that contain ads inviting visitors
to learn about, and potentially opt out of, OBA
– The court application was discontinued on May 29, 2013 upon the OPC confirming that
corrective measures had been implemented to address all of the OPC’s recommendations
OPC Guidance on OBA
Reports of Findings
OPC’s Google findings, January 2014
– OPC found that, contrary to PIPEDA, Google’s online advertising services (i.e., AdSense
and AdWords) used sensitive information about an individual’s online activities (i.e.,
browsing for medical devices to treat sleep apnea) to target him with ads for continuous
positive airway pressure or “CPAP” machines (which treat sleep apnea), on websites
completely unrelated to sleep apnea
– How Did It Work? When the complainant visited a website offering information about
CPAP machines, a cookie was placed on his browser that triggered ads for sleep apnea
treatment devices to appear on his computer screen when he visited any website that used
Google’s advertising services, even on sites about unrelated issues like news and weather
– The complainant had not provided his explicit opt-in consent to receive such ads
– Google conceded that the problem related to “remarketing campaigns” (a form of interest-
based advertising which allows an advertiser to target ads to recent visitors to their site)
– Google acknowledged that some of the advertisers using its ad service did not comply with
Google’s policy against interest-based advertising relating to sensitive issues (like health)
OPC Guidance on OBA
Reports of Findings
OPC’s Google findings, January 2014
– OPC reiterated its distinction between “contextual advertising” (which uses
information about a current visitor to a website in order to serve a targeted ad to
the user on that site) and “OBA” which involves an advertising service placing
an ad on a webpage based on tracking data collected across multiple websites
– OPC identified shortcomings in Google’s monitoring systems and Google
agreed to develop a more formalized and rigorous system for reviewing ads for
policy compliance which included:
– Providing additional information to advertisers creating remarketing
campaigns
– Increasing monitoring of remarketing campaigns for possible violations
of its policy
– Offering more training to Google’s own staff in addressing potential
policy violations
– Upgrading its automated review system
OPC Guidance on OBA
Reports of Findings
OPC’s Ganz Webkinz.com findings, October 2014
– Ganz operates Webkinz.com, a website aimed at 6-13 year olds
– Website allows users to open a free account by creating a virtual pet and then other
pets through the purchase of Webkinz plush toys
– In March 2012, OPC initiated complaint against Ganz re: its Webkinz website
– OPC concerned that Ganz collected, used and retained the PI of children
through its online Webkinz registration process, without fully explaining the
purposes for doing so, or obtaining appropriate knowledge and consent
– OPC also concerned that Ganz was allowing third party advertisers to track
and profile children for the purposes of serving OBA
– Ganz fully cooperated with the OPC and undertook several important steps to
protect the privacy of its young users
OPC Guidance on OBA
Reports of Findings
OPC’s Ganz Webkinz.com findings, October 2014
– OPC found that Ganz needed to improve its privacy protection policies and practices
– OPC made several recommendations that Ganz committed to implement including:
– Avoiding the collection of children’s PI wherever possible
– Being careful about inadvertent collection of PI
– Using age-appropriate language and interactive techniques to communicate with
website’s target children’s audience
– Ensuring children understand the importance of involving their parent or
guardian in processes like accepting a website’s terms and conditions
– Monitoring the practices of third parties communicating and interacting with
users
– Informing users of the actual privacy practices of the website and explaining what
practices apply to which website if more than one site is covered by a user
agreement or privacy policy
OPC Guidance on OBA
Reports of Findings
OPC’s Ganz Webkinz.com findings, October 2014
– Ganz prohibited advertising networks and advertisers from tracking children on the
Webkinz website for the purposes of building online profiles and serving OBA
– While there was no evidence of OBA on the website, the OPC’s testing showed that
– unbeknownst to Ganz – advertisers appeared to be tracking and potentially
profiling children visiting the website
– Ganz’s lack of awareness of the cookie and advertising practices of third
parties on the Webkinz website suggested a need for Ganz to improve its due
diligence and monitoring of such activities
– Ganz was reminded to provide privacy information in the languages in which the
website is offered (both English and French)
OPC Guidance on OBA
Reports of Findings
OPC’s Ganz Webkinz.com findings, October 2014
– Findings highlighted the need for extra caution in protecting children’s privacy
rights
– In response to OPC recommendations, Ganz agreed to
> use its avatar “Miss Birdy” to prompt children, during the registration
process, to have their parents/guardians review and accept the website’s
terms and conditions
> modify its registration process to limit the PI collected and to advise
parents of the website’s policy against children including their real names
or other PI in their user names
OPC Guidance on OBA
Reports of Findings
OPC’s Bell RAP findings, April 2015
– In November 2013, Bell began serving its customers with targeted ads from fee-
paying third parties (under Bell’s “relevant advertising program”) based on its
customers’
– network usage (e.g., Internet browsing habits, app and device features usage,
TV viewing, and calling patterns) and
– account and demographic information (e.g., age range, gender, primary
language, average revenue per user, credit score, payment pattern, and billing
address location by city and postal code)
– By combining this data, Bell created highly detailed profiles that enabled third
parties to deliver targeted ads to Bell customers for a fee
– OPC received an unprecedented 170 privacy complaints about the RAP
OPC Guidance on OBA
Reports of Findings
OPC’s Bell RAP findings, April 2015
– Bell did not obtain explicit opt-in consent from its customers but they had a choice
to opt out of the program
– Bell made efforts to notify its customers about the RAP in bill messages, text
messages, emails and information on Bell’s website
– But Bell’s notices did not explain that existing account and demographic
information would be used in the RAP
– Moreover, even if a customer opted out of the RAP, Bell continued to track their
network usage information to further develop its customer profiles in case the
customer chose to opt back into the program in the future
OPC Guidance on OBA
Reports of Findings
OPC’s Bell RAP findings, April 2015
– Even if Bell did not give RAP advertisers access to information that constituted the
PI of its customers, advertisers could still link the information obtained from Bell to
an actual Bell customer with the help of cookies, device fingerprinting, other
tracking methods and their own profile information
– Moreover, the detail of the RAP’s categories permitted the selection of highly
specific groups – e.g., “26-30 year old males in the city of Ottawa with below
average credit and an interest in hockey” and “an English-speaking female, between
the ages of 26 and 30, in the city of Montreal, who has a medium to high interest in
hockey and who recently visited www.cbc.ca/new”
OPC Guidance on OBA
Reports of Findings
OPC’s Bell RAP findings, April 2015
– OPC found that:
– Earning ad revenue and promoting improved customer experience through
OBA (two key purposes of the RAP from Bell’s standpoint) were valid
business objectives
– But Bell did not obtain adequate consent from its customers for the RAP
– The breadth of the information collected, when taken in combination,
qualified as sensitive information and required explicit opt-in consent
– While Internet users might reasonably expect web services to track usage for
the purposes of OBA in order to generate revenue to support services that are
otherwise free, Bell was charging customers for its services
– It was reasonable for Bell customers to expect that Bell would obtain explicit
opt-in consent for a secondary use of that information such as the RAP
OPC Guidance on OBA
Reports of Findings
Fall-out from OPC’s Bell RAP findings, April 2015
– Bell’s initial response to OPC’s findings was to insist that the PI used in the RAP
was not sensitive and that, accordingly, opt-out consent was adequate under
PIPEDA
– Shortly after that, however, Bell advised the OPC that it had decided to withdraw its
RAP and would delete all existing customer profiles related to the RAP
– National class actions were filed in Ontario and Quebec claiming $750 million in
damages for, among other things, breach of contract, breach of the
Telecommunications Act, and intrusion upon seclusion arising from Bell’s
unauthorized use of its customers’ PI for the RAP
OPC Guidance on OBA
Guidelines
Online Behavioural Advertising Follow Up Research Project, June 2015
– OPC had concern that, even though OPC guidelines were widely distributed and
discussed and an industry-led self-regulatory program (i.e., the AdChoices Program)
had been subsequently launched, OBA practices could still be offside PIPEDA
– Purpose of project was to gather data on current practices – not an investigation, just
an opportunity to observe OBA practices across a range of websites and advertising
organizations (e.g., advertisers, ad networks and ad agencies) to gather data for
analysis and discussion
OPC Guidance on OBA
Guidelines
Online Behavioural Advertising Follow Up Research Project, June 2015
– Discusses what constitutes “sensitive” PI by confirming that it almost always includes
health and financial information and, depending on the context, may include other
information where the collection, use or disclosure (alone or when combined with other
information):
– Could lead to personal harm, financial or reputational damage, or embarrassment of
an individual
– Could reveal deeply personal or intimate details of the lifestyle and personal choices
of an individual
– Confirms that where PI is sensitive, opt-out consent is not appropriate; must have opt-in
consent
OPC Guidance on OBA
Guidelines
Online Behavioural Advertising Follow Up Research Project, June 2015
– Concluded that: OBA is widely used on websites; AdChoices icon is sometimes
being used to provide notice and an ability to opt-out; some targeted ads did appear
without any form of knowledge or consent; and ads were targeted based on prior
online activities that related to sensitive topics without opt-in consent
– Recommended to industry that: advertising organizations ensure knowledge and
consent be provided to all OBA; websites ensure that the advertising organizations
they work with meet the OPC’s requirements for OBA; advertising organizations
that rely on opt-out consent must avoid targeting based on sensitive topics and must
monitor closely the use of retargeting; and opt-out procedures must be improved so
that they are clear, consistent and usable
OPC Guidance on OBA
Emerging Best Practices
The AdChoices Program, September 2013
Is a self-regulatory program to govern online ads established by the Digital Advertising Alliance
of Canada (DAAC), a consortium of leading Canadian advertising & marketing associations
Encourages organizations to provide consumer-friendly notice of OBA practices to Internet users
and an ability to opt out of OBA programs
A core feature is the “Ad Choices” icon (also widely used in US and Europe)
Participating companies adhere to accepted set of six principles - known as the Canadian Self-
Regulatory Principles For Online Behavioural Advertising - that provide consumers with
transparency and control over OBA
The six Principles are Education, Notice & Transparency, Consumer Control, Data Security,
Sensitive Data, and Accountability
The icon links to information about OBA and an online tool that allows consumers to opt out of
OBA if they choose
Advertising Standards Canada (ASC) accepts and investigates complaints about OBA that may
violate the Principles and works with advertisers to achieve compliance
Emerging Best Practices
Digital Privacy Act amendments to PIPEDA in force June 18, 2015
Establishing new requirement of “sliding scale” of consent
– To validly consent, an individual to whom an organization’s activities are directed
must reasonably expect the nature, purpose and consequences of the collection, use
or disclosure of their PI
– Applied to OBA (and based on the OPC’s RAP finding), an individual who visits a
free website may reasonably expect that information pertaining to their online
behaviour (like clicking on a banner) can be collected, used to target ads pertaining
to products advertised on the banner, and disclosed by the website to an ad network
and its advertisers
– But if the OBA program goes beyond the user’s reasonable expectations, explicit
opt-in consent should be obtained
Emerging Best Practices
Commissioner’s Speech to CMA, September 2015
– Ensure knowledge and consent is provided
– Avoid targeting based on sensitive topics
– Opt-out procedure should be clear, consistent, usable
– Opt-out consent may be reasonable if information collected is not
sensitive and is consistent with the reasonable expectations of
individuals
– But opt-out consent should not be the default for all OBA
programs
Emerging Best Practices
Privacy Policy – OBA Disclosure Example
How does Third Party Ad Serving/targeted advertising work
Third party ad serving utilizes technology such as cookies and web beacons to
assemble usage information from websites you’ve visited. This information is
utilized to try to understand your potential interests and match them with
potential suppliers of related products and services. If one of these potential
suppliers has contracted with a website that you are visiting to deliver its
corresponding advertisement, your internet browser will assemble appropriate
ad information and deliver it to you while you are browsing on the unrelated
website.
How to limit Third Party Ad Serving
If you prefer to limit or not receive third party advertising, look for an
"AdChoices" icon in or near to the advertising you are viewing. By selecting
this icon, you should be redirected to a website that should allow you to limit
or stop the delivery of advertisements to your computer. However, you should
know that the "AdChoices" icon can only help you limit advertisements from
companies that have signed-up to use the "AdChoices" icon to manage Third
Party Ad Serving. To the extent an advertisement does not include the
AdChoices icon, you should visit the website where you are receiving the
third party ad or the actual advertiser's website to view its privacy policy and
learn how to stop receiving third-party advertisements.
Takeaways
Main Risks of OBA
– That disparate bits of information collected could, in combination, be considered PI
or sensitive information requiring opt-in consent – e.g., a social media user name
combined with an IP address may lead to identifying an individual
– Implied consent is not always appropriate for OBA, even if bits of information are
each, in their own right, non-sensitive
– The targeted ad itself should allow users to opt-out of OBA - e.g., by putting the
AdChoices icon directly on the ad and the opt-out mechanism must be user-friendly
– Users must be given clear information about OBA practices – this is best done
through icons, layered notices and just in time notices (not just through privacy
policies)
– Adequate safeguards must be in place for use of PI and it should be de-identified so
that the identity of individual cannot be determined
– Information collected should be destroyed or de-identified as soon as it is no longer
required
Takeaways
Main Ways to Mitigate OBA Risks
– Communicate with customers in a transparent and understandable manner
– Provide clear information about the type of data that will be collected and the
purposes for which the data will be used
– Obtain consent (opt-in required where the information is sensitive and where the
reasonable expectations of affected individuals dictate)
– When relying on opt-out consent, provide an easy-to-use opt-out mechanism
– Register for DAAC’s AdChoices program and take advantage of being consistent
with the industry standard (don’t be an outlier)
– That said, the AdChoices program may not satisfy all of the OPC’s concerns – e.g.,
what about complying with the “do not collect” requirement under PIPEDA?
What’s On the Horizon
Remarks of Privacy Commissioner Therrien at University of Alberta
June 12, 2015
– Need to keep abreast of change and stay ahead of curve
– The need to closely examine PIPEDA’s current consent model is a key concern in
achieving the objective of increasing the control Canadians have over their PI
– Is it realistic to seek one-time consent in exchange for PI in an age where analytics
and algorithms identify new possible uses for data all the time?
– Asking people to read a tome of legalese before clicking “accept” is no longer
sufficient and is becoming less and less so as BD gets even bigger
– As part of the OPC’s priority regarding the “economics of personal information”,
the OPC will be producing a discussion paper outlining challenges with the current
consent model
Key References
OPC - Guidelines – Privacy And Online Behavioural Advertising (December 2011, updated June 2012)
OPC - Guidelines – Policy Position On Online Behavioural Advertising (June 2012)
OPC/B.C. OIPC/Alberta OIPC – Guidelines For Online Consent (April 2013)
OPC – PIPEDA case report #2013-017 (Apple called upon to provide greater clarity on its use and disclosure
of unique device identifiers for targeted advertising), November 20, 2013
OPC – PIPEDA case report #2014-001 (Use of sensitive health information for targeting of Google ads raises
privacy concerns), January 14, 2014
OPC – PIPEDA case report #2014-008 (Agreement to an app’s “permissions” does not, by itself, equal consent
to collect, use and disclose personal information)
OPC - Online Privacy Transparency, Annual Report To Parliament 2013 (PIPEDA)
BC OIPC Good Privacy Practices for Developing Mobile Apps (October, 2012)
BC OIPC Practical Suggestions for your Organization’s Website Privacy Policy (Aug., 2013)
Programmatic Essentials – CMA Webinar (Nov. 24, 2014), presented by AcuityAds
How Programmatic Buying Works – Video by AcuityAds http://acuityads.com/programmatic-buying/
Questions?
“Not everything that counts can be counted,
and not everything that can be counted counts.”
Albert Einstein
Thank You
David Young, Principal, David Young Law
Bill Hearn, Partner, Fogler, Rubinoff LLP
Albert Luk, Vice President and General Counsel, Jumbleberry Interactive Group Ltd.
Disclaimer: This presentation is intended to provide general comments on the law. It is not intended to be a
comprehensive review nor is it intended to provide legal advice. You should not act on the information in this
presentation without first seeking specific legal advice on a particular matter from a qualified lawyer.