The privacy implications of online behavioural advertising (OBA) continue to be an area of focus for the Privacy Commissioner of Canada. On Wednesday of last week, the federal Privacy Commissioner published a Policy Position on Online Behavioural Advertising. She also issued a slightly updated version of the OBA guidelines she released in December.

OBA is defined as tracking and targeting of individuals’ web activities, across sites and over time, in order to serve targeted advertisements. While the Commissioner’s position on OBA has not been as restrictive we’ve seen in other some jurisdictions (such as the European Union), the Commissioner has adopted detailed rules for relying on opt-out consent applicable to OBA.

The rules require that:

  • individuals are made aware of the purposes for the practice in a manner that is clear and understandable – the purposes must be made obvious and cannot be buried in a privacy policy. Organizations should be transparent about their practices and consider how to effectively inform
  • individuals of their online behavioural advertising practices, by using a variety of communication methods, such as online banners, layered approaches, and interactive tools;
  • individuals are informed of these purposes at or before the time of collection and provided with information about the various parties involved in online behavioural advertising;
  • individuals are able to easily opt-out of the practice – ideally at or before the time the information is collected;
  • the opt-out takes effect immediately and is persistent; the information collected and used is limited, to the extent practicable, to non-sensitive information (avoiding sensitive information such as medical or health information); and
  • information collected and used is destroyed as soon as possible or effectively de-identified.

While the new policy position and updated guidelines do not include significant changes to the Privacy Commissioner’s general approach to OBA, the following observations are noteworthy:

  •  It is now clear that the commissioner’s guidelines do not apply to 1st party targeted ads; the commissioner clarified that OBA means tracking and targeting of individuals’ web activities, across multiple unrelated sites and over time, in order to serve ads tailored to those individuals’ inferred interests.
  • While the commissioner has continued to maintain that information collected in the context of OBA should generally be considered to be “personal information”, she has now directly acknowledged that whether information is about an identifiable individual will need to be evaluated on a “case-by-case basis”.
  • Whereas the commissioner’s guidelines in December suggested that OBA could never be made a condition of service, her “updated” guidelines now suggest that this restriction will be applied if OBA is made a condition of service “for accessing and using the Internet, generally.” This change appears to signal that there may be circumstances in which tying access to an online service or website to consent to OBA will be acceptable.
  • The commissioner has (again) elected not to provide specific guidance on how organizations can comply with the practical challenges created by her opt-out consent framework in the context of OBA. These challenges include:
  • informing end users about OBA practices and the various parties involved in OBA “at or before the time of collection”, notwithstanding that cookies are place (and information is gathering) upon a user first visiting a publisher’s website);
  • obtaining consent at the time of collection;
  • determining the sensitivity of the information being collected; and
  • ensuring that opt-outs are “persistent”, even though some commonly used opt-out mechanisms rely on the placement of an opt-out cookie that may be removed by the user in the process of clearing out the cookies on their computing device.