Canada’s new federal Privacy Commissioner has wasted no time in continuing the tradition of showing leadership on privacy regulatory issues at home and around the world. Here are a few important takeaways from recent developments that are of special interest to organizations operating in the retail sector.
Privacy breaches: Smoke doesn’t always mean fire
Dentons represented a Canadian online back-office services provider in a cross-border data breach involving the disclosure of customer and payment information of individuals who had made transactions online and in-premises with numerous clients of the online provider. The organization was able to demonstrate that it had created an effective data breach management plan. It had implemented safeguards such as firewalls, hashing and encryption of sensitive information, separate storage and obfuscation of encryption keys, and multiple intrusion detection systems. Although the organization suffered a breach as a result of a criminally-motivated hack, for the first time in a reported case, the Office of the Privacy Commissioner of Canada (OPC) concluded that the complaint against the organization was not well-founded. View the PIPEDA Report of Findings #2014-004, Online service provider that suffered a breach had appropriate safeguards in place.
Dentons’ key takeaway: Conduct a fire drill with the assistance of knowledgeable counsel. Would you have the evidence to prove you met the standard of care for safeguards?
Foreign service providers have obligations in Canada
In the same decision involving the back-office service provider, the OPC agreed that the back-office service provider had done the right thing in making breach notification to the affected consumers of the back-office service provider’s clients in Canada. The fact that the organization was based in the US, without any presence in Canada, did not mean that the organization was beyond the reach of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and substantially similar provincial laws. Moreover, for the first time, the OPC concluded that a service provider could be jointly in control of personal information it processes on behalf of a client and, therefore, have independent obligations to the individuals with whom it does business.
Dentons’ key takeaway: This is an area of evolving law. Whether you are a service provider or an outsourcer, it is prudent to seek legal advice when negotiating breach response obligations under service agreements. Don’t assume it will always be the outsourcer’s sole responsibility.
Collecting personal information from kids: You may need parental consent
In recent years, the OPC has expressed concern regarding the collection and use of personal information of children. Canada does not have an equivalent law to the US’s Children’s Online Privacy Protection Act. However, the open-textured, principled nature of PIPEDA allowed the OPC to set a high bar for obtaining consent in a recent investigation into the practices of Ganz. Ganz marketed Webkinz plush toys and operated a related website for children. Ganz thought that it had avoided collecting personal information by requesting that children not use their real names. However, the OPC concluded that this was not enough, as children might use their real names anyway and the collection of a parental email address could, in any event, lead to the connection of the username with the child. Among the important recommendations of the OPC in connection with obtaining meaningful consent on websites for children were:
- Privacy policies must explain the actual practices of the website so parents can determine exactly what is happening on the child’s website versus other websites directed to other audiences – this can be an issue when trying to use one policy for multiple sites;
- Traditional privacy notices are not appropriate for children and should be supplemented with other just-in-time notices;
- Children’s websites should use age-appropriate language, ideally with interactive tools to ensure children understand and/or pay attention to the notices;
- Interactive tools should communicate to the child that they must involve a parent or guardian in critical steps, such as accepting terms and conditions;
- Organizations should obtain parental consent if the website is directed to children 13 years or younger because obtaining meaningful consent is unlikely for that age group without parental assistance; and
- Analytics and advertising providers should be carefully monitored to ensure that they are not collecting personal information of children without appropriate consent – too often website operators fail to monitor the practices of third parties with cookies and other digital markers on their sites.
Dentons’ key takeaway: Although privacy policies are of continuing importance, greater emphasis is being placed on just-in-time privacy notices and icons. If you are developing new content or functionality, now is the time to build in best practices.
Online advertisers beware: More interest-based advertising guidance
The OPC released a controversial decision regarding Bell Canada’s proposed “Relevant Advertising Program.” Under this program, Bell Canada proposed to collect information from user activities and demographic information from customer accounts and compile a profile of consumers for advertising purposes. Advertisers could obtain a limited-use code from Bell Canada to advertise to consumers who fit the characteristics that the advertiser was looking for. The most contentious issues were whether Bell’s use of network usage information and account/demographic information to support sales of advertising to its customers was an appropriate use of personal information and whether express opt-in consent was required for that use. Ultimately, the OPC concluded that the use of the information for advertising programs was an appropriate purpose but decided that express opt-in consent was required because of the potential sensitivity of the browsing behaviour being used by Bell. The OPC’s view was that the reasonable expectations of consumers would be that their telecommunications service provider would seek such consent before making use of that information.
- Organizations must monitor and conduct due diligence regarding tracking technology on their sites: To demonstrate accountability, organizations must ensure that they monitor tracking technology on their site. They must conduct due diligence and ensure that third parties are not using personal information collected through cookies and other technologies contrary to the purposes identified to the users of those sites. Organizations must conduct their due diligence and should use contractual provisions to prevent misuse.
- Interest-based advertising is an appropriate use of personal information: The OPC has stated in the Bell Report of Findings that it accepts that the objective of maximizing advertising revenue and improving a customer’s online experience through targeted advertising can be a legitimate business objective. In general the use of personal information for that purpose is appropriate.
- But use of credit information not appropriate: The use of credit scores, whether on an individual basis or an aggregate basis, is not appropriate for targeted advertising. Using this information for this purpose may not be permitted by consumer reporting legislation. The OPC recommended, and Bell agreed, to discontinue the use of that information.
- Opt-out consent must be meaningful – no rainy day retention: The OPC recommended that if a customer opted out of Bell’s interest-based advertising program, the information be deleted and not further collected. Bell had proposed to continue to collect the information but not use it unless the customer opted back in.
- Opt-out consent is not a universal rule: Previously, the OPC said in its online behavioural advertising guidance that opt-out consent would be appropriate for online behavioural advertising if the information used was not sensitive and there was an effective opt-out mechanism. However, in the Bell Report of Findings, the OPC confirmed that opt-in consent may be required if the scope of the information being collected is very broad and the reasonable expectations of the consumer would be to expect opt-in consent.
- Broad collection creates sensitivity: In the OPC’s view, the scope of collection could result in the information being collected being sensitive. The OPC believed that Bell could track virtually all of its customers’ online activities and, therefore, this information was, in the aggregate, sensitive.
- Reasonable expectations of consumers are relevant to whether opt-in consent is required: The OPC has reintroduced its primary/secondary purposes analysis through the guise of a reasonable expectations analysis. In the Bell Report of Findings, the OPC just couldn’t get past the fact that Bell charged for Internet services, unlike a free service, such as Facebook. As a result, the OPC thought Bell was making a secondary use of personal information and commodifying customer information for purposes other than the delivery of telecommunications services.
- Time-limited retention won’t eliminate sensitivity: Even though Bell only kept 90 days’ worth of behavioural information, the information was, in the OPC’s view, still sensitive in the aggregate.
In response to the decision, Bell withdrew its proposed Relevant Advertising Program. View the PIPEDA Report of Findings #2015-001, Results of Commissioner Initiated Investigation into Bell’s Relevant Ads Program.
Dentons’ key takeaway: At this point, this is the most detailed and important guidance from any regulator on interest-based advertising. Whether you are an advertiser, an advertising network or a platform, or simply looking to build a richer CRM database profiling your clients, this is the time to consider how this guidance affects your business strategy.