New technologies present vast opportunities for businesses to develop innovative advertising initiatives. However, it is important for organizations to assess the privacy impact of such marketing schemes in the early stages, to avoid having their ventures vetoed by privacy enforcement authorities.
The Bell Case
In November 2013, Bell launched its relevant advertising program ("RAP"). The RAP tracked users' Internet browsing activities (e.g., websites visited and apps used on a customer's mobile device) and combined such information with existing customer account information (e.g., postal code, gender, age range, plan type, device information, average revenue and credit score). Bell used this information to create detailed "interest profiles" for each customer. In assigning profile categories, Bell also used truncated URL history to assign interest categories such as "sports" or more specifically "soccer".
The OPC gave the following example of the types of profiles created by Bell:
"For instance, a Customer Profile could indicate that a Bell Customer is an English-speaking female, between the ages of 26 and 30, in the city of Montreal, who has a medium to high interest in hockey and who recently visited www.cbc.ca/news.1"
The RAP also contemplated the use and collection of information about Wi-Fi Internet usage, television viewing habits and telephone calling patterns, however, at the time of the OPC’s investigation, the company was not using this information to create profiles. In addition, Bell did not directly include predetermined sensitive categories in its profiles, such as “adult content” or “cancer”. Rather, such information was used to yield non-sensitive categories. For instance, while “cancer” would be discarded as a category, a non-sensitive category such as “men’s health” could be assigned to the customer profile.
Once the interest profiles were created, they would be matched against the "ad profiles" of third party advertisers, so that targeted advertisements could be delivered to Bell customers. Although Bell used customer personal information to develop its "interest profiles", the company did not disclose the identity of any customers to third parties in connection with the RAP. Furthermore, Bell made significant efforts to notify its customers about the RAP, including bill messages, text messages and emails. The OPC also accepted that maximizing advertising revenue and improving users' online experience through targeted advertising were legitimate business objectives, and therefore, there was a reasonable purpose for Bell to collect and use personal information in connection with the RAP.
However, the OPC found that the RAP did not comply with the Personal Information Protection and Electronic Documents Act in a number of respects. In particular, the OPC found that:
- Notices to customers were not sufficiently transparent. For instance, Bell's detailed explanation on its website did not explain that existing account/demographic information would be used in the RAP.
- Bell allowed customers to opt-out of the RAP, but given the sensitivity of the information and the reasonable expectations of customers, the OPC determined that opt-in consent was required for this program.
- Bell continued to track network usage information of customers who opted-out of the RAP, in order to further develop its customer profiles in the event the customer chose to opt back into the program.
In determining that opt-out consent was not appropriate for the RAP, the OPC reasoned that Bell had access to vast amounts of personal information which was provided by users in order to gain access to mobile, Internet, telephone and television services, and that the breadth of the combined information rendered it more sensitive. In addition, in considering the expectations of customers, the OPC noted that Bell charged for its services (sometimes hundreds of dollars per month), and so customers would not expect the information that Bell collected for the purposes of delivering its primary services to be used for the secondary purpose of delivering behaviourally targeted ads. This is in contrast to previous OPC decisions where it was found that users who are provided with a free service would expect that some information may be used for advertising purposes.
Following the OPC's Report of Findings, Bell decided to withdraw the RAP and it agreed to delete all existing customer profiles related to the program.
Lessons for Organizations
The Bell case illustrates the risks involved in developing new programs without considering applicable privacy laws. Bell undoubtedly invested significant resources in the RAP, only to cancel the program because of inadequate privacy controls. This could have been avoided if the company had conducted a privacy impact assessment early in the process.
Therefore, when developing a behavioural advertising program, organizations should:
- Assess the privacy impact with the involvement of the organization's privacy officer(s) and legal counsel
- Communicate with customers (and other affected persons) in a transparent and understandable manner, including providing clear information about the type of data that will be collected and the purposes for which the data will be used
- Obtain consent, and consider whether opt-out or opt-in consent is appropriate depending upon the sensitivity of the information and the reasonable expectations of affected individuals
- Consult and carefully consider the OPC's Online Behavioral Advertising Guidelines, which can be found at: https://www.priv.gc.ca/information/guide/2012/bg_ba_1206_e.asp
Such steps are important not only from a legal standpoint but also to build and maintain customer trust.
Online behavioural advertising is not prohibited in Canada, but as with any new initiative that involves personal information, such programs should be designed carefully to ensure appropriate privacy controls.