The Canadian Office of the Privacy Commissioner (the Commissioner) released policy guidelines on online behavioural advertising (OBA). OBA involves tracking an individual’s web activities across sites and over time to deliver targeted advertising to the individual. These guidelines are directed to all parties involved in OBA (including advertisers, browser developers, and web site operators) and help clarify obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA) relating to OBA practices.
The Commissioner generally considers all information collected for the purpose of OBA to constitute “personal information” as defined in PIPEDA. While much of the information collected in online behaviour tracking may not be personally identifying by itself, when combined and used for the purpose of profiling to infer an individual’s interests, the information can become highly personalized about an identifiable individual. In particular, the guidelines acknowledge the existence of powerful tools now available that can collect and analyze disparate bits of information to potentially identify individuals.
The guidelines acknowledge that OBA may be considered an appropriate purpose to collect, use, and disclose personal information under PIPEDA. The guidelines recognize the importance of online advertising to content and services being free or less costly on the Internet. However, OBA is not the only type of online advertising, so OBA should not be a condition or term to use the Internet generally.
Meaningful consent to OBA must be obtained, and there should be limitations on the types of information collected and used for profiling. Likewise, it is important to safeguard the information collected, and limit the retention of data to the least amount of time possible.
Opt-out consent to OBA can be meaningful if the following conditions are met:
- The purposes of OBA practices must be disclosed in a clear and understandable way – the Commissioner suggests a variety of methods to identify the purposes, such as online banners, layered approaches, and interactive tools.
- Disclosure of the purposes of OBA must be made when or before information is collected, and information about the various parties involved also must be provided.
- There must be an easy mechanism to opt out of OBA (preferably before information is collected), and the opt-out must take effect immediately and be persistent.
- The information collected must be limited as far as practicable to non-sensitive information (e.g., medical, health and financial information should not be collected).
- The information must be destroyed as soon as possible or effectively de-identified. Since anonymization can be a challenge to achieve, deletion is preferred.
In addition to the above conditions, OBA must be restricted to exclude tracking using zombie cookies, supercookies, third-party cookies that appear to be first-party cookies, device fingerprinting, and other techniques that do not offer individuals the ability to consent or withdraw consent; such techniques are non-compliant with PIPEDA. Individuals cannot stop or control some of these types of tracking tools without taking extraordinary and/or inconvenient measures (if they can be stopped at all).
OBA must also be restricted to avoid marketing to children. Given the practical challenges of determining whether a child is capable of giving meaningful consent, the guidelines suggest that organizations avoid knowingly tracking children and tracking on websites aimed at children.