Privacy versus personalized content – it is the tension that underlies online behavioural advertising (OBA), and increasingly that tension is threatening to snap. OBA is the practice of tracking consumer’s online activities in order to deliver targeted marketing. Businesses stitch together information, like the websites a consumer visits, the content a consumer views and the searches a consumer runs, into a fingerprint of interests and tastes so that the consumer receives more resonant (and ideally more valuable) advertising.
OBA can be extremely valuable to your business. For example, if I purchase peanut butter online, the shopping website may recommend that I purchase jelly, resulting in a (potentially delicious) and mutually beneficial application of OBA for both myself and the business. However, businesses have to tread carefully where consumer data is collected, used and or stored in ways that violate the consumer’s expectations of privacy. The protection of online consumer data has gained a groundswell of support, on behalf of both users and legislators, for the institution of mechanisms or, “do not track” (DNT) measures, meant to give a consumer choice and control over their behavioural data.
So far in North America, OBA and the collection, use and storage of consumer online data is not explicitly regulated, leaving industry to largely self-regulate.
Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) already requires that businesses:
- obtain consent for the collection of non-sensitive personal information by providing consumers with a transparent and simple means to “opt-out”;
- limit use, disclosure and retention of personal information to the purposes specified at collection; and
- obtain affirmative express consent or “opt-in” consent to collect and use sensitive personal information.
However, it is unsettled as to the extent to which PIPEDA applies to OBA. For now, the answer largely depends on the question of whether an IP address is “personal information” under the Act. The Privacy Commissioner of Canada has taken the view that an IP address is not personal information unless it is actually combined or associated with personally identifiable information. For example, online tracking that uses deep packet inspection technology to allow an ISP to link a particular subscriber ID to a unique IP address would likely be subject to PIPEDA. See PIPEDA Case Summary #2009-010.
With unsettled law, industry groups and government have recognized that certain principles should govern the collection and use of consumer data, namely transparency and simplification of consumer choice over whether and how their data is collected and handled. In terms of governing principles, the FTC has put forward a report, offering up a DNT framework for “consumers, businesses and policy makers,” the European Union’s “Article 29 Data Protection Working Party” is also circulating “Best Practice Recommendations” in line with the EU’s ePrivacy Directive, and in Canada, the IAB has put together an entire “advertising ecosystem” to govern OBA.
However, if industry cannot provide effective DNT measures, it may only be a matter of time before universal top-down measures are legislated. Already in the United States, there is a flood of legislation waiting to set down universal and strict DNT measures. To name a few ..:
- Personal Data Privacy and Security Act of 2011, S. 1151, 112th Cong. (2011) (Sen. Patrick J. Leahy, D-Vt.);
- Do-Not-Track Online Act of 2011, S. 913, 112th Cong, (2011) (Sen. John D. Rockefeller, D-W.Va.);
- Commercial Privacy Bill of Rights Act of 2011, S. 799, 112th Cong. (2011) (Sen. John Kerry, D-Mass.);
- Do Not Track Kids Act of 2011, H.R. 1895, 112th Cong. (2011) (Rep. Edward J. Markey, D-Mass.);
- Consumer Privacy Protection Act of 2011, H.R. 1528, 112th Cong. (2011) (Rep. Cliff Stearns, R-Fla.);
- Global Online Freedom Act of 2011, H.R. 1389, 112th Cong. (2011) (Rep. Christopher H. Smith) (R-N.J.);
- Do Not Track Me Online Act of 2011, H.R. 654, 112th Cong, (2011) (Rep. Jackie Speier, D-Calif.);
- Building Effective Strategies to Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards (BEST PRACTICES) Act, H.R. 611, 112th Cong. (2011) (Rep. Bobby L. Rush) (D-Ill.)).
With legal uncertainty and the prospect of regulation, it is important to be ahead of the curve by defining and implementing a clear DNT policy. In Part II of Do Not Track, we set out current best practices for a DNT policy.