Last week, the Privacy Commissioner of Canada reported on research undertaken by her office during the summer to assess whether websites in Canada are inappropriately “leaking” the personal information of registered users. Researchers tested 25 sites and identified “significant privacy concerns” with six of them. Researchers also had questions about the practices of an additional five sites.
The Commissioner reported that the user information being leaked varied from website to website, but such leaks generally included one or more of a user’s name, email address, postal code and location.
The organizations receiving the information were reported as falling into three main categories: advertising companies, analytics companies and electronic flyer services.
The six websites in respect of which the Commissioner identified “significant privacy concerns” were cited for a lack of transparency. The organizations operating these websites were disclosing information to third parties, “apparently without the knowledge or consent of the people affected.” The Commissioner also noted that, in some cases, it did not appear that the disclosures were in keeping with the organizations’ own privacy policies.
More Factual Information Required
The Commissioner has not concluded that the disclosures summarized in her report violated federal privacy law. Rather, she has requested information from 11 organizations that will allow her to assess whether current practices need to be modified to ensure compliance with privacy law.
It remains to be seen how many of these organizations will be expected to modify their practices. Given that two organizations were reported to have disclosed nothing more than postal codes, it is far from clear that modifications will be required in each case.
The Commissioner has not publicly named the 25 organizations that were tested or the 11 organizations that have been asked to provide information about their privacy practices. While the Commissioner’s decision to keep the website names confidential has been criticized, there are strong arguments that can be made in support of it.
Naming names when an official investigation has not been conducted and a finding has not been made would be premature. It may be that, in at least some instances, websites are able to provide a valid and satisfactory explanation of the disclosures they have made (e.g., disclosure pursuant to a proper consent or a valid exception to consent – such as a transfer to a service provider for processing).
Naming names without all of the relevant facts would not be in the public interest and, as a result, is not allowed under PIPEDA. Once the Commissioner has received the information she has requested, she will be in a position to assess whether the public interest would be served by doing so. The Commissioner alone will be in a position to make that assessment.