As Online Behavioural Advertising (OBA) becomes a business model, the Report of Findings of the Office of the Privacy Commissioner of Canada (OPC) on Bell’s Relevant Ads Program (RAP) constitutes a milestone. Here are the takeaways for CEOs, counsel and Chief Privacy Officers:

  1. OBA is not unreasonable but is not necessary for the purposes of a commercial transaction. Consequently, it requires separate express or implied consent.
  2. The legality of express or implied consent is contingent upon:
    • the sensitivity of the personal information used; and
    • reasonable expectations of customers.
    Sensitivity of the information may be inherent (e.g., health information, as was the case of OPC-Google-OBA, January 2014), or contextual, through the compilation of identifiers, such as URLs, internet browsing history, telephone and television usage, account and demographic information, as well as the information generally gathered by the organization for the purpose of delivering service.
  3. Reasonable expectations of privacy are contextual and differ depending on whether:
    • the information used for OBA was collected for this purpose or for another, such as providing service;
    • the service is free and therefore entirely dependent upon advertising (as in OPC-Facebook 2009), or paid for with advertising as an additional revenue stream for the organization;
    • the information provided enables third party ads or only service provider ads; and
    • the company is, for reason of service, already entrusted with vast amounts of personal information.
  4. Where consent is appropriate, the option to withdraw it must remain effective, meaning that the profiling intrinsic to the behavioural ads must stop as well as the ads.
  5. Meaningful consent to OBA requires a high level of transparency which entails detailed, accessible information on:
    • what information is used; and
    • how it is and will be used.
  6. Even with meaningful consent, OBA purposes must still limit the personal information to what a reasonable person would consider appropriate.
    • Credit information is generally viewed as inappropriate considering its financial implications.
    • As postal codes are shared by one to 19 households, the possibility of identification is high. Postal code information should be limited to the first three digits.
  7. As established in OPC-Facebook 2009,
    • personal information may not be disclosed to third party advertisers; and
    • information compiled for OBA cannot be retained for longer than that purpose.
  8. Safeguards must include measures to protect against re-identification.
  9. OBA must be accompanied by a specific governance framework to document and demonstrate compliance with privacy law.

In short, before an organization moves to OBA, it should:

  • develop a program that uses as few identifiers as possible (the ads may be less targeted, but implied consent will suffice);
  • propose options that are proportionate to the sensitivity of the information; and
  • make options clear, detailed, accessible and readily effective.