Online behavioral advertising (OBA) has become a popular part of the business model for many organizations. It can also be an intrusion on privacy. The difficulty is that the guidelines governing OBA have not always been clear.
Clarity, however, took a giant step forward with the release in April 2015 of the Report of Findings of the Office of the Privacy Commissioner of Canada (OPC) on Bell’s Relevant Ads Program. The findings followed a high-profile investigation into an advertising-revenue-generating program that tracked the browsing habits and app usage of customers together with their TV viewing and calling patterns. Bell combined the information derived with demographic and customer account data and came up with a service that allowed the telecom giant to deliver highly targeted ads to Bell customers on behalf of third parties.
The OPC found that the core difficulty with Bell’s program was its failure to provide for opt-in consent, instead providing only the ability to opt out. “We felt the privacy implications of the initiative were significant enough to require opt-in consent from customers,” the OPC said in a statement that accompanied the Report’s release.
But the OPC also clarified that Bell’s objective of maximizing ad revenue while improving customers’ online experience was a legitimate business objective. The key takeaways from the decision include:
- Although OBA is reasonable, it is not necessary, and therefore requires express or implied consent;
- Whether express or implied consent is required depends on the sensitivity of the personal information and the reasonable expectations of customers;
- In certain cases, such as health information, sensitivity is inherent. But sensitivity may also be contextual, and determining its degree depends on such factors as the identifiers compiled (e.g., URLs, usage, account information), as well as the information generally compiled by the organization in providing its services;
- Whether an expectation is reasonable is also a contextual issue and may depend on such factors as whether the information was specifically collected for OBA or for another purpose; whether the service is free or either partly or wholly dependent on advertising; whether the information enables third-party or only service-provider ads; and the extent to which the company already has been given access to vast amounts of personal information;
- Where consent is required, an option to withdraw at any time must be available. If that option is exercised, the profiling as well as the OBA must stop;
- Meaningful consent requires a high level of transparency including the availability of information on what data is being used, how it is being used and how it will be used in the future;
- Meaningful consent is not, however, carte blanche: the personal information must still be within the range of what a reasonable person considers appropriate. Generally speaking, credit information is inappropriate as are full postal codes;
- As previously established by the OPC, personal information may not be disclosed to third party advertisers and information compiled for OBA cannot be retained when it is no longer necessary to the program; and
- Organizations should have a specific governance framework to document compliance with privacy law.
Plaintiffs’ class action lawyers weren’t impressed with the Report. Within weeks, Sutts, Strosberg LLP in Windsor and Charney Lawyers in Toronto launched a $750-million class action suit seeking damages for breach of privacy, breach of contract and breach of the Telecommunications Act. A similar action was launched in Québec.
The CRTC’s Unsolicited Telecommunications Rules remain unchanged after a review by the Commission left them mostly in place. Among other things, the CRTC rejected proposals to broaden the use of “robocalls” by automated dialing-announcing devices (ADAD) even where the caller has an existing business relationship, as well as proposals that would have permitted non-consensual indirect ADAD solicitations. Several years ago, Canada’s three largest wireless carriers incurred some $1.7 million in sanctions for making such calls, which involved both providing notice to prepaid subscribers of the pending expiry of their minutes and providing a number at which the minutes could be increased. The CRTC also declined to require telemarketers to display their name on recipients’ caller ID; refused to add additional record-keeping requirements for telemarketers; did not extend the three-year validity period for an internal DNCL; did not require telemarketers to notify consumers about DNCL expiries or extend DNCL requests to affiliated companies; refused to require parties exempt from the telemarketing rules, like registered charities and political parties, to maintain internal DNCLs; and declined to remove the exemption for calls made to businesses from the telemarketing rules.
There were, however, certain changes, including reducing from 31 to 14 days the period within which telemarketers must comply with requests to be added to an internal do-not-call list (DNCL). The 31-day period for giving effect to such requests on the national DNCL remained unchanged. Other changes allow ADAD calls to include a postal address or an email address in addition to a telephone number in their introductory messages; require ADAD calls to start messages with a brief description of the purpose of the telecommunication; and mandate that contact information provided during live voice or ADAD calls remain valid for at least 60 days.