On April 7, 2015, the Privacy Commissioner of Canada ruled in its Report of Findings #2015-001 against Bell, one of Canada’s largest telecommunications companies. The Commissioner ruled that Bell’s targeted advertising program violated federal privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), since Bell did not obtain adequate consents for facilitating the delivery of third-party behaviourally targeted ads to its customers. Following the release of the Commissioner’s Findings, Bell decided to withdraw its Relevant Ads Program and delete all existing customer profiles related to the program. It is important to note that the decision did not take into account whether Bell was in compliance with the Telecommunications Act (Canada), and this issue is currently before the Canadian Radio-television and Telecommunications Commission (CRTC).
The purpose of PIPEDA is to establish rules to govern the collection, use and disclosure of personal information in a manner that recognizes: (a) the right of privacy of individuals with respect to their personal information; and (b) the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. In making its analysis, the Commissioner examined the sensitivity of the information and the reasonable expectations of Bell’s customers.
The decision establishes “Big Data” as sensitive personal information. Big Data is a broad term used to describe vast amounts of data, collected over time or from multiple sources. Using data analytics or other forms of computational interpretation, Big Data may reveal human preferences, behaviour and patterns. Principle 4.3.6 of PIPEDA provides that express consent is the appropriate form of consent when personal information is likely to be considered sensitive. The Commissioner found that the breadth of information gathered from multiple sources would render the information, when compiled, more sensitive than the individual elements of that information. These multiple sources included:
- Internet, television and telephone network usage information (such as websites visited and apps used on a mobile device);
- demographic information (such as billing address, age, gender, language, credit score, average revenue, payment patterns, plan type and mobile device information); and
- information generated or inferred (e.g. customer interest categories).
It was also deemed to be personal information since the data was retained and linkable to a specific customer. The decision did not address keyword selection in search engines by customers, Wi-Fi or wireline Internet usage data, television viewing habits, telephone calling patterns or mobile location information (such as information derived from GPS or cell-tower triangulation), as this functionality was not yet enabled by Bell. That information could potentially be used for delivery of relevant ads to customers and would likely also be considered more sensitive.
The Commissioner also looked at the context of the information gathering process and the relevant ads. Principle 4.3.5 of PIPEDA requires organizations to also consider the reasonable expectations of individuals in assessing which form of consent is appropriate in the circumstances. The Commissioner, in referring to the Ontario Court of Appeal decision Royal Bank of Canada v. Trang, 2014 ONCA 883, stated that even where personal information is considered “less sensitive”, the reasonable expectations of the individual, when considered in the particular context, may be such that express consent is required. The findings clarified “reasonable expectations” to be an objective test of all of the relevant contextual factors as a whole, including the type of services the organization offers, and the nature of the relationship between the organization and its customers. Customer survey evidence, which may measure actual expectations, cannot be determinative of the reasonable expectations of individuals.
The Commissioner found that Bell customers would reasonably expect that express consent was required, in particular, since: (a) Bell was collecting information from its customers that trust it with vast amounts of sensitive personal information in order to gain access to Bell’s primary services (e.g., mobile, Internet, telephone and television communications in Canada); and (b) this information was being used for secondary purpose marketing and enabling delivery of third-party behaviourally targeted ads. Therefore, opt-out consent was not sufficient. It is important to note from this decision that the reasonable expectations of individuals must first be assessed, before a determination is made as to what form of consent is required. If the reasonable expectations analysis leads to a finding that express consent is required, sending out notifications based on an implied consent model will not render an organization in compliance with PIPEDA.
Bell argued it had complied with the Office of the Privacy Commissioner’s Privacy and Online Behavioural Advertising Guidelines (“OBA Guidelines”). The OBA Guidelines provide that opt-out consent may be acceptable where certain conditions are met. The Commissioner, however, found that Bell’s relevant advertising program went beyond the type of use of personal information and advertising contemplated by the OBA Guidelines. The Findings clarified that the OBA Guidelines were intended to cover targeted advertising in connection with free online websites, not paid-for services where there is an established customer relationship. While the Commissioner did note that opt-out consent may be appropriate in certain circumstances, organizations should be careful to consider all of the factors outlined in the Commissioner’s Findings and the relevant circumstances, in order to determine the form of consent required. This decision is also a reminder that Guidelines are just guidance documents and should not be exclusively relied upon as law.
For consent to be meaningful in this context, the Commissioner recommended Bell:
(a) obtain express opt-in consent for the practice;
(b) ensure that any Bell customers’ choices to decline to participate in the relevant advertising program effectively ends the use of information for profiling, as well as for delivery of targeted ads; and
(c) ensure that Bell customers’ understanding of the ad program and their associated choices are supported by clear explanations outlining all the relevant advertising program information.
The decision also established that it is inappropriate for an organization to use credit information, even with consent or in aggregated form (e.g., below, average, or above average credit), for designing targeted ads. The collection and use of credit information, such as credit scores from credit reporting agencies, is expressly limited by provincial legislation.
As well, once customers withdraw their consent, the Commissioner made it clear that an organization must stop tracking those customers and delete their profile information. Principle 4.3.8 of PIPEDA provides that an individual “may withdraw consent at any time” for the collection, use or disclosure of their personal information. An organization that continues to maintain or track a customer’s information after the individual has selected to opt out would be in violation of PIPEDA. The Privacy Commissioner also indicated in its Policy Position and Guidelines that “super-cookies” or “zombie cookies” should not be used.
The decision sets out a number of criteria which need to be met for behavioural or targeted advertising to be compliant with PIPEDA, including what information can be used and what customer communications result in meaningful and valid consent. Decision making processes, keyword selections, associated assessment criteria, privacy policies, staff training programs, consent forms and customer profile management need to be properly documented and vetted by someone knowledgeable about the sensitivity of the information being gathered, the technology being implemented, the reasonable expectations of the individuals, the contracts with the advertisers and Canadian privacy, consumer protection and telecommunications law.
The Findings also highlight the need for caution when investing in or purchasing businesses that are providing marketing and advertising services or Big Data analytics in Canada or to Canadians. Due diligence of the target company’s contracts, privacy practices (including required documented procedures and staff training to ensure the appropriate use of individuals’ personal information) and technologies is required to minimize the risk of acquiring a company with liability risk due to non-compliance with Canadian privacy laws, which could result in future litigation (including class action lawsuits) and significant costs to the purchaser or any investors.