The Office of the Privacy Commissioner of Canada issued Guidelines for Online Behavioral Advertising that address tracking children's online activities, when to use an opt-out approach, and technologies that should not be used for online tracking.
Canada's privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), requires an individual's knowledge and consent for the collection, use or disclosure of personal information. PIPEDA also requires that the purposes for which an individual's information is to be collected, used or disclosed be explained in a clear and transparent manner.
The Office of the Privacy Commissioner determined that the information involved in online tracking and targeting for the purpose of serving behaviorally targeted advertising to individuals constitutes personal information under PIPEDA. Therefore, "any collection or use of an individual's web browsing activity must be done with that person's knowledge and consent." However, the form of consent can vary: "for example, express consent (opt-in) when dealing with sensitive information, and implied consent (opt-out) when the information is less sensitive." According to the Guidelines, the sensitivity of information depends on the nature of the information and the context in which it is being collected, used or disclosed.
The guidelines specifically address these practices:
Children. The Guidelines discourage companies from tracking children or tracking on websites aimed at children.
Technologies that should not be used. "If an individual is not able to decline the tracking and targeting using an opt-out mechanism because there is no viable possibility for them to exert control over the technology used, or if doing so renders a service unusable, then organizations should not be employing that type of technology for online behavioural advertising purposes." In a press release announcing the new Guidelines, the Privacy Commissioner stated: "So, in the current online behavioural advertising environment, that means no use of web bugs or web beacons, no super cookies, no pixel hacks, no device fingerprinting and no to any new covert tracking technique of which the user is unaware and has no reasonable way to decline."
Non-sensitive information. The Guidelines state that opt-out consent for online behavioral advertising could be considered reasonable provided that:
- Individuals are made aware of the purposes for the practice in a manner that is clear and understandable - the purposes must be made obvious and cannot be buried in a privacy policy;
- Individuals are informed of these purposes at or before the time of collection and provided with information about the various parties involved in online behavioral advertising;
- Individuals are able to easily opt-out of the practice - ideally at or before the time the information is collected;
- The opt-out takes effect immediately and is persistent;
- The information collected and used is limited, to the extent practicable, to non-sensitive information (avoiding sensitive information such as medical or health information); and
- Information collected and used is destroyed as soon as possible or effectively de-identified.
This client alert is a publication of Loeb & Loeb LLP and is intended to provide information on recent legal developments. This client alert does not create or continue an attorney client relationship nor should it be construed as legal advice or an opinion on specific situations.
Circular 230 Disclosure: To assure compliance with Treasury Department rules governing tax practice, we inform you that any advice (including in any attachment) (1) was not written and is not intended to be used, and cannot be used, for the purpose of avoiding any federal tax penalty that may be imposed on the taxpayer, and (2) may not be used in connection with promoting, marketing or recommending to another person any transaction or matter addressed herein.