CANADIAN ADVERTISING LAW: BEHAVIOURAL TARGETING, INFLUENCER MARKETING AND SOCIAL MEDIA
Daniel Cole, Partner and Chris Oates, Partner, Gowling WLG
Presented to Association of Canadian Advertisers, October 29, 2019
Meaningful Consent and Behavioural Advertising
REGULATORY FRAMEWORK
The Personal Information Protection and Electronic Documents Act (“PIPEDA”)
• Regulates the collection, use and disclosure of “personal information” in the private sector.
• The provinces of British Columbia, Alberta, and Quebec have ‘substantially similar’ provincial privacy laws.
• Separate laws apply in the public sector, and in many provinces, to health information custodians.
COLLECTING PERSONAL INFORMATION
Overarching principles of Canadian privacy law:
1. Disclose the purposes for which you collect personal information;
2. Obtain informed consent to those purposes;
3. Limit the collection of personal information to what is necessary for purpose(s) identified;
4. Use personal information only in accordance with the purposes disclosed;
5. Provide adequate security for the information you collect, proportionate to its sensitivity; and
6. Retain personal information only as long as needed for the disclosed purposes.
PERSONAL INFORMATION
‘Personal Information’ examples
• Guidance on Behavioural Advertising and Tracking: Taking a broad, contextual view of the definition of personal information, the OPC will generally consider information collected for the purpose of OBA to be personal information, given: the fact that the purpose behind collecting information is to create profiles of individuals that in turn permit the serving of targeted ads; the powerful means available for gathering and analyzing disparate bits of data and the serious possibility of identifying affected individuals; and the potentially highly personalized nature of the resulting advertising.
• Results of Commissioner Initiated Investigation into a Relevant Ads Program: Account, demographic and network usage information are Personal Information as they are linked to a specific customer.
• Apple Targeted Advertising: the Apple UDID and Ad ID constitute Personal Information as Apple has the capacity to link them with individuals.
VALID CONSENT
The requirement for consent in PIPEDA is tied to what it is reasonable to expect the individual would understand:
• ...the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.
GUIDELINES FOR MEANINGFUL CONSENT
The Office of the Privacy Commissioner has published guidance on meaningful consent.
Key Recommendations:
1. Emphasize key elements - avoid information overload by highlighting elements such as:
• What information is collected?
• For what purposes is it collected, used, and disclosed? Highlight matters that would not be obvious.
• With whom is it shared?
• Any risk of harm?
2. Provide information in a layered format - allow individuals to control the level of detail they get.
GUIDELINES FOR MEANINGFUL CONSENT
Key Recommendations:
3. Provide individuals with an option to say “yes” or “no” to non-integral collections, uses and disclosures of information.
4. Explore innovative concepts to obtain consent, such as ‘just in time’ notices, and interactive privacy tools. Take advantage of the dynamic nature of the online environment.
5. Consider the consumer’s perspective, and ensure the information provided is understandable:
• Clear explanations
• Language suitable for diverse audiences
• Easily accessible
GUIDELINES FOR MEANINGFUL CONSENT
Key Recommendations:
6. Treat consent as a dynamic and ongoing process - including when policies change. When policies are changed, or information is used for new purposes, users must be notified and must consent.
7. Be able to demonstrate your consent processes are effective: “pointing to a line buried in a privacy policy will not suffice”.
In assessing consent practices, consider:
• The sensitivity of the information
• The reasonable expectations of the individual
• Whether there is a risk of harm
• Any underlying context (e.g. the age of the individual)
GUIDELINES FOR MEANINGFUL CONSENT
Potential Challenges:
1. Forcing a “yes” or “no” option ignores the availability of implied consent under PIPEDA, and poses challenges with regard to CASL.
• The “must do” is offering clear and accessible choices for non-integral uses of personal information → this includes behavioural advertising.
2. There is little to suggest what “demonstrating effectiveness” of one’s consent processes means in practice.
3. Considering “risk of harm” at the consent stage (in contrast to breach assessment) can be very conjectural, and moreover, adds to what is already often very detailed disclosure.
BEHAVIOURAL ADVERTISING
• OBA involves tracking consumers' online activities and browsing behaviour, across websites and over time, to deliver advertisements better targeted to their perceived interests.
• May include consumer profiles built for different Internet users by collecting information about their preferences using a variety of tracking technologies, such as cookies.
• The profiles attempt to predict a consumer's interests from past activity. Targeted advertisements are then served based on a specific profile.
• Same underlying principles would apply to offline - Canadian privacy law is technology neutral!
BEHAVIOURAL ADVERTISING
Privacy Commissioner Guidelines for opt-out consent:
• The individual must be made aware of the purposes for which you are collecting personal information.
• The individual must be informed at the time or before information is collected and informed of the parties involved.
  A clause buried in a privacy policy would not be adequate!
• There must be an easily available opt-out, that takes effect immediately and is persistent.
• The information is not sensitive. Opt-in consent is required for sensitive information.
• The information is de-identified or destroyed as soon as possible.
BEHAVIOURAL ADVERTISING BEST PRACTICES
Be Transparent about OBA Practices
• Be clear, comprehensive and concise.
• Describe all personal information collected and for what purposes.
• Provide this information before data collection.
• Use an ad icon, pop-up or just-in-time notice to provide this information, rather than simply hiding it in a lengthy privacy policy.
BEHAVIOURAL ADVERTISING BEST PRACTICES
Provide a User Friendly Opt-Out Mechanism
• Process should be easy.
• Display mechanism prominently on a webpage.
• Opt-out must take effect immediately and be permanent/persistent.
• Provide notice of successful opt-out.
• Ensure the opt-out does not prevent use of other site features (e.g. purchase functionality).
CONSENT TAKE-AWAYS
Organizations must disclose:
1. Actual types of information the website passively collects and how the organization uses this information (e.g. the information collected for targeted advertising, and how to opt out).
2. Technology used to collect this information.
3. Website's practices with third-party advertisers.
4. Whether the organization pairs this information with other types of personal information collected from: the user; third parties; or other sources.
CONSENT TAKE-AWAYS
• Consider whether opt-out or opt-in consent is appropriate depending on information sensitivity, the amount of data collected and combined and the reasonable expectations of affected individuals.
• Where possible, limit collection to non-sensitive data.
• Disclose meaningful risks and benefits.
• Do not use tracking tools that do not enable users to opt out. Provide a clear and easy-to-use opt-out.
INAPPROPRIATE PRACTICES NO-GO ZONES
GUIDELINES ON INAPPROPRIATE DATA PRACTICES
The Office of the Privacy Commissioner has published guidance on Inappropriate Data Practices. These seek to interpret and apply the principle that organizations may only collect, use or disclose personal information in a manner that a reasonable person would consider appropriate in the circumstances - even with consent.
GUIDELINES ON INAPPROPRIATE DATA PRACTICES
Key Recommendations:
1. “No-go Zones” including:
• Using information for unlawful practices - including genetic testing, and using credit score information to target advertising
• Profiling that leads to unfair, unethical, or discriminatory treatment
• Collection, use, and disclosure that is known or “likely” to cause significant harm - including to reputation and relationships or negative effects on one’s credit score
• Publishing information to charge for its removal
• Requesting social media account access for employee screening
• “Surveillance” through the audio or visual functionality on one’s own device
Influencers and Social Media
Love a quick #DuaneReade run? Even @KatieHeigl can’t resist shopping #NYC's favorite drugstore