Privacy in an Interconnected World
What are the Limits?
ACA Conference – Marketing and the Law: Negotiating the Minefield
Toronto: December 6, 2011
Moderator: David Young, Partner,
McMillan LLP
Panelists: Tarik Qahawish, Director, Digital Marketing and
Communications, Aeroplan
Paula Gignac, President, IAB Canada
Bill Hearn, Partner, McMillan LLP
2
PRIVACY ON THE INTERNET
Do privacy laws / principles apply to the Internet?
Expectation of privacy – How do users experience privacy?
Privacy Model –
• Rights protected
• Protection mechanisms (e.g. consent)
• Balancing rules with other considerations (e.g. innovation;
user benefits; web site finance)
How does this experience map into existing privacy frameworks?
How does privacy compliance evolve beyond links to legalese?
Should users’ experience of privacy online equate to what they
expect offline?
CONFIDENTIAL — NOT FOR DISTRIBUTION
PRIVACY IN AN INTERCONNECTED WORLD WHAT ARE THE LIMITS?
TARIK QAHAWISH
Director, Digital Marketing & Communications
MARKETING AND THE LAW: NEGOTIATING THE MINEFIELD
6 DEC, 2011
Title of the presentation - CONFIDENTIAL
4
CONSUMER ATTITUDE TOWARDS PRIVACY
• 2011 Canadians and Privacy Survey*
– 55% of Canadians expressed privacy concerns related to social networking sites, while only one in ten (10%) were not concerned and a third (33%) were somewhat concerned.
– However, 64% felt that these sites provided them with the options or settings they needed to protect their privacy and 80% had changed the default settings to increase their privacy protection.
• Aeroplan Panel Research on Member Privacy
– 95% of members surveyed agreed that Aeroplan protects their privacy
– How would you rate aeroplan.com on security & confidentiality? 64% checked the top 3 boxes (1= Poor and 10= Excellent)
* Harris/Decima Survey presented to the Office of the Privacy Commissioner of Canada – Mar 31, 2011
5
DATA TRACKING TODAY
• Web Personalization Today Leverages:
– Web site traffic analytics tools, cookies, shopping recommendation engines, wisdom of the crowd.
– Transactional & demographic data from Customer Data Warehouse
– All designed to personalize & improve the user experience on the Web and deliver relevant offers
• Behavioural Targeting or Remarketing Extends the Personalization
6
DATA TRACKING TODAY
• Data Exchanges & Real Time Bidding
– 3rd party tracking technologies (e.g., beacons, flash cookies, pixels) are installed on Internet users’ computers
• Top 50 US websites on average install 64 pieces of tracking technology onto the computers of visitors [1]
– Data exchanges package the data into profiles about individuals, without determining a person's name, and sell them for ad targeting.
– Most provide users the ability to see what they monitor and opt out
– Accounts for 10% of banner ad spend in Canada
[1] WSJ – The Web’s New Gold Mine – Jul 30, 2010
7
DATA EXPLOSION
[Figure: Ghostery.com cookie & beacon list from a financial site]
8
SOCIAL INTEREST GRAPH
• EXPLOSION OF CONSUMER DATA FROM NEW DIGITAL MEDIA
– Over 1 million sites have social plug-ins installed (e.g., “Like”, “Share”, “Check-in”)
– Facebook Connect provides sites with a wealth of information; most don’t know what to do with it.
– Social Open Graph brings along the user’s friends, their interests and profiles, and helps brands become part of the social circle.
– Social networks want sites to use the data in order to:
• Showcase their value outside their network
• This in turn helps users feel more comfortable and gives them a reason to provide even more data
• More data means better targeting on the social network’s own ad platform
• WHO OWNS THE DATA?
– Consumer?
– Social network?
– Web site?
– Cloud Storage provider?!?
9
SOCIAL INTEREST GRAPH
10
BEST PRACTICE
DON’T BE CREEPY
– Behavioural targeting shouldn’t use personal information
– Don’t be a stalker and follow the user everywhere (e.g., Zappos)
AVOID IMPRESSION FATIGUE
– Limit the length of the Remarketing period to an appropriate time
– Start with small tests, optimize and build on them
LESS DATA IS MORE
– Use data you can store and avoid too much reliance on Cloud Storage
– Over profiling or modeling can be a vicious circle
PROVIDE VALUE IN RETURN
– Clearly identify the value to the user when requesting social media data
Copyright © 2011 Interactive Advertising Bureau of Canada
12
OBA Self-Regulatory
Program
Presented by
Paula Gignac, President, IAB Canada
13
The Association Coalition Behind The Program
•L’Association des agences de publicité du Québec (AAPQ)
•The Association of Canadian Advertisers (ACA)
•Advertising Standards Canada (ASC)
•Le Conseil des directeurs médias du Québec (CDMQ)
•The Canadian Marketing Association (CMA)
•The Canadian Media Directors’ Council (CMDC)
•The Interactive Advertising Bureau Of Canada (IAB Canada)
•Institute of Communication Agencies (ICA)
14
Canada’s Advertising Industry Self-Regulation
Framework For Online Behavioural Advertising
• Transparency
• Provide Consumers with immediate notice when the
Websites that they are visiting are supplying them with
Online Behavioural Advertising
• Education
• Provide Consumers with one-click access to clear and
concise Web-based educational information about
Online Behavioural Advertising
• Choice
• Provide Consumers with education & one-click access
for a full opt-out of Online Behavioural Advertising
• Accountability
• Ensure that Consumers’ opt-out preferences are
retained over the long-term
15
Implementation Examples
16
The OBA Opt-Out Tool
17
Timeline For Program Implementation
•Q1 2012 - Educational Webinars
•Q2 2012 – Various Publishers Begin Implementation
19
The Law and Self-Regulatory
Principles for Behavioural
Advertising
Bill Hearn, Partner, McMillan LLP
Overview
– What is behavioural advertising and what are the main consumer protection
concerns raised by it?
– What does Canadian law say about behavioural advertising?
– How has industry responded in Canada and elsewhere to the concerns of
consumers and regulators?
– How have regulators in Canada and elsewhere weighed in on behavioural
advertising?
20
What is Behavioural Advertising?
– OPC Definition: “…consists of tracking consumers’ online activities over time in
order to deliver advertisements that are targeted to individuals’
inferred interests”*
– Also sometimes called online behavioural advertising (OBA) or interest-based
advertising (IBA)
* From Report on 2010 OPC Consultations on Online Tracking, Profiling and Targeting, and Cloud
Computing – Draft October 2010 and Final May 2011
21
Downside and Why Regulators &
Some Consumers Are Concerned
– Canadians generally wary about the collection of their personal information online
– Under Canadian privacy laws, “personal information” means “information about
an identifiable individual and includes age, name, income, ethnic origin, opinions,
comments, preferences, social status … but does not include the name, title or
business address or telephone number of an employee of an organization”
– Findings from OPC-Commissioned Canadians and Privacy Surveys
• 2009: 90% of respondents concerned about the impacts of new technologies
• 2011: 83% of respondents said Internet companies should ask their customers
for permission to track their online behaviour and Internet usage
22
Downside and Why Regulators &
Some Consumers Are Concerned
– Increasingly sophisticated forms of technology
– Provide for tracking of online and offline activities
– Privacy concerns and the issue of informed, meaningful consent to
track
23
Downside and Why Regulators &
Some Consumers Are Concerned
– Security concerns regarding the safe collection and retention of
sensitive personal information
– e.g., SIN number, home address, financial account number, geographic location,
personal history
– Lack of consumer education and knowledge about the risks involved
and corresponding privacy rights
24
What does Canadian law say?
– Technology leading consumer protection law in new directions
– Classic case of law catching up to new technologies
– That said, in many instances, existing law can still be applied to
address consumer protection concerns
– And new laws are on the horizon – e.g., CASL
25
What does Canadian law say?
The starting point - addressing the “privacy” concern …
– Privacy Laws
– The collection, use and disclosure of personal information for commercial purposes
by private organizations in Canada is governed by the Personal Information
Protection and Electronic Documents Act (PIPEDA)
– British Columbia, Alberta and Quebec have legislation “substantially similar” to
PIPEDA regulating the private sector
26
What does Canadian law say?
– Privacy Laws
– PIPEDA and these provincial laws (collectively, “Privacy Laws”) provide that:
• Private organizations may only collect, use or disclose personal information
– for purposes that are reasonable, and only to the extent necessary to fulfil
those purposes
– when they have notified the individual of the purposes for the collection and
with the consent of the individual whose information is being collected, used
or disclosed (unless one of the exceptions applies and consent is not
necessary)
• The consent must be informed, meaning the organization has informed the
individual of the reason the information is being collected, how it is going to be
used, and to whom it may ultimately be disclosed
27
What does Canadian law say?
– Privacy Laws
– Compliance with Privacy Laws when carrying out behavioural advertising requires
that:
• the consumer’s knowledge and consent have been obtained
• the personal information gathered is only for the purposes identified
• the personal information gathered is only used or disclosed as is necessary
• any collection, use and disclosure of information is reasonably needed to carry
out the purposes required
• there is a privacy compliance program in the organization to address the
collection, use and disclosure of personal information for behavioural advertising
28
What does Canadian law say?
– Privacy Laws
– Consequences for not complying with PIPEDA:
• OPC may investigate or audit organization’s privacy practices and issue public
report detailing findings … but OPC has no power to make binding orders
• OPC or individual may apply to Federal Court seeking the imposition of fines,
sanctions, criminal liability, and/or civil damages (including those for humiliation –
there is no monetary ceiling on such damages)
29
What does Canadian law say?
Addressing the “deception” concern …
– Federal Competition Act
– Is a behavioural advertising campaign implemented without the knowledge
and consent of consumers “deceptive advertising” under Canadian
competition law?
• No one shall, for the purpose of promoting a product or business interest, make
a representation to the public that is deceptive in a material respect
• Don’t need to prove any consumer was actually deceived
• General impression and literal meaning taken together govern
• Even if only inadvertently contravened, the civil sanctions may still be substantial
monetary penalties of up to $10 million (for first contravention) and up to $15
million (for each subsequent contravention)
• If knowingly or recklessly contravened, the criminal sanctions may be up to 14
years in jail, an unlimited fine, or both
– Also a risk of civil liability for damages in a private action by class of
disgruntled consumers
30
What does Canadian law say?
Addressing the “deception” concern
– Provincial/Territorial Consumer Protection Laws
– Is a behavioural advertising campaign implemented without the knowledge
and consent of consumers an “unfair practice” under Ontario’s Consumer
Protection Act (CPA)?
• “Unfair practice” includes a deceptive representation … e.g., one that fails to
state a material fact that tends to deceive … or one that misrepresents the
purpose of any communication with a consumer
• Engaging in an “unfair practice” is an offence under the CPA
• Note: CPA applies to “suppliers” in Ontario even if targeting only consumers
outside Ontario
31
What does Canadian law say?
Addressing the “deception” concern
– Provincial/Territorial Consumer Protection Laws
– Is a behavioural advertising campaign implemented without the knowledge
and consent of consumers an “unfair practice” under Ontario’s Consumer
Protection Act (CPA)?
• A convicted company could be fined up to $250K and its directors and officers
fined up to $50K, jailed for up to two years less a day, or both, unless they have
taken reasonable care to prevent the offence
• A court may also order the convicted company and/or its directors and officers to
pay compensation to affected consumers
– Remember also to comply with any unique aspects of the consumer
protection laws in other provinces/territories – especially Quebec’s
Consumer Protection Act (consider adopting highest common denominator)
32
What does Canadian law say?
– Canada’s Anti-Spam Law (CASL)
– Requires consent before sending commercial electronic messages
– Prohibits the collection of personal information via unlawful access
to computers or unauthorized collection of electronic addresses
– Anticipated to come into force by Q2 2012 following passing of
revised draft CASL Regs (not yet published)
– Substantial penalties and multi-faceted enforcement mechanisms –
3 agencies involved: CRTC (CASL), Competition Bureau
(Competition Act) and OPC (PIPEDA) with Industry Canada playing
an oversight role as National Coordinating Body
33
How is industry responding?
– Self-Regulatory Principles & Guidelines – Chronology
– 2008 NAI Principles: The Network Advertising Initiative's Self-Regulatory
Code of Conduct
– [FTC Staff Report: Self-Regulatory Principles for Online Behavioral
Advertising (February 2009)]
– World Federation of Advertisers: Global Principles for Self-Regulation in
Online Behavioral Advertising (June 2009)
– Digital Alliance Initiative (DAA) Self-Regulatory Principles for Online
Behavioral Advertising (July 2009)
34
How is industry responding?
– Self-Regulatory Principles & Guidelines – Chronology
– Coalition of Canadian Associations (i.e., AAPQ, ACA, ASC, CDMQ, CMA,
CMDC, IAB Canada, ICA) (the “Coalition”) starts developing framework
for industry self-regulation of behavioural advertising in Canada (June
2009) and announces framework (March 2010 and again August 2011)
– Canadian Marketing Association (CMA) – Addition to Code of Ethics to
address concerns with behavioural advertising (December 2010)
– World Wide Web Consortium (W3C) First Draft of Proposed Standards for
Implementing “Do Not Track” Online (November 2011 – Final due
summer 2012)
– Coalition through IAB Canada launches behavioural advertising program
and opt-out tool with Q1-Q2, 2012 timeline for implementation (December
2011)
35
How is industry responding?
Self-Regulatory Principles & Guidelines -
Comparing the Details
36
How is industry responding?
– Self-Regulatory Principles & Guidelines
– 2008 NAI Principles: The Network Advertising Initiative's Self-
Regulatory Code of Conduct (2008)
• NAI first developed guidelines in 2000 and have periodically updated them
• Code requires NAI member companies to comply with certain notice, choice,
use, limitation, access, reliability and security requirements which include
– Disclosing their behavioural advertising practices in their privacy policies
– Offering an easy-to-use opt-out link
37
How is industry responding?
– Self-Regulatory Principles & Guidelines
– World Federation of Advertisers: Global Principles for Self
Regulation in Online Behavioural Advertising (June 2009)
• Crisp one pager espousing seven global principles:
– Education
– Transparency
– Consumer control
– Data security
– Material changes
– Sensitive data
– Accountability
38
How is industry responding?
– Self-Regulatory Principles & Guidelines
– DAA’s Self-Regulatory Principles for Online Behavioural
Advertising (July 2009)
• Largely mirror FTC’s February 2009 Principles – i.e., that consumers should
understand the behavioural advertising uses of their data and more easily find
and use a persistent opt-out mechanism
• On October 4, 2010, the DAA announced the implementation of its industry
principles into practice through a Self-Regulatory Program for Online
Behavioural Advertising (the “DAA Program”)
39
How is industry responding?
– Self-Regulatory Principles & Guidelines
– DAA’s Self-Regulatory Principles for Online Behavioural Advertising (July
2009)
• The DAA Program includes the following main components:
– Participants must display an icon and accompanying language to inform
consumers about data collection and use practices (e.g., the icon
indicates that the advertising is targeted and constitutes behavioural
advertising)
– A single, industry-developed website that allows consumers to opt out of
behavioural advertising practices of companies participating in the DAA
Program
– A website dedicated to informing consumers about behavioural
advertising and the DAA Program
– Mechanisms for accountability and enforcement of the DAA Program
– Campaigns for greater consumer education about behavioural
advertising
40
How is industry responding?
– Self-Regulatory Principles & Guidelines
– With the Coalition of Canadian Associations having designed a
self-regulatory framework for behavioural advertising based on the
four elements of transparency, education, choice and
accountability (work having started in June 2009 leading to the
framework being announced in March 2010 and again in August
2011), IAB Canada launches behavioural advertising program and
opt-out tool with Q1-Q2, 2012 timeline for implementation
(December 2011)
41
How is industry responding?
– Self-Regulatory Principles & Guidelines
– Addition to the Canadian Marketing Association (CMA) Code of
Ethics to address concerns with behavioural advertising
(December 2010)
• Acknowledges that web browsing data may be considered personal
information to which Canadian privacy laws apply
• Recommends exercising transparency, and obtaining appropriate consent
from consumers, regarding behavioural advertising practices
• Recommends that marketers not engage in behavioural marketing aimed at
children under 13 except where express opt-in consent has been obtained
from child’s parent/guardian
42
How is industry responding?
– Industry Standards
– Technology initiatives designed to empower consumers, specifically
browser implementation of do-not-track functionality
– World Wide Web Consortium (W3C): proposed standards for
implementing “Do Not Track” online – first draft released in November
2011; final due out by summer of 2012
• Working Group includes Google, Facebook, Microsoft, IBM, Mozilla and
several big privacy organizations including the US-based Centre for
Democracy and Technology and Electronic Frontier Foundation, and several
interactive advertising organizations
• US FTC and German independent Centre for Privacy Protection also advising
Group
43
How is industry responding?
– Industry Standards
– W3C’s Proposed Do-Not-Track Standards
• Striving to “balance needs of privacy-conscious consumers with the data-
collection demands of online advertising by matching expectations of users”
• Tracking Preference Expression Standard - How consumers can express
their tracking preferences (i.e., how a browser can tell a website that a user
wants more privacy)
• Tracking Compliance and Scope Specification Standard - How websites
and their affiliates will acknowledge those preferences (i.e., how websites
should comply with Do Not Track preferences)
44
How Canadian Regulators Are Responding
– Nothing from federal Competition Bureau or provincial/territorial
consumer protection regulators – e.g., Director under Ontario’s Ministry
of Consumer Services
– Not surprising if industry’s self-regulatory principles have addressed the
possible “deception” issue with “transparency” and “education”
– Federal OPC continues to lead on “privacy” concerns
45
How OPC Is Responding
– OPC Investigation of Facebook (2010)
– Recognized distinction between “contextual” advertising (delivered in response to
current online activities without collection and retention of personal information – e.g.,
a user visits a holiday site and while on that site receives advertising for hotels in the
area) and “behavioural” advertising (which entails the collection and retention over
time of personal data and involves consumer tracking)
– Concluded that behavioural advertising is more intrusive than contextual advertising
because it targets activities and connects them to identity
– Resulted in Facebook developing simplified privacy settings and rolling out a
permission-based model whereby applications inform users of the categories of
data they require to run and seek consent to access and use this data
46
How OPC Is Responding
– OPC’s Reports on Online Tracking, Profiling and
Targeting, and Cloud Computing – Draft (October
2010), Final (May 2011)
– Organizations that engage in behavioural advertising should collect
personal information only for reasonable and appropriate purposes
– Organizations that track the online activities of Canadian consumers should
be upfront about their practices
– Consumers must provide meaningful informed consent before profiling and
targeting technologies using their personal information are implemented
– Supports the permission-based model and use of technical controls to
ensure access only to information specifically requested
47
How OPC Is Responding
– OPC’s Reports on Online Tracking, Profiling and
Targeting, and Cloud Computing – Draft (October
2010), Final (May 2011)
– Individuals should feel comfortable creating online profiles and engaging on
social networking websites without becoming unintended consumers
– Data must expire as PIPEDA is clear that personal information can only be
kept as long as it is needed
– There is a need to address the serious issue of tracking the personal
information and online activities of children
48
How OPC Is Responding
– OPC Issues Guidelines for Behavioural Advertising
– New guidance document, to be released December 6, 2011, to help
organizations involved in behavioural advertising ensure their
practices comply with PIPEDA
– Will also help consumers know their rights under PIPEDA
49
How Other Regulators Are Responding
– US FTC Staff Report: Self-Regulatory Principles for Online Behavioral
Advertising (February 2009)
– US FTC Preliminary Staff Report: Protecting Consumer Privacy in an
Era of Rapid Change - Proposed Framework for Businesses and
Policymakers (December 2010)
– EU Directive, with effect May 25, 2011 and subject to one narrow
exception, requires companies with European customers to get
informed consent from such visitors to their websites in order to use
cookies
– Australia’s Privacy Commissioner also engaged – i.e., released Fact
Sheets on behavioural advertising (May 2011)
50
How Other Regulators Are Responding
Comparing the Details
51
How Other Regulators Are Responding
– US FTC Staff Report: Self-Regulatory Principles for
Online Behavioral Advertising (February 2009)
– Report set out advisory principles for self-regulation and followed consultations in
November 2007 and the issuance for public comment by FTC staff of a set of
proposed principles designed to serve as the basis for industry self-regulatory efforts
– The principles called for:
• transparency and consumer control
• reasonable security for consumer data
• companies to obtain “opt-in” (i.e., affirmative express) consent from consumers:
– before they use data in a manner that is materially different than promised
at the time of collection and
– before they collect and use “sensitive” consumer data for behavioral
advertising
52
How Other Regulators Are Responding
– US FTC Staff Report: Self-Regulatory Principles for
Online Behavioral Advertising (February 2009)
– “First party” advertising (i.e., advertising by and at a single website – where no data is
shared with third parties) is more likely to be consistent with consumer expectations
and less likely to lead to consumer harm than other forms of behavioral advertising;
includes first party data collection and analysis for website optimization (analytics)
– Also less likely to be invasive is “contextual” advertising (i.e., advertising based on a
consumer’s current visit to a single web page or a single search query that involves
no retention of data about a consumer’s online activities beyond that necessary for
the immediate delivery of an ad or search result)
– FTC concluded the principles did not need to cover these practices
53
How Other Regulators Are Responding
– US FTC Preliminary Staff Report: Protecting Consumer Privacy in
an Era of Rapid Change - Proposed Framework for Businesses
and Policymakers (December 2010)
– Follows consultations in 2010, provides a preliminary indication on how the FTC
believes consumer privacy should be protected going forward, and proposes new
framework for addressing the commercial use of commercial data building on the
notice-and-choice model and the harm-based model
54
How Other Regulators Are Responding
– US FTC Preliminary Staff Report: Protecting Consumer Privacy in
an Era of Rapid Change - Proposed Framework for Businesses
and Policymakers (December 2010)
– Endorses Ontario Privacy Commissioner’s “Privacy by Design” and “Privacy Payoff”
concepts – i.e., that companies should systematically build consumer privacy
protections into their everyday business practices, such protections to include:
• Providing reasonable security for consumer data
• Collecting only the data needed for a specific business purpose
• Retaining the data only for as long as necessary to fulfill that purpose
• Safely disposing of data no longer being used
• Implementing reasonable procedures to promote data accuracy
55
How Other Regulators Are Responding
– US FTC Preliminary Staff Report: Protecting Consumer Privacy in
an Era of Rapid Change - Proposed Framework for Businesses
and Policymakers (December 2010)
– Proposes that companies provide choices to consumers about their data practices in
a simpler, more streamlined way than has been the case in the past
– Proposes measures for companies to make their data practices more transparent to
consumers including making privacy policies clearer, more concise and easier-to-
read
– Proposes providing consumers with reasonable access to the data companies
maintain about them
56
How Other Regulators Are Responding
– US FTC Preliminary Staff Report: Protecting Consumer Privacy in
an Era of Rapid Change - Proposed Framework for Businesses
and Policymakers (December 2010)
– Proposes that stakeholders undertake a broad effort to educate consumers about
commercial data practices and the choices available to them so as to facilitate
“competition on privacy” across companies
– Supports development of a do-not-track mechanism and better tools that allow
consumers to control the collection and use of information collected online
• For instance, by placing a persistent setting, similar to a cookie, on a consumer’s
browser, signaling the consumer’s choices about being tracked and receiving
targeted ads
57
How Other Regulators Are Responding
– US FTC Preliminary Staff Report: Protecting Consumer Privacy in
an Era of Rapid Change - Proposed Framework for Businesses
and Policymakers (December 2010)
– FTC believes it does not have legal authority to develop and implement a do-not-
track requirement indicating it must be accomplished through legislation or private
sector efforts
– Two of the five FTC Commissioners, while concurring with the Staff’s Preliminary
Report, have expressed reservations about a do-not-track mechanism (i.e., that it is
premature, may not be technically feasible but if so, should be opt-in)
– Final Report likely to be issued by end of Q1 2012
58
How Other Regulators Are Responding
– EU Regulatory Developments, 2011
– A recent EU Directive (with Pan-EU effect as of May 25, 2011) requires companies
with European customers to get informed consent from such visitors to their websites
in order to use cookies; the only exception to this rule is where website operator is
doing something that is “strictly necessary” for a service specifically requested by the
user
– Old EU law required website operator only to tell website users how the operator
uses cookies and how users can “opt out” if they object
– The UK Information Commissioner’s Office (ICO) has published guidance on
compliance from a UK perspective
59
How Other Regulators Are Responding
– EU Regulatory Developments, 2011
– ICO’s Guidance includes that:
• Information must be provided about a cookie before a cookie is set for the first
time
• Once consent is obtained, a website operator need not seek consent again for
the same person each time the same cookie (for the same purpose) is used in
the future
• The “strictly necessary” exception is a narrow one – e.g.,
– it allows a website operator to place a cookie on a user’s computer when
the user has chosen the goods they wish to buy, clicks “add to basket”, and
the website “remembers” what the user chose on a previous page
– it does not allow a website operator to place a cookie just because the
website would be more attractive if it remembered users’ preferences or
because the operator wishes to collect statistical information about use of
the website
60
How US Legislators Are Responding
– Three bills have been introduced in Congress in 2011 to deal with online
tracking:
– Do Not Track Me Online Act (February 2011)
– Do-Not-Track Online Act of 2011 (May 2011)
– Do Not Track Kids Act of 2011 (May 2011)
– “The narrow scope of these bills, together with the support of the do-not-
track mechanism derived from the success of the Do-Not-Call Registry,
makes them compelling candidates for action this term.”
– Morrison & Foerster LLP, July 2011
61
Summary
Coalition of Canadian Associations – 4 Elements of Framework
1. Transparency
– Provide consumers with immediate notice when websites they are visiting are
supplying them with behavioural advertising. This notice can be provided via an
icon placed on the behavioural ads themselves or in other prominent areas on the
websites being visited
2. Education
– Provide consumers with one-click access to clear and concise web-based
educational information about behavioural advertising so consumers may learn:
– The nature of these practices
– How and when their privacy is protected within various targeted advertising
processes
– How to protect themselves in areas on the Internet that represent security
risks to their privacy
62
Summary
Coalition of Canadian Associations – 4 Elements of Framework
3. Choice
– Educate consumers with practical skills (e.g., how to use privacy settings, control
cookies by altering browser preferences, delete an account, use pseudonyms) and
give them one-click access for full opt-out of behavioural advertising should they
desire to do so
4. Accountability
– Develop and maintain an accountability program to ensure that consumers’ opt-out
preferences are retained over the long-term
– Program to include an independent consumer complaint mechanism to be
developed in consultation with Advertising Standards Canada (ASC)
63
Some Conclusions
– Main consumer concerns are protection of privacy and protection against
deception
– Canada’s privacy laws can be applied to address consumer privacy concerns
– Canada’s competition and consumer protection laws can be applied to address
consumer deception concerns
– Industry has responded in Canada and elsewhere with self-regulatory principles,
guidelines and standards
– Regulators have responded in Canada and elsewhere with consultations,
investigations and guidelines
– Some legislators have responded with proposed new laws
– This body of law and the self-regulatory principles, guidelines and standards will
likely remain fluid and grow for some time
64
CONCEPTIONS, EXPECTATIONS &
LIMITATIONS
What do we mean by “privacy” on the Internet?
• Definitional gaps
• Generational gaps
• Expectation Gaps
• Social Networks v. Online Shopping v. Online Targeted Advertising v.
Online e-mail
• Just how private is “Private browsing”?
65
CONCEPTIONS, EXPECTATIONS &
LIMITATIONS (cont’d)
User Knowledge and the User Experience
• What is going on behind the scenes?
• Do users fully understand the processes and
the players involved in online advertising? In
social networking? Do they care?
• The manner in which users are made to
understand how their personal information is
being accessed and used online.
66
ISSUES
The Social Web --
• What does this mean?
• Is the Social Web different from Social Networks?
• What does the Social Web ecosystem look like?
• authentication
• Content
• third party developers
• advertising
• What is the user experience?
67
ISSUES (cont’d)
Data Mining
• What is it?
• Data-based decision-making
• Conflicts with privacy?
• User expectations
• Commodification of data
68
ISSUES (cont’d)
• “Personal Information” vs. “Personally Identifiable
Information”
• Location-based marketing
• Facial recognition
• photo-tagging
• predictive messages
• personally-directed messages
69
PRIVACY AND INNOVATION
Generative v. Closed Systems
• Regulators like gatekeepers
• How does this relate to privacy regulation?
Privacy user experience
• What should privacy controls look like?
• Can there be too much choice?
• How do we design the social web in a way that
looks like real life?