Is Using Health Information for Interest-Based Advertising Really Off-Limits?

As was widely reported, on January 15, 2013, the Office of the Privacy Commissioner of Canada (OPC) issued a Report of Findings regarding interest-based advertising or online behavioural advertising through Google’s AdSense service.

Reports of the case frequently suggested that Canadian law does not permit the use of “health information” for interest-based advertisements. This is debatable but, in any event, that wasn’t really what the case was about. The issue appears to have been whether Google exercised sufficient due diligence in monitoring its customers.

What the complaint was about

According to the Report of Findings, the complainant searched for a particular type of medical device for sleep apnea. Importantly, the complainant was signed into his Google account when he made those searches. Subsequently, the complainant began to see targeted advertising on other sites relating to his searches.

Google participates in the AdChoices program and advertisements often include the AdChoices icon indicating that the page involves interest-based advertising or OBA. By clicking on the icon, users can opt out of interest-based advertising.

Although the complainant browsed while signed into his Google account (and appears not to have opted out), the complainant argued, according to the Report of Findings, that “he did not provide Google with consent to display his personal medical information in browsers.”

Contextual advertisements versus OBA

Previously, the OPC has distinguished between contextual advertising, which is advertising based on the content of a page, and interest-based or online behavioural advertising (OBA), which is based on “tracking” user interests across websites.

Initially, Google disputed that the advertising was OBA, maintaining instead that it was based on recent or related page content that, according to the Report of Findings, “appeared out of context to the user”. However, Google subsequently appears to have conceded that the advertisements were placed as a result of a Google customer’s AdWords remarketing program.

The AdWords remarketing program allows Google customers to install code provided by Google on their websites. This code installs a cookie ID in the user’s web browser unless the user has opted out of interest-based advertising or OBA. The Google customer can then design an advertising campaign that the user will see on other webpages that use Google’s advertising products. This is interest-based advertising or OBA.

Google’s policy

The problem for Google was that its privacy policy stated it did not use any collected information for advertising based on health:

“[w]e use information collected from cookies and other technologies, like pixel tags, to improve your user experience and the overall quality of our services […] When showing you tailored ads, we will not associate a cookie or anonymous identifier with sensitive categories, such as those based on race, religion, sexual orientation or health”

Although Google requires advertisers to agree to specific policies that prohibit OBA based on “health or medical information”, the customers could use the products in violation of these policies since the customer is in control.

According to the OPC, Google’s practice did not correspond to the actual wording of the privacy policy as outlined above. Moreover, the OPC was of the view that meaningful consent was required. Implied or “opt-out” consent was only permissible for “non-sensitive” information. Health information was “sensitive”.

But is health information really off-limits?

The OPC (perhaps incorrectly) equated implied consent with “opt-out” consent. Leaving aside that debate, it appears that the OPC is reinforcing previous guidance that express consent should be used when conducting interest-based advertising using sensitive information.

Principle 4.3.6 of the Personal Information Protection and Electronic Documents Act (PIPEDA) states:

The way in which an organization seeks consent may vary, depending on the circumstances and the type of information collected. An organization should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive. Consent can also be given by an authorized representative (such as a legal guardian or a person having power of attorney).

Importantly, however, subsection 5(2) of PIPEDA states that “[t]he word “should” […] indicates a recommendation and does not impose an obligation.” Whether a court would agree that express consent is always required even if the AdChoices program is prominently used (and the website Privacy Notice is clear) is open for debate.

What does the future hold in this case?

What is not open for debate is that Google’s privacy policy said that it was not using health information for advertising purposes. Although its customers were doing so in violation of this policy, the OPC concluded that Google did not have a sufficiently rigorous and scalable compliance program to ensure enforcement. Google was, in effect, required to be a gatekeeper.

To remedy this situation, Google undertook initiatives to:

  • reject remarketing campaigns involving the sleep apnea treatment devices;
  • clarify its policies to advertisers;
  • develop new training for internal teams;
  • increase monitoring of advertisers’ remarketing campaigns; and
  • upgrade automated screening systems.

Bottom line?

The bottom line is that the practice of Google’s customers did not comply with Google’s policies and the OPC was not satisfied with Google’s due diligence in enforcing its policies. Whether health information is always off limits to interest-based advertising is not at all clear. The OPC suggests it is, absent express consent; however, whether this view will ultimately prevail on the current wording of PIPEDA is uncertain, particularly if an organization prominently draws its practices to the attention of the consumer and provides an immediate opt-out mechanism. On the other hand, this may be one of those uses of personal information that simply fails the test of reasonableness under subsection 5(3) of PIPEDA.