The Office of the Privacy Commissioner of Canada (OPC) just published a finding into a complaint made by an individual with sleep apnea. The individual had been searching for information about Continuous Positive Airway Pressure (CPAP) devices (devices that essentially force you to continue breathing while you sleep), and was unimpressed when he started to receive ads for CPAP machines on various websites.
Through its investigation the OPC confirmed that the ads were placed through the Google AdSense service, which allows for both contextual and interest-based advertising. Not surprisingly, the OPC found the use of the service to deliver targeted ads for CPAP devices to be a violation of PIPEDA. According to the OPC’s Policy Position on Online Behavioural Advertising, behavioural advertising can only occur with implied/opt-out consent where non-sensitive information is involved. Sensitive information, e.g., that related to a medical condition, requires express, opt-in consent.
Although Google initially argued that the ads were more “contextual” than interest-based, the deciding factor for the OPC was that the ads were based on past activity online. During the course of the investigation it was revealed that the ads were in fact delivered as part of a remarketing campaign. The OPC recommended that “Google ensure that no sensitive interests will be used to deliver advertisements without express consent.”
However, a further complicating factor is that there are differing opinions on what is and is not “sensitive”. Although tracking and targeting based on sleep apnea may be considered sensitive in the Canadian context, it may be less so in the U.S.
For example, the Digital Advertising Alliance Self-Regulatory Principles for Online Behavioral Advertising state that:
“Entities should not collect and use financial account numbers, Social Security numbers, pharmaceutical prescriptions, or medical records about a specific individual for Online Behavioral Advertising without Consent.”
This would not appear to preclude an advertiser from collecting information about a medical condition such as sleep apnea. Interestingly, Google indicated that it had previously received complaints about retargeting of CPAP devices, and, before the involvement of the OPC, “these complaints would have been reviewed and determined to be compliant with its policies, and therefore permitted to continue.”
The Canadian version of the Principles is markedly less permissive, stating that:
“Entities should not collect and use sensitive Personal Information for Online Behavioural Advertising without consent, as required and otherwise in accordance with applicable Canadian privacy legislation.”
It is the OPC’s position that any health or medical-related information is sensitive for the purposes of PIPEDA, and therefore subject to a higher standard of consent.
The OPC ultimately concluded that the complaint was well-founded and conditionally resolved, based on, among other things, Google’s undertaking to amend its policies, training, and monitoring of how its services are used. According to the OPC, the tools for monitoring and enforcing compliance in place at the time of the complaint were “not scalable and had demonstrable shortcomings.”
It is worth noting that Google seems to have borne all of the responsibility in this matter, with no discussion of how users of Google AdSense may also be accountable. This is despite the fact that “malicious advertisers continuously work to subvert or avoid its compliance mechanisms.” Although this is an interesting finding, we are only beginning to scratch the surface of OBA in Canada.