Credit Score Canada free OnlineCanada Creditworthiness Free Online
The use of Big Data for targeting advertisements may breach Canada's data protection laws.
The Canadian Data Protection Commissioner decided on 7 April 2015 in his Report of Findings #2015-001 against Bell, one of Canada's biggest telecoms operators. Ms. PIPEDA decided that Bell's selective promotional programme was in violation of the Personal Information Protection and Electronic Documents Act (PIPEDA) as Bell had not received sufficient consent to facilitate the distribution of behavioral advertisements from third parties to its clients.
Importantly, the ruling did not consider whether Bell met the requirements of the Telecommunications Act(Canada) and this question is currently before the Canadian Radiocommunications and Telecommunications Commission (CRTC). PIPEDA's objective is to set policies for the gathering, use and dissemination of personally identifiable information in a way that recognises this:
a) the right to individual privacy with regard to their personally identifiable information; and b) the need for companies to gather, use or disclose personally identifiable information for any purpose that a reasonably considered individual would deem appropriate in the particular circumstances. 3. The Commissioner's analyses looked at the sensibility of the information and the appropriate expectation of Bell's clients.
Big Data" is defined as sensible data of a person by the ruling. PIPEDA's 6 offers an explicit opt-in is the appropriate way of opting in when person-related data is likely to be regarded as Sensitive. In the Commissioner's view, the range of information collected from different origins would make the information more fragile in its compilation than the various components of that information.
This was also a matter of person-related information, since the information was stored and could be linked to a particular client. She also examined the background to the information collection and reporting processes. PIPEDA expects companies to consider the individual's appropriate expectation when evaluating what type of approval is appropriate in the given circumstance.
With regard to the Ontario Court of Appeal's ruling, Royal Bank of Canada v. Trang, 2014 ONCA 883, the Commissioner explained that even if personally identifiable information is deemed to be "less sensitive", the person's appropriate expectation, when taken into account in its particular contexts, may be such that explicit approval is called for.
Results highlighted'reasonable expectations' as an objective test of all pertinent contextors as a whole, encompassing the types of service offered by the company and the types of relationships between the company and its clients. Records from the client research that can gauge real expectation cannot be decisive for the individual's appropriate expectation.
She noted that Bell's clients would reasonably anticipate that explicit approval would be necessary, in particular because: (a) Bell collects information from its clients who entrust it with large volumes of personally identifiable information in order to obtain acces to Bell's core business (e.g. wireless, web, telephone and TV communication in Canada); and (b) this information is used for alternative merchandising and enables the provision of third parties' behavioural advertisements.
Therefore, the agreement on the opt-out was not enough. For the purposes of this judgment, it should be stressed that the appropriate individual expectation must first be evaluated before determining the type of assent necessary. Wherever the reasoned expectation assessment concludes that explicit approval is necessary, dispatching alerts on the basis of an implicit approval scheme will not result in a company being in accordance with PIPEDA.
The company claimed that it had adhered to the guidelines of the Office of the Privacy Commissioner for Data Protection and Online Behavioral Promotion ("OBA Guidelines"). OBA guidelines stipulate that approval of the opt-out may be accepted if certain requirements are fulfilled. However, the Commissioner noted that Bell's promotional programme in this area goes beyond the use of data and publicity provided for in the OBA guidelines.
These results made the OBA guidelines clearer and should include specific advertisements in the context of free-online web sites, i.e. non-chargeable products and service that have an existing client relation. Whilst the Commissioner noted that opting out may be appropriate in certain situations, companies should ensure that all elements described in the Commissioner's findings and the pertinent circumstance are taken into account in order to establish the necessary level of approval.
In order for approval to be useful in this regard, Commissioner Bell recommended: obtaining explicit opt-in approval for the practices; ensuring that Bell's customers' understandings of the promotional programme and related decisions are backed up by clear statements containing all pertinent information about the promotional programme. It also found that it is not appropriate for a company to use credit information, including with approval or in aggregate format (e.g. sub-, medium- or above-average loans), to design specific advertisements.
Recording and use of credit information, such as credit rating information from credit bureaus, is explicitly restricted by national law. Once clients had withdrawn their agreement, the Commissioner made it clear that a company had to stop following them and erase their profiles. PIPEDA provides a person who "may revoke his or her permission at any time" for the purpose of collecting, using or disclosing his or her personally identifiable information.
A company that maintains or pursues the information of a client even after leaving the company would be a breach of PIPEDA. In his opinion and guidelines, the Privacy Commissioner also pointed out that "super cookies" or "zombie cookies" should not be used. Commissioner Ferrero-Waldner suggested that agreements with marketers should contain limitations, surveillance procedures and sanctions for infringements in order to prevent unintentional re-identification of persons if marketers find a way to associate advertising profiling information with personal client profiling, which might be possible through the use of cookie, machine fingerprint, bank accounts or other types of information.
It establishes a set of eligibility requirements for PIPEDA to be PIPEDA-aware, behavioral or target-oriented advertisements, which include what information can be used and what communication leads to appropriate and effective approval. Decisions, key word choices, associated evaluation metrics, data security guidelines, employee education programmes, opt-in questionnaires and client profiling must be duly recorded and reviewed by someone who is aware of the sensitivities of the information collected, the technologies used, the appropriate personal expectation, the advertiser agreements and Canada's laws on Privacy, Consumers and Telecommunication.
Results also emphasize the need for prudence when making investments or buying companies that provide big data analysis, promotional and market research in Canada or for Canadians. Duty of care with respect to the contract, data protection practice of the targeted entity (including the necessary documentation processes and personnel education to assure the appropriate use of individuals' personally identifiable information) and technology is necessary to mitigate the risks of acquisition of a business with risks of liabilities arising from non-compliance with Canada's data protection legislation, which could lead to potential lawsuits (including collective actions) and significant expenses for the buyer or an investor.