Archive for the ‘PIPEDA’ Category

27 May 2016

Required reading for email marketers: a case study in how not to collect and use e-mail addresses



Our Office recently concluded an investigation that has resulted in two important firsts along with some key lessons learned for businesses conducting e-mail marketing.

The investigation represents our first action taken under the “address-harvesting” provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA) introduced by Canada’s anti-spam law (CASL). It also resulted in the implementation of our first compliance agreement, a new tool made possible by changes to PIPEDA introduced by the Digital Privacy Act.



11 May 2016

Mending the consent model: A call for solutions



We all encounter scores of user agreements when we go online. Do you read the full terms and conditions governing your use of a site, or do you just hit the “I accept” button and surf on?

If you were to read everything, research suggests you’d be spending more than 10 full, 24-hour days of your life every year immersed in privacy policies and related legalese. If you’re more inclined to skip that stuff and hit “OK”, then know that you’re explicitly allowing the organization to collect, use and share your personal information, exactly as it said it would in that fine print you ignored.

Providing meaningful consent is a cornerstone of Canada’s federal private sector privacy legislation.



18 Mar 2016

We want to hear from you about….


Creating and Controlling your Online Reputation

“You are, without doubt, the worst pirate I’ve ever heard of,” sneers Commodore Norrington, the local military boss, in a scene from Pirates of the Caribbean.

Our hero, Jack Sparrow, is miffed but for an instant.

“Ah!” he crows, “but you have heard of me!”

In our celebrity-soaked culture, reputation is everything. It may be good or—as in Captain Sparrow’s case—bad, but never indifferent. Invisibility, the lack of an online identity, is the new no-no of our times.

And so, in an effort to build and burnish a pleasing reputation, we put it all out there. We post comments and status updates, pictures, tweets, blogs and videos. We tell our friends—and sometimes everybody—where we are, what we’re seeing, reading and eating, what we’re thinking and drinking.

We have no secrets. The world, to paraphrase Jack Sparrow, has heard of us; anonymity is dead.



2 Sep 2015

Who did it better? A look at children’s apps/websites and the privacy protective controls on offer


Children are more connected than ever and often miles ahead of their parents when it comes to navigating the Internet and mobile applications (apps).

They’re also among our most vulnerable demographic groups and, in their quest to access their favourite game or social network, they may be apt to give out personal information without any thought to the potential privacy ramifications.

For this reason, the Global Privacy Enforcement Network made Children’s Privacy the theme of its 3rd annual Privacy Sweep.

The Office of the Privacy Commissioner of Canada, along with 28 other privacy enforcement authorities across the country and around the globe, assessed the privacy communications and practices of some 1,494 websites and mobile apps.

The goal: to find out which of them collect personal information, what type of personal information they collect, whether protective controls exist to limit the collection and whether a simple means to delete account information exists.

By briefly interacting with the websites and apps, the exercise was meant to recreate the consumer experience – in this case, the experience of children under the age of 12. Our sweepers, who included a number of adult volunteers as well as nine children, ultimately sought to assess privacy controls based on four key indicators:

  1. Collection of children’s data: Does the app/website collect children’s personal information and if so, what information is collected? (Ex. Name, email, date of birth, address, phone number, photo/video/audio.) Does a privacy policy or other privacy communications exist and if so, does it clearly explain the app/website’s personal information handling practices?
  2. Protective controls: Do protective controls exist and do they effectively limit the collection of personal data? (Ex. Prompts for parental involvement, warnings when leaving the site, pre-made avatars/usernames, moderated chats/message boards to prevent inadvertent sharing of personal information.) Are privacy communications tailored to children? (Ex. Simple language, large print, audio, animation.)
  3. Means to delete account information: Is there a simple means for deleting account information?
  4. Overall concerns about a child using the app/website: Overall, would I be comfortable with a child using this app/website?

In total, our Office examined 172 websites and mobile apps for both Android and iOS platforms. We focused on websites and apps that are targeted at or popular among children 12 and under.

Some 118 websites and apps appeared to be targeted directly at children, while 54 were considered popular among them. In other words, while designed for older audiences or audiences of all ages, children are said to be frequent users of these apps and websites.

The bulk of websites and apps swept were based in Canada and the United States. Our Sweep included a significant number of games and educational websites and apps, as well as leisure websites and apps hosted, for example, by museums or zoos. Traditional and social media apps and websites rounded out the list.

Before delving in, let’s be clear on a few points: Since apps and websites are constantly evolving, it’s best to think about our results as a snapshot in time. Also note that the Sweep was not a formal investigation. We did not seek to conclusively identify compliance issues or possible violations of privacy legislation. This was not an assessment of an app or website’s overall privacy practices, nor was it meant to provide an in-depth analysis of the design and development of the apps or websites examined.

Instead, we have compared and contrasted some of the web/app features and privacy practices that we found to be particularly kid-friendly, with those we felt could benefit from some “child-proofing.” We learned a lot and hope these concrete examples will help Canadians, as well as website and app developers, better understand our conclusions.

The moderated message/chat function:

Moderated message/chat functions ensure contributions are vetted before they are posted publicly. Items may be vetted for content but also for personal information as free-text portals can open the door to the inadvertent sharing of potentially sensitive details.

Family.ca, a site clearly targeted at children, indicated its message board feature was moderated. Our Sweepers put that claim to the test by attempting to post a message that included a full name, age and hometown. A day later, here’s the modified message that went public:

Family.ca image. Moderated message/chat function works effectively. Message was changed to exclude personal information.

As you can see, the site even cropped the username to “victorg.” Nice catch Family.ca.

We attempted the same experiment with Lego.com. As you can see, the moderator informed us that it had rejected our post for privacy reasons. Awesome moderating decision master-builder Emmet!

Lego.com image.

Kudos to Family.ca and Lego.com which have shown how a little moderation can go a long way!

By contrast, Moviestar Planet is an example of a social networking app targeted specifically at kids that displays little self-control. While the app said it is moderated for content, children were free to post selfies with titles asking, for example, others to rate them “hot or not.” Not the sort of thing you might necessarily want out there on the Internet when you grow up. We won’t display those images to protect the privacy of the children, but you can also see how our sweeper was able to include a whole lot of personal information in the free-text chat function. Big no no! What’s stopping kids from entering their address, school or where they plan to be that afternoon?

Moviestar Planet image.

Meanwhile, sweepers noticed that websites/apps that are popular among children may moderate for certain content but not to ensure that children aren’t sharing personal details about themselves online. The website for FIFA, soccer’s governing body and a site popular with soccer fans of all ages, for instance, moderates its site to ensure that there are no violations of the Terms of Service. But as you can see below, our sweeper was able to state his age and location. Therefore this reference to moderation has more to do with the appropriateness of the content . . . You know how partisan soccer fans can get!

FIFA image.

The website’s Terms of Service also states that it is the responsibility of parents to supervise their children’s activities on the site and that appears to be as far as FIFA’s obligation goes towards moderating the content that children may be sharing. Certainly parents have a role to play in protecting children’s privacy while online, but seriously FIFA, you are not absolved from getting in the game. If you’re already moderating for content, why not make sure kids aren’t oversharing too? This serious foul deserves a red card.

Less is more:

Leave a little mystery! Profile displays do not have to give everything away.

GamezHero.com is an example of a targeted website that allows users to display a significant amount of personal information on their user profile including name, grade, gender, age and city. While the website said it does not collect from children under 13, it had no problem posting our 10-year-old’s information. Fortunately, there was no option to load a photo!

GamezHero.com image.

A similar interface on Family.ca, however, had limited options for sharing personal information. The photo was a preset graphic and messages were fixed text. In other words, kids could choose what to say from a list of phrases.

Family.ca (Less is More) image.

Things can get a little trickier with popular apps and websites. Even though many children use these sites, they are often not designed with the under 12 crowd in mind. Gurl.com is one such example. As you can see, the social platform geared at teen girls collected and posted our 10-year-old sweeper’s full name, date of birth, occupation and location.

There were also no warnings or mechanisms to prevent users from uploading photos or posting personal information on message boards, some of which broach some pretty sensitive topics such as depression, suicide and self-mutilation. Given the lack of protective controls, there’s no telling what children could post and who might see it, raising all sorts of questions about the potential for harm to one’s reputation and well-being.

Gurl.com image.

For an otherwise pretty kid-friendly website, we found this next example worth mentioning. Santasvillage.ca offered kids an easy way to “get on Santa’s nice list” – by coughing up their full name and email address. In exchange, it promised to bombard subscribers with marketing materials. Not cool Santa, we’ll take the coal.

Santasvillage.ca image.

Avatars:

Selecting an image that will serve as your online identity doesn’t have to be personal. PBSkids.org is an example of a targeted website that asked our sweeper to choose from a pre-set list of icons.

PBS.org image.

Other websites/apps asked sweepers to load their own avatar which opens the door to using personal photographs. For example, the Cookie Monster Challenge app prompted us to take a selfie for our profiles. The app’s generic privacy policy also suggested personal information may be shared with third parties.

As the Cookie Monster himself might say: Parents not like when Cookie gobble up sensitive personal information like photograph and share with udder monsters.

Cookie Monster Challenge image 1.  Cookie Monster Challenge image 2.

All in a name:

Just as children should be discouraged from using a personal photo online, so too should they be discouraged from using their real name.

Websites such as Harry Potter fan site, Pottermore.com, don’t give kids the option. Instead, our sweepers were encouraged to select a username from a pre-set list. Thanks for thinking about the privacy of your younger Hogwarts classmates, Harry!

Pottermore.com (All in a name) image.

Meanwhile, Classdojo.com, a classroom management site that connects teachers, students and their parents, got a gold star for advising sweepers in simple, child-friendly language not to use their real name. But unfortunately that gold star got yanked as there was no actual mechanism to prevent us from using it.

Classdojo.com image.

Parental control:

On the subject of parental control, there are some effective ways to limit the functionality of a website or app to protect privacy. A great way to do that is with a parental dashboard and here are a few examples that put parents in the privacy driver’s seat.

The first was Grimm’s Red Riding Hood, an app targeted at children that allowed parents to turn certain settings on and off, such as in-app purchases and access to the store.

Grimm's Red Riding Hood image.

Another example is Battle.net, a popular game website designed for children over the age of 13, even though younger children are known to frequent it. As long as young users have provided a valid parental email address, parents can control settings through a fairly comprehensive dashboard.

Battle.net image shows parental dashboard to control privacy settings and voice chat.

On social networking site GeckoLife.com, parents of young children must register an account, to which they can add a child.

GeckoLife.com image shows request message sent to parents when child asks to open an account.

Parents could also monitor their child’s activities, including media uploads and connections with other users; however, the website collected a fair bit of personal information in the process.

GeckoLife.com image shows parental dashboard to set permissions to upload media and contact other users. Also asks for child’s full name, sex and date of birth.

Now just as the First Year kids at Hogwarts require parental permission for weekend trips to Hogsmeade, young Pottermore.com users need parental permission to activate their account. Of course that means deploying a summoning charm: Accio parental email address. Good job on involving mum and dad!

But this website didn’t just seek mum or dad’s email address; it also asked for the child’s first name, country, date of birth and which Harry Potter books and movies they had read or watched before sending the parental consent link via email. Is all that information really necessary, Harry?

Pottermore.com (Parental Control) image.

The American Girl doll website had options to collect personal information through quizzes and sweepstakes, but to post a photo of your child with their favourite doll, parents had to provide a signed waiver.

American Girl image 1.

American Girl image 2.

These other apps clearly targeted directly at children have found some creative ways to keep wee ones out of adult sections of the site, though they do so assuming young users can’t read or follow very basic instructions! Consider making it a little tougher. Don’t forget, some wee ones are learning how to swipe a tablet screen before they can walk!

Parental control says area is for grown-ups only and asks user to enter three numbers.

Parental control says area is for grownups and asks user to swipe left with two fingers anywhere on the screen.

Delete:

What seems so simple is often anything but. To put it mildly, not all delete functions are equal. From “no brainer” to “not an option,” here’s a look at our sliding scale when it comes to ease of deleting.

For some apps/websites, it was as easy as the click of a button. Take Quizlet.com for example. This educational website allows users to sign up and join study groups on a variety of topics. But when you’re done, you simply had to click the settings button in the top right corner, scroll down and hit delete.

Quizlet.com image.

Others required a multistep process that could involve emails and/or phone calls to the company. Buried in the middle of its privacy policy is the delete option for targeted game app Despicable Me: Minion Rush.

Despicable Me: Minion Rush image 1.

Stardoll.com, a website targeted at children that allows them to create dolls and interact with other users, requires parents/guardians to fill out a form. As you might be wondering from reading this excerpt from its privacy policy, it’s not clear whether the company actually destroys the personal information it has collected or whether it simply stops collecting, using and disclosing it to third parties. Given the amount of information this site collects and displays – country, gender, date of birth and anything through its free-text function – this raised some serious concerns for sweepers.

Stardoll.com image.

Unfortunately many popular websites and apps that collect personal information had no apparent means for deleting account data, leading our sweepers to believe that their information would be out there in the ether in perpetuity.

Off course:

It’s no surprise that kids like to click on shiny colourful things which many apps and websites have in spades. What’s not cool is when those shiny colourful things lead kids to places with different personal information collection practices or questionable content.

Redirection off-site often occurs through an ad or contest icon that sometimes appears to be part of the original site.

About a third of apps did not redirect users. Bravo! Meanwhile, 14 percent of them, including Barbie.com, at least provided a pop-up warning.

Barbie.com image.

Others had more questionable redirection practices. For instance, some websites/apps, including ones targeted directly at children, had ads for alcohol or dating websites that could lead users astray if clicked on. Some even had nondescript icons that, if clicked on, led sweepers to other sites that contained graphic and violent videos. Scary!

BONUS: Battle of the bands

Pop idols Justin Bieber, Taylor Swift and One Direction are all hugely popular among the under 12 crowd. But which fan site best bears that in mind when it comes to protecting the privacy of their youngest Beliebers, Swifties and Directioners?

Based on our indicators, here’s how these musical magnates stacked up.

Taylorswift.com collected username, email, full name, photo, date of birth, city, gender and occupation. There was also an unmoderated free-text function in which users could type in whatever they like. The site could display your username, photo and city. While the site attempted to block users under the age of 13, the measure could be easily circumvented by keying in a different date of birth. It also redirected visitors to a half dozen social media sites, the Google Play Store and another Taylor Swift shop that separately collects a whole host of personal information. Finally, according to the website’s privacy policy, users could “access, update or delete” personal information via email. It also noted this could be done via the “my account” area of the website. That would be great. Too bad we couldn’t actually find a delete button.

Justinbiebermusic.com could collect a fan’s first name, email, date of birth, postal code and country. It too barred users under 13 but that measure could be similarly circumvented. The site also had links redirecting users to a variety of music and social media sites, including the pop star’s Facebook fan page. To “correct, update, amend, delete/remove” personal information, users are asked to send a letter via snail mail to an address in California, or to fill out an online form. It said users could also do it through the member information page, but no such page could be found.

Onedirectionmusic.com, meanwhile, did not collect any personal information directly on site, though users could be redirected to a number of social media and music sites. The One Direction store, however, did collect a variety of personal information.

We are certainly not trying to create any “Bad Blood,” despite Taylor Swift’s lyrics, but it seems as though all three sites could use some helicopter parenting! That said, according to our final indicator, OPC sweepers said they were most comfortable with the One Direction site which seemed to hit the higher privacy notes of the three. Too bad the band has broken up :( Or so we think!

While we recognize that age verification can be tough as crafty kids have found clever ways around such mechanisms, we commend One Direction for simply limiting collection. Remember, don’t collect if you don’t have to. We also observed other sites that recognized a user’s URL and, for a period of time, barred them from going back to the site and simply entering a different age in order to gain access. Others automatically redirected young users to a children’s version of the site. While protective controls are seldom foolproof, we encourage developers to be creative and to find new ways of using technology to protect our most vulnerable.

Final thoughts . . .

As you can see, sweepers here at the Office of the Privacy Commissioner of Canada found many great examples of websites and mobile apps that do not collect personal information whatsoever. We believe there are many effective ways to at least limit collection.

When it comes to protecting the privacy of children online, everybody has a role to play. Children themselves need to be educated about digital privacy issues and the perils of sharing personal information online. Teachers and parents can help instill this knowledge and should themselves be aware of what sites and apps their kids are using and what types of information they are being asked to hand over. Finally, developers should be mindful of who their users are and limit, if not eliminate, the collection of personal information from children through the use of innovative privacy protective controls.

Once we’ve finished sorting through our results, in conjunction with our provincial and international partners who are doing the same, we will determine any appropriate follow-up action.

As with last year’s Sweep, our follow-up activities could include reaching out to organizations to inform them of our findings and making suggestions for improvements. We also have the option to pursue enforcement action.

By the way, we wrote to the companies mentioned in the blog before posting this to share our concerns. Past experience has shown that education and outreach alone can often go a long way towards effecting positive change for privacy.

 


2 Sep 2015

Child sweepers share observations on web/mobile app privacy


Commissioner Daniel Therrien visits with children during Kids Privacy Sweep.

Privacy Commissioner of Canada Daniel Therrien pops in on Global Privacy Enforcement Network Children’s Privacy Sweep where a few kids are on hand to help.

A children’s privacy sweep with no children? In the words of cartoon curmudgeon Charlie Brown, “good grief!”

. . . and that was roughly the genesis of the Office of the Privacy Commissioner of Canada’s (OPC) first ever Kid’s Sweep.

Nine youngsters, the offspring of OPC employees who also participated in the Sweep, descended on 30 rue Victoria one early May morning during International Sweep Week.

Fuelled on promises of pizza and cookies, the seven to 13-year-old boys and girls parked themselves in front of the laptop or tablet of their choice. Their job? To interact with their favorite apps and websites, thus recreating the user experience under the watchful gaze of their parents who took notes on how they navigated the privacy settings, or lack thereof, as the case happened to be for some sites.

The following is an edited transcript of what the kids, and their parents, had to say during a post-Sweep debrief before the smell of hot cheese and pepperoni wafted into the room and snatched their attention.

Did you have fun?

“Yeaaah!” (Kids shout in unison.)

Was anything hard or frustrating?

“It was hard to read privacy policies; they were really long and boring.”

Was it hard to sign up for some of the websites?

“If you are under 13, you are redirected to (the kid’s version of the website.)” Mom proceeded to explain that her son nonetheless managed to find a work-around.

What were some of the personal questions the website or app asked you?

“Where do you go to school? What’s your address?”

“It asked if you’re a student or a teacher.”

“It asked what gender you were.”

“Date of birth.”

“(On one website), if you typed in your real name, it wouldn’t take it or any short form of the name.”

“My photo.” (Mom added: “I wouldn’t let him. I shut it down real fast.”)

“It asked for what grade you were in.”

“(One website) asked for your picture but we just used a picture of a penguin that was already saved on the computer.” (Mom added: “But then it encouraged you to use a real picture.”)

Boy at computer.

Did you always understand what the website or app was asking for?

“When I was working on (one website), I thought there were games made by other people that you could play but it was just shopping. That’s where there was the long and boring parts.”

Did any websites or apps tell you to go get a parent to help you?

“Before you were able to get on (one website), they send an email to your parent.” Mom added: “And the parent had to confirm.”

“On one website there’s a privacy mode so if you’re under 13, you can’t change it. If you want to change your age, you have to ask a parent by email.”

Did you ever click on something that led you to a totally different website?

“I was on (one website) and there was this little thing on the top of the page that said ‘are you a boy or a girl.’ It didn’t really look like an ad but it was just like a little thing with a picture and so, of course, we clicked on it and it went to another game website and it showed you a trailer.” Mom added that it was “teen rated” and included a warning that the content contained “violence, blood, partial nudity and alcohol.”

If you had to sign up for an account, did the website or app make it easy to delete your account when you were done?

“I was on (one website) and there was an option to delete the account and it deleted right away.”

Did anybody have trouble?

“A little bit. You had to email the company to delete it.”

– – – – –

Days after the Kids Sweep we got some great feedback from one of our parental sweepers who quipped that her kids are now tattling on each other for failing to read privacy policies. She added:

“They had a really good time and learned a lot about thinking critically when it comes to their personal information. If the result is that they make one brighter choice about their own privacy, then it was 100 percent worth it to me.”

It was this very comment that inspired one of our post-Sweep follow-up activities. The OPC has drafted a classroom activity for Grade 7 and 8 teachers across Canada based on our 2015 Kids Sweep.

We’ve simplified the Sweep form used to assess the privacy communications of apps and websites and are encouraging teachers to conduct privacy sweeps with students using the forms as a way to kick off a discussion about online privacy and the protection of personal information.

Alone or in groups, we are encouraging students to “sweep” their favorite apps and websites, to learn how to read privacy policies, to learn about tracking, the different types of personal information that might be collected and to discuss their observations with their teacher and peers. We’ve also provided a take-home tip sheet dubbed Pro Tips for Kids: Protecting Your Privacy for students and their parents.
Mother and daughter at computer.

Note to teachers: you can find the classroom activity on our website. As for parents and guardians, if it’s not something your kids are learning in school, think about adapting the lesson plan as a rainy Sunday afternoon activity!

Intimate, controversial or embarrassing photos and comments can have a lasting impact on a person’s reputation. Today, digital literacy is as important as learning your ABCs, and kids who understand and implement safe online privacy practices are less likely to make the sort of mistakes that could haunt them in the future.

Click here for more on the results of this year’s Children’s Privacy Sweep.


5 Sep 2014

It’s back to school!


Looking for ways to kick the school year off right?

Start with a reminder to kids that privacy matters! Canadian kids are digitally savvy and they value their privacy, but they can sometimes be unsuspecting about the potential privacy risks of new digital communications technologies.

Our office has created a graphic novel, Social Smarts: Privacy, the Internet and You, to help young Canadians better understand and navigate privacy issues in the online world.

Parents and educators can also take advantage of our new discussion guide and privacy activity sheets to generate more in-depth discussions on the privacy risks related to social networking, mobile devices and texting, and online gaming. These tools also provide ample opportunities to raise real-life situations in which privacy can be impacted.

Because kids go online earlier in life than ever before, the privacy activity sheets vary in difficulty, from very simple (a colouring page) to more difficult (a simple cryptography activity).

You can find these and more on the Youth Privacy section of our site!


19 Jun 2014

Mind the gap: Poll finds many Canadian businesses believe privacy is important but not taking basic steps to protect customer information


Ten years after Canada’s private sector privacy law came into full effect, our latest survey has found that many Canadian businesses are still not taking the basic steps necessary to protect the personal information of their customers and clients – despite believing that protecting privacy is “extremely important”.

An overwhelming majority of businesses (82%) said protecting privacy is important—in fact 59% rated it as “extremely important.” As well, more than two-thirds (69%) indicated they were “very confident” in the ability of their business to protect the personal information they collect about customers.

However, the telephone survey of 1,006 companies across Canada identified serious gaps in basic privacy protection by businesses both large and small, for example:

  • More than half (55%) do not have a privacy policy;
  • Half (50%) do not have procedures for responding to customer requests to access their personal information;
  • Nearly half (49%) do not have procedures for dealing with privacy complaints;
  • More than two in five (42%) have not designated an employee responsible for ensuring privacy protection; and
  • Two-thirds (67%) have no policies or procedures for assessing the privacy risks of new products, services or technologies.

The survey, carried out in November 2013 by Phoenix Strategic Perspectives of Ottawa, also found that 59% of the surveyed businesses have little or no concern about the prospect of a data breach. Despite numerous high-profile media reports of data breaches in the private sector over the past few years, the number of businesses indicating a lack of concern about data breaches has increased over time to 59% from 49% in 2011 and 42% in 2010.

In addition, 58% of the businesses surveyed had no guidelines for dealing with a breach where the personal information of their customers was compromised.

We commissioned the survey, which is considered to be accurate to within +/- 3.1%, 19 times out of 20, in order to better understand the extent to which businesses are familiar with privacy issues and requirements, and the types of privacy policies and practices they have in place. Similar surveys were conducted in 2011, 2010 and 2007.

What do you think – are businesses doing an adequate job of safeguarding customer information? What challenges do they face in protecting privacy? Let us know in the comments.


20 Sep 2013

An update on our Internet privacy sweep


Last month, we released the initial results of our Internet privacy sweep. You can read the original blog post to see what we observed. (We should note here that the screenshots and references in that blog post reflect what we saw online during the sweep and were still in place when we originally blogged about the sweep results on August 13.)

As part of our efforts on the sweep, our Office advised the companies that were mentioned in the blog, inviting them to contact the OPC if they wished to discuss the Sweep and our observations.

Since that original post, we are very pleased to see that some of the organizations we highlighted have made changes to enhance their online privacy policies.

A&W changed its privacy policy shortly after we issued the results of our Privacy Sweep. Their original 110-word privacy policy has now been expanded to just under 1600 words and covers the collection, use, disclosure and retention of customers’ personal information collected through customer feedback, events, gift card purchases and contests.

Bell Media also updated their privacy policy shortly thereafter, fixing the broken link to their Privacy Officer’s email address:

[Screenshot: New Bell Media privacy policy]

We think customers will be pleased as well to see that the companies they choose to do business with are more open and straightforward about how they use customer information.

Hopefully other companies we looked at, as well as those that didn’t, will take note.


13 Aug 2013

Initial results from our Internet Privacy Sweep: The Good, The Bad, and The Ugly


You might recall, a few weeks back our Office led and participated in the first annual Global Privacy Enforcement Network (GPEN) Internet Privacy Sweep.

We sought to replicate the consumer experience by spending a few minutes on each site, assessing how organizations communicated their privacy practices with the public.  The sweep was meant to assess transparency online and was not an assessment of organizations’ privacy practices in general. It was not an investigation, nor was it intended to conclusively identify compliance issues or legislative breaches.

After searching over 300 sites that day, our Office is still poring over the reports we’ve created, but we wanted to share some of our preliminary results with you.

The good:

We found several positive examples of transparency when it came to sharing privacy practices. The best policies were oriented towards the consumer, providing information that real people would actually want to know and would find helpful. Here are a few of our favourites:

Tim Hortons outlines the different types of personal information they collect and use in relation to a number of activities – for example, when people shop online, enter contests, or register for a payment card. Overall, we found their policy uncluttered and straightforward, as this excerpt shows:

Collection and Use of Personal Information  Tim Hortons collects and uses personal information from customers and others (an "Individual") as follows:     Tim Hortons may collect and maintain personal information such as an Individual's name, contact information, payment card information and purchase history when an Individual subscribes for services or purchases products on our website, in one of our stores or at a kiosk.      Tim Hortons may collect personal information from an Individual where the Individual submits an application for programs operated from time-to-time by Tim Hortons, such as the Tim Hortons Scholarship Program (the "Programs") or for an employment opportunity (such as that contained in a resume, cover letter, or similar employment-related materials). We use submitted personal information as is reasonably required to assess the Individual's eligibility in the Programs and to advertise and promote the Programs or to assess the Individual's suitability for employment at Tim Hortons as well as to process the application and respond to the Individual.     When participating in a contest or promotion, we may collect personal information, such as a contest winner's name, city of residence, and prize winnings in order to award prizes and promote such contests. This information may be published in connection with contests.      From time to time, we may obtain an Individual's consent to use the Individual's contact information to provide periodic newsletters or updates, announcements and special promotions regarding Tim Hortons products and services.

TripAdvisor’s Privacy Policy takes the extra step of offering a detailed explanation of its Instant Personalization feature, which uses information provided by Facebook to give the user a more customized experience. Their explanation not only details what information is collected and how it’s used, but also provides instruction on how to enable or disable the feature – take a look at this excerpt:

We have partnered with Facebook to provide Instant Personalization on TripAdvisor for members of Facebook. If you have Instant Personalization set to “enabled” in your Facebook privacy settings and you are logged into Facebook, then TripAdvisor will be personalized for you when you visit the Web site, even if you are a first-time user of TripAdvisor’s Web site. For example, we will show you reviews that your Facebook friends have posted on TripAdvisor and places they have visited. In order to provide you with this personalized experience, Facebook provides us with information that you have chosen to make available pursuant to your Facebook privacy settings. That information may include your name, profile picture, gender, friend lists and any other information you have chosen to make available.  When you first visit TripAdvisor, you will see an option to turn off Instant Personalization in just one click. If you decide to turn it off at a later date, you can do so by first logging into Facebook and clicking on the disable link on this page, or by scrolling over the “Learn More” link on the top of the page on TripAdvisor and clicking on “How to turn off personalization”. You can also turn off Instant Personalization by editing your privacy settings on Facebook. Please note that, if you have Facebook friends who are using TripAdvisor, they may also have shared information about you with us through Facebook. If you wish to prevent that sharing, you can do so by editing your Facebook privacy settings.   Learn more about Instant Personalization on Facebook or read TripAdvisor’s Instant Personalization FAQ’s.

Also going that extra step is Allstate, which has established an anonymous and confidential reporting system through a third party for its customers to report privacy breaches with discretion.  Promoting and facilitating two-way communication about privacy with consumers is a key element of transparency, so it’s heartening to see that a company like Allstate is thinking about how their consumers might want to communicate with them about privacy concerns.

As part of our ongoing commitment to privacy, we have established an anonymous (optional) and confidential reporting system, so that customers can report any breaches of privacy.  All comments made through this reporting mechanism are considered important to Allstate.  Accordingly, they will be reviewed in a timely manner and, rest assured, with the utmost discretion.    To report any issue relating to privacy concerns, please go online or mail:  ClearView Connects™  P.O. Box 11017 Toronto, Ontario M1E 1N0  1-866-505-9915

Privacy policies that cover both online and in-store practices made our list of bouquets as well. IKEA Canada’s privacy notice points out IKEA’s use of closed circuit television (CCTV) cameras in its stores and parking lots and references their separate CCTV Surveillance Policy, which can be obtained by contacting their privacy officer. Given that many stores and parking lots use CCTV monitoring technology, this example shouldn’t be as rare as it is!

For security, safety and liability purposes, we use CCTV cameras in our stores and adjoining areas such as parking lots. Information recorded by such cameras is retained for a short period (approximately 90 days), unless needed in connection with an investigation. Notices advising of the use of such cameras are posted in our stores. By visiting a store, you consent to our use of such cameras and the recording of your information. For further information regarding CCTV use in our stores, please see IKEA’s CCTV Surveillance Policy, a copy of which may be obtained by contacting our Privacy Office, as provided at the end of this Notice.

The bad:

Approximately 20 percent of sites we reviewed either listed no privacy contact, or made it difficult to find contact information for a privacy officer.

For example, several sites, including theloop.ca and tsn.ca, linked to Bell Media’s Privacy Policy which reads in part:

QUESTIONS, COMMENTS OR SUGGESTIONS? If you have questions, comments or suggestions about this Privacy Policy or Bell Media's privacy practices that were not answered here, send us an email.

And that e-mail address is….?

Well, we couldn’t find it.

Many of the websites we looked at spent thousands of words regurgitating PIPEDA but provided very limited information of actual interest to readers. Just as the good examples made an effort to provide clear and useful information to the consumer, the not-so-good stuck to a more legalistic approach and merely claimed compliance with legislation.

For instance, take a look at GlaxoSmithKline’s explanation of how they seek consent for the collection, use and disclosure of individuals’ personal information, below. While their privacy policy hews closely to the language found in Canadian privacy legislation, it’s not all that helpful to a consumer who wants to know when their consent might be sought. We’ve highlighted the text that appears almost verbatim from Schedule 1 of PIPEDA:

3.PRINCIPLE 3 - CONSENT The knowledge and consent of the individual are required for the collection, use and disclosure of personal information, except where inappropriate. 3.1 The way in which we seek consent, including whether it is express or implied consent, may vary depending on the sensitivity of the information and the reasonable expectations of the individual. An individual may withdraw consent at any time, subject to legal and contractual restrictions and reasonable notice. 3.2 GSK will typically seek consent for the use or disclosure of personal information at the time of collection, but in certain circumstances consent may be sought after collection but before use. 3.3 GSK will only ask individuals to consent to the collection, use or disclosure of personal information as a condition of the supply or purchase of a product, if such use, collection or disclosure is required to fulfil an identified purpose. 3.4 In certain circumstances, as permitted or required by law, we may collect, use or disclose personal information without the knowledge and consent of the individual. These circumstances include: Personal Information which is subject to solicitor-client privilege or is publicly available as defined by regulation; where collection or use is clearly in the interests of the individual and consent cannot be obtained in a time way; to investigate a breach of agreement of a contravention of the law; to act in respect to an emergency that threatens the life, health or security of an individual; for debt collection; or to comply with a subpoena, warrant or court order.

Huh?

GlaxoSmithKline also offers readers an Internet privacy policy which, in some ways, does a better job than their privacy code at explaining how a consumer’s information might be collected and used. However, we found this policy, like others we saw during our sweep, focused on the use of cookies and other technical information collected via their site, while not providing enough information relevant to how the organization was collecting and using other types of information about the consumer.

The ugly:

About one out of every ten sites we looked at did not appear to have a privacy policy.

Another 10 percent had a privacy policy that was hard to find – sometimes exceedingly difficult to find, since it was buried in a lengthy Legal Notice or in the Terms and Conditions.

While almost 90 percent of the sites we swept had some sort of privacy policy or privacy notice, some policies offered so little transparency to customers and site visitors that the sites may as well have said nothing on the subject.

For example, A&W Canada, which collects personal information such as photos, addresses and dates of birth for various initiatives, has a 110-word privacy policy tacked on to the very end of the Terms and Conditions that offers nothing but a blanket promise of compliance with the law. While they do provide some other detail with respect to their privacy practices elsewhere on the site, and it is possible for visitors to their site to learn more by contacting their privacy officer through the e-mail address provided, we think organizations can do better. Individuals shouldn’t have to jump through hoops and provide their own personal contact information just to learn what an organization is going to do with their information.

Privacy Policy A&W Food Services of Canada Inc. is committed to protecting the privacy of personal information. Personal information obtained in the course of conducting our business will not be collected, used or disclosed except in compliance with governing legislation, including Canada’s Personal Information Protection and Electronic Documents Act and British Columbia’s Personal Information Protection Act. For further information on our Privacy Policy, contact our Privacy Officer at privacyofficer@aw. We may revise this Privacy Policy from time to time. You are responsible for checking this Policy when you visit our site to review the current policy. If you do not agree with the Policy, you should cease use of the site immediately.

Paternity Testing Centers of Canada, which collects and processes highly sensitive DNA samples of its clients, has a privacy statement so short it would fit in a tweet: “Paternity Testing Centers of Canada care about our clients and ensure that every test performed is strictly confidential.”

Confidentiality Uncertainty about parentage can have life-long psychological consequences. DNA paternity testing is the most advanced and accurate method available for resolving these parentage questions. Paternity Testing Centers of Canada can perform both Legal (court approved) and Non-legal tests. With advanced DNA technology, paternity testing is accurate, rapid and an affordable means for obtaining conclusive answers with respect to parentage. Paternity Testing Centers of Canada care about our clients and ensure that every test performed is strictly confidential.

We wanted to provide you with some preliminary results that stood out to us from our sweep.  Once we’ve completed a review of the results from our Office and the other jurisdictions that participated in the sweep, we will determine any appropriate follow-up action, in conjunction with our international sweep partners.


10 Jun 2013

Fixing leaky faucets: Raising the bar of privacy protection


“Web leakage” research and follow-up work by the Office of the Privacy Commissioner of Canada has resulted in improvements to the privacy practices of some popular Canadian websites.

You may recall that our Office’s technologists tested 25 sites last year and found a significant number were “leaking” registered users’ personal information – including names and email addresses – to third-party sites such as advertising companies.

The research project prompted extensive discussions with the operators of 11 sites where concerns or questions were identified.

Positive changes

In the end, we’re happy to say that the initiative has resulted in a number of positive changes for Canadians:

  • Several organizations have taken measures to stop unintentional or unnecessary disclosures of personal information.
  • Many also agreed to take steps to ensure they provide consumers with clear, accessible information about their privacy practices.

All of the organizations cooperated with our Office and we were able to resolve our concerns in each and every case.  Here is a summary of the results of our work with the 11 sites:

  • In three cases, the site operators had been previously unaware that personal information was being disclosed to third parties, but took steps to ensure the disclosures stopped.
  • In a further three cases, websites had been intentionally sharing information such as email addresses with third parties, but agreed to stop after we questioned the practice. Another organization was looking at whether its site could be re-designed to prevent sharing with two of its online service providers.
  • One organization acknowledged that personal information was being shared with third-party service providers in order to manage its website – even though its privacy policy states personal information is not made available to third parties. The organization is in the midst of making changes to its privacy policy to provide greater clarity.
  • In other cases, our discussions with organizations confirmed that no information was being disclosed to third parties beyond that found in our research – for instance, postal codes. As a result, we determined the disclosed information was not personal information.

Of course, our initiative involved a very small sample of sites and “web leakage” concerns are not confined to the organizations identified in our research. All web site operators and third parties should review the personal information they share and test their own sites to check whether data is unintentionally leaking.
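One way a site operator could run the self-test recommended above, as an added example that is not part of the original post or of the Office's research method: log in with a test account, capture the requests the browser makes, and search every request sent to another domain for that account's name and email address. The capture format, the hosts, the test identity, the set of encodings checked and the simple domain-suffix test are all assumptions made for illustration.

```python
import base64
import hashlib
from urllib.parse import unquote, unquote_plus, urlsplit


def variants(value):
    """Forms in which an identifier may travel (assumed set, not exhaustive)."""
    raw = value.strip().lower().encode()
    return {
        "plain": raw.decode(),
        # Lower-cased because the haystack is lower-cased before matching.
        "base64": base64.b64encode(raw).decode().lower(),
        "md5": hashlib.md5(raw).hexdigest(),
        "sha256": hashlib.sha256(raw).hexdigest(),
    }


def is_third_party(url, first_party):
    """True when the request host is outside the site's own domain."""
    host = (urlsplit(url).hostname or "").lower()
    return not (host == first_party or host.endswith("." + first_party))


def find_leaks(requests, first_party, identifiers):
    """Return (host, field, identifier, encoding) for each third-party leak."""
    findings = []
    for req in requests:
        if not is_third_party(req["url"], first_party):
            continue
        host = urlsplit(req["url"]).hostname
        for field in ("url", "referer", "body"):
            text = req.get(field) or ""
            # Match against the raw and percent-decoded forms of the field.
            haystack = " ".join((text, unquote(text), unquote_plus(text))).lower()
            for name, value in identifiers.items():
                for encoding, needle in variants(value).items():
                    if needle in haystack:
                        findings.append((host, field, name, encoding))
    return findings


# Constructed test account and constructed capture (hypothetical hosts).
IDENTIFIERS = {"email": "jane.doe@mail.example", "name": "Jane Doe"}
HASHED = hashlib.sha256(b"jane.doe@mail.example").hexdigest()
SAMPLE_REQUESTS = [
    {"url": "https://www.shop.example/account?email=jane.doe%40mail.example"},
    {"url": "https://ads.tracker.example/pixel.gif?id=123",
     "referer": "https://www.shop.example/welcome?email=jane.doe%40mail.example&name=Jane+Doe"},
    {"url": "https://metrics.analytics.example/c?uid=" + HASHED,
     "referer": "https://www.shop.example/"},
    {"url": "https://cdn.maps.example/store?postal=K1A0B1",
     "referer": "https://www.shop.example/stores"},
]

if __name__ == "__main__":
    for finding in find_leaks(SAMPLE_REQUESTS, "shop.example", IDENTIFIERS):
        print(finding)
```

The first-party request and the postal-code-only request are not reported; the Referer header carrying the email and name to the ad host, and the hashed email sent to the analytics host, are.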

Issues beyond “web leakage”

During our work, it became apparent that organizations’ privacy practices, such as the legitimate sharing of information with third parties, were not always disclosed in a meaningful way to consumers.

Commissioner Stoddart has expressed concern about privacy policies that are too long, too convoluted, and, as a result, tend to be largely ignored by users.

Organizations should have clear, descriptive privacy policies.  Our Office has also started looking at other practices that could also be adopted to help inform people about how their personal information will be handled.  For example, we like just-in-time notifications – providing explanations of privacy practices when data is collected.

To that end, we were pleased that several organizations committed to improve the way in which they tell consumers about their personal information handling practices.  For example, some are reviewing their privacy policies and exploring more innovative ways – such as just-in-time notices – to provide privacy information.

All of these steps will go a long way to help ensure these organizations have obtained informed consent for the collection, use and disclosure of personal information online – as required under Canadian privacy law.

And since the issues we identified have been addressed, the Privacy Commissioner has decided not to exercise her power to name these organizations.

Given our study has revealed systemic issues in this area, our Office is developing a guidance document on best practices with respect to how organizations obtain informed consent from Canadians for the collection, use and disclosure of personal information in the online world. We expect to publish the guidance document later this year.