Behavioural Marketing: Privacy Law Considerations (PIPEDA)

What are the privacy law considerations of behavioural marketing?

Is behavioural marketing subject to PIPEDA and Canadian privacy laws?

What should online advertisers and online users know about the privacy consequences of behavioural marketing?

In this article, we will break this down in detail.

We will look at what behavioural marketing is and then analyze it from the perspective of the Personal Information Protection and Electronic Documents Act of Canada.

Are you ready?

Let’s get started!!!

What is behavioural marketing 

Behavioural marketing is when an advertiser or an organization uses technology to track and analyze individuals navigating the Internet, who leave a trail of information behind them, and to create individual profiles of them.

The objective of behavioural advertising is to present targeted ads to consumers by collecting their browsing behaviour.

Companies will track different pieces of information about online users such as:

  1. Page visits on a website
  2. Time spent on a website
  3. User clicks
  4. The recency of the visit
  5. User’s site interaction 
  6. IP addresses
  7. Advertisements viewed
  8. Articles read
  9. Search terms used
  10. User preferences such as language and browser type
  11. Operating system
  12. Geographical location

Every online user leaves behind a trail of information and data about their online navigation.

Companies use that data to create a user persona allowing them to segment their audience.

Online users showing similar behaviour are segmented into the same category and targeted with specific ads catered to that segment.

According to the Network Advertising Initiative, behavioural marketing is a lucrative business as companies can achieve a much greater level of conversions when targeting their advertisements.

Online tracking and profiling for behavioural marketing  

Advertisers and marketers have developed sophisticated technology and algorithms to analyze online data collected about a user to build a detailed user profile.

By creating a user profile, the advertiser can segment their audience and assign the profile to a specific interest category.

Based on the segmentation or interest category, marketers will then present targeted advertisements to that segmented audience to achieve a greater conversion and thus a greater return on investment.

To create user personas and profiles, advertisers will combine many individual pieces of data that, in and of themselves, do not identify an individual.

However, when combined, individual and anonymous data can help identify or paint a portrait of an online user.

The anonymous user profile can then be matched against social media websites to link the user persona to the real-life person.

Canadian privacy law on behavioural advertising

The Canadian government has adopted the Personal Information Protection and Electronic Documents Act (PIPEDA), a comprehensive data privacy and protection law that companies operating in Canada must adhere to.

Individual consent is a key element under PIPEDA.

PIPEDA requires that organizations get meaningful consent from individuals for collecting, using and disclosing their personal information.

Let’s break this down to better understand how PIPEDA applies to behavioural advertising.

Is online profiling personal information

PIPEDA defines personal information as “information about an identifiable individual”.

This is a very broad definition intended to capture a lot of use cases and scenarios.

Any factual or subjective information about a person allowing a company to identify an individual is personal information.

Personal data can be a single piece of information or a combination of different data allowing the identification of an individual.

In the matter Gordon vs Canada (Minister of Health), 2008 FC 258, the Federal Court of Canada ruled that when there is a serious possibility that an individual can be identified through the use of a piece of information, alone or in combination with other available information, you have personal information about an identifiable individual. 

As it relates to behavioural advertising, when an organization combines anonymous data about an online user and creates a user profile, the moment the user profile can be linked to a person or an identifiable person, that’s personal information.

The Privacy Commissioner of Canada is of the view that information collected for behavioural marketing is identifiable information considering that: 

  1. The purpose of behavioural marketing is to create user profiles for segmentation and targeting
  2. Companies have powerful means to collect, gather and use available data on users
  3. Companies can use the available data to generate highly personalized advertisements

As a result, personalized advertising can result in a company gathering personal information and being subject to the provisions of PIPEDA.

Collection and use of data to create online user profiles

To track a user’s behaviour and online navigation, advertisers and companies will generally place a third-party cookie in the user’s browser.

The third-party cookie will contain a serial number associated with a unique online user.

The cookie will track the user’s online behaviour and can assemble the following information about the user:

  1. IP address
  2. Browser type
  3. Browser identification strings
  4. Browser technical parameters
  5. Website visits
  6. Inferred areas of interest
  7. Search terms
  8. Terms used on online forms
  9. Transactions
  10. Purchases
  11. Usernames
  12. ID on web services
  13. ID on social media sites

When data about someone is used to make decisions about them, you are essentially collecting and using the data for commercial activity.

PIPEDA governs the use, collection and disclosure of personal information.

Companies in the behavioural marketing space creating detailed user profiles must be mindful of the fact that once they assemble disparate data to create a user profile, the result may be that they are collecting and using personal information.

Such collection and use trigger the application of PIPEDA obligations.

Behavioural marketing is a commercial activity

There is no doubt that a company engaged in behavioural marketing is engaged in a commercial activity.

Article 2(1) of PIPEDA defines commercial activity to be any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.

Behavioural advertising is the process of collecting and using personal information to sell online advertisements, products and services.

Such activity is a commercial activity in nature and is subject to PIPEDA.

User consent for targeted advertising 

So far, we have determined that online profiling in the context of behavioural advertising presents a serious possibility of identifying an individual, and that to create an online profile and reap the commercial benefits, organizations need to collect and use information about an online user.

This leads us to the element of user consent.

Do companies need to get user consent for behavioural marketing?

Yes.

Users must provide meaningful consent for their information to be used for targeted advertising.

In addition to the consent, organizations must set limits on the type of information they collect and use for profiling.

Companies operating in the online marketing and advertising space must clearly define what type of information they need to achieve their intended purpose and obtain the necessary consent from the users for that purpose.

They must limit their collection and use strictly to that purpose and nothing more, unless a new consent is obtained from the user.

Any data collected and used must be safeguarded and protected just like any other personal information collected by the organization.

Opt-out consent is acceptable

Companies can obtain consent using the opt-in or opt-out form of consent.

Opt-in consent is a form of consent given by an online user acknowledging they agree to a product or a service and authorize the third-party organization to collect, use and disclose their data to benefit from the service.

Opt-out consent is when an individual is given the chance to decline giving consent or continue using the services.

By not opting out or declining, consent can be considered as implicitly given by the user.

As it relates to behavioural marketing, the Canadian Privacy Commissioner considers that an opt-out form of consent is acceptable to protect users and to prevent the frustration and fatigue of being bombarded with too many messages and consent requests relating to the protection of their personal information.

To implement an acceptable opt-out consent form, organizations should consider the following parameters:

  1. Individuals should be made aware of the company’s collection, use and disclosure purpose
  2. Companies must present the information effectively, not in a hidden or deceitful manner
  3. Opt-out consent disclosure and notification should be given on or before the time of collection of information
  4. Opting out should be easy for the user 
  5. Opting out should take immediate effect if that’s what the user wishes
  6. Information collected under an opt-out consent form should be non-sensitive as much as possible and limited to what is needed
  7. Organizations must destroy the information as soon as it is possible or anonymize the information 

Following these guidelines can help companies obtain acceptable consent from online users.

Unauthorized tracking and profiling under PIPEDA

In some cases, companies can install zombie cookies, supercookies, third-party cookies, perform device fingerprinting and deploy techniques that cannot be controlled by users.

If a user cannot opt in to or opt out of sharing information, or if it is very difficult or effectively impractical to withdraw consent, then we may be dealing with a collection and use of information that may be unauthorized under PIPEDA.

What’s important is that a user can effectively decide whether or not to give his or her consent for data collection and use.

If data is collected against the user’s will, if it is impossible or nearly impossible for the user to decide on or withdraw consent, or if information is collected without the user knowing about it, there may be privacy violations under PIPEDA.

Organizations should make sure not to use techniques or technologies allowing them to develop user profiles in hidden, misleading or deceitful ways.

Can behavioural marketing be a reasonable purpose 

To determine if behavioural marketing can be a reasonable purpose under PIPEDA, let’s look at some of the foundational principles outlined in the law.

The first principle is that an organization must get the consent of a person to use personal information beyond its explicitly specified and legitimate purpose.

Under the principle of consent, PIPEDA states that “an organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes.”

Furthermore, the purpose of the collection and use of personal information must be appropriate to a reasonable person. 

Article 5(3) of PIPEDA establishes the appropriateness of purpose by stating that “an organization may collect, use or disclose personal information only for the purposes that a reasonable person would consider are appropriate in the circumstances”.

With that being said, the Privacy Commissioner of Canada has identified the following considerations:

  1. Online users are not comfortable with the notion of being followed around the web
  2. Online users think that targeted advertisements geared to their interest are useful
  3. The use of the internet must be generally free for users
  4. Some level of personal information may need to be given by users to access some services or information online

As a result, online behavioural advertising can be considered an appropriate purpose for the collection, use and disclosure of personal information from the perspective of a reasonable person.

Online tracking and profiling for other purposes

Online tracking and profiling can be done for reasons other than behavioural marketing.

Companies may track user behaviour to improve their website functionality and prevent fraud.

For these reasons, companies may use a technique called device fingerprinting to capture data and information about an online user’s specific device such as:

  1. User IP address
  2. Specific device serial number
  3. Device screen size
  4. Device plugin data

Device fingerprinting allows the accurate targeting of an online user with a very high level of confidence.

Now that more and more online search is done using mobile devices, device fingerprinting allows a company to track online behaviour and activity of a user using a specific mobile device.

Often, device fingerprinting is used to prevent fraud.

However, online marketing and behavioural segmentation are a multi-billion dollar business.

Companies may want to expand the use of device fingerprinting to online behavioural marketing, thus creating privacy concerns.

Takeaways

Behavioural marketing, targeting and segmentation represent techniques where online advertisers collect and use online data to deliver targeted advertisements based on a user profile and inferred preferences.

Online behavioural marketing consists of tracking user activity online, on websites and over time so advertisements can be tailored specifically to the targeted user.

For marketing purposes, when collecting individual and anonymous data and creating a user profile, under PIPEDA, you may be collecting and using personal information for a commercial purpose.

As a result, user consent will be necessary for the organization to deliver targeted advertisements to its website users.

The Privacy Commissioner of Canada considers that an opt-out consent or implied consent is acceptable in the context of behavioural marketing, and implementing the proper procedures to obtain such consent will satisfy a company’s obligation under PIPEDA.

What’s important to note is that every company’s situation may be slightly different.

All organizations must evaluate the nature of the information they collect and the purpose for which it is collected, determine whether there is a legitimate purpose, and evaluate the type of consent needed from the user.

We hope this article helped clarify the obligations under PIPEDA relating to behavioural marketing.

Do you have any useful information to share with us on the privacy aspect of behavioural marketing?

We would love to hear from you.

Drop us a comment!