Following an investigation into an unprecedented number of complaints, Privacy Commissioner Daniel Therrien urges telecom to adopt 'opt-in' consent to build detailed customer profiles that will facilitate behaviourally targeted advertising
GATINEAU, QC, April 7, 2015 /CNW/ - Bell's targeted advertising initiative has such a significant impact on privacy that the company must ask customers if they wish to opt in, an investigation by the Office of the Privacy Commissioner of Canada (OPC) has found.
The "Relevant Advertising Program" involves tracking the Internet browsing habits of customers, along with their app usage, TV viewing and calling patterns. By combining this information with demographic and account data already collected from customers, Bell can create highly detailed profiles that enable third parties to deliver targeted ads to Bell's customers for a fee. The program involves combining customer information from several Bell affiliates that offer a range of mobile, home phone, Internet and TV services.
The initiative sparked an unprecedented 170 privacy complaints under the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's federal private sector privacy law, after it was announced. A Commissioner-initiated investigation was subsequently launched.
"Bell's ad program involves the use of vast amounts of its customers' personal information, some of it highly sensitive," Commissioner Therrien says.
"Bell should not simply assume that, unless they proactively speak up to the contrary, customers are consenting to have their personal information used in this new way."
While the company has agreed to make a number of changes to address privacy concerns raised during the investigation, it has so far refused to implement a key recommendation to obtain express consent from customers.
Instead, Bell continues to put the onus on customers to "opt out" if they do not want their information to be used as part of the advertising initiative by clicking on a link at the bottom of the program's web page and following the prompts. Customers who do not take this step are automatically included in the program.
Bell maintains its customers support the company's position that opt-out consent is appropriate and submitted a poll to bolster its claim. However, an expert hired by the OPC to examine the Bell-commissioned report found that the survey lacked validity and contained questions that were unduly complex or leading. Ultimately, she found that most of the conclusions drawn by Bell from the survey could not be scientifically supported. Even with those problems, the Bell survey revealed that more than a third of respondents – which would translate to about two million Bell customers – were not comfortable with the company assuming their consent for such a program through an opt-out mechanism.
The Report of Findings made public today notes that Bell is able to track every website its customers visit, every app they use, every TV show they watch and every call they make using Bell's network. When that information is combined with account and demographic information – such as age range, gender, average revenue per user, preferred language and postal code – which the company has long collected, the end result is a rich multi-dimensional profile that most people are likely to consider highly sensitive.
In assessing the appropriate form of consent, the OPC considered the sensitivity of the information in question and what customers would reasonably expect from their telecommunications service provider, to whom they've entrusted their private communications.
The investigation also found that Bell's opt-out policy did not fully respect the choice of its customers not to participate in the initiative. Bell planned to continue building profiles for customers who had opted out, just in case they decided to opt back in. The OPC is pleased, however, that Bell agreed to a recommendation to stop building profiles for those who don't wish to participate, and to immediately delete the information already collected.
Other recommendations Bell agreed to:
- The OPC raised concerns that while Bell was not disclosing customers' personal information directly to advertisers, advertisers could still link the information obtained from Bell to an actual Bell customer with the help of cookies, device fingerprinting, other tracking methods and their own profile information. Bell has since agreed to include language prohibiting such activities in its contracts with advertisers.
- Bell agreed to stop including credit score information in its customer profiles for the purposes of the program, a practice the OPC found inappropriate.
- Bell agreed to use partial postal codes for the purposes of delivering targeted ads after the OPC pointed out that using full postal codes could enable advertisers to target ads to much smaller audiences than Bell intended.
- Bell also agreed to remove The Source, a retail electronics store owned by the company, from the list of Bell affiliates that could gain access to information associated with the advertising initiative.
In reaching its conclusions, the OPC considered numerous factors, including whether Bell was taking adequate steps to ensure it was not disclosing the personal information of individual customers to advertisers and whether compiling user data to maximize advertising revenue while improving the online experience of customers was an appropriate business objective.
"While we are pleased that Bell has agreed to implement many of our recommendations, we are disappointed that the company has not adequately addressed the critical issue of consent," Commissioner Therrien says.
"We remain hopeful that Bell will reconsider its position but are prepared to address this unresolved issue in accordance with our authorities under PIPEDA, which could involve taking the matter to the Federal Court."
The OPC will decide on next steps in the coming weeks.
Behaviourally targeted advertising is an emerging business trend and the OPC will be monitoring this trend closely going forward.
"This is not something exclusive to Bell," Commissioner Therrien says. "We will be reaching out to other organizations that are engaged in or considering this type of activity, including the wider telecommunications sector, as we believe others could benefit from our findings in this investigation."
About the Office of the Privacy Commissioner of Canada
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada. The Commissioner enforces two laws for the protection of personal information: the Privacy Act, which applies to the federal public sector; and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's federal private sector privacy law.
SOURCE Office of the Privacy Commissioner of Canada
For further information: Tobi Cohen, Office of the Privacy Commissioner of Canada, E-mail: [email protected]; NOTE: Journalists are asked to please send requests for interviews or further information via e-mail.