Privacy in an Interconnected World What are the Limits?

Privacy in an Interconnected World What are the Limits? ACA Conference – Marketing and the Law: Negotiating the Minefield. Toronto: December 6, 2011. Moderator: David Young, Partner, McMillan LLP. Panelists: Tarik Qahawish, Director, Digital Marketing and Communications, Aeroplan; Paula Gignac, President, IAB Canada; Bill Hearn, Partner, McMillan LLP.

Transcript of Privacy in an Interconnected World What are the Limits?

Page 1: Privacy in an Interconnected World What are the Limits?

Privacy in an Interconnected World

What are the Limits?

ACA Conference – Marketing and the Law: Negotiating the Minefield

Toronto: December 6, 2011

Moderator: David Young, Partner, McMillan LLP

Panelists: Tarik Qahawish, Director, Digital Marketing and Communications, Aeroplan

Paula Gignac, President, IAB Canada

Bill Hearn, Partner, McMillan LLP

Page 2: Privacy in an Interconnected World What are the Limits?

PRIVACY ON THE INTERNET

Do privacy laws / principles apply to the Internet?

Expectation of privacy – How do users experience privacy?

Privacy Model –

• Rights protected

• Protection mechanisms (e.g. consent)

• Balancing rules with other considerations (e.g. innovation; user benefits; web site finance)

How does this experience map into existing privacy frameworks?

How does privacy compliance evolve beyond links to legalese?

Should users’ experience of privacy online equate to what they expect offline?

Page 3: Privacy in an Interconnected World What are the Limits?

CONFIDENTIAL — NOT FOR DISTRIBUTION

PRIVACY IN AN INTERCONNECTED WORLD WHAT ARE THE LIMITS?

TARIK QAHAWISH

Director, Digital Marketing & Communications

MARKETING AND THE LAW: NEGOTIATING THE MINEFIELD

6 DEC, 2011

Page 4: Privacy in an Interconnected World What are the Limits?

CONSUMER ATTITUDE TOWARDS PRIVACY

• 2011 Canadians and Privacy Survey*

– 55% of Canadians expressed privacy concerns related to social networking sites, while only one in ten (10%) were not concerned and a third (33%) were somewhat concerned.

– However, 64% felt that these sites provided them with the options or settings they needed to protect their privacy, and 80% had changed the default settings to increase their privacy protection.

• Aeroplan Panel Research on Member Privacy

– 95% of members surveyed agreed that Aeroplan protects their privacy

– How would you rate aeroplan.com on security & confidentiality? 64% checked the top 3 boxes (1 = Poor and 10 = Excellent)

* Harris/Decima Survey presented to the Office of the Privacy Commissioner of Canada – Mar 31, 2011

Page 5: Privacy in an Interconnected World What are the Limits?

DATA TRACKING TODAY

• Web Personalization Today Leverages:

– Web site traffic analytics tools, cookies, shopping recommendation engines, wisdom of the crowd.

– Transactional & demographic data from Customer Data Warehouse

– All designed to personalize & improve the user experience on the Web and deliver relevant offers

• Behavioural Targeting or Remarketing Extends the Personalization

Page 6: Privacy in an Interconnected World What are the Limits?

DATA TRACKING TODAY

• Data Exchanges & Real Time Bidding

– 3rd party tracking technologies (e.g., beacons, flash cookies, pixels) are installed on Internet users’ computers

• Top 50 US websites on average install 64 pieces of tracking technology onto the computers of visitors [1]

– Data exchanges package the data into profiles about individuals, without determining a person's name, and sell them for ad targeting.

– Most provide users the ability to see what they monitor and to opt out

– Accounts for 10% of banner ad spend in Canada

[1] WSJ – The Web’s New Gold Mine – Jul 30, 2010

Page 7: Privacy in an Interconnected World What are the Limits?

DATA EXPLOSION

[Image: Ghostery.com cookie & beacon list from a financial site]

Page 8: Privacy in an Interconnected World What are the Limits?

SOCIAL INTEREST GRAPH

• EXPLOSION OF CONSUMER DATA FROM NEW DIGITAL MEDIA

– Over 1 million sites have social plug-ins installed (e.g., “Like”, “Share”, “Check-in”)

– Facebook Connect provides sites with a wealth of information that most don’t know what to do with.

– Social Open Graph brings along the user’s friends, their interests and profiles, and helps brands become part of the social circle.

– Social networks want sites to use the data in order to:

• Showcase their value outside their network

• This in return helps users feel more comfortable, and gives them a reason to provide even more data

• More data means better targeting on the social network’s own ad platform

• WHO OWNS THE DATA?

– Consumer?

– Social network?

– Web site?

– Cloud Storage provider?!?

Page 9: Privacy in an Interconnected World What are the Limits?

SOCIAL INTEREST GRAPH

Page 10: Privacy in an Interconnected World What are the Limits?

BEST PRACTICE

DON’T BE CREEPY

– Behavioural targeting shouldn’t use personal information

– Don’t be a stalker and follow the user everywhere (e.g., Zappos)

AVOID IMPRESSION FATIGUE

– Limit the length of the Remarketing period to an appropriate time

– Start with small tests, optimize and build on them

LESS DATA IS MORE

– Use data you can store and avoid too much reliance on Cloud Storage

– Over profiling or modeling can be a vicious circle

PROVIDE VALUE IN RETURN

– Clearly identify the value to the user when requesting social media data

Page 11: Privacy in an Interconnected World What are the Limits?

THANK YOU


Page 12: Privacy in an Interconnected World What are the Limits?

Copyright © 2011 Interactive Advertising Bureau of Canada

OBA Self-Regulatory Program

Presented by Paula Gignac, President, IAB Canada

Page 13: Privacy in an Interconnected World What are the Limits?

The Association Coalition Behind The Program

• L’Association des agences de publicité du Québec (AAPQ)

• The Association of Canadian Advertisers (ACA)

• Advertising Standards Canada (ASC)

• Le Conseil des directeurs médias du Québec (CDMQ)

• The Canadian Marketing Association (CMA)

• The Canadian Media Directors’ Council (CMDC)

• The Interactive Advertising Bureau Of Canada (IAB Canada)

• Institute of Communication Agencies (ICA)

Page 14: Privacy in an Interconnected World What are the Limits?

Canada’s Advertising Industry Self-Regulation Framework For Online Behavioural Advertising

• Transparency

– Provide Consumers with immediate notice when the Websites that they are visiting are supplying them with Online Behavioural Advertising

• Education

– Provide Consumers with one-click access to clear and concise Web-based educational information about Online Behavioural Advertising

• Choice

– Provide Consumers with education & one-click access for a full opt-out of Online Behavioural Advertising

• Accountability

– Ensure that Consumers’ opt-out preferences are retained over the long-term

Page 15: Privacy in an Interconnected World What are the Limits?

Implementation Examples

Page 16: Privacy in an Interconnected World What are the Limits?

The OBA Opt-Out Tool

Page 17: Privacy in an Interconnected World What are the Limits?

Timeline For Program Implementation

• Q1 2012 – Educational Webinars

• Q2 2012 – Various Publishers Begin Implementation

Page 18: Privacy in an Interconnected World What are the Limits?

OBA Self-Regulatory Program

Presented by Paula Gignac, President, IAB Canada

Page 19: Privacy in an Interconnected World What are the Limits?

The Law and Self-Regulatory Principles for Behavioural Advertising

Bill Hearn, Partner, McMillan LLP

Page 20: Privacy in an Interconnected World What are the Limits?

Overview

– What is behavioural advertising and what are the main consumer protection concerns raised by it?

– What does Canadian law say about behavioural advertising?

– How has industry responded in Canada and elsewhere to the concerns of consumers and regulators?

– How have regulators in Canada and elsewhere weighed in on behavioural advertising?

Page 21: Privacy in an Interconnected World What are the Limits?

What is Behavioural Advertising?

– OPC Definition: “…consists of tracking consumers’ online activities over time in order to deliver advertisements that are targeted to individuals’ inferred interests”*

– Also sometimes called online behavioural advertising (OBA) or interest-based advertising (IBA)

* From Report on 2010 OPC Consultations on Online Tracking, Profiling and Targeting, and Cloud Computing – Draft October 2010 and Final May 2011

Page 22: Privacy in an Interconnected World What are the Limits?

Downside and Why Regulators & Some Consumers Are Concerned

– Canadians generally wary about the collection of their personal information online

– Under Canadian privacy laws, “personal information” means “information about an identifiable individual and includes age, name, income, ethnic origin, opinions, comments, preferences, social status … but does not include the name, title or business address or telephone number of an employee of an organization”

– Findings from OPC-Commissioned Canadians and Privacy Surveys

• 2009: 90% of respondents concerned about the impacts of new technologies

• 2011: 83% of respondents said Internet companies should ask their customers for permission to track their online behaviour and Internet usage

Page 23: Privacy in an Interconnected World What are the Limits?

Downside and Why Regulators & Some Consumers Are Concerned

– Increasingly sophisticated forms of technology

– Provide for tracking of online and offline activities

– Privacy concerns and the issue of informed, meaningful consent to track

Page 24: Privacy in an Interconnected World What are the Limits?

Downside and Why Regulators & Some Consumers Are Concerned

– Security concerns regarding the safe collection and retention of sensitive personal information

– e.g., SIN number, home address, financial account number, geographic location, personal history

– Lack of consumer education and knowledge about the risks involved and corresponding privacy rights

Page 25: Privacy in an Interconnected World What are the Limits?

What does Canadian law say?

– Technology leading consumer protection law in new directions

– Classic case of law catching up to new technologies

– That said, in many instances, existing law can still be applied to address consumer protection concerns

– And new laws are on the horizon – e.g., CASL

Page 26: Privacy in an Interconnected World What are the Limits?

What does Canadian law say?

The starting point - addressing the “privacy” concern …

– Privacy Laws

– The collection, use and disclosure of personal information for commercial purposes by private organizations in Canada is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA)

– British Columbia, Alberta and Quebec have legislation “substantially similar” to PIPEDA regulating the private sector

Page 27: Privacy in an Interconnected World What are the Limits?

What does Canadian law say?

– Privacy Laws

– PIPEDA and these provincial laws (collectively, “Privacy Laws”) provide that:

• Private organizations may only collect, use or disclose personal information

– for purposes that are reasonable, and only to the extent necessary to fulfil those purposes

– when they have notified the individual of the purposes for the collection and with the consent of the individual whose information is being collected, used or disclosed (unless one of the exceptions applies and consent is not necessary)

• The consent must be informed, meaning the organization has informed the individual of the reason the information is being collected, how it is going to be used, and to whom it may ultimately be disclosed

Page 28: Privacy in an Interconnected World What are the Limits?

What does Canadian law say?

– Privacy Laws

– Compliance with Privacy Laws when carrying out behavioural advertising requires that:

• the consumer’s knowledge and consent have been obtained

• the personal information gathered is only for the purposes identified

• the personal information gathered is only used or disclosed as is necessary

• any collection, use and disclosure of information is reasonably needed to carry out the purposes required

• there is a privacy compliance program in the organization to address the collection, use and disclosure of personal information for behavioural advertising

Page 29: Privacy in an Interconnected World What are the Limits?

What does Canadian law say?

– Privacy Laws

– Consequences for not complying with PIPEDA:

• OPC may investigate or audit organization’s privacy practices and issue public report detailing findings … but OPC has no power to make binding orders

• OPC or individual may apply to Federal Court seeking the imposition of fines, sanctions, criminal liability, and/or civil damages (including those for humiliation – there is no monetary ceiling on such damages)

Page 30: Privacy in an Interconnected World What are the Limits?

What does Canadian law say?

Addressing the “deception” concern …

– Federal Competition Act

– Is a behavioural advertising campaign implemented without the knowledge and consent of consumers “deceptive advertising” under Canadian competition law?

• No one shall, for the purpose of promoting a product or business interest, make a representation to the public that is deceptive in a material respect

• Don’t need to prove any consumer was actually deceived

• General impression and literal meaning taken together govern

• Even if only inadvertently contravened, the civil sanctions may still be substantial monetary penalties of up to $10 million (for first contravention) and up to $15 million (for each subsequent contravention)

• If knowingly or recklessly contravened, the criminal sanctions may be up to 14 years in jail, an unlimited fine, or both

– Also a risk of civil liability for damages in a private action by class of disgruntled consumers

Page 31: Privacy in an Interconnected World What are the Limits?

What does Canadian law say?

Addressing the “deception” concern

– Provincial/Territorial Consumer Protection Laws

– Is a behavioural advertising campaign implemented without the knowledge and consent of consumers an “unfair practice” under Ontario’s Consumer Protection Act (CPA)?

• “Unfair practice” includes a deceptive representation … e.g., one that fails to state a material fact that tends to deceive … or one that misrepresents the purpose of any communication with a consumer

• Engaging in an “unfair practice” is an offence under the CPA

• Note: CPA applies to “suppliers” in Ontario even if targeting only consumers outside Ontario

Page 32: Privacy in an Interconnected World What are the Limits?

What does Canadian law say?

Addressing the “deception” concern

– Provincial/Territorial Consumer Protection Laws

– Is a behavioural advertising campaign implemented without the knowledge and consent of consumers an “unfair practice” under Ontario’s Consumer Protection Act (CPA)?

• A convicted company could be fined up to $250K and its directors and officers fined up to $50K, jailed for up to two years less a day, or both, unless they have taken reasonable care to prevent the offence

• A court may also order the convicted company and/or its directors and officers to pay compensation to affected consumers

– Remember also to comply with any unique aspects of the consumer protection laws in other provinces/territories – especially Quebec’s Consumer Protection Act (consider adopting highest common denominator)

Page 33: Privacy in an Interconnected World What are the Limits?

What does Canadian law say?

– Canada’s Anti-Spam Law (CASL)

– Requires consent before sending commercial electronic messages

– Prohibits the collection of personal information via unlawful access to computers or unauthorized collection of electronic addresses

– Anticipated to come into force by Q2 2012 following passing of revised draft CASL Regs (not yet published)

– Substantial penalties and multi-faceted enforcement mechanisms – 3 agencies involved: CRTC (CASL), Competition Bureau (Competition Act) and OPC (PIPEDA) with Industry Canada playing an oversight role as National Coordinating Body

Page 34: Privacy in an Interconnected World What are the Limits?

How is industry responding?

– Self-Regulatory Principles & Guidelines – Chronology

– 2008 NAI Principles: The Network Advertising Initiative's Self-Regulatory Code of Conduct

– [FTC Staff Report: Self-Regulatory Principles for Online Behavioral Advertising (February 2009)]

– World Federation of Advertisers: Global Principles for Self-Regulation in Online Behavioral Advertising (June 2009)

– Digital Alliance Initiative (DAA) Self-Regulatory Principles for Online Behavioral Advertising (July 2009)

Page 35: Privacy in an Interconnected World What are the Limits?

How is industry responding?

– Self-Regulatory Principles & Guidelines – Chronology

– Coalition of Canadian Associations (i.e., AAPQ, ACA, ASC, CDMQ, CMA, CMDC, IAB Canada, ICA) (the “Coalition”) starts developing framework for industry self-regulation of behavioural advertising in Canada (June 2009) and announces framework (March 2010 and again August 2011)

– Canadian Marketing Association (CMA) – Addition to Code of Ethics to address concerns with behavioural advertising (December 2010)

– World Wide Web (W3C) First Draft of Proposed Standards for Implementing “Do Not Track” Online (November 2011 – Final due summer 2012)

– Coalition through IAB Canada launches behavioural advertising program and opt-out tool with Q1-Q2, 2012 timeline for implementation (December 2011)

Page 36: Privacy in an Interconnected World What are the Limits?

How is industry responding?

Self-Regulatory Principles & Guidelines - Comparing the Details

Page 37: Privacy in an Interconnected World What are the Limits?

How is industry responding?

– Self-Regulatory Principles & Guidelines

– 2008 NAI Principles: The Network Advertising Initiative's Self-Regulatory Code of Conduct (2008)

• NAI first developed guidelines in 2000 and has periodically updated them

• Code requires NAI member companies to comply with certain notice, choice, use, limitation, access, reliability and security requirements which include

– Disclosing their behavioural advertising practices in their privacy policies

– Offering an easy-to-use opt-out link

Page 38: Privacy in an Interconnected World What are the Limits?

How is industry responding?

– Self-Regulatory Principles & Guidelines

– World Federation of Advertisers: Global Principles for Self Regulation in Online Behavioural Advertising (June 2009)

• Crisp one pager espousing seven global principles:

– Education

– Transparency

– Consumer control

– Data security

– Material changes

– Sensitive data

– Accountability

Page 39: Privacy in an Interconnected World What are the Limits?

How is industry responding?

– Self-Regulatory Principles & Guidelines

– DAA’s Self-Regulatory Principles for Online Behavioural Advertising (July 2009)

• Largely mirror FTC’s February 2009 Principles – i.e., that consumers should understand the behavioural advertising uses of their data and more easily find and use a persistent opt-out mechanism

• On October 4, 2010, the DAA announced the implementation of its industry principles into practice through a Self-Regulatory Program for Online Behavioural Advertising (the “DAA Program”)

Page 40: Privacy in an Interconnected World What are the Limits?

How is industry responding?

– Self-Regulatory Principles & Guidelines

– DAA’s Self-Regulatory Principles for Online Behavioural Advertising (July 2009)

• The DAA Program includes the following main components:

– Participants must display an icon and accompanying language to inform consumers about data collection and use practices (e.g., the icon indicates that the advertising is targeted and constitutes behavioural advertising)

– A single, industry-developed website that allows consumers to opt out of behavioural advertising practices of companies participating in the DAA Program

– A website dedicated to informing consumers about behavioural advertising and the DAA Program

– Mechanisms for accountability and enforcement of the DAA Program

– Campaigns for greater consumer education about behavioural advertising

Page 41: Privacy in an Interconnected World What are the Limits?

How is industry responding?

– Self-Regulatory Principles & Guidelines

– With the Coalition of Canadian Associations having designed a self-regulatory framework for behavioural advertising based on the four elements of transparency, education, choice and accountability (work having started in June 2009 leading to the framework being announced in March 2010 and again in August 2011), IAB Canada launches behavioural advertising program and opt-out tool with Q1-Q2, 2012 timeline for implementation (December 2011)

Page 42: Privacy in an Interconnected World What are the Limits?

How is industry responding?

– Self-Regulatory Principles & Guidelines

– Addition to the Canadian Marketing Association (CMA) Code of Ethics to address concerns with behavioural advertising (December 2010)

• Acknowledges that web browsing data may be considered personal information to which Canadian privacy laws apply

• Recommends exercising transparency, and obtaining appropriate consent from consumers, regarding behavioural advertising practices

• Recommends that marketers not engage in behavioural marketing aimed at children under 13 except where express opt-in consent has been obtained from child’s parent/guardian

Page 43: Privacy in an Interconnected World What are the Limits?

How is industry responding?

– Industry Standards

– Technology initiatives designed to empower consumers, specifically browser implementation of do-not-track functionality

– World Wide Web Consortium (W3C): proposed standards for implementing “Do Not Track” online – first draft released in November 2011; final due out by summer of 2012

• Working Group includes Google, Facebook, Microsoft, IBM, Mozilla and several big privacy organizations including the US-based Centre for Democracy and Technology and Electronic Frontier Foundation, and several interactive advertising organizations

• US FTC and German independent Centre for Privacy Protection also advising Group

Page 44: Privacy in an Interconnected World What are the Limits?

How is industry responding?

– Industry Standards

– W3C’s Proposed Do-Not-Track Standards

• Striving to “balance needs of privacy-conscious consumers with the data-collection demands of online advertising by matching expectations of users”

• Tracking Preference Expression Standard - How consumers can express their tracking preferences (i.e., how a browser can tell a website that a user wants more privacy)

• Tracking Compliance and Scope Specification Standard - How websites and their affiliates will acknowledge those preferences (i.e., how websites should comply with Do Not Track preferences)

Page 45: Privacy in an Interconnected World What are the Limits?

How Canadian Regulators Are Responding

– Nothing from federal Competition Bureau or provincial/territorial consumer protection regulators – e.g., Director under Ontario’s Ministry of Consumer Services

– Not surprising if industry’s self-regulatory principles have addressed the possible “deception” issue with “transparency” and “education”

– Federal OPC continues to lead on “privacy” concerns

Page 46: Privacy in an Interconnected World What are the Limits?

How OPC Is Responding

– OPC Investigation of Facebook (2010)

– Recognized distinction between “contextual” advertising (delivered in response to current online activities without collection and retention of personal information – e.g., a user visits a holiday site and while on that site receives advertising for hotels in the area) and “behavioural” advertising (which entails the collection and retention over time of personal data and involves consumer tracking)

– Concluded that behavioural advertising is more intrusive than contextual advertising because it targets activities and connects them to identity

– Resulted in Facebook developing simplified privacy settings and rolling out a permission-based model whereby applications inform users of the categories of data they require to run and seek consent to access and use this data

Page 47: Privacy in an Interconnected World What are the Limits?

How OPC Is Responding

– OPC’s Reports on Online Tracking, Profiling and Targeting, and Cloud Computing – Draft (October 2010), Final (May 2011)

– Organizations that engage in behavioural advertising should collect personal information only for reasonable and appropriate purposes

– Organizations that track the online activities of Canadian consumers should be upfront about their practices

– Consumers must provide meaningful informed consent before profiling and targeting technologies using their personal information are implemented

– Supports the permission-based model and use of technical controls to ensure access only to information specifically requested

Page 48: Privacy in an Interconnected World What are the Limits?

How OPC Is Responding

– OPC’s Reports on Online Tracking, Profiling and Targeting, and Cloud Computing – Draft (October 2010), Final (May 2011)

– Individuals should feel comfortable creating online profiles and engaging on social networking websites without becoming unintended consumers

– Data must expire as PIPEDA is clear that personal information can only be kept as long as it is needed

– There is a need to address the serious issue of tracking the personal information and online activities of children

Page 49: Privacy in an Interconnected World What are the Limits?

How OPC Is Responding

– OPC Issues Guidelines for Behavioural Advertising

– New guidance document, to be released December 6, 2011, to help organizations involved in behavioural advertising ensure their practices comply with PIPEDA

– Will also help consumers know their rights under PIPEDA

Page 50: Privacy in an Interconnected World What are the Limits?

How Other Regulators Are Responding

– US FTC Staff Report: Self-Regulatory Principles for Online Behavioral Advertising (February 2009)

– US FTC Preliminary Staff Report: Protecting Consumer Privacy in an Era of Rapid Change - Proposed Framework for Businesses and Policymakers (December 2010)

– EU Directive, with effect May 25, 2011 and subject to one narrow exception, requires companies with European customers to get informed consent from such visitors to their websites in order to use cookies

– Australia’s Privacy Commissioner also engaged – i.e., released Fact Sheets on behavioural advertising (May 2011)

Page 51: Privacy in an Interconnected World What are the Limits?

How Other Regulators Are Responding

Comparing the Details

Page 52: Privacy in an Interconnected World What are the Limits?

How Other Regulators Are Responding

– US FTC Staff Report: Self-Regulatory Principles for Online Behavioral Advertising (February 2009)

– Report set out advisory principles for self-regulation and followed consultations in November 2007 and the issuance for public comment by FTC staff of a set of proposed principles designed to serve as the basis for industry self-regulatory efforts

– The principles called for:

• transparency and consumer control

• reasonable security for consumer data

• companies to obtain “opt-in” (i.e., affirmative express) consent from consumers:

– before they use data in a manner that is materially different than promised at the time of collection and

– before they collect and use “sensitive” consumer data for behavioral advertising

Page 53: Privacy in an Interconnected World What are the Limits?

How Other Regulators Are Responding

– US FTC Staff Report: Self-Regulatory Principles for Online Behavioral Advertising (February 2009)

– “First party” advertising (i.e., advertising by and at a single website – where no data is shared with third parties) is more likely to be consistent with consumer expectations and less likely to lead to consumer harm than other forms of behavioral advertising; includes first party data collection and analysis for website optimization (analytics)

– Also less likely to be invasive is “contextual” advertising (i.e., advertising based on a consumer’s current visit to a single web page or a single search query that involves no retention of data about a consumer’s online activities beyond that necessary for the immediate delivery of an ad or search result)

– FTC concluded the principles did not need to cover these practices

Page 54: Privacy in an Interconnected World What are the Limits?

How Other Regulators Are Responding

– US FTC Preliminary Staff Report: Protecting Consumer Privacy in an Era of Rapid Change - Proposed Framework for Businesses and Policymakers (December 2010)

– Follows consultations in 2010, provides a preliminary indication on how the FTC believes consumer privacy should be protected going forward, and proposes new framework for addressing the commercial use of commercial data building on the notice-and-choice model and the harm-based model

Page 55: Privacy in an Interconnected World What are the Limits?

How Other Regulators Are Responding

– US FTC Preliminary Staff Report: Protecting Consumer Privacy in an Era of Rapid Change - Proposed Framework for Businesses and Policymakers (December 2010)

– Endorses Ontario Privacy Commissioner’s “Privacy by Design” and “Privacy Payoff” concepts – i.e., that companies should systematically build consumer privacy protections into their everyday business practices, such protections to include:

• Providing reasonable security for consumer data

• Collecting only the data needed for a specific business purpose

• Retaining the data only for as long as necessary to fulfill that purpose

• Safely disposing of data no longer being used

• Implementing reasonable procedures to promote data accuracy

Page 56: Privacy in an Interconnected World What are the Limits?

How Other Regulators Are Responding

– US FTC Preliminary Staff Report: Protecting Consumer Privacy in an Era of Rapid Change - Proposed Framework for Businesses and Policymakers (December 2010)

– Proposes that companies provide choices to consumers about their data practices in a simpler, more streamlined way than has been done in the past

– Proposes measures for companies to make their data practices more transparent to consumers including making privacy policies clearer, more concise and easier-to-read

– Proposes providing consumers with reasonable access to the data companies maintain about them

Page 57: Privacy in an Interconnected World What are the Limits?

How Other Regulators Are Responding

– US FTC Preliminary Staff Report: Protecting Consumer Privacy in

an Era of Rapid Change - Proposed Framework for Businesses

and Policymakers (December 2010)

– Proposes that stakeholders undertake a broad effort to educate consumers about

commercial data practices and the choices available to them so as to facilitate

“competition on privacy” across companies

– Supports development of a do-not-track mechanism and better tools that allow

consumers to control the collection and use of information collected online

• For instance, by placing a persistent setting, similar to a cookie, on a consumer’s

browser, signaling the consumer’s choices about being tracked and receiving

targeted ads

Page 58: Privacy in an Interconnected World What are the Limits?

How Other Regulators Are Responding

– US FTC Preliminary Staff Report: Protecting Consumer Privacy in

an Era of Rapid Change - Proposed Framework for Businesses

and Policymakers (December 2010)

– FTC believes it does not have legal authority to develop and implement a

do-not-track requirement, indicating it must be accomplished through legislation or private

sector efforts

– Two of the five FTC Commissioners, while concurring with the Staff’s Preliminary

Report, have expressed reservations about a do-not-track mechanism (i.e., that it is

premature, may not be technically feasible but if so, should be opt-in)

– Final Report likely to be issued by end of Q1 2012

Page 59: Privacy in an Interconnected World What are the Limits?

How Other Regulators Are Responding

– EU Regulatory Developments, 2011

– A recent EU Directive (with Pan-EU effect as of May 25, 2011) requires companies

with European customers to get informed consent from such visitors to their websites

in order to use cookies; the only exception to this rule is where the website operator is

doing something that is “strictly necessary” for a service specifically requested by the

user

– Old EU law required the website operator only to tell website users how the operator

uses cookies and how users can “opt out” if they object

– The UK Information Commissioner’s Office (ICO) has published guidance on

compliance from a UK perspective

Page 60: Privacy in an Interconnected World What are the Limits?

How Other Regulators Are Responding

– EU Regulatory Developments, 2011

– ICO’s Guidance includes that:

• Information must be provided about a cookie before a cookie is set for the first

time

• Once consent is obtained, a website operator need not seek consent again for

the same person each time the same cookie (for the same purpose) is used in

the future

• The “strictly necessary” exception is a narrow one – e.g.,

– it allows a website operator to place a cookie on a user’s computer when

the user has chosen the goods they wish to buy, clicks “add to basket”, and

the website “remembers” what the user chose on a previous page

– it does not allow a website operator to place a cookie just because the

website would be more attractive if it remembered users’ preferences or

because the operator wishes to collect statistical information about use of

the website

Page 61: Privacy in an Interconnected World What are the Limits?

How US Legislators Are Responding

– Three bills have been introduced in Congress in 2011 to deal with online

tracking:

– Do Not Track Me Online Act (February 2011)

– Do-Not-Track Online Act of 2011 (May 2011)

– Do Not Track Kids Act of 2011 (May 2011)

– “The narrow scope of these bills, together with the support of the

do-not-track mechanism derived from the success of the Do-Not-Call Registry,

makes them compelling candidates for action this term.”

– Morrison & Foerster LLP, July 2011

Page 62: Privacy in an Interconnected World What are the Limits?

Summary Coalition of Canadian Associations – 4 elements of Framework

1. Transparency

– Provide consumers with immediate notice when websites they are visiting are

supplying them with behavioural advertising. This notice can be provided via an

icon placed on the behavioural ads themselves or in other prominent areas on the

websites being visited

2. Education

– Provide consumers with one-click access to clear and concise web-based

educational information about behavioural advertising so consumers may learn:

– The nature of these practices

– How and when their privacy is protected within various targeted advertising

processes

– How to protect themselves in areas on the Internet that represent security

risks to their privacy

Page 63: Privacy in an Interconnected World What are the Limits?

Summary Coalition of Canadian Associations – 4 Elements of Framework

3. Choice

– Educate consumers with practical skills (e.g., how to use privacy settings, control

cookies by altering browser preferences, delete an account, use pseudonyms) and

give them one-click access for full opt-out of behavioural advertising should they

desire to do so

4. Accountability

– Develop and maintain an accountability program to ensure that consumers’ opt-out

preferences are retained over the long-term

– Program to include an independent consumer complaint mechanism to be

developed in consultation with Advertising Standards Canada (ASC)

Page 64: Privacy in an Interconnected World What are the Limits?

Some Conclusions

– Main consumer concerns are protection of privacy and protection against

deception

– Canada’s privacy laws can be applied to address consumer privacy concerns

– Canada’s competition and consumer protection laws can be applied to address

consumer deception concerns

– Industry has responded in Canada and elsewhere with self-regulatory principles,

guidelines and standards

– Regulators have responded in Canada and elsewhere with consultations,

investigations and guidelines

– Some legislators have responded with proposed new laws

– This body of law and the self-regulatory principles, guidelines and standards will

likely remain fluid and grow for some time

Page 65: Privacy in an Interconnected World What are the Limits?

CONCEPTIONS, EXPECTATIONS &

LIMITATIONS

What do we mean by “privacy” on the Internet?

• Definitional gaps

• Generational gaps

• Expectation Gaps

• Social Networks v. Online Shopping v. Online Targeted Advertising v.

Online e-mail

• Just how private is “Private browsing”?

Page 66: Privacy in an Interconnected World What are the Limits?

CONCEPTIONS, EXPECTATIONS &

LIMITATIONS (cont’d)

User Knowledge and the User Experience

• What is going on behind the scenes?

• Do users fully understand the processes and

the players involved in online advertising? In

social networking? Do they care?

• The manner in which users are made to

understand how their personal information is

being accessed and used online.

Page 67: Privacy in an Interconnected World What are the Limits?

ISSUES

The Social Web --

• What does this mean?

• Is the Social Web different from Social Networks?

• What does the Social Web ecosystem look like?

• authentication

• Content

• third party developers

• advertising

• What is the user experience?

Page 68: Privacy in an Interconnected World What are the Limits?

ISSUES (cont’d)

Data Mining

• What is it?

• Data-based decision-making

• Conflicts with privacy?

• User expectations

• Commodification of data

Page 69: Privacy in an Interconnected World What are the Limits?

ISSUES (cont’d)

• “Personal Information” vs. “Personally Identifiable

Information”

• Location-based marketing

• Facial recognition

• photo-tagging

• predictive messages

• personally-directed messages

Page 70: Privacy in an Interconnected World What are the Limits?

PRIVACY AND INNOVATION

Generative v. Closed Systems

• Regulators like gatekeepers

• How does this relate to privacy regulation?

Privacy user experience

• What should privacy controls look like?

• Can there be too much choice?

• How do we design the social web in a way that

looks like real life?

Page 71: Privacy in an Interconnected World What are the Limits?

Privacy in an Interconnected World

What are the Limits?

ACA Conference – Marketing and the Law: Negotiating

the Minefield

Toronto: December 6, 2011

Moderator: David Young, Partner, McMillan LLP

Panelists: Tarik Qahawish, Director,

Digital Marketing and Communications,

Aeroplan

Paula Gignac, President, IAB Canada

Bill Hearn, Partner, McMillan LLP