Given the time of year, many Canadians are spending extended time in malls.
By now, most have come to terms with the fact that security cameras survey nearly every corner of every store.
This is well known -- and if stores obey Canada's private sector privacy law, they provide notice.
In short, if you're out shopping, you're informed that you're on camera.
But how would you feel if there were people on the other side of the cameras, not simply monitoring to see what you might steal, but instead keeping tabs on the specific stores you visited, the specific brands, styles, colours and sizes of clothes you tried on, the magazines you leafed through at newsstands, what you ordered from the food court, and everything you actually bought from stores during your visit?
Copious notes would be recorded throughout and filed upon your exit.
Upon returning, you would be recognized and new data would be entered into your file accordingly.
This may sound far-fetched, but something similar is happening regularly to eight in 10 Canadians aged 16 and older, according to Statistics Canada's latest figures.
While it's not actually happening to people browsing in malls, it is happening to most anyone browsing online, through a practice called behavioural advertising.
Online advertising used to simply consist of mini-billboards that came up for everyone who visited a certain page or made a particular search query.
Today, increasingly, ads are based on profiles compiled on us by tracking our browsing activity over time.
It's usually carried out by third parties who follow users via cookies or web beacons.
These effectively lay a trail of digital bread crumbs, which are tracked and analyzed to determine your interests based on where and what you click and, in turn, which ads may interest you. Those ads are then effectively "beamed" onto pages when you visit.
Some people appreciate ads being tailored to them.
Others might feel like they're browsing in that earlier-described mall.
Either way, the information involved in this practice can identify individuals and will generally constitute personal information under Canada's private sector privacy law.
As a result, individuals must be made aware of what's happening when they browse and provide meaningful consent.
To be fair, this is a fairly new practice in the still evolving digital world. Some advertisers are making an effort to inform users and many may be unsure how to ply their trade in compliance with privacy law.
For example, what constitutes meaningful consent?
This is why my Office has just released new guidance, which explains that "opt-out" consent may be used so long as some conditions are met.
First, individuals must be:
- made aware of the purposes for the practice in a manner that is clear, obvious and understandable. In other words, one shouldn't have to hunt for it;
- informed of these purposes at or before the time of collection and should be provided with information about the parties involved in the advertising; and
- able to easily opt-out of the practice, ideally at or before the time the information is collected.
Second, the information collected:
- must be limited, to the extent practicable, to non-sensitive information (for example, avoiding sensitive data such as health information); and
- should be destroyed as soon as possible or "anonymised," so if someone gains access to it through, say, hacking, it can't be used to identify specific individuals.
Further, tracking techniques that users are unaware of and can't decline, such as web bugs, web beacons, and super cookies, should be avoided in the current context of behavioural advertising.
On top of this, websites specifically aimed at kids should not allow tracking for behavioural advertising, as it is difficult to obtain meaningful consent from children.
Attention to this is needed as a recent report noted 40 per cent of kids aged two to four have used a smartphone, tablet, or video iPod.
All told, in the months to come, we'll be watching the watchers to see that our guidance is being followed.
And if we see troubling trends, we'll take enforcement action.
This article first appeared on blog.privcom.gc.ca