The Canadian Press reports:
Canada’s interim privacy commissioner says Google has been caught afoul of the law by displaying web ads linked to a person’s health history.
An investigation led by Chantal Bernier, who has stepped in for outgoing privacy commissioner Jennifer Stoddart, backed up a man’s complaints that he was seeing so-called behavioural advertisements based on his web browsing history.
Read more on CBC News. The following press release was issued today by the Office of the Privacy Commissioner:
Google’s online advertising service used sensitive information about individuals’ online activities to target them with health-related advertisements, contrary to Canadian privacy law, an investigation has found.
In response to the investigation by the Office of the Privacy Commissioner of Canada, Google has agreed to take steps aimed at stopping the privacy-intrusive ads.
“We are pleased Google is acting to address this problem. Most Canadians consider health information to be extremely sensitive. It is inappropriate for this type of information to be used in online behavioural advertising,” says Interim Privacy Commissioner Chantal Bernier.
“As Canadians spend more and more time online, they create a digital trail that can reveal a great deal about a person. Organizations such as Google must ensure privacy rights are respected in this complex environment.”
The investigation was prompted by a complaint from a man with sleep apnea, a condition which affects breathing during sleep.
After searching online for medical devices to treat sleep apnea, the complainant was shocked to be suddenly “followed” by advertisements for such devices as he visited websites completely unrelated to the sleep disorder.
Testing by the Office of the Privacy Commissioner confirmed the complainant’s experience. Ads for the medical devices were displayed on test sites about unrelated issues such as news and weather.
The investigation revealed that the complainant visited sites offering information about continuous positive airway pressure (CPAP) machines, which are used during sleep. This resulted in a cookie being placed in the complainant’s browser. The cookie ultimately triggered ads for sleep apnea devices to appear on the complainant’s screen when he visited websites that used Google’s advertising services.
Online behavioural advertising guidelines issued by the Office of the Privacy Commissioner of Canada two years ago make clear that advertisers should avoid collecting sensitive personal information, such as individuals’ health information, for the purpose of delivering tailored ads.
Google’s own privacy policy states that, when tailored ads are shown, the company will not associate a cookie or other identifiers with sensitive categories, such as race, religion, sexual orientation or health.
Google says the problem identified during the investigation relates to “remarketing campaigns” – which allow an advertiser to target ads to recent visitors to their site. Google acknowledged that some of the advertisers using its ad service do not comply with the corporation’s policy against interest-based advertising relating to sensitive issues.
The investigation identified shortcomings in Google’s monitoring systems. The Office of the Privacy Commissioner recommended that Google develop a more formalized and rigorous system for reviewing advertisements for policy compliance.
In response to the Privacy Commissioner’s concerns, Google committed to:
- Provide additional information to advertisers creating remarketing campaigns;
- Increase monitoring of remarketing campaigns for possible violations of its policy;
- Offer more training to its own staff in addressing potential policy violations; and
- Upgrade its automated review system.
Google agreed to fully implement the recommendations by June 2014. The organization has acknowledged it has an obligation to do more to address this issue as advertisers may attempt to violate Google’s policy in the future. The Office of the Privacy Commissioner appreciates Google’s commitment and urges individuals to flag any inappropriate ads to Google.
“We also have concerns about whether other advertising networks are complying with Canadian privacy law. We will be contacting various advertising stakeholders in the near future to share these investigation results and remind them of their privacy obligations,” says Interim Commissioner Bernier.
The Office of the Privacy Commissioner benefited from collaboration with the U.S. Federal Trade Commission (FTC) over the course of the investigation. “We would like to express our appreciation for the FTC’s assistance,” the Interim Commissioner says.
Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, says: “We would like to congratulate the Office of the Privacy Commissioner of Canada for this important investigation involving online behavioural advertising. Privacy issues are increasingly global. Working in partnership with other enforcement bodies is critical to protecting privacy rights domestically and around the world.”
You can read the official PIPEDA report here (pdf).