DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Google ads targeting Canadians using personal health info violate Canadian privacy law – Privacy Commissioner

Posted on January 15, 2014 by Dissent

The Canadian Press reports:

Canada’s interim privacy commissioner says Google has been caught afoul of the law by displaying web ads linked to a person’s health history.

An investigation led by Chantal Bernier, who has stepped in for outgoing privacy commissioner Jennifer Stoddart, backed up a man’s complaints that he was seeing so-called behavioural advertisements based on his web browsing history.

Read more on CBC News. The following press release was issued today by the Office of the Privacy Commissioner:

Google’s online advertising service used sensitive information about individuals’ online activities to target them with health-related advertisements, contrary to Canadian privacy law, an investigation has found.

In response to the investigation by the Office of the Privacy Commissioner of Canada, Google has agreed to take steps aimed at stopping the privacy-intrusive ads.

“We are pleased Google is acting to address this problem. Most Canadians consider health information to be extremely sensitive.  It is inappropriate for this type of information to be used in online behavioural advertising,” says Interim Privacy Commissioner Chantal Bernier.

“As Canadians spend more and more time online, they create a digital trail that can reveal a great deal about a person.  Organizations such as Google must ensure privacy rights are respected in this complex environment.”

The investigation was prompted by a complaint from a man with sleep apnea, a condition which affects breathing during sleep.

After searching online for medical devices to treat sleep apnea, the complainant was shocked to be suddenly “followed” by advertisements for such devices as he visited websites completely unrelated to the sleep disorder.

Testing by the Office of the Privacy Commissioner confirmed the complainant’s experience.  Ads for the medical devices were displayed on test sites about unrelated issues such as news and weather.

The investigation revealed that the complainant visited sites offering information about continuous positive airway pressure (CPAP) machines, which are used during sleep.  This resulted in a cookie being placed in the complainant’s browser.  The cookie ultimately triggered ads for sleep apnea devices to appear on the complainant’s screen when he visited websites that used Google’s advertising services.

Online behavioural advertising guidelines issued by the Office of the Privacy Commissioner of Canada two years ago make clear that advertisers should avoid collecting sensitive personal information, such as individuals’ health information, for the purpose of delivering tailored ads.

Google’s own privacy policy states that, when tailored ads are shown, the company will not associate a cookie or other identifiers with sensitive categories, such as race, religion, sexual orientation or health.

Google says the problem identified during the investigation relates to “remarketing campaigns” – which allow an advertiser to target ads to recent visitors to their site. Google acknowledged that some of the advertisers using its ad service do not comply with the corporation’s policy against interest-based advertising relating to sensitive issues.

The investigation identified shortcomings in Google’s monitoring systems.  The Office of the Privacy Commissioner recommended that Google develop a more formalized and rigorous system for reviewing advertisements for policy compliance.

In response to the Privacy Commissioner’s concerns, Google committed to:

  • Provide additional information to advertisers creating remarketing campaigns;
  • Increase monitoring of remarketing campaigns for possible violations of its policy;
  • Offer more training to its own staff in addressing potential policy violations; and
  • Upgrade its automated review system.

Google agreed to fully implement the recommendations by June 2014. The organization has acknowledged it has an obligation to do more to address this issue as advertisers may attempt to violate Google’s policy in the future.  The Office of the Privacy Commissioner appreciates Google’s commitment and urges individuals to flag any inappropriate ads to Google.

“We also have concerns about whether other advertising networks are complying with Canadian privacy law.  We will be contacting various advertising stakeholders in the near future to share these investigation results and remind them of their privacy obligations,” says Interim Commissioner Bernier.

The Office of the Privacy Commissioner benefited from collaboration with the U.S. Federal Trade Commission (FTC) over the course of the investigation. “We would like to express our appreciation for the FTC’s assistance,” the Interim Commissioner says.

Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, says: “We would like to congratulate the Office of the Privacy Commissioner of Canada for this important investigation involving online behavioural advertising. Privacy issues are increasingly global.  Working in partnership with other enforcement bodies is critical to protecting privacy rights domestically and around the world.”

You can read the official PIPEDA report here (pdf).

Category: Health Data

Post navigation

← Who hacked Nordstrom?
NY: Rockville Centre woman sentenced for role in ID theft scam →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • CoinMarketCap Hacked, Scrambles to Remove Malicious Wallet Verification Popup
  • Montana Attorney General launches investigation into Lee Enterprises data breach
  • AT&T gets preliminary approval for $177 million data breach settlement
  • Aflac notifies SEC of breach suspected to be work of Scattered Spider
  • Former JBLM soldier pleads guilty to attempting to share military secrets with China
  • No, the 16 billion credentials leak is not a new data breach — a wake-up call about fake news (Updated)
  • Tonga’s health system hit by cyberattack (1)
  • Russia Expert Falls Prey to Elite Hackers Disguised as US Officials
  • Proposed class action settlement in In re Netgain Technology litigation
  • Qilin Offers “Call a lawyer” Button For Affiliates Attempting To Extort Ransoms From Victims Who Won’t Pay

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Markup caught 4 more states sharing personal health data with Big Tech
  • Privacy in the Big Sky State: Montana’s Consumer Privacy Law Gets Amended
  • UK Passes Data Use and Access Regulation Bill
  • Officials defend Liberal bill that would force hospitals, banks, hotels to hand over data
  • US Judge Invalidates Biden Rule Protecting Privacy for Abortions
  • DOJ’s Data Security Program: Key Compliance Considerations for Impacted Entities
  • 23andMe fined £2.31 million for failing to protect UK users’ genetic data

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.