DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Google ads targeting Canadians using personal health info violate Canadian privacy law – Privacy Commissioner

Posted on January 15, 2014 by Dissent

The Canadian Press reports:

Canada’s interim privacy commissioner says Google has been caught afoul of the law by displaying web ads linked to a person’s health history.

An investigation led by Chantal Bernier, who has stepped in for outgoing privacy commissioner Jennifer Stoddart, backed up a man’s complaints that he was seeing so-called behavioural advertisements based on his web browsing history.

Read more on CBC News. The following press release was issued today by the Office of the Privacy Commissioner:

Google’s online advertising service used sensitive information about individuals’ online activities to target them with health-related advertisements, contrary to Canadian privacy law, an investigation has found.

In response to the investigation by the Office of the Privacy Commissioner of Canada, Google has agreed to take steps aimed at stopping the privacy-intrusive ads.

“We are pleased Google is acting to address this problem. Most Canadians consider health information to be extremely sensitive.  It is inappropriate for this type of information to be used in online behavioural advertising,” says Interim Privacy Commissioner Chantal Bernier.

“As Canadians spend more and more time online, they create a digital trail that can reveal a great deal about a person.  Organizations such as Google must ensure privacy rights are respected in this complex environment.”

The investigation was prompted by a complaint from a man with sleep apnea, a condition which affects breathing during sleep.

After searching online for medical devices to treat sleep apnea, the complainant was shocked to be suddenly “followed” by advertisements for such devices as he visited websites completely unrelated to the sleep disorder.

Testing by the Office of the Privacy Commissioner confirmed the complainant’s experience.  Ads for the medical devices were displayed on test sites about unrelated issues such as news and weather.

The investigation revealed that the complainant visited sites offering information about continuous positive airway pressure (CPAP) machines, which are used during sleep.  This resulted in a cookie being placed in the complainant’s browser.  The cookie ultimately triggered ads for sleep apnea devices to appear on the complainant’s screen when he visited websites that used Google’s advertising services.

Online behavioural advertising guidelines issued by the Office of the Privacy Commissioner of Canada two years ago make clear that advertisers should avoid collecting sensitive personal information, such as individuals’ health information, for the purpose of delivering tailored ads.

Google’s own privacy policy states that, when tailored ads are shown, the company will not associate a cookie or other identifiers with sensitive categories, such as race, religion, sexual orientation or health.

Google says the problem identified during the investigation relates to “remarketing campaigns” – which allow an advertiser to target ads to recent visitors to their site. Google acknowledged that some of the advertisers using its ad service do not comply with the corporation’s policy against interest-based advertising relating to sensitive issues.

The investigation identified shortcomings in Google’s monitoring systems.  The Office of the Privacy Commissioner recommended that Google develop a more formalized and rigorous system for reviewing advertisements for policy compliance.

In response to the Privacy Commissioner’s concerns, Google committed to:

  • Provide additional information to advertisers creating remarketing campaigns;
  • Increase monitoring of remarketing campaigns for possible violations of its policy;
  • Offer more training to its own staff in addressing potential policy violations; and
  • Upgrade its automated review system.

Google agreed to fully implement the recommendations by June 2014. The organization has acknowledged it has an obligation to do more to address this issue as advertisers may attempt to violate Google’s policy in the future.  The Office of the Privacy Commissioner appreciates Google’s commitment and urges individuals to flag any inappropriate ads to Google.

“We also have concerns about whether other advertising networks are complying with Canadian privacy law.  We will be contacting various advertising stakeholders in the near future to share these investigation results and remind them of their privacy obligations,” says Interim Commissioner Bernier.

The Office of the Privacy Commissioner benefited from collaboration with the U.S. Federal Trade Commission (FTC) over the course of the investigation. “We would like to express our appreciation for the FTC’s assistance,” the Interim Commissioner says.

Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, says: “We would like to congratulate the Office of the Privacy Commissioner of Canada for this important investigation involving online behavioural advertising. Privacy issues are increasingly global.  Working in partnership with other enforcement bodies is critical to protecting privacy rights domestically and around the world.”

You can read the official PIPEDA report here (pdf).

Category: Health Data

Post navigation

← Who hacked Nordstrom?
NY: Rockville Centre woman sentenced for role in ID theft scam →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Mysterious leaker GangExposed outs Conti kingpins in massive ransomware data dump
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • Class action settlement following ransomware attack will cost Fred Hutchinson Cancer Center about $52 million
  • Comstar LLC agrees to corrective action plan and fine to settle HHS OCR charges
  • Australian ransomware victims now must tell the government if they pay up
  • U.S. Sanctions Cloud Provider ‘Funnull’ as Top Source of ‘Pig Butchering’ Scams
  • Victoria’s Secret takes down website after security incident
  • U.S. Government Employee Arrested for Attempting to Provide Classified Information to Foreign Government
  • St. Cloud Provides Update on Ransomware Attack in 2024
  • Bradford Health Systems detected abnormal network activity in December 2023. They first sent out breach notices this week.

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.
  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare
  • Nebraska Bans Minor Social Media Accounts Without Parental Consent
  • Trump Taps Palantir to Compile Data on Americans
  • The US Is Storing Migrant Children’s DNA in a Criminal Database

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.