Chapter 11
Online Privacy
Online privacy is governed by Canadian Privacy Statutes (discussed above). In general, Canadian privacy regulatory authorities have been active in addressing online privacy concerns.
For example, in the context of social media, the OPC has released numerous Reports of Findings addressing issues including:
- Default privacy settings
- Social plug-ins
- Identity authentication practices
- The collection, use and disclosure of personal information on social networking sites

The OPC has also released decisions and guidance on privacy in the context of mobile apps.
In addition, the OPC has released findings and guidelines related to the use of cookies and online behavioral advertising, including findings indicating that information stored by temporary and persistent cookies is considered to be personal information and therefore subject to PIPEDA. The OPC has adopted the same position with respect to information collected in connection with online behavioral advertising.
In ‘Privacy and Online Behavioral Advertising’, the OPC stated that it may be permissible to use opt-out consent in the context of online behavioral advertising if the following conditions are met:
- Individuals are made aware of the purposes for the online behavioral advertising, at or before the time of collection, in a manner that is clear and understandable
- Individuals are informed of the various parties involved in the online behavioral advertising at or before the time of collection
- Individuals are able to opt-out of the practice and the opt-out takes effect immediately and is persistent
- The information collected is non-sensitive in nature (i.e., not health or financial information), and
- The information is destroyed or made de-identifiable as soon as possible
The OPC has indicated that online behavioral advertising must not be a condition of service and, as a best practice, should not be used on websites directed at children.
Canadian privacy regulatory authorities also consider location data, whether tied to a static location or a mobile device, to be personal information. As such, any collection, use or disclosure of location data requires, among other things, appropriate notice and consent. Most of the privacy regulatory authority decisions related to location data have arisen with respect to the use of GPS in the employment context.
The Canadian privacy regulatory authorities provide the following test that must be met for the collection of GPS data (and other types of monitoring and surveillance activities):
- Is the data demonstrably necessary to meet a specific need?
- Will the data likely be effective in meeting that need?
- Is the loss of privacy proportional to the benefit gained?
- Are there less privacy-intrusive alternatives to achieve the same objective?
Bill 64 has introduced several changes to the Quebec Privacy Act that will likely have significant impacts on online privacy. Starting September 22, 2023, organizations collecting personal information by offering a product or service with privacy parameters must ensure that the highest privacy settings are enabled by default. Additionally, organizations collecting personal information from persons using tracking, localization or profiling technology will have the obligation to inform the person in advance of the use of such technologies, and to inform the person of the method for activating such functions: the use of such technologies will be opt-in only. “Profiling” is broadly defined as the collection and use of personal information in order to evaluate certain characteristics of a person such as workplace performance, economic or financial situation, health, personal preferences or interest, or behavior.