Privacy Commissioner study finds compliance gaps with online behavioural advertising

June 15, 2015

New research released by the Office of the Privacy Commissioner of Canada (OPC) suggests that most advertising organizations placing behaviourally targeted online advertising are meeting privacy requirements, although the report also suggests there are a number of areas for improvement.

The study showed that most advertising organizations are providing some form of notification to users, as well as an opt-out mechanism; however, the research also suggests that some opt-out procedures can be confusing or cumbersome, and some of the advertising organizations are continuing to serve ads based on sensitive topics.

The stated intention of the report was to gather data on current practices relating to Online Behavioural Advertising (OBA), for the purpose of analysis and discussion.  The OPC explicitly noted that the initiative was not an investigation, nor was it intended to conclusively identify compliance issues or possible violations of privacy legislation.

That said, the findings of the research will be instructive to website owners, ad aggregators and servers, and advertisers alike.

The OPC has previously considered privacy requirements respecting OBA on several occasions, including issuing guidelines and a policy position document, as well as issuing findings in at least three decisions dealing with privacy issues related to the provision of OBA.  These previous findings have indicated that:

  • The OPC generally considers that information collected for the purpose of OBA will be “personal information”, and therefore subject to the requirements of the Personal Information Protection and Electronic Documents Act (PIPEDA)
  • The use of such personal information for the purpose of OBA requires the knowledge and consent of users
  • Opt-out consent for OBA will generally be considered to be adequate, provided that certain criteria are met, including that individuals are provided with clear and understandable notice of the purposes for which their personal information may be used, and are able to easily opt-out of the practice
  • OBA should be limited, to the extent practicable, to non-sensitive information
  • Organizations should avoid tracking children or tracking on websites aimed at children

The OPC’s latest findings indicate that the vast majority of the ads that its researchers identified as being behaviourally targeted displayed the AdChoices icon, which both signals participation in the self-regulatory program administered by the Digital Advertising Alliance of Canada (DAAC) and provides a link to information about OBA and an online tool that provides users with the ability to opt out of behavioural advertising.  Implicitly, the OPC report finds the AdChoices program, when correctly executed, to be a valid means of complying with privacy law requirements.

However, the OPC’s research also showed that some advertising organizations used the AdChoices icon inconsistently, while others never provided any form of notification or opt-out. 

In a small number of instances, the OPC also observed examples of targeted ads based on sensitive topics that were part of the OPC’s sample search, such as pregnancy tests, bankruptcy, divorce lawyers and liposuction. As noted above, the OPC considers that explicit user consent is required in order to employ OBA techniques with respect to sensitive topic areas.  Under PIPEDA, medical and financial information is almost always considered to be sensitive, but more generally, personal information that could lead to personal harm, financial or reputational damage or embarrassment, or that could reveal deeply personal or intimate details of the lifestyle and personal choices of an individual could be considered to be sensitive, depending on the context and the reasonable expectation of users. 

Moreover, the OPC study observed that clicking on the AdChoices icon did not lead to a consistent experience in terms of how information about the advertising program was displayed or the means by which a user could opt-out.  In the OPC’s study sample, users were presented with a variety of opt-out interfaces, accessible by differing means, and with variations in the clarity of their instructions and ease of use of the opt-out feature.

The study provides an opportunity for organizations within the online behavioural advertising chain to examine their practices with respect to privacy compliance, particularly with respect to the clarity and usability of their opt-out mechanisms, and to ensure that tracking is not being performed, without explicit user consent, with respect to sensitive subject areas.

DISCLAIMER: This publication is intended to convey general information about legal issues and developments as of the indicated date. It does not constitute legal advice and must not be treated or relied on as such. Please read our full disclaimer at