Motivated to compete with Facebook and Google, Bell recently announced that starting November 16 it will be collecting massive amounts of customer data to deliver targeted advertising. The Office of the Privacy Commissioner of Canada (OPC) stated that it will be investigating the matter. Canada’s telecom giant is adamant that it will comply with the Personal Information Protection and Electronic Documents Act (PIPEDA), but the extent of its practice raises questions about how PIPEDA’s key concepts should be interpreted and applied.
The extensiveness rather than purpose of Bell’s planned data collection seems to have generated the most controversy. The amount and type of user data that will be collected are ambitious: Internet history, search terms, location, mobile device type, calling patterns, and television viewing habits. To Bell’s credit, the company has been proactive in informing its customers of the upcoming changes and offers an opportunity to opt out.
At least one academic commentator has expressed doubt about the legality of Bell’s program, focusing specifically on the sensitivity of the information collected. Given how the concept of “sensitive information” has been interpreted under PIPEDA and how Bell treats location data under its own Privacy Policy for location-based services, the reliance on opt-out consent is indeed surprising. Privacy legislation mandates that the form of consent must be commensurate with the sensitivity of personal information. Where the information is considered to be sensitive, express consent (i.e. opt-in rather than opt-out) is necessary. PIPEDA identifies medical and income records as examples of sensitive information, but otherwise does not provide a definition. The OPC has also held that financial status and purchasing habits should be considered sensitive. Further, PIPEDA establishes that “any information can be sensitive, depending on the context”.
In light of these facts and the amount and type of data Bell intends to collect, it is difficult to mount a persuasive argument that the information proposed to be collected is not sensitive. In fact, there is reason to believe that Bell itself considers location data to be sensitive enough to warrant express consent. Under Bell’s Privacy Policy covering location-based services, use or disclosure of a wireless phone’s location requires express consent. Whether Bell can reconcile the interpretation of “sensitive information” under PIPEDA and its own position on location data to justify the upcoming changes remains to be seen.
Besides consent requirements, PIPEDA contains another relevant limitation: organizations should only collect personal information necessary for the stated purposes (emphasis added). Critically, this applies to both the amount and type of information collected, used, or disclosed. A brief survey of PIPEDA complaint investigations published by the OPC reveals that the concept of ‘necessity’ is given its plain meaning. For example, if the purpose is to contact a customer, then only their contact details are necessary and companies should not solicit additional information. While the concept is clear in this simple example, it is severely strained when information is used for purposes that are not well-defined. For instance, for data collected to facilitate targeted advertising, it is exceedingly difficult to determine the scope of what is necessary for that purpose. Presumably, more data allow more precise targeting, which translates into higher advertising revenue. In at least one case, the OPC has attempted to balance the purpose of collection against the scope of information collected, but it is uncertain how this approach could be applied to targeted advertising. In that case, the OPC held that a full date of birth is not necessary for demographics research and recommended that the company collect only the month and year. The OPC reasoned that marginal gains in accuracy afforded by using the full date did not justify the impact on privacy. It is difficult to predict whether the OPC will attempt to draw a line between financial rewards and privacy, but its investigation should clarify how the concept of ‘necessity’ should be applied.
In today’s data-driven world, businesses like Bell possess a natural data advantage through the services they provide. Since the OPC lacks strong enforcement powers, damage to brand reputation can pose the greatest risk for data gatherers. However, companies with little competition in the marketplace may be little deterred. Given Bell’s position in the Canadian telecommunications industry, we may therefore expect the OPC investigation to be conducted with an increased level of scrutiny.
Anatoly Zhitnik is a JD Candidate at Osgoode Hall Law School and is enrolled in Osgoode’s Intellectual Property Law Intensive Program. As part of the program requirements, students were asked to write a blog on a topic of their choice.