Information & Ethics Committee on Dec. 11th, 2012

I think it's safe to say that social media companies are participating in a developing culture regarding privacy. For example, I've been focusing on privacy for almost a decade. From a privacy standpoint, the notion of providing a website with a list of all your contacts and the events you happen to be going to and pictures of friends would have been unthinkable 10 years ago, yet today it is fairly widespread. Even the initial news feed was fairly controversial when Facebook offered it, and a number of folks screamed that this was a privacy invasion.

Both from a legislative and a regulatory perspective, it's a delicate balance to define the balance between stifling innovation and protecting consumer privacy interests. Fortunately in Canada, while I don't claim to be an expert in Canadian privacy law, I do know that a pretty comprehensive framework is in place already, and a self-regulatory program is going to be launched within the next several months.

From my perspective, it would be a very good idea to see how that program develops prior to taking proactive steps. At least give the industry the opportunity to demonstrate that this is in the consumer's interest.

It is. I think when you're referring to six months, that's BlueKai's data retention period, but that's a separate thing from the opt-out period.

Once a user has hit an opt-out mechanism and a BlueKai opt-out cookie has been dropped, that effectively replaces the other BlueKai cookies and zeroes out that particular record.

I think it's safe to say that the opt-out cookie removes any targeting and preference data existing on that computer for future ad targeting.

I think to the extent that data is stored over a period of time by, say, an advertiser advertising in a digital format, the pseudonymous data will be maintained over time. The opt-out is typically forward-looking, and in the future they're no longer going to conduct online behavioural advertising.

I think that to destroy all data retroactively becomes a pretty significant challenge. There are people who are far more articulate than I, but I might point the committee to some of the discussions going on in the European Union regarding the right to be forgotten.

Allowing the self-regulatory program to continue to develop, I think, would be a very good start. Then I would suggest regular interaction, whether that's strictly the Office of the Privacy Commissioner or whether this committee also gets involved, or both, but I think a regular check-in—I don't want to say a report card—might be a good way for this committee to continue to have oversight on the development of the self-regulatory program.

These things tend not to happen overnight. I have some experience with that in the United States, but I think that—

We're moving in the right direction.

We're seeing more and more Internet users download their own transparency tools. Ghostery is one that comes to mind, but I believe there are others. They're browser-based plug-ins that tell an Internet user which cookies are being dropped by which companies on the websites that they visit. Certainly, users can be provided with that mechanism with some additional transparency. We're seeing more and more Internet users utilize those exact types of tools.

Moreover, in the industry self-regulating program—and here I'm talking about the United States—there are two websites. One is called networkadvertising.org and the other is aboutads.info. Both of those websites enable users to opt out from all member companies.

Again in the United States, it's probably worth noting that we're seeing more and more forward-looking little icons on digital advertisements that are being targeted with online behavioural advertising data. From the user's perspective, looking at that little dot on the advertisement may not let that person know exactly which company is targeting them, but it does provide a mechanism for them to understand a little bit more about the practice of online behavioural advertising and then let them go to the opt-out page.

Yes, we do.

I find myself involved in many, if not most, client interactions, helping to educate companies about what the privacy rule set is. Some of that depends on the jurisdiction and some of it depends on the type of data that's being utilized, but we take that very seriously. We see one of our roles in the marketplace as being the ones to help educate clients on what the rules of the road are for privacy.

Sure.

I'm going to talk mostly about the United States. Many of these concepts are certainly working in other jurisdictions.

The first organization I mentioned was the Network Advertising Initiative. It's an industry trade association that's been around for about 12 years. The organization is made up primarily of what we call the Internet intermediaries: the networks, the platforms, the exchanges, and the data companies. These are the entities that sit in between a website publisher and an advertiser. They help facilitate the delivery of that.

With those companies, historically the challenge has been that since they don't control the ad and they don't control the website, it's difficult for those companies to push privacy standards out into the rest of the ecosystem. Those privacy standards involve notice, transparency, opt-out choice, and a rule set around what we call “sensitive data”.

When I refer to the Digital Advertising Alliance, I'm referring to what is more of a broad coalition of industry associations, which includes the Network Advertising Initiative. However, it also includes the online publishers, the online advertisers, and the digital advertising agencies.

The goal of the Digital Advertising Alliance is to make sure that all the privacy standards are harmonized within the business ecosystem.