The Tracking And Usage Of User Data: A Look At Canada’s PIPEDA

Collection of Data Online

• There are various different identifiers and ways of tracking website and app users across multiple devices.
• The most common way is the use of cookies.
• A piece of code containing information saved by your web browser after visiting a website.
• The most well-known are HTTP cookies (web/browser cookie) used by sites.

Cookies: 1^st Party vs. 3^rd Party

• 1^st party cookies are cookies placed in your computer by visited sites.
• Helps the site remember you as a user and your situation:
• Items in your shopping cart
• Log-in information
• Site preferences
• Game scores
• 3^rd party cookies are cookies placed by someone other than the sites that you visited.
• These 3^rd parties could be online analytics companies, data brokers, or advertisers.
• These cookies provide information on the online activities of users to 3^rd parties.

Other Forms of Tracking

• Browser fingerprinting involves the generation and storage of attributes by a browser by virtue of the way it interacts with the web.
• Advertising/Device IDs are retrieved by apps and identifies individual smartphones and tablets.
• Pixel tags are 1px by 1px graphics on websites or emails that collects data when it a user visits a page or opens an email.
• IP addresses (“Internet Protocol address”) are unique addresses that label a device connected to a network, allowing information (ex. location) to be sent between devices on the network.
• MAC addresses (“Media Access Control address”) is a hardware identification number that identifies each device.
• …and many others!

How Data is Used

• Potential ways people’s data might be used (non-exhaustive list):
• Targeted advertising
• Research and targeting for political campaigns and interest groups
• Identification and locating by debt collectors and fraud investigators
• Research, identification, locating, and supervision by government agencies and law enforcement

​

Canada’s Legal Response to Data Tracking and Usage

• Canada has 2 pieces of federal legislation relating to data protection:
• Privacy Act – Dictates how government entities can handle individuals’ personal information.
• Personal Information Protection and Electronic Documents Act (PIPEDA) – Regulates how private sector players can deal with individuals’ personal information.
• Certain provinces like Alberta, BC, and Québec have their own privacy legislation.

Personal Information Protection and Electronic Documents Act (PIPEDA)

• 10 principles that private organizations have to follow:
• 1) Accountability
• 2) Identifying Purposes
• 3) Consent
• 4) Limiting Collection
• 5) Limiting Use, Disclosure, and Retention
• 6) Accuracy
• 7) Safeguards
• 8) Openness
• 9) Individual Access
• 10) Challenging Compliance

Personal Information Protection and Electronic Documents Act (PIPEDA)

• Principle 1: Accountability
• The organization is responsible for personal information under its control and must designate individual(s) to ensure compliance with the 10 principles.
• 4.1.3 – The organization is responsible for personal information in its possession, including information that’s been transferred to a 3rd party for processing.
• 4.1.4 – The organization shall implement policies and practices to give effect to the principles, including:
• (a) protecting personal information;
• (b) handling complaints and inquiries
• (c) training staff on the organization’s policies and practices
• (d) information to explain policies and procedures

Personal Information Protection and Electronic Documents Act (PIPEDA)

• Principle 2 – Identifying Purposes
• The organization must identify the purposes for which personal information is collected at or before the time of collection.
• 4.2.3 – Identified purposes should be specified at or before the time of collection to the individual from whom the personal information is collected.

Personal Information Protection and Electronic Documents Act (PIPEDA)

• Principle 3 – Consent
• The knowledge and consent of the individual are required for the collection, use, and disclosure of personal information, except where it is inappropriate.
• 4.3.2 – The organization must make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used.
• 4.3.3 – The organization cannot require, as a condition of access to the product or service, an individual to consent to the collection/use of information beyond what is required to fulfil the explicitly specified purposes.

Personal Information Protection and Electronic Documents Act (PIPEDA)

• Principle 3 – Consent
• 4.3.5 – The reasonable expectations of the individual are relevant in obtaining consent.
• 4.3.7 – Individuals can give consent in many ways.
• 4.3.8 – An individual may withdraw consent at any time.

Personal Information Protection and Electronic Documents Act (PIPEDA)

• Principle 3 – Consent
• Re PIPEDA Report of Findings No. 2018-004
• Office of the Privacy Commissioner of Canada (Office) made recommendations to Microsoft to better ensure adequate knowledge and consent for collection, use, and disclosure of users’ personal information on Windows 10.
• Re PIPEDA Report of Findings No. 2015-001
• Office found that Bell’s “Relevant Advertising Program” (RAP) was not obtaining adequate consent and, although customers could withdraw their consent, Bell continued to track customers.

Personal Information Protection and Electronic Documents Act (PIPEDA)

• Principle 3 – Consent
• Re PIPEDA Report of Findings No. 2014-011
• Office made recommendations after finding that Ganz, a toy manufacturer, did not provide a clear description of the information they were collecting from its website, how it was actually being used, and to whom it was being disclosed.
• R v. Spencer, 2014 SCC 43, 2014 CarswellSask 342
• An organization may disclose information to a government institution without the user’s consent if the institution has “lawful authority” to obtain it.
• Police obtaining subscriber information from ISP, in absence of exigent circumstances or a reasonable law, was unlawful.

Personal Information Protection and Electronic Documents Act (PIPEDA)

• Principle 8 – Openness
• The organization must make specific information about its policies and practices on managing personal information readily available to individuals.
• 4.8.1 – Individuals must be able to acquire information about an organization’s policies and practices without unreasonable effort.
• This information must be available in a form that’s generally understandable.

Personal Information Protection and Electronic Documents Act (PIPEDA)

• Principle 9 – Individual Access
• Upon request, an individual must be informed of the existence, use, and disclosure of their personal information and be able to access that information.
• 4.9.3 – The organization should attempt to be as specific as possible when providing an account of the 3^rd parties to which it has disclosed personal information.

Personal Information Protection and Electronic Documents Act (PIPEDA)

• Enforcement of PIPEDA
• S. 16: Civil remedies are available under PIPEDA.
• The Court can:
• Order an organization to correct its practices to comply with Divisions 1 and 1.1
• Order an organization to publish a notice of any action taken to correct its practices
• Award damages to the complainant, including damages for any humiliation suffered by the complainant

Personal Information Protection and Electronic Documents Act (PIPEDA)

• Enforcement of PIPEDA
• S. 28: There are some sanctions available if an organization knowingly contravenes certain sections (ss. 8(8), 10.1, 10.3(1), 27.1(1)) or obstructs an audit or investigation conducted by the Commissioner:
• (a) Offence punishable on summery conviction and liable to a fine not exceeding $10,000; or
• (b) Indictable offence and liable to a fine not exceeding $100,000

​

Possible Changes to PIPEDA

• …but recently-proposed Bill C-11 (Consumer Privacy Protection Act) will implement some changes.
• The 10 Principles are codified in specific provisions
• Some notable changes:
• “Control” over personal information is defined as when an organization collects it and determines the purposes for its collection, use, or disclosure (cl. 7(2), CPPA).
• “Privacy management program”, which includes policies, practices, and procedures to fulfil CPPA obligations, now required (cl. 9(1), CPPA).

Possible Changes to PIPEDA

• …Some notable changes:
• For “consent” to be valid, the organization must provide certain information in “plain language” to the individual (cl. 15(3), CPPA).
• Specific type of personal information collected, used, or disclosed
• The purposes of the collection, use, or disclosure
• The way in which the information is collected, used, or disclosed
• Any reasonably foreseeable consequences of the collection, use, or disclosure
• The names and types of any 3^rd parties to which the organization may disclose the personal information

​

​

Possible Changes to PIPEDA

• …Some notable changes:
• Reasonableness test for appropriate purpose: Can collect, use, or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances (cl. 12(1), CPPA).
• Uses factors from Turner v. Telus Communications Inc., 2005 FC 1601:
• Sensitivity of the personal information
• Legitimate business needs of the organization
• The role of the collection, use, or disclosure in meeting the organization’s legitimate business needs
• Possible less intrusive means of achieving those purposes
• Proportionality between the individual’s loss of privacy and the benefits of accessing their data

Possible Changes to PIPEDA

• …Some notable changes:
• Sets out new rights of individuals:
• Right to have personal information ”disposed” (deleted) (cl. 55, CPPA)
• Right to have personal information moved from one organization to another (cl. 72, CPPA)
• Right to access information on the organization’s automated decision system and how the personal information was used to make an automated prediction, recommendation, or decision (cl. 63(3), CPPA)

​

​

Possible Changes to PIPEDA

• It would confer greater powers to the Privacy Commissioner:
• Make binding compliance orders (cl. 92(2), CPPA)
• Recommend to the new Personal Information and Data Protection Tribunal that a penalty be imposed (cl. 93, CPPA)
• Clause 94(4) – Penalty up to $10,000,000 or 3% of global revenue, whichever is higher
• Certain contraventions are, upon prosecution, punishable with (cl. 125, CPPA):
• A fine not exceeding the higher of $25,000,000 and 5% of gross global revenue (indictable offence)
• A fine not exceeding the higher of $20,000,000 and 4% of gross global revenue (summary conviction)

Possible Changes to PIPEDA

• It introduces a new private right of action (cl. 106).
• An individual can bring a claim against an organization for damages for loss or injury suffered because of a contravention.
• Available if:
• The Commissioner has found that the organization has contravened this Act and the finding can no longer be appealed either due to the time limit expiring or the Tribunal dismissing a prior appeal; or
• The Tribunal has found that the organization has contravened this Act.

What Does This All Mean for Websites, Apps, and Platforms?

• There has been a shift from an “opt-out” system towards an “opt-in” system.
• Sites, apps, and platforms now ask users if they will “opt-in” to allow certain tracking rather than ask them to “op-out” to avoid tracking.
• Apple’s iOS 14 will require users to give apps permission to track them in a pop-up.
• This has started a feud between Apple and Facebook regarding this new change.

What Does This Mean for Websites, Apps, and Platforms?

• Possible phase-out of using 3^rd party cookies?
• Google introduced its “Privacy Sandbox” for developing new tools that will allow advertisers to target ads.
• E.g. Federated Learning of Cohorts (FLoC) – Machine-learning algorithm for creating clusters of people based on their history and behaviour.
• Various browsers are either moving away from 3^rd party cookies or taking steps to improve tracking protection.
• New browsers dedicated to blocking tracking and ads have also emerged (E.g. Brave Browser).
• Other ways of tracking will take on increased importance or new ones will be developed that could bypass technical and legal barriers.

What Does This Mean for Websites, Apps, and Platforms?

• Advertising still forms the majority of revenue for many sites and apps.
• Companies are still incentivized to track users’ data and transfer it to 3^rd parties.
• Online ads will still be used. However, with less information on the user, ads will be less personal and relevant.
• Attempts on forcing companies to be more transparent and to have “plain language” policies will continue…
• It still seems unlikely that consumers will read the policies.
• Development of new tracking methods may make it more difficult for organizations to provide adequate information.

Concluding Thoughts

• The current form of the PIPEDA appears to be too general and “light”.
• The fines available under the current PIPEDA are small compared to other jurisdictions (e.g. GDPR).
• The proposed changes are more of an incentive for big companies like Facebook and Google to comply.
• The Office of the Privacy Commissioner cannot issue fines or penalties.

​

​

​

Concluding Thoughts

• The current form of the PIPEDA appears to be too general and “light”.
• Currently, the PIPEDA contains the individual’s right to withdraw consent only, but not the right to erasure.
• Certain aspects of the current PIPEDA principles are either unclear or too lax.
• E.g. Meaning of “consent”, the use of “should” as a recommendation and not an obligation, the meaning of “reasonable efforts” by the organization.

​

Concluding Thoughts

• Questions about the possible changes to PIPEDA:
• Does the right to the erasure of data extend to data already obtained by 3^rd parties?
• Will the new penalties be a sufficient incentive to big companies like Google and Facebook?
• How will organizations handle providing “plain language” information on their data usage as tracking becomes increasingly sophisticated?

​

Concluding Thoughts

• Obtaining information on how a website or app tracks and uses user data can still be tricky.
• Although a site’s data policy may be accessible or visible, it is difficult to confirm actual compliance.
• Information on which 3^rd parties have access to your data is even more difficult to find.
• There is an added layer of difficulty in enforcement once 3^rd parties get a hold of user data.
• How to ensure that the only data that will actually be tracked is the data that users have allowed to be tracked?

​

​