It’s a weekday, which means Google must be violating your privacy (weekend privacy violations belong to Facebook). This one is all official-like even, as the Office of the Privacy Commissioner of Canada (OPC) has just released a big fat honking report saying as much. Let’s see what nefarious get-rich-quick schemes have gotten Google into trouble today!
The official report is entitled “PIPEDA Report of Findings #2014-001 – Use of sensitive health information for targeting of Google ads raises privacy concerns”. For you newbies around here, PIPEDA is the Personal Information Protection and Electronic Documents Act, Canada’s privacy law (well, one of them). Under PIPEDA, individuals (like you!) can make a complaint about privacy to the OPC and the OPC will look into it. Then maybe, if you’re lucky, the OPC will release a report that says your privacy has been violated. Then the OPC will ask the offender really nicely to knock it off. That’s about all they have the power to do.
So some dude (complainants are kept confidential) made a complaint to the OPC. He said that he was on the Google searching for medical devices about sleep apnea (these devices are called “CPAP”s which stands for something, but that’s not relevant right now). He visited some websites about CPAPs. Then, when he was surfing the web later, he began to see advertisements, brought to him by Google’s AdSense, for CPAPs. He had a problem with that:
The complainant views his online activities relating to sleep apnea as sensitive information that should not be used for the delivery of targeted advertisements and should require his express consent.
Let’s take a quick step back to understand what’s going on here on the old interwebs. When you surf the net, Google knows. They know what you searched for, they know some of the websites you visit. And if some of those websites advertise through Google, when you surf the web, you may see advertisements for those very same things you were interested in from those websites (this is all done thanks to cookies, mmm, delicious cookies). This is called “remarketing”, and Google has a very handy explanation for you. It’s not just Google who does this, though. It is actually very common and there are many businesses who use behavioral tracking as part of their market research. This falls under the broader category of “Interest Based Advertising”, or “OBA” as the OPC calls it in the report, because Interest starts with the letter O, obviously.
You have undoubtedly experienced this yourselves. I recall that very recently, I was searching for toaster ovens on Amazon. For weeks, possibly months, later, I would see ads all over the web from Amazon for the very same toaster ovens I was looking at. It kind of freaked me out man. But whatever, toaster ovens, who gives a crap, life goes on.
But medical information is different, as the OPC has confirmed with the report. First, Google denied that the ads the complainant saw were even OBA. The OPC said “nice try, dudes”. The OPC explains their policies regarding OBA as such:
As stated in our Office’s OBA guidelines, implied or opt-out consent for OBA purposes may be acceptable provided that the information collected and used is limited, to the extent practicable, to non-sensitive information
So the flip side of that is that implied or opt-out consent is n.g. for sensitive information. Sleep apnea, according to the OPC, is sensitive information. So to conclude:
implied consent for the collection or use of the complainant’s sensitive personal health information for the purpose of delivering ads based on the complainant’s online behaviour is not appropriate, and express consent is required.
They even have law to back this up! Section 4.3.6 of Schedule 1 of PIPEDA reads as follows (in part):
An organization should generally seek express consent when the information is likely to be considered sensitive.
So Google is in violation of PIPEDA. Google was even in violation of its own policies, but tried to pass the buck to the advertisers themselves:
Google requires all advertisers using this platform to agree to specific policies, which prohibit all forms of interest based advertising involving sensitive categories, including the use of user lists based on “health or medical information”. According to Google, it is up to each remarketer to determine the application of Google’s policies to any proposed remarketing. Google indicated that, despite its policies and guidance, certain advertisers or third party buyers can use remarketing products in error.
Nice try Google! But the OPC wasn’t buying it, and told Google to shape up. So Google promised to, uh, look into the matter. Specifically, they are going to, or have already:
- Reject all CPAP remarketing ads;
- Commit to revising its public interest-based advertising policies to add additional information about medical devices;
- Develop new training for internal teams to keep up to date with sensitive category ads policy, improve recognition of potential policy violations, and better understand how and when to escalate complaints and issues;
- Increased monitoring of existing remarketing campaigns, to better identify advertisers that have created campaigns that violate its policies;
- Committed to reviewing and upgrading its automated review systems.
So all that is something, I guess. Increased monitoring! Reviewing! Well done, OPC! Considering the amount of “power” you have, take any victory you can get.
Random semi-related side note
The report concludes with this fun little tidbit:
we also raised with Google the complainant’s claim that he was unable to locate contact information in order to submit his complaint to Google. Although Google does have contact information available we encouraged them to take steps to increase transparency in this regard. Google confirmed that they share our interest in improving transparency and indicated that they were reviewing possible improvements.
BWAHAHAHA. As anyone who has ever had to try to contact Google will tell you, it’s a nightmare. As any lawyer who has needed to contact Google (ME) will tell you, it is possibly the most frustrating thing in the world. Google does not want you to contact them, you peon. They’ve got shit to do and they can’t be bothered with your trite little complaints. So Google’s lines that they “share our interest in improving transparency” and are “reviewing possible improvements” in this regard are fracking hilarious. Total lip service crap. Sorry to burst your bubble, OPC.