Privacy czar cautions on web “leakage”

Stoddart’s bulletin makes it clear that failure to properly monitor such leakage could lead to a breach of privacy law – and action by the commissioner.

Says Timothy Banks, a privacy lawyer with Fraser Milner Casgrain LLP in Toronto: “The privacy commissioner is providing a heads-up to organizations to be careful to manage personal information they collect and share with others.

“Financial advisory firms,” Banks continues, “deal in sensitive personal information and should be careful to understand how they are using and sharing information about their clients through these technologies or risk public embarrassment, loss of trust by their clients, and an inquiry by the privacy commissioner.”

The personal information, which can range from email addresses and full names to birth dates and other sensitive or identifying data, is typically being picked up by advertising companies, consumer analytics firms and electronic-flyer services. Although your clients may only be troubled by unwanted marketing material as a result, the potential for much more serious results exists, such as identity theft and unauthorized access to financial information.

The privacy commissioner’s main concern, Banks notes, is “essentially, the possibility of behavioural profiling without consent.” The more sensitive the information, or the more identifiable or closely linked the information is to an individual, the greater the need for transparency regarding your reason for collecting that information and the more you need to bring that to the attention of the user of the website, he adds: “The law is that you need to have express or implied consent to the collection, use, retention and disclosure of personal information.”

On a practical level, that often means that your firm expressly needs to address this “leakage” issue in its privacy policy. Guarding against information leakage, however, isn’t easy. Website operators increasingly are employing analytics companies to look at website traffic and figure out who is using a website and how. For instance, when an advertisement is being placed on a website, personal information about the user of that web page may be transmitted to the ad server, a company that provides web ads targeted to the changing preferences of the site’s users.

In addition, a website can earn revenue when it allows third-party organizations to place ads on its site. Sites also can set tracking cookies in the user’s browser that retain the website visitor’s personal information.

In testing of 25 popular websites, the privacy commissioner found significant privacy concerns with six websites and had questions about the practices of another five sites. The leakage was invisible to most people using the sites and, in some cases, what was happening didn’t seem to be in keeping with the organizations’ own privacy policies.

The research didn’t look at whether the disclosures of personal information were intentional, such as a site being paid for the information, or unintentional, meaning it was due to lack of attention by operators of the sites.

As a result, if you use your company’s website – or your own if you are independent – you should be aware of whether the applicable privacy policies cover analytics or third-party ads. You also should be clear about what you are doing with your clients’ personal information.

Changing commercial practices are making that process more difficult. Some organizations outsource the running of their website, says Banks, or there may be a disconnect between the marketing and technology departments.

He adds that there can be a corporate relationship with an analytics company or a third-party ad server network that others in your company don’t know about.

“That’s one thing the financial advisor community needs to be aware of,” Banks cautions, “to make sure that they understand what they’re doing themselves and what the privacy impact of that is.”

And advisors also may be the target of third-party trolling, says Banks: “You, too, are potentially being profiled for analytics or advertising purposes as you’re moving around different websites.”

Indeed, Stoddart’s recent bulletin highlights the general potential for running afoul of the compliance department when it comes to the web.

That applies even though the substance of privacy legislation, such as the Personal Information Protection and Electronic Documents Act, hasn’t changed, notes Christopher Oates, a lawyer at Gowling Lafleur Henderson LLP in Toronto with expertise in privacy, advertising, marketing and regulatory law.

“What has changed,” Oates says, “is that the Internet – and social media, in particular – opens up a very wide array of areas to go offside, a very broad range of potential areas where your practices can be out of compliance.”

If there isn’t adequate communication between a company’s privacy officer and the various departments in an organization, says Oates, including the legal department, IT, marketing or other groups that come up with uses for the information, there’s a potential for something to be missed in the privacy policy.

“If it’s missed by the officer in legal,” Oates says, “it might not be adequately disclosed to the consumer. And that would be a problem under the law.”

© 2012 Investment Executive. All rights reserved.