Results of Commissioner Initiated Investigation into Bell’s Relevant Ads Program
PIPEDA Report of Findings #2015-001
April 7, 2015
See also: News release: Bell advertising program raises privacy concerns
Update
Following the release of the Report of Findings, Bell advised us that it has decided to withdraw its Relevant Ads Program and that it will delete all existing customer profiles related to the program. Furthermore, Bell has said that if it launches a similar program in the future, it would do so using express opt-in consent.
We appreciate Bell’s cooperation throughout the course of our investigation and we respect Bell’s decision to terminate the program.
As we stated in our investigation report, our Office accepted that Bell’s objective of maximizing advertising revenue while improving the online experience of customers was a legitimate business objective. We also accepted that Bell’s targeted advertising initiative could be effective in achieving those objectives.
Our recommendation to Bell was that it use opt-in consent in its targeted advertising program. We felt that the privacy implications of the initiative were significant enough to require opt-in consent from customers.
We consider this matter to be resolved.
Table of contents
- Definitions
- Background
- Overview of the RAP
- Bell's Collection and Use of Information for the RAP
- Retention of Information for Purposes of the RAP
- Bell Notifications Regarding the RAP
- Users' Ability to Opt Out of the RAP
- Why Bell Implemented the RAP
Executive Summary
Overview
In the weeks following Bell's August 2013 announcement that it would use customers' network usage and account information to enable the serving of targeted ads, our Office received an unprecedented number of public complaints, and ultimately decided to commence a Commissioner Initiated Complaint, in lieu of those complaints, to consider the breadth of privacy issues surrounding the Relevant Advertising Program ("RAP"). The results of our investigation are summarized below.
Bell Fails to Obtain Adequate Consent — Well–Founded
We found that Bell was not, via its opt-out model, obtaining adequate consent for the RAP. We are disappointed that Bell has refused to implement our recommendation that it give customers an express choice regarding whether or not they wish to participate in the RAP.
In coming to our determination that express, opt-in, consent is required, we considered two principle factors:
- Sensitivity of Information: Bell is using sensitive URLs for the purpose of generating customer profiles. Furthermore, in our view, the sheer breadth of information being used or contemplated for the RAP (including internet, telephone and television network usage information, as well as account/demographic information) renders such information more sensitive when compiled. Bell should obtain express consent for the use of sensitive information.
- Reasonable Expectations of Bell Customers: We determined that Bell Customers would reasonably expect Bell to obtain opt-in consent in light of all the contextual factors surrounding theRAP, when considered in combination and in concert with each other. More specifically, we considered that Bell:
- began using information it already collected for the purposes of delivering its primary services for the new secondary purpose of delivering behaviourally targeted ads;
- delivers paid services, for which customers may pay up to hundreds of dollars per month;
- is enabling the delivery of third-party ads; and
- is a telecommunications service provider to whom users must entrust vast amounts of their sensitive personal information in order to gain access to mobile, internet, telephone and television communications in Canada.
It is important to note that while our Office's OBA Guidelines provide that opt-out consent may be appropriate in certain circumstances, they do not render opt-out consent the default for all behaviourally targeted advertising. In determining the appropriate form of consent, organizations should be careful to consider all of the circumstances surrounding their advertising programs, including those factors outlined in this report.
We found this aspect of the complaint to be well-founded. We will proceed to address this unresolved issue in accordance with our authorities under the Act.
RAP not Inappropriate (except for use of "credit information")
While we found that Bell was not obtaining adequate consent for the RAP, we recognized Bell's valid business objective to generate increased advertising revenue, and we determined that the RAP does not represent a use of customers' personal information for an "inappropriate purpose".
We also found, however, that it was inappropriate for Bell to use credit information (e.g., "below average credit") for behavioural targeting. Bell agreed to our Office's recommendation that it cease using such information for the RAP.
We therefore found this aspect of the complaint to be not well-founded in part, and well-founded and resolved in part.
Bell Customers Unable to Withdraw Consent to the RAP
We found that Bell was not allowing its customers to withdraw their consent to the RAP. More specifically, upon receiving a customer's opt-out request, Bell would cease serving the customer "relevant ads" but continued to track the customer and augment the customer's profile, in case the customer were to change his or her mind in the future, and opt back in to the program.
In response to our recommendation, Bell agreed that upon receipt of an opt-out request, it will immediately delete all information from the customer's profile and cease tracking the customer. We therefore found this aspect of the complaint to be well-founded and resolved.
Other Issues Resolved or Conditionally Resolved:
- Adequacy of Communications: Bell agreed to, by April 30, 2015, improve its RAP-related communications to explain more clearly the extent of the information that Bell may use for the RAP, now and in the future. We therefore found this aspect of the complaint well-founded conditionally resolved.
- Full Postal Code: Bell has, in response to our recommendation, ceased using full customer postal code, which was in our view a use of more information than necessary for broad targeting. It will now use only the first three characters. We therefore found this aspect of the complaint well-founded and resolved.
- Disclosure to The Source: We recommended and Bell has agreed to, by March 31, 2015, remove The Source from the list of affiliates with which Bell may share RAP Information. We recommended removal of The Source from the list given that Bell was unable to explain why it would need access to such information. We therefore found this aspect of the complaint well-founded conditionally resolved.
- Disclosure of Personal Information: During the course of our investigation, we identified Bell was not disclosing personal information to advertisers. We also recommended, however, that Bell exercise greater due diligence, in the form of contractual and other measures, to protect against the possibility that advertisers might, using other available information, link customer profile information to an identifiable individual. Bell agreed to implement such measures. We therefore found this aspect of the complaint not well-founded, in part, and well-founded and resolved, in part.
- Accountability: Lastly, Bell agreed to, by March 31, 2015, implement our recommendation that it document, and communicate to staff, certain internal procedures to ensure the appropriate use of customers' personal information. We therefore found this aspect of the complaint well-founded conditionally resolved.
Other Issues Not Well-Founded
- Limiting Collection: We found that Bell was not collecting any new information for the purposes of the RAP, and that it was therefore not collecting more information than necessary for such purposes.
- Retention: We found that Bell was not retaining information for longer than necessary for purposes of the RAP.
Complaint
- On November 15, 2013, the Office of the Privacy Commissioner of Canada initiated a complaint, pursuant to subsection 11(2) of the Act, against Bell Canada, Bell Mobility Inc. (including Virgin Mobile Canada, "Bell Mobility"), Bell ExpressVu L.P., The Source (Bell) Electronics Inc. ("The Source"), and Bell Media Inc. (the "Bell Companies" or "Bell").
- More specifically, based on information gathered prior to the commencement of our investigation, the then Assistant Privacy Commissioner had reasonable grounds to investigate whether the Bell Companies were, pursuant to the Bell Relevant Advertising Program ( the "RAP"), contravening:
- Subsection 5(3) of Part 1 of the Act by collecting, using and disclosing personal information regarding its customers for purposes that a reasonable person would not consider appropriate;
- Principle 4.3 of Schedule 1 of the Act, on the basis that they are not obtaining the meaningful consent of individuals prior to collecting, using and disclosing personal information under the RAP, and in particular, whether the use of an opt-out mechanism by the Bell Companies is consistent with Principle 4.3 in the circumstances;
- Principle 4.4 of Schedule 1 of the Act, on the basis that they are not limiting their collection of personal information to that which is necessary for the purposes identified by the organizations; and
- Principle 4.5 of Schedule 1 of the Act, on the basis that they are retaining personal information for longer than is necessary to fulfill their purposes.
Summary of Investigation
Definitions
- The definitions below will apply for the purposes of this report:
- "Bell Residential Services" means Bell TV, Bell Home Phone and Bell Wireline Internet.
- "RAP Advertiser" means an advertiser that contracts with Bell to facilitate the delivery of targeted ads to Bell Customers, via the RAP.
- "RAP Information" means the network usage information, interest categories and account/demographic information used by Bell in the RAP.
Background
- BCE Inc., the parent company of Bell Canada, is one of Canada's three largest communications companies (along with Rogers Communications Inc. and TELUS Corporation) with total revenues of over 18 billion dollars in 2013Footnote 1. Bell Mobility, Bell ExpressVu L.P., The Source (Bell) Electronics Inc. and Bell Media Inc. are affiliates of Bell Canada.
- Bell sells wireless services (i.e., mobile telephone, Internet and text), with 7.9 million subscribers at the end of 2013Footnote 2, as well as Bell Residential Services.
- Beginning in August 2013, Bell announced via various delivery channels (including news releases, website posters, and email and text customer notifications) the launch of the RAP on November 16, 2013. Bell explained that it would begin using certain network usage information, such as web pages visited from a mobile device, as well as account/demographic information (e.g., postal code, gender, age range, and payment patterns) to serve Bell Customers, starting with Bell Mobility Customers, targeted (i.e., "more relevant") ads. Bell also identified the process by which Bell Customers could opt out of the RAP. Finally, Bell indicated that it would not share any personal information outside of the Bell Companies.
- In the weeks following Bell's announcement of the RAP, our Office received 170 complaints from individuals alleging that the RAP contravened the Act. This is the largest number of complaints that our Office has ever received in respect of a specific issue under PIPEDA.
- On November 15, 2013, the then Assistant Privacy Commissioner of Canada initiated a complaint to investigate the issues outlined above in paragraph 2 of this report, in lieu of the 170 individual complaints received by our Office.
- In October 2014, we issued our preliminary report of findings outlining our Office's understanding of the facts uncovered during our investigation, our position with respect to the issues under investigation, and certain recommendations that would allow Bell to bring the RAP into compliance with the Act.
- This final report outlines Bell's responses to our recommendations as well as our ultimate findings with respect to each issue under investigation.
- The facts outlined below are, unless otherwise stated, based on information provided to our Office by Bell via written representations (supported by affidavits from senior managers at the Bell Companies), teleconferences and in-person interviews at Bell's offices. While Bell provided significant technical detail with respect to the component systems and processes associated with the RAP, we have, where possible, limited our explanations to high-level summaries.
Overview of the RAP
- Bell charges "RAP Advertisers" a fee to facilitate the delivery of targeted ads by such advertisers to Bell Customers. At the time of this investigation, Bell had only implemented the RAP for Bell Mobility Customers, but was exploring the opportunity to expand the RAP to Bell Residential Services.
- We will discuss the key elements of Bell'sRAP in detail later in this report, but in simple terms, theRAP functions as follows:
- Customer Profiles - Bell creates and maintains a Customer Profile for each Bell Customer of a Bell Service that is associated with the RAP, using network usage information and account/demographic information it already collects for various existing operational purposes. Bell indicated that it collects no new information for the purposes of the RAP. Generally speaking, a Customer Profile includes demographic information and account information combined with network usage information, such as specific websites visited and apps used on a Bell Customer's mobile device. The Customer Profile also includes interests Bell has inferred from such network usage. For instance, a Customer Profile could indicate that a Bell Customer is an English-speaking female, between the ages of 26 and 30, in the city of Montreal, who has a medium to high interest in hockey and who recently visited www.cbc.ca/news.
- Ad Profiles - RAP Advertisers create, via a special web interface, "Ad Profiles" that define the audience of Bell Customers to which they would like to deliver targeted ads (e.g., 26-30 year old males in the city of Ottawa with below average credit and an interest in hockey). Ad Profiles are comprised of a number of "dimensions", each corresponding to a specific type of information captured in Bell's Customer Profiles. Bell can limit the dimension selections available to any RAP Advertiser. Each Ad Profile is reviewed by Bell and approved prior to activation.
- Profile Matching and Ad Placement - Bell then facilitates the delivery of targeted ads by RAP Advertisers to Bell Customers (currently limited to Bell Mobility Customers). In simple terms, Bell sends a temporary customer ID and Customer Profile identification number to the RAP Advertiser, which in turn allows the advertiser to deliver a targeted ad to the Bell Customer whose Customer Profile matches an active Ad Profile. Bell does not, except when also acting as a RAP Advertiser (see paragraph 20 below), deliver the ads directly, and does not share the identity of the Bell Customer with RAP Advertisers during the process.
Bell's Collection and Use of Information for the RAP
- As noted above, Bell currently uses network usage information and account/demographic information from its Bell Mobility Customers for the purposes of the RAP. Bell has not yet implemented the RAP for Bell Residential Services, although it does intend to expand the program to those services in the future, and was not, at the time of the writing of this report, using information collected via Bell TV, Bell Home Phone or Bell Wireline Internet to deliver targeted ads to Bell Customers.
Network Usage Information
- Currently, the network usage information used by Bell for theRAP is comprised of Universal Resource Locators ("URLs" - i.e., web addresses) visited by Bell Mobility Customers using web browsers or apps on their mobile devices, whether inside Canada or roaming on foreign networks. It does not include network usage of foreign users roaming on Bell's network. Network usage information is used by Bell in several ways, as outlined below:
- URL Matches - RAP Advertisers have the option to identify, via 'free text' in each Ad Profile, one or more full or partial URLs that they would like Bell to match against URLs visited by Bell Mobility Customers. However, RAP Advertisers are not permitted to match against search terms which are captured in the portion of the URL following the "?" (e.g., the URL for a browser search for "hockey news" would be www.browser.ca/?… .=hockey+news).
Bell indicated that prior to approving an Ad Profile, a management-level employee would, in consultation with Bell's Privacy Office as necessary, manually review any URL specified by the RAP Advertiser to ensure that it does not contain sensitive information. Bell had not documented this decision making process, or any associated assessment criteria, at the time of our investigation. - Interest Categories - Bell also usesURLs visited by a customer in three ways to assign and rank interest categories to that customer's Customer Profile:
- Bell runs truncated URLs (i.e., domain and maximum two sub-levels - e.g., www.domain.com/level1/level2) through an automated tool to assign one or more interest categories to the Customer Profile for that customer. The interest categories correspond to the standard "Tier 1" and "Tier 2" categories developed and maintained by the Interactive Advertising Bureau ("IAB")Footnote 3. Tier 1 categories are general categories (e.g., "Hobbies & Interests") within which fit the more specific Tier 2 categories (e.g., "freelance writing"). To give a concrete example, a customer who visits the website http://www.cbc.ca/sports would be categorized as having an interest in "sports". If the customer then navigated to a specific article relating to soccer, the interest category "soccer" would also be added to the Customer Profile.
Bell identified that it is currently using roughly 22 "Tier 1" categories and over 290 "Tier 2" categories covering a wide range of specific interests (e.g., "Studying Business", "Jewelry making", "Scuba diving").
Any categories that correspond to a list of categories that Bell has predetermined to be sensitive (e.g., "Adult Content", "Special Education", "Diabetes", "Catholicism" or "Gay Life") or likely to be of interest to minors (e.g., "Family Internet", "Society - Teens" or "Animation") are discarded and not added to the Customer Profile.
However, URLs that may be considered inherently sensitive could be used to yield non-sensitive interest categories. For example, hypothetically, a URL related to a certain type of cancer could yield the interest categories "Cancer" and "Men's Health". Bell would discard "Cancer", as a category it deems to be sensitive, and assign the non-sensitive category, "Men's Health", to the Customer Profile. - Bell augments the categorization process outlined above by searching full URLs (including search terms) for key words from a list determined by Bell (e.g., hockey). Bell then assigns, based on key word matches, interest categories from a current list of 22 such categories which it has developed and deemed to be non-sensitive. These categories may or may not correspond to the IAB standard list of categories referred to in paragraph 15(b)(i) above.
Bell indicated that its practice is for a management-level employee, in conjunction with the Bell Privacy Office, as necessary, to develop and maintain the list of key words and associated interest categories. At the time of our investigation, Bell had not documented a decision-making process or associated criteria to ensure that key word searches do not result in the use of sensitive information.
The web interface used by RAP Advertisers includes functionality which could allow advertisers to select keywords entered in search engines by customers, but this functionality is currently disabled. - Bell also assigns interest categories, from a list of categories it has developed, based on the mobile apps used on Bell Mobility Customers' devices, as indicated by the URLs visited via the apps. Bell follows an undocumented process like that outlined in sub-paragraph (ii), above, to ensure that the interest categories assigned based on app usage are non-sensitive.
- Bell runs truncated URLs (i.e., domain and maximum two sub-levels - e.g., www.domain.com/level1/level2) through an automated tool to assign one or more interest categories to the Customer Profile for that customer. The interest categories correspond to the standard "Tier 1" and "Tier 2" categories developed and maintained by the Interactive Advertising Bureau ("IAB")Footnote 3. Tier 1 categories are general categories (e.g., "Hobbies & Interests") within which fit the more specific Tier 2 categories (e.g., "freelance writing"). To give a concrete example, a customer who visits the website http://www.cbc.ca/sports would be categorized as having an interest in "sports". If the customer then navigated to a specific article relating to soccer, the interest category "soccer" would also be added to the Customer Profile.
- URL Matches - RAP Advertisers have the option to identify, via 'free text' in each Ad Profile, one or more full or partial URLs that they would like Bell to match against URLs visited by Bell Mobility Customers. However, RAP Advertisers are not permitted to match against search terms which are captured in the portion of the URL following the "?" (e.g., the URL for a browser search for "hockey news" would be www.browser.ca/?… .=hockey+news).
Account / Demographic Information
- Bell also attaches the account/demographic information of Bell Mobility Customers to its Customer Profiles.
- At the time of the issuance of our preliminary report, the list of account / demographic dimensions thatRAP Advertisers could specify in the creation of Ad Profiles included the following (for each dimension, advertisers can choose one or more of several options):
- Billing Address Location - city (or cities) and/or full or partial postal code(s);
- Age - age range(s) (i.e., 18-25, 26-30, 31-35 … 56-60);
- Gender - male, female, any, none;
- Primary Language - English, French, other;
- Credit Score - below average, average and/or above average;
- Average Revenue per User or "ARPU" (based on monthly billing amount) - very low, low, average, high and/or very high;
- Plan Type - post-paid and/or pre-paid; and
- Device Information - e.g., mobile device manufacturer, model, device type, platform.
Information Not Yet Used for the RAP
- In its notifications to users, Bell refers to the fact that it may use certain network usage information that it is not yet using.
- Bell Residential Services Information: Bell confirmed to our Office that while Bell Mobility Customers are currently the only customers subject to the RAP, Bell does intend to expand the RAP - for example, to serve relevant ads to the customers of Bell Residential Services using other network usage information such as Wi-Fi or wireline Internet usage data, television viewing habits and telephone calling patterns.
Bell indicated that it is not in a position to comment on what specific network usage information it might use in the future for delivery of relevant ads to customers of Bell Residential Services. That said, the information that Bell has access to in relation to those services includes, but is not limited to, the following:- Wi-Fi or wireline Internet usage - full URLs for all websites visited by customers on the Bell network;
- TV viewing information - full details of all television programs viewed via Bell TV (e.g., programs viewed, duration and time of viewing) as well as channels subscribed to and programs purchased on demand; and
- Telephone calling patterns - domestic and international telephone numbers called as well as duration and time of such calls.
- Mobile Location Information: While Bell refers to the use of location network usage information in its notifications [see paragraph 22(c) below], Bell explained that it does not use location information derived from GPS or cell-tower triangulation for the purposes of the RAP at this time. It did not indicate that it had any specific plans to use such information for the RAP in future.
- Bell Residential Services Information: Bell confirmed to our Office that while Bell Mobility Customers are currently the only customers subject to the RAP, Bell does intend to expand the RAP - for example, to serve relevant ads to the customers of Bell Residential Services using other network usage information such as Wi-Fi or wireline Internet usage data, television viewing habits and telephone calling patterns.
Limits on Precision of Ad Profiles
- Bell indicated to our Office that while RAP Advertisers have access to a large number of dimensions which could in theory be used to design very precise Ad Profiles of small target audiences, in practice Bell intends Ad Profiles to capture broad audiences that will justify the significant resources associated with the development and placement of online ads. Bell's RAP is currently designed to hold, for all RAP Advertisers, an aggregate of no more than 1,000 Ad Profiles. Bell also claimed that it would not approve and activate any Ad Profile with a small target audience. Bell had not yet documented its minimum Ad Profile audience size but indicated to our Office that it would be a minimum of approximately 1,000 individuals per Ad Profile.
Use of Information when Bell is also a RAP Advertiser
- Bell Media may at times operate, and has operated, as an ad network using the RAP. Bell explained that when Bell Media is operating in this capacity it receives no information above that which any other RAP Advertiser would receive. Bell Media employees involved in the ad network function have no access to the database containing Customer Profile information.
Retention of Information for Purposes of the RAP
- TheRAP architecture is comprised of various component systems, each of which performs a different function (e.g., collecting and compiling network usage information, generating interest categories for Customer Profiles, compiling and storing Customer Profiles for comparison to Ad Profiles, etc.).RAP Information collected (i.e., network usage and account/demographic information) or generated (i.e., interest categories) by theRAP is stored by Bell within theRAP's component systems for different periods of time, corresponding to the purposes for which it is retained. Maximum retention periods for the main categories of information used by Bell are included below:
- Full URL Information is retained under the RAP for 90 days, to determine customer interests and to allow for URL matches.
- Customer Interest Categories are retained by Bell for one year. While only two months of interest category data is currently being used by Bell for delivery of targeted ads, it is within Bell's future plans to use up to one year's worth of interest category data.
- Account/Demographic Information is retained under the RAP for as long as the individual is a Bell Customer, to create Customer Profiles.
Bell Notifications Regarding the RAP
- Bell explained that it has taken a multi-pronged approach to informing existing customers, new customers and the general public about itsRAP:
- Notifications to Existing Customers - Between August 2013 and February 2014, Bell sent over nine million notifications to affected Bell Mobility Customers using a variety of methods such as bill messages, text messages, and emails. Most affected Bell Mobility Customers received multiple notices. For example, Bell sent the following text message to customers for whom they did not have a contact email address:
Free Bell Msg: We'd like to make ads more relevant to you, acct & usage info will be used. For details or to opt out http://bell.ca/ads
Specific messages varied, depending on the method of delivery (e.g., emails contained a longer explanation) but each message: (i) explained that account and network usage information would be used to deliver ads that are more relevant; and (ii) provided a link by which users could obtain more information about, and/or opt out of, the RAP. - Notifications to New Customers - New customers to Bell Mobility also receive notification of the RAP through: (i) Bell's Critical Information Summary (which new customers must sign before receiving Bell Mobility services), immediately before the signature line; and (ii) Bell's Terms of Service, near the beginning of the document.
- Persistent Notifications - Bell provides information about the RAP to all customers and the public in general via Bell's website. The www.bell.ca home page prominently displays a banner that reads "Learn More about Bell Canada's relevant advertising program" and then, when clicked, links to further details about the RAP. The more detailed explanation on Bell's websiteFootnote 4 indicates that the following types of information will be used for theRAP:
Network usage information, such as:
- Web pages visited from your mobile device or your Internet access at home. This may include search terms that have been used.
- Location
- App and device feature usage
- TV viewing
- Calling patterns
Account information:
- Information about your use of Bell products and services (such as device type, postal code, payment patterns, and language preference)
- Demographic information such as gender or age range
- Bell Privacy Policies - Bell explained that the notifications outlined above provide customers with a more specific description of the uses of their personal information identified in its Privacy Policies. For example:
- Bell's Privacy Policy explains that the purposes for which Bell Companies will collect personal information may include:
…and;
b. to understand customer needs and preferences, and determine eligibility for products and services;
c. to recommend particular products and services to meet customer needs; [and]
d. to develop, enhance, market or provide products and services… - similarly, Virgin Mobile Canada, a division of Bell Mobility that is subject to its own distinct Privacy Policy, explains in that Privacy Policy that it may use personal information for purposes which include:
…
5. Improving our products and services by better understanding your needs; …
7. In order to contact you with information on products and/or services….
- Bell's Privacy Policy explains that the purposes for which Bell Companies will collect personal information may include:
- Notifications to Existing Customers - Between August 2013 and February 2014, Bell sent over nine million notifications to affected Bell Mobility Customers using a variety of methods such as bill messages, text messages, and emails. Most affected Bell Mobility Customers received multiple notices. For example, Bell sent the following text message to customers for whom they did not have a contact email address:
Users' Ability to Opt Out of the RAP
- Bell notified, and continues to notify, individuals about their ability to opt out of the RAP as outlined in paragraph 22 above.
- Bell Customers can opt out (and/or opt back in to) the RAP via one of two links at the bottom of Bell's RAP page, which is in turn accessible via a link at the bottom of the Bell home page. The customer simply selects the link corresponding to the services to which he or she subscribes and then follows the prompts to opt out (as well as manage other marketing preferences). Bell explained that its customers can also opt out, or opt back in, using MyBell online account management.
- An individual's choice to opt out of the RAP is captured in Bell's database, takes effect the following day, and is effective until he or she opts back in to the RAP. Once the opt-out is processed, Bell ceases to use the Bell Customer's information to serve targeted ads.
- Bell informed us, however, that it continued to use network usage information to further develop its Customer Profiles (i.e., as outlined in paragraph 15) for Bell Mobility Customers even after they had opted out of the RAP. Bell did not offer its customers a way to opt out of the use of their information for the purposes of creating and augmenting their Customer Profile. Bell also offered no way for the customer to have the information in their Customer Profile deleted.
- Even in the event that an individual opted out, Bell explained that it maintained and continued to augment Customer Profiles so that, should an individual who was opted out of the RAP choose to opt back in, Bell would be in a position to serve them targeted ads immediately.
Why Bell Implemented the RAP
- Bell asserts that by providing targeted (and thus more relevant) ads to users and more powerful and effective functionality to advertisers, it can improve its customers' overall online experience, better compete in a global online advertising market with strong international advertising players, and ultimately generate greater advertising revenue.
Application
- In making our determinations, we applied the definition of "personal information" under subsection 2(1), as well as subsection 5(3) of the Act, and Principles 4.1.4(a) and (c), 4.3, 4.3.2, 4.3.3, 4.3.5, 4.3.6, 4.3.8, 4.4 and 4.5 of Schedule 1 of the Act.
- Subsection 2(1) defines personal information as information about an identifiable individual.
- Subsection 5(3) provides that an organization may collect, use or disclose personal information for purposes that a reasonable person would consider are appropriate in the circumstances.
- Principle 4.1.4 indicates that organizations shall implement policies and practices to give effect to the principles, including (a) implementing procedures to protect personal information, and (c) training staff and communicating to staff information about the organization's policies and practices.
- Principle 4.3 states that knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.3.2 clarifies that the principle requires "knowledge and consent", and that the organization shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed. Principle 4.3.3 states that an organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes. Principle 4.3.5 provides that in obtaining consent, the reasonable expectations of the individual are also relevant. Principle 4.3.6 further stipulates that the way in which the organization obtains consent may vary, depending on the circumstances and the type of information collected. An organization should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive. Principle 4.3.8 provides that an individual may withdraw consent to the collection, use and disclosure of personal information at any time, subject to legal or contractual restrictions and reasonable notice.
- Principle 4.4 states that the collection of personal information shall be limited to that which is necessary for the purposes identified by the organization.
- Principle 4.5 provides that personal information shall not be used or disclosed for purposes other than those for which it was collected, except with consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
Analysis
- The analysis below takes into account our reasoning as outlined to Bell in our preliminary report, as well as our Office's consideration of Bell's responses to our preliminary report as articulated in subsequent written submissions and discussions.
Summary
- We found that Bell's use of personal information pursuant to the RAP was not, generally, for an inappropriate purpose. We are also pleased that Bell has taken certain steps and made certain commitments that will bring the RAP into compliance with several aspects of the Act (i.e.: to cease using credit information and full postal code for targeting; to allow customers to effectively withdraw their consent to being tracked; to cease sharing RAP Information with The Source; to exercise due diligence to protect against re-identification of profile information by advertisers; to enhance the explanations it provides to its customers regarding the RAP; and to document certain privacy procedures). We are, however, disappointed that Bell has refused our recommendation to implement an opt-in consent model, which we view to be required given: (i) the sensitivity of information used by Bell for the RAP; and (ii) the reasonable expectations of Bell customers in the circumstances.
Scope of Analysis
- While Bell has asserted that it has not yet implemented the RAP beyond its Bell Mobility business and Bell Mobility Customers, Bell's notifications (as detailed in paragraph 22 of this report) provide for its use of a broader range of information (including information related to Bell Residential Services) and define the parameters of the practice for which Bell is seeking consent. For the purposes of our analysis, and in view of the fact that Bell intends to pursue these future uses, we will consider the RAP in that broader and all-inclusive context.
Number of Complaints
- In its response to our preliminary report, Bell asserted that the number of complaints received by our Office was inflated due to the fact that: (i) it sent out such a large number of notifications; and (ii) some of the media coverage surrounding the launch of the RAP contained incorrect statements about the RAP. Bell further stated that the 170 complaints represent a small proportion of the overall number of Bell Customers notified, and that the number of complaints ultimately reflects a minimal level of public concern over the privacy impacts of the RAP.
- While the number of complaints has not factored into our analysis of the appropriateness of any aspect of the RAP, in our view, we do not agree that it reflects a minimal level of public concern. Our Office often receives individual complaints in respect of privacy practices that impact a large number of Canadians, and which have been the subject of significant media coverage, but never before have so many Canadians taken the time to submit formal complaints to our Office on a specific issue. Individual complaints brought to our Office often act as a proxy for a broader base of concern amongst Canadians, including those who have concerns but have not chosen to express them via a complaint to our Office. We remain of the view that this is a reflection of the significant level of Canadians' concern with the RAP, and it was in part for this reason that we decided to commence a Commissioner Initiated Complaint in this case.
OBA Guidelines
- Bell has claimed in its representations to our Office that the RAP is consistent with our Office's Privacy and Online Behavioural Advertising Guidelines ("OBA Guidelines" or "Guidelines")Footnote 5, last updated in June 2012. We do not accept this view.
- As a preliminary matter, it is important to note that the Guidelines provide that opt-out consent for online behavioural advertising could be considered acceptable providing that certain conditions are met. Ultimately, the Guidelines provide that "[a]ny future complaints concerning online behavioural advertising would be assessed based on the specific facts of each individual case." Accordingly, our Office is considering this complaint based on the specific facts as outlined in detail throughout this Report.
- In the circumstances, we consider that the RAP goes beyond the type of Online Behavioural Advertising ("OBA") contemplated in the Guidelines for which opt-out consent may be acceptable. The Guidelines describe OBA as "tracking consumers' online activities, across sites and over time in order to deliver advertisements targeted to their inferred interests". In contrast, Bell combines network usage information, including specific URLs visited, with extensive account information, including demographic information such as age, gender, average revenue per user, and postal code, for the purpose of serving targeted ads. Moreover, Bell intends to use an even greater breadth of personal information to which it has access, including not only websites visited, but also app usage, TV viewing habits and calling patterns.
- Furthermore, the context for the OBA Guidelines was targeted advertising in connection with free online websites, which is materially different from Bell's RAP. In our Office's Policy Position on Online Behavioural AdvertisingFootnote 6 ("OBA Policy Position"), issued in June 2012, we explained that one of the bases for our general position on OBA is that "[online] services are generally free and users ought to expect that some personal information may be needed to access services and information…". In contrast, Bell has historically charged, and currently charges, its customers for the provision of its telecommunications and broadcasting distribution services, and by virtue of the nature of such services, is able to use a breadth of information exceeding that which would generally be available to an online website, including not only web browsing usage, but also telephone and television network usage, as well as a substantially rich repository of account and demographic information. As such, the nature of Bell's relationship with its customers is significantly different from the context in which the OBA Guidelines were intended to operate.
- Bell's position seems to be that the Guidelines establish opt-out as the appropriate form of consent for any behaviourally targeted advertising program, so long as the personal information used is non-sensitive in nature. However, it would be erroneous to view the Guidelines as endorsing opt-out consent as the default standard for targeted advertising programs. The Guidelines outline specific and limited circumstances where opt-out consent may be appropriate. However, the essential considerations for determining the appropriate form of consent to use in the specific circumstances remain: the sensitivity of the information; and the reasonable expectations of the individual.
- As this complaint demonstrates, any organization that may wish to engage in OBA and/or other forms of targeted advertising should consider all the circumstances surrounding its advertising program, including those factors which we have considered in this complaint, discussed below, to determine the appropriate form of consent.
Personal Information
- All account/demographic and network usage information collected and used by Bell for the purposes of the RAP is individual-level data linked to a specific Bell Customer and therefore constitutes personal information under the Act.
Disclosure of Personal Information and Related Accountability
- Bell has explained to our Office in significant technical detail, the process by which it facilitates the delivery of ads by RAP Advertisers to Bell Customers. While we have not described that process in full detail in this report, we accept that Bell has taken sufficient steps to ensure that the RAP does not disclose personal information to advertisers.
- We do, however, recognize that a RAP Advertiser could potentially identify the Bell Customer to whom it delivers a RAP advertisement by using tracking cookies, device fingerprinting, account information, or other tracking methods, and link details from the associated Ad Profile to its own profile for that individual. While our investigation, which was limited to consideration of Bell's practices, did not uncover evidence that RAP Advertisers are engaging in such a practice, we also note that Bell has not contractually prohibited RAP Advertisers from doing so. That being said, Bell has indicated that such a practice would be contrary to its intentions and business interests, as it wishes to continue to leverage its Customer Profile information to generate future revenue.
- In our preliminary report, we recommended, consistent with Principle 4.1.4, that Bell take further pro-active steps (e.g., contractual provisions, monitoring processes, penalties for non-compliance) to ensure that RAP Advertisers do not link Ad Profile information to identifiable individuals, and outline in detail to our Office its process to accomplish this.
- In response to our preliminary report, Bell committed to take such pro-active steps, including the introduction of contractual provisions, and processes to ensure compliance therewith by RAP Advertisers.
- Therefore, with respect to the disclosure aspect, we consider this aspect of the complaint to be not well-founded. With respect to the accountability aspect, we find this aspect of the complaint to be well-founded and resolved.
Appropriate Purposes
- Before considering whether Bell has obtained adequate consent for the RAP, we must first consider whether the RAP is appropriate pursuant to subsection 5(3) of the Act. In general, and subject to the caveat explained below, we believe that a reasonable person would consider Bell's purpose in using account/demographic and network usage information (i.e., to deliver targeted ads) to be appropriate in the circumstances. In our view, however, a reasonable person would not consider it appropriate for Bell to use credit score information, even in aggregated form (i.e., below average, average, above average), for the delivery of targeted ads.
- In our analysis of this issue, we have considered Bell's objectives in implementing the RAP, the likely effectiveness of the RAP in achieving those objectives, and the nature of the information used. We must also remain cognizant that the purpose of PIPEDA is to "establish…rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances".
- With that in mind, we accept that Bell's objectives of maximizing advertising revenue while improving customers' online experience is a legitimate business objective. We also accept that the RAP may very well be effective in achieving those objectives. Studies like The Value of Behavioural AdvertisingFootnote 7, sponsored by the National Advertising Initiative, have found that behaviourally targeted ads are significantly more effective than random or contextual ads, and thus generate greater revenue for ad networks. The addition of account/demographic information to interest categories in Bell's Customer Profiles should serve to improve the precision and effectiveness of its targeting. We also appreciate that some users may prefer to see ads that are consistent with their interests and/or demographic characteristics.
- We note that the above analysis has not taken into account whether Bell's RAP is in compliance with the Telecommunications Act,Footnote 8 a matter which is currently before the Canadian Radio-television and Telecommunications Commission ("CRTC").Footnote 9 If it were determined that Bell cannot, pursuant to the Telecommunications Act, legally engage in the RAP, this would be another factor which may impact on our s. 5(3) analysis.
- In our view, however, Bell's use of credit score information for the purposes of the RAP requires further specific analysis. The collection and use of credit information such as credit scores from credit reporting agencies is expressly limited by provincial legislation. For example, Ontario's Consumer Reporting ActFootnote 10 (the "CRA") prohibits organizations from obtaining credit information except for certain limited purposes such as those related to: credit decisions, collection of a debt, employment decisions, tenancy decisions, underwriting of insurance, determining a consumer's eligibility under a statute or regulation, or any decision where there is a direct business need for the information in connection with a credit or business transaction involving the consumer. These stated purposes do not, based on our interpretation of the CRA, include targeted advertising.
- We see such provincial legislation as reflecting the recognition that measures of credit worthiness, such as credit scores, are only to be used for certain limited purposes directly related to decisions with important financial implications for the consumer and the organization concerned. Bell's use of credit score information to design targeted ads clearly extends beyond these recognized purposes. Given this, we see the use of credit score information for purposes of the RAP as clearly inappropriate.
- In our preliminary report, we recommended that Bell not use credit information, even in aggregated form, for the purposes of targeted advertising.
- Bell agreed to our recommendation and has committed to not using credit information, in individual or aggregated form, as part of the RAP.
- We therefore find this aspect of the complaint to be not well-founded, in part, and well-founded and resolved, in part.
Consent
- The fact that Bell's purpose for usingRAP Information, apart from credit score, is appropriate is not, however, the end of the matter. To be in compliance with the Act, Bell must also obtain meaningful consent for the use ofRAP Information. In our view, Bell does not ensure adequate consent for theRAP. For such consent to be meaningful in this context, Bell should:
- obtain express opt-in consent for the practice;
- ensure that Bell Customers' choices to decline to participate in the RAP effectively ends the use of RAP Information for profiling, as well as for delivery of targeted ads; and
- ensure that Bell Customers' understanding of the RAP and their associated choices are supported by clear explanations outlining all RAP Information.
Form of Consent: Opt-in vs. Opt-out
- In our preliminary report, we concluded that Bell could not rely on the opt-out consent of its customers in order to implement the RAP, and we recommended that Bell implement an opt-in consent model. As outlined below, Bell did not agree with our position.
- In its response to our preliminary report, Bell asserted that the changes it has made or committed to make, as discussed above and later in this report (i.e., ceasing the use of individual credit information and full postal code for the RAP, giving effect to users' choice not to be tracked, and providing enhanced notifications) rendered opt-out consent appropriate, if it was not already. We explained to Bell that our analysis regarding 'form of consent' was predicated on the assumption that those changes would be made, and that the changes did not impact our conclusion regarding the form of consent required.
- More specifically, our rationale for requiring opt-in consent is based primarily on two key factors, as provided byPIPEDA:
- the sensitivity of the information at issue, and
- the reasonable expectations of Bell's customers.
Sensitivity of Information
- PIPEDA provides that express consent is the appropriate form of consent when personal information "is likely to be considered sensitive" (Principle 4.3.6).
- In our view, based on Bell's use and retention of sensitive URLs and highly detailed multi-faceted profiles, Bell is using sensitive information for the purposes of the RAP.
- More specifically, while we are satisfied that Bell does not facilitate the delivery of targeted ads based on sensitive interest categories, like those relating to health or children, Bell does in certain circumstances use sensitive URLs for the purposes of assigning interest categories. In this regard, we note that the RAP involves the analysis of all URLs visited by a Bell Customer to assign interest categories. As such, certain of the URLs visited will inevitably be sensitive in nature as they will reveal an interest in sensitive issues. Principle 4.3.4 of Schedule 1 of the Act provides that certain information (for example, medical records and income records) is almost always considered to be sensitive. In our view, URLs that relate to serious health conditions, sexual orientation, financial condition, etc. would fall into this category. Bell does have processes in place to ensure that URLs do not generate sensitive interest categories. However, as noted above, sensitive URLs may be used to generate non-sensitive interest categories regarding customers.
- In its response to our preliminary report, Bell asserted that the URLs used for the purposes of the RAP are rendered non-sensitive as they: (i) are used to derive non-sensitive interest categories; (ii) are subsequently deleted; and (iii) cannot be re-engineered from the interest category. Bell's explanation is consistent with our understanding of the RAP, subject to the material clarification that URLs are "subsequently deleted" by Bell only after 90 days, during which time they are kept in the RAP to assist with the profiling process. We do not, however, accept that these factors render sensitive URLs non-sensitive.
- In our view, the mere fact that sensitive URLs are used to generate non-sensitive interest categories does not change the fact that the underlying information being used is sensitive. Both the underlying information and the resulting categories that are derived from such information must be assessed in determining the sensitivity of the information at issue.
- To focus solely on the end-result of the process, as Bell is suggesting, would unduly minimize the privacy interest at stake and would have serious implications. According to Bell's logic, accessing, for example, sensitive medical records would not be a "use" of sensitive information provided the resulting category derived from such medical records is non-sensitive in nature, a result which in our view, is clearly unreasonable.
- To put this issue in context, we might ask the rhetorical question: "Would a Bell Customer who visits a dating website for HIV-positive individuals consider the associated URL to be non-sensitive when used and retained by Bell to serve him or her targeted ads, even if such ads are targeted based on non-sensitive categories?" In our view, many individuals would consider such information to be inherently sensitive and would not want Bell to imply their consent to the use of such information for the purpose of serving them targeted ads - to the contrary, they would expect to be given the express choice to determine whether or not Bell could use and retain such information for the RAP.
- We must also consider the sensitivity of the information used by Bell for the RAP in the aggregate. Bell has the infrastructure to offer a full range of telecommunications and broadcasting distribution services including: mobile telephone and data, wireline Internet and telephone, and television. By virtue of the nature and breadth of its services, Bell has access to vast amounts of information about its customers. In essence, Bell is able to track every website its customers visit, every app they use - and in the future, potentially every TV show they watch and every call they make - using Bell's network, whether at home or abroad. Under the RAP, Bell can use this information to infer a wide range of both general and specific interests. The combination of this information with the extensive account/demographic information (e.g., age range, gender, average revenue per user, preferred language and postal code) used by Bell for the RAP will result in highly detailed and rich multi-dimensional profiles that, in our view, individuals are likely to consider quite sensitive. We would note that the sensitivity of the information compiled by Bell for its RAP would necessarily increase should the RAP be expanded to include network usage information from Bell Residential Services.
- In its response to our preliminary report, Bell asserted that the breadth of information it used for purposes of the RAP does not render it, in aggregate, more sensitive than its constituent elements. More specifically, Bell points to the fact that: (i) the individual elements in the Customer Profile are not sensitive; and (ii) Bell does not access the full detail of a Customer Profile. It simply uses an automated tool to indicate when elements of the Customer Profile match those within an Ad Profile to target large groups of individuals.
- We maintain that the breadth of the information Bell retains for the RAP, including all URLs visited by the Bell Customer during the past 90 days, is more sensitive than the individual elements of that information. Note that while URLs are not stored in the Customer Profile, they are retained for the RAP and linkable to an individual customer. Further, the fact that only certain elements of the Customer Profile information may be used by Bell at any given time does not render the information, in its entirety, less sensitive. We have seen all too often that even with sophisticated safeguards, no data repository is immune to the potential for unauthorized access. Such information may also be subject to, in certain circumstances, lawful access requests.
- In our view, for the reasons expressed above, the RAP clearly involves the use of sensitive personal information. As such, the sensitivity of the information at issue leads us to the conclusion that Bell must obtain express consent for the RAP in the circumstances. This conclusion is further supported by our assessment of the reasonable expectations of Bell Customers, which is set out below.
Reasonable Expectations
- Pursuant to Principle 4.3.5, we must also consider the reasonable expectations of individuals in assessing which form of consent is appropriate in the circumstances. Even where personal information is considered "less sensitive", the reasonable expectations of the individual, when considered in the particular context, may be such that express consent is required.Footnote 11
- "Reasonable expectations" is an objective standard which requires that our Office consider all of the relevant contextual factors surrounding the practice in question, including the type of services the organization offers, and the nature of the relationship between the organization and its customers. These contextual factors must not be considered in isolation but rather, evaluated as a whole.
- Taking into consideration all of the factors surrounding Bell's RAP, in combination and in concert with each other (i.e., that Bell wishes to use customers' personal information, much of it sensitive, originally collected for the purposes of delivering paid telecommunications and broadcasting distribution services, for the new secondary purpose of enabling third-party behaviourally targeted advertising), we are of the view that Bell Customers would reasonably expect Bell to give them an express choice with respect to whether or not they wish to participate in the RAP.
- We will explain in greater detail below our analysis of the constituent contextual factors we considered in determining the reasonable expectation of Bell customers.
Introduction of Secondary Behaviourally Targeted Advertising
- For many years, customers have reasonably understood that they need to provide access to their personal information so that Bell can, in return, deliver its primary services - i.e., connect them to requested websites, telephones and/or television programs. In November 2013, Bell proposed a material change to the nature of its relationship with Bell Customers. It will now use the personal information it collects for the primary purpose of delivering telecommunication and broadcasting distribution services, for the new secondary purpose of facilitating the delivery of third-party behaviourally targeted ads. This is one of the constituent factors that we considered in determining that Bell customers would expect opt-in consent.
Paid Services
- While Internet users might in certain circumstances expect websites to track their Web browsing for the purposes of behavioural targeting in order to generate revenue in support of delivering services that are otherwise free to the user, Bell charges for its services, sometimes hundreds of dollars per month. It now wishes to earn additional revenue through the monetization of customers' personal information by facilitating the delivery of third-party targeted ads. This is another of the constituent factors that we considered in determining that Bell customers would expect to be given an express, opt-in, choice.
Third-Party Ads
- Bell Customers may reasonably expect Bell to use certain account/demographic information for the limited purposes of marketing its own products and services, as it has for many years, but the RAP involves the collection of much more information - including web browsing activity - to enable behaviourally targeted advertising by third parties. Furthermore, while we found no evidence that Bell is disclosing personal information to RAP Advertisers, and while we are comfortable based on Bell's commitments (as outlined in paragraph 51) that it will be exercising due diligence to protect against unintended re-identification, including by means of contractual provisions, the risk persists that advertisers could link Ad Profile information to an identifiable individual.
The Nature of Telecommunication Services
- In our view, the unique nature of the relationship between telecommunications carriers and their customers must be considered in determining the form of consent Bell Customers would reasonably expect for the RAP, particularly given that Bell wishes to use customers' information for a purpose other than to deliver telecommunication services. Telecommunications service providers, like Bell, act as "trusted agents"Footnote 12. They provide customers with access to Internet, mobile and landline phone services, and are in effect the pipeline through which all customers' mobile, telephone and internet communications, however sensitive, must flow. Customers entrust their private communications to their telecommunications service provider with the expectation that they will be delivered safely and securely, and that they will generally not be monitored unless it is for a purpose directly related to the provision of the service. The RAP, however, departs from this reasonable expectation by tracking the details of Bell Customers' activities on the network for a purpose unrelated to the effective delivery of telecommunications service.
- In its response to our preliminary report and in our subsequent discussions, Bell challenged the appropriateness of us considering each of the contextual factors, as outlined above. We reiterate that each contextual factor contributing to the reasonable expectation of the individual cannot be considered in isolation. Rather, they must be considered in combination and in concert with each other to inform the analysis regarding the form of consent that is required for the RAP.
- Bell also asserted that its customers' expectations would be best determined by the notifications they would have received from Bell regarding the RAP. We note, however, that not all notifications are opened. For instance, one study has suggested that the open rate for email marketing notifications is approximately 20%Footnote 13. For those who opened the notifications, even less would have read the messages or "clicked through" (i.e., clicked on a link within the email) to get more information. By their nature, such notifications are premised on implied consent and so do not represent confirmation that all customers have read, understood and expressly agreed to the RAP.
- Furthermore, Bell's argument puts the proverbial horse before the cart. One must first determine what individuals' reasonable expectations are and then determine what form of consent is required. If the reasonable expectations analysis leads to a finding that express consent is required, the fact that notifications were sent, based on an implied consent model, no matter their level of penetration, will not render an organization in compliance with the Act.
- Bell further claimed that our Office had not adequately considered the actual expectations of Canadians in determining what Bell Customers should reasonably expect. We agreed to offer Bell the opportunity to submit further evidence on this issue (post-issuance of our preliminary report). Bell subsequently submitted evidence, based on a survey conducted by a professional survey firm, on its behalf, in December 2014. Bell relied on this survey evidence to support its position that Canadians consider opt-out consent appropriate for the RAP.
- First, we note that survey evidence can never be determinative in assessing the reasonable expectations of individuals. The 'reasonable expectations' test is an objective standard. In applying this test, we must assess from an objective perspective, what a fully informed individual apprised of all the circumstances, including the legal context, would reasonably expect. It is highly unlikely that survey respondents would have been apprised of all the circumstances and legal context surrounding the RAP. In any event, while a survey may measure actual expectations, it cannot be determinative of the legal issue of whether expectations are "reasonable" in light of all the circumstances.
- That said, our Office engaged a survey expert to provide a professional evaluation of Bell's survey evidence. The expert appointed by the OPC opined, supported by published authorities, that the survey evidence was of low validity, due to serious issues with the survey instrument including but not limited to the following: (i) "framing" questions were demonstrably leading, likely inflating later responses in favour of Bell's propositions; (ii) certain terminology critical to the interpretation of results was ambiguous; and (iii) several of the questions were multi-barrelled and/or unduly complex. Ultimately, she opined that "most of the conclusions drawn by Bell from the survey are not scientifically supported."
- By way of example, we note that there were serious issues with respect to the validity of the following question in Bell's survey: Text version of Figure 1
It is reasonable for your home or mobile internet service provider to use information such as your online browsing activity to enable systems to make the ads you see more relevant to you if you are notified in advance and can opt-out if you want.
42% Agree; 20% Somewhat agree; 7% Somewhat disagree; 29% Disagree; 3% Unsure. - The expert noted that for reasons including those listed above, the results of this "multi-barreled" complex question "do not reflect the beliefs of Canadians with respect to the specifics of the RAP program, nor to the reasonableness of Bell's implied consent program."
- Our Office noted in particular, that the wording
"[i]t is reasonable for your home or mobile internet service provider to use information such as your online browsing information… [emphasis added]"
is not reflective of the actual RAP, which is much broader, involving a telecommunications carrier and broadcasting distribution undertaking using network usage information (including mobile and home Internet network usage, television viewing, and calling patterns) and account/demographic information (including city and postal code, age, gender, average billing amount, etc.). - The expert found similar issues with respect to the validity of the other survey questions on which Bell relied. Given the survey's low level of validity, we do not consider Bell's survey evidence to be relevant to our determination of the reasonable expectations of Bell Customers.
- We do note, however, that in our view the survey results, which the survey expert indicates are likely inflated in favour of Bell's position, would even as presented, still not support Bell's assertion that opt-out consent is appropriate for theRAP. For example, in relation to the opt-out question displayed above:
- only 42% of respondents agreed with the opt-out proposition;
- 20% agreed in part, with one or more aspects of the multi-barrelled question (it is impossible to determine which components the respondents disagreed and agreed with); and
- 36% disagreed or somewhat disagreed with the proposition.
- We also note that a number of the 170 complainants who took the time to forward their complaints to our Office expressed a specific desire and expectation that Bell obtain express opt-in consent to the use of their personal information for the RAP.
Competitive equity concerns
- Bell further claimed that requiring it to obtain opt-in consent would put it at a competitive disadvantage, submitting various examples of organizations that it alleged were engaging in advertising pursuant to opt-out consent, while being similar to Bell with respect to one or more, but not all, of the contextual factors outlined in paragraphs 81 to 84 above. Bell asked that our Office refrain from making a finding with respect to the appropriate form of consent for the RAP until our Office holds broad consultations and devises rules that would be applicable to all organizations engaged in targeted advertising.
- With respect to Bell's concerns, we note that the applicable principles from the Act apply consistently to all organizations: the appropriate form of consent will depend on the sensitivity of the information and the reasonable expectations of the individual in a given context.
- Furthermore, we expect that our findings in this matter will inform the privacy practices of other organizations similarly situated to Bell, and more specifically the form of consent they should obtain. If other organizations are engaged in a targeted advertising program which is materially similar to Bell's, then equally, our expectation would be that such a program would be based on express opt-in consent model.
- We also note that, to our knowledge, no other telecommunications service providers and broadcasting distribution undertakings are engaged in a targeted advertising program similar to the RAP. In a letter to the CRTC, Telus Communications Company has indicated that it would not use the personal information of its customers to enable targeted advertising by third parties without its customers' express consent.Footnote 14 As such, Bell's direct competitors in the telecommunications and broadcasting distribution industry do not appear to be engaged in programs similar to the RAP.
- Bell's position seems to be that its true competitors are not only telecommunications service providers and broadcasting distribution undertakings, but also online websites and other organizations engaged in targeted advertising. We will not comment on any of the specific examples raised by Bell in this report; our investigation relates solely to Bell's practices in relation to the RAP. Each investigation must be determined based on its own unique set of facts. Further, it goes without saying that the fact that other industry players may be engaged in similar privacy practices does not render those practices acceptable if they are in contravention of PIPEDA.Footnote 15
- In light of the above, we remain of the view that Bell cannot rely on the opt-out consent of its customers in order to implement the RAP. Both the sensitivity of the information at issue and the reasonable expectations analysis lead us to the conclusion that such consent is not appropriate in the circumstances.
- In our preliminary report, we recommended that Bell provide its customers with the opportunity to make an express opt-in choice regarding whether or not they consent to Bell's use of their personal information for the RAP.
- Bell refused to comply with our recommendation.
- We therefore find this aspect of the complaint to be well-founded.
Customer's Choice Not to Participate
- In our preliminary report, we expressed our view that while Bell ceases to deliver targeted ads to Bell Customers who opt-out of the RAP, Bell was not fully respecting a customer's choice not to participate in the RAP.
- Firstly, Principle 4.3.8 provides that an individual "may withdraw consent at any time" for the collection, use or disclosure of their personal information. The opt-out option made available by Bell did not allow a Bell Customer to withdraw consent to the use of his or her information for Bell's profiling purposes. As noted above, Bell continued to assemble interest categories for customers who have opted out of the RAP in case the customer may one day change his or her mind and opt back in to the program. In our OBA Policy Position and Guidelines, we indicate that organizations should not use persistent techniques, like "super-cookies" or "zombie cookies", that render it difficult or impossible for users to effect their choice not to be tracked. That same reasoning applies to the circumstances in this complaint.
- Furthermore, Bell had not clearly explained to its customers, either in its Privacy Policy or its RAP notifications, that opting out of the RAP did not result in Bell ceasing the use of RAP Information for profiling purposes. It is not intuitive, in our view, that opting out of the RAP would be limited in such a way. It follows that when Bell maintains RAP Information in the Customer Profile of a customer who has opted out of the RAP, and/or continues to augment that profile with new network usage information despite the customer's expressed wish to opt-out, Bell would be doing so without the customer's consent.
- In our preliminary report, we recommended that Bell take steps to ensure that a Bell Customer's choice not to participate in the RAP results in: (i) the deletion of all information from that individual's Customer Profile; and (ii) the cessation of the use of RAP Information to continue to augment that profile. We further recommended that Bell outline in detail to our Office its process to accomplish this.
- Bell agreed to our recommendation. The RAP opt-out process has been amended so that an opt-out will terminate all use of the RAP Customer Profile for marketing and the deletion of any browsing, interest and category information from existing profiles. The change will be implemented retroactively so that it applies to anyone who chose to opt out since the initiation of the RAP.
- We therefore find this aspect of the complaint to be well founded and resolved.
Adequacy of Communications Explaining the RAP
- We wish to acknowledge that Bell has taken significant measures to provide timely and prominent notices to its customers with a view to making them aware of the RAP. However, in our view, the Bell Companies' notifications do not provide sufficient detail to form the basis of meaningful consent to the RAP. Bell's Privacy Policy provisions, as outlined in paragraph 22(d), do not clearly explain or encompass Bell's use of customers' personal information pursuant to the RAP. Further, the high-level explanations, coupled with limited examples of information to be used, included in Bell's RAP-specific notifications, like those outlined in paragraph 22(c), provide insufficient guidance for Bell Customers to understand the full extent of the information Bell may use for the RAP, even in respect of Bell Mobility alone. In particular, not all account information used in the RAP (such as account revenue or device type) is outlined, nor are key terms such as "location" or "app and device feature usage" explained in detail. Further, Bell has not explained that all URLs are used to determine interest categories, even URLs which may be considered sensitive in nature.
- As outlined in paragraphs 73 and 75 above, the combination of information that Bell may use for purposes of the RAP renders such information more sensitive. For customers' consent to the RAP to be meaningful, it would need to be supported by a detailed explanation that allows them to clearly understand the full breadth of actual information which Bell might use to target them, including a full list of dimensions available to RAP Advertisers for the creation of Ad Profiles and a clear explanation that all URLs they visit may be used for the purpose of assigning interest categories.
- It follows that Bell has also failed to provide a sufficiently clear explanation with respect to potential expansions of the RAP to Bell Residential Services, the full details of which are yet to be determined. For instance, Bell has not clearly explained to its customers what information relating to "TV viewing" or "calling patterns" may be used in the RAP.
- We recommended that Bell provide an adequate explanation of the RAP to its customers via prominent detailed explanations outlining the full breadth of RAP Information currently being used by Bell for the RAP. We further recommended that Bell obtain consent for any future uses of other information, including that related to mobile location or network usage for Bell Residential Services, only once Bell is able to provide a sufficiently clear and detailed explanation of intended uses to support meaningful consent.
- Bell has committed, in the context of a continued opt-out regime, to augment the explanations available to individuals relating to the personal information that is currently collected under the RAP and may be collected in the future, as well as the uses for such information under the RAP, by April 30, 2015.
- While such notifications will not render opt-out consent adequate, we find this aspect of the complaint, relating to the adequacy of Bell's explanations regarding the RAP, to be well-founded and conditionally resolved.
Requiring Consent (full postal code)
- Bell has indicated that it does not intend Ad Profiles to target audiences of less than 1,000 Bell Customers, and that in most cases it would expect the audience to be much greater than that number. However, the option for RAP advertisers to select full postal code, as opposed to the first three characters, could yield a much smaller target audience. According to Statistics Canada, the average number of households served by a postal code is approximately nineteen, but could include as little as one household.Footnote 16
- In our view, Bell was therefore requiring those customers who wish to partake in the RAP to consent to the use of more information than necessary for the purposes of the RAP.
- We recommended that Bell cease the use of full postal code information, for the purposes of targeted advertising.
- Bell agreed to our recommendation and has commenced using only the first three characters of customers' postal codes for the purposes of the RAP.
- We therefore find this aspect of the complaint to be well-founded and resolved.
Requiring Consent (disclosure to The Source)
- Bell indicated, as outlined in paragraph 6, that RAP Information would not be shared beyond the Bell Companies, which include The Source. In its representations to our Office, Bell indicated that "The Source (Bell Electronics) Inc. has no involvement in the RAP".
- It is our view that if The Source has no involvement in the RAP, customers should not be required to consent to the disclosure of their personal information to The Source for the purposes of the RAP.
- We recommended that Bell remove The Source from the list of Bell Companies to which RAP Information may be disclosed.
- Bell agreed to our recommendation and will remove The Source from the list by March 31, 2015.
- We therefore find this aspect of the complaint to be well-founded and conditionally resolved.
Limiting Collection
- We accept that Bell is not collecting any new personal information for the purposes of the RAP. It is simply using, for new purposes, information which it already collects for the purposes of delivering its services. As such, we are satisfied that Bell is not collecting more information than necessary for the purposes of the RAP.
- We therefore find this aspect of the complaint to be not well-founded.
Retention
- We are also satisfied that Bell's retention periods for the various types of information outlined in paragraph 21 of this report, are consistent with the uses of that information for purposes of the RAP.
- We therefore find this aspect of the complaint to be not well-founded.
Accountability
- During the course of our investigation we noted that Bell was lacking certain documented procedures to ensure the appropriate use of individuals' personal information pursuant to the RAP.
- We recommended that Bell ensure that such practices (i.e., vetting of URLs submitted by RAP Advertisers via Ad Profiles, establishing additional key word searches or interest categories, and ensuring minimum Ad Profile audience size) are documented and communicated to Bell staff to ensure consistency and reliability in application.
- Bell agreed to this recommendation and will demonstrate to our Office that it has implemented the documentation, and associated communications and training by March 31, 2015.
- We therefore find this aspect of the complaint to be well-founded and conditionally resolved.
Conclusion
Well-founded and conditionally resolved allegations
- We remain interested in Bell's compliance with the commitments it has made to our Office, as outlined in this report, and we will continue to follow-up with Bell to ensure that those changes are adequately implemented within the agreed timeframes. At the appropriate time, we will gauge whether Bell has fully complied with our recommendations and, if necessary, we will address any outstanding concerns in accordance with our authorities under the Act.
Bell's Failure to Obtain Adequate Consent - Well-founded
- While we are pleased that Bell has implemented significant changes so that certain aspects of the RAP are, or would soon be, in compliance with the Act, we are also disappointed that Bell has declined our recommendation to amend the RAP to obtain opt-in consent from its customers, which in our view is required given: (i) the sensitivity of the information Bell uses for the program; and (ii) the reasonable expectations of Bell customers in the circumstances. We will proceed to address this unresolved issue in accordance with our authorities under the Act.
Other
- Given the importance and utility of these findings in further clarifying our Office's expectations of organizations engaged in, or considering, behaviourally targeted advertising, we will be conducting further outreach to sectors where the findings are likely most pertinent, including the Telecommunications sector.
Notes
- Date modified: