The federal privacy commissioner is telling Bell Canada to adopt an “opt-in” consent mechanism for its targeted advertising program, effectively changing the game for other companies seeking to use customer data.
Bell’s “Relevant Advertising Program” first raised concerns in the fall of 2013 when it was introduced. The RAP involves tracking the Internet browsing habits of customers, along with their app usage, TV viewing, and calling patterns.
By combining this information with demographic and account data already collected from customers, Bell can create detailed profiles that enable third parties to deliver targeted ads to Bell’s customers for a fee. The program involves combining customer information from several Bell affiliates that offer a range of mobile, home phone, Internet, and TV services.
To date, Bell has put the onus on customers to “opt out” if they do not want their information to be used as part of the advertising initiative by clicking on a link at the bottom of the program’s web page and following the prompts. Customers who don’t are automatically included in the program.
“Bell’s ad program involves the use of vast amounts of its customers’ personal information, some of it highly sensitive,” commissioner Daniel Therrien said in a statement today.
The privacy commissioner’s report, made public today, notes that when browsing and viewing habit information is combined with account and demographic information — such as age range, gender, average revenue per user, preferred language, and postal code — which the company has long collected, the end result is a rich multi-dimensional profile that most people are likely to consider highly sensitive.
In assessing the appropriate form of consent, the office of the privacy commissioner considered the sensitivity of the information in question and what customers would “reasonably” expect from their telecommunications service provider with whom they’ve entrusted their private communications.
The initiative drew an “unprecedented” 170 privacy complaints under the Personal Information Protection and Electronic Documents Act after it was announced. As a result, a commissioner-initiated investigation was launched.
In a statement today, a Bell spokesperson said the company will abide by the privacy commissioner’s decision including the opt-in approach.
“We’re dedicated to protecting customer privacy and thank the commission for clarifying the rules. These are rules that must apply not only to Canadian companies but to international companies operating here, like Facebook and Google, to ensure a fair and competitive marketplace,” said Jason Laszlo in an e-mail.
The commissioner acknowledged Bell is not alone in its endeavours to use customer information.
“This is not something exclusive to Bell,” Therrien said. “We will be reaching out to other organizations that are engaged in or considering this type of activity, including the wider telecommunications sector, as we believe others could benefit from our findings in this investigation.”
In his report, the commissioner has made an important distinction between a free service and a paid service, says Mark Hayes of Hayes eLaw LLP, marking a “huge development.”
“They’re saying Bell isn’t just some web site, they are a telecommunications provider and they have certain quasi monopolies and are required to provide them with personal information, not something that is optional like Facebook, and that gives them a different equation in terms of what they should be able to use the information for,” says Hayes.
When it comes to behavioural advertising many have looked at the privacy guidelines and interpreted them as allowing the use of personal information as long as it is done in a “reasonable” way. But Hayes says, the bar has now been raised significantly.
“For companies that collect personal information in respect of paid services, where the information is collected primarily for the provision of the paid services but now they want to use it for a secondary purpose of behavioural advertising that’s changed the game for many companies — financial institutions and insurance companies have a tremendous amount of information about you,” he says.
Hayes says it would appear Bell went to “great lengths” to try and exclude any sensitive information but the commissioner said if you use sensitive information to produce non-sensitive information that still requires opt-in consent.
“I think that’s a really doubtful conclusion, because what you’re really doing is if you go to great lengths to make sure there isn’t sensitive information we’re going to ding you anyway. We’re going to require opt-in to make it non-sensitive which is kind of defeating the purpose of the act.”
Hayes says the big business issue online right now is about trying to monetize all the information being collected about customers.
“The ramifications of this are huge in terms of the decision to say free services are going to be treated differently,” he says.