Thinking About Privacy and Online Advertising

May 13, 2015

Because the Learn section of TalkRights features content produced by CCLA volunteers and interviews with experts in their own words, opinions expressed here do not necessarily represent the CCLA’s own policies or positions. For official publications, key reports, position papers, legal documentation, and up-to-date news about the CCLA’s work check out the In Focus section of our website.

Online shopping has become a competitive and highly profitable sphere for business, and has contributed to the rapidly expanding world of the online advertising industry. Advances in technology have facilitated the commercialization of the internet, as more and more people seek the convenience that comes as they carry out daily activities in online spaces. The increasing ability of individuals to conduct much of their daily routine in online space has its benefits, such as better access to information, communication, and the resulting overall increases in quality of life. This online presence has, however, brought with it its own concerns and potential hazards.

Advances in online advertising, coupled with the merging of private lives with the very public space of the internet, has created an unprecedented demand for personal information and a sharp rise in data collection activities by private companies. Information has become a form of currency, treated like a valuable commodity, and it is being monitored and stored in order to tailor online advertising to the individual. This is accomplished in a number of ways: contextual targeting (ads tailored to what you are generally viewing on a web page at any given moment), geo-targeting (ads tailored to your location), and behavioural targeting (ads tailored to your overall online behaviour). All of these raise questions concerning data collection and how privacy is being breached by the advertising industry. Links are being created between individuals and companies without a direct business relationship. These links include the collection of personally identifiable information including data related to online activity and behaviour, as well as geographical location. Problems with this become apparent when considering that most people are not aware of how much tracking and surveillance by private advertising companies is taking place. Furthermore, it is not always clear where all the data is being stored, and how it is being used.

All of these types of online advertising require the existence of a body of information about the intended targets. Behavioural targeting, the most invasive form of online advertising, operates on the basis of profiles compiled with data collected about any one individual, or “target”, based on their online habits and preferences. The data is collected in various ways, such as text files known as cookies that are stored on your device by a website to identify you when and if you return, and keyword tracking in online search engines. The information is then used to compile profiles about users, which are used to tailor online advertising. Data on what subject a person reads about, what websites are visited, what music they listen to, what language they speak, and how long a person remains on one particular page or advertisement, is collected and analyzed in an effort to use this information for profit generation.

Many privacy issues arise as a result of this reality. Firstly, many private companies operate in order to collect all this information and design targeted advertising for their own benefit. When ads are being designed to target individuals online, information is not only collected by one company, but is exchanged between companies to compile ever more detailed personal profiles. This is done to personalize the ads, to increase the likelihood that it will interest the consumer and generate revenue. Having permutations of this data shared and stored in so many places also facilitates the possibility of malicious activity and identity theft, leaving your data at the mercy of online criminals.

In one recent example from the United States, a shopper looking for a new car found himself in the complex web of online advertising. After deciding on a car manufacturer that he was interested in, the shopper visited a local dealer’s website and filled out a brief online form with his name and contact information in an attempt to get assistance from the car dealer. What he didn’t realize was that the information that he provided online was being routed through an online advertising company that compared the data that he sent to the dealer to data that they had stored about him, his computer, and his online activity (the code used by the advertising company to track shoppers is found in over 10,000 automotive websites). As a result, the dealer now had access to much more information about the shopper than he had initially intended to provide, which included what other car manufacturers the potential buyer was looking at, price ranges, options, and a great deal of other identifiable personal information about the person’s online habits. The dealer had a view of the shopper’s personal life based on personal information that the shopper did not know was available. Besides the privacy breach, the shopper also lost their advantage – the dealer already knew exactly what he was looking for.

Questions are posed regarding who has control over your private personal information. In the above context, unknown private companies collect and have access to your personal behavioural data without explicitly asking for your permission to collect and store it. It’s almost like a group of people from various corporations are constantly following you around, observing your routine, your reactions, how long you stand in front of a shelf at a store, where you go and for how long, who you associate with… all the while recording absolutely everything that they observe. Then they store that data somewhere out of your reach and use it to their own advantage without asking you – in effect treating it as though it were their own property, and not yours. It can be reasonably assumed that most people would not consent to that kind of arrangement. Some might argue that the above scenario is not quite the same as online tracking for the benefit of advertising, but when you realistically take into account the fact that the internet has become intertwined with our daily lives, the above parallel becomes that much clearer.

Important questions are raised with regards to tracking and online advertising. How do advertisers engage in identifying individuals online? What kind of information is used? How is this information used? How and where is it stored? Is it stored domestically or offshore? As can be seen, each of these questions raises even more questions.

It appears that the aforementioned concerns have resounded with Canada’s privacy watchdog. In January 2015, the Interactive Advertising Bureau of Canada notified its members that the Office of the Privacy Commissioner of Canada will be conducting a research project regarding advertising on popular websites in Canada, to find out whether advertisers are complying with Canadian privacy laws, specifically the Personal Information Protection and Electronic Documents Act (PIPEDA). The Privacy Commissioner of Canada will likely publish its findings in the spring of 2015.

All of these issues point towards a need for better protection in online space. People should not need to be experts in technology and advertising in order to protect themselves against invasions of privacy. Individuals should be made aware of what is involved in online tracking and advertising, and should have some kind of recourse from it. People should not only be made aware of what kind of information is being collected about them, but should also have the ability to inquire about what sorts of data is stored about them, and have the right to have it deleted if they so choose. Consumers deserve more information, more choice, and more control.