Privacy Abuses and Leaks
Two current privacy stories are worth mentioning. First, see this CBC news article entitled “Political parties operate outside Canada’s privacy laws.” The controversy arises from an email sent by a Cabinet Minister to those who signed a petition.
Also see this article entitled “Websites leaking customers’ personal info, says privacy watchdog” and the Privacy Commissioner’s news release. The issue here is the revelation by the Canadian Privacy Commissioner, Jennifer Stoddart, that 1 in 4 of the 25 websites her office looked at were passing on personal information of users to third-party advertising and marketing firms without user consent.
Here is an infographic on web leakage provided by the Commissioner.
While privacy issues can appear simple on the surface, there is often room for interpretation, and viewpoints can vary. Those accused of abusing privacy may not understand the issues, may not have educated employees on what they can and can’t do, or may be burying their heads in the sand because they don’t want to face that they may not be able to use personal information to their advantage without permission.
UPDATE (Sept 27): See also this article about an MP’s email exposing 1500 addresses.
It would be interesting to know to what extent someone creating a web page could end up doing this disclosure without intending to, presumably because others that are given access to the site (such as advertisers placing ads there) tap into information on the site itself. I note the Commissioner’s background document:
So organizations, whether law firms or not-for-profit organizations, that intend to ‘be good’ and comply with privacy laws may apparently find themselves violating the law.
Is the answer to this good contract provisions, or must one perform some kind of technical analysis on one’s own site from time to time, using the tools that the Commissioner mentions or similar ones?
It’s easier to pass just a “referred to you by” string to an advertiser than it is to pass other values.
The second easiest, however, is to send the entirety of the filled-in data from a web form.
It’s much more work to pass selected subsets.
–dave
This came up early on with Facebook also. As Dave suggests, they would include profile info in the URL, which then typically (and automatically) gets attached as the referrer to any link you click on. I think in many cases (as it was with Facebook), the leakage is in fact inadvertent, but it’s no less a violation of PIPEDA’s technical safeguards obligations.
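The two leak paths raised in the comments above (personal data in a page URL travelling to a third party as the referrer, and form data passed in the third-party request itself) can be checked for in captured traffic from a test account. This is an added example, not code from the post, the commenters or the Commissioner's office; every host, parameter name and seeded value in it is constructed.

```javascript
// Added example: audit captured requests for personal data reaching third parties.
// All hosts, parameter names and values below are constructed for illustration.

// Values entered on the site with a throwaway test account (constructed).
const SEEDED = { email: 'test.user@example.org', name: 'Pat Tester', postal: 'K1A 0A6' };

// Captured requests as {url, referer} pairs, e.g. exported from browser dev tools (constructed).
const CAPTURED = [
  { url: 'https://shop.example/account', referer: 'https://shop.example/login' },
  { url: 'https://ads.example.net/pixel.gif?slot=top',
    referer: 'https://shop.example/profile?name=Pat%20Tester&email=test.user%40example.org' },
  { url: 'https://metrics.example.com/collect?e=test.user%40example.org&pc=K1A+0A6',
    referer: 'https://shop.example/checkout' },
  { url: 'https://cdn.example.net/lib.js', referer: 'https://shop.example/checkout' },
];

function isThirdParty(host, firstParty) {
  return host !== firstParty && !host.endsWith('.' + firstParty);
}

// Return [paramName, fieldName] pairs for query parameters that carry a seeded value.
// URLSearchParams decodes %XX and '+', so encoded values are still matched.
function seededParams(urlString, seeded) {
  const hits = [];
  for (const [param, value] of new URL(urlString).searchParams) {
    for (const [field, secret] of Object.entries(seeded)) {
      if (value.toLowerCase().includes(secret.toLowerCase())) hits.push([param, field]);
    }
  }
  return hits;
}

function findLeaks(requests, firstParty, seeded) {
  const findings = [];
  for (const { url, referer } of requests) {
    const host = new URL(url).hostname;
    if (!isThirdParty(host, firstParty)) continue;
    // 'referer': data in the page URL, forwarded automatically by the browser.
    // 'url': data the page itself placed in the third-party request.
    for (const [via, candidate] of [['referer', referer], ['url', url]]) {
      if (!candidate) continue;
      for (const [param, field] of seededParams(candidate, seeded)) {
        findings.push({ host, via, param, field });
      }
    }
  }
  return findings;
}

console.log(findLeaks(CAPTURED, 'shop.example', SEEDED));
```

Findings with `via: 'referer'` are the inadvertent kind; keeping personal data out of page URLs and sending a restrictive `Referrer-Policy` header addresses them, while `via: 'url'` findings mean the page is handing the data over itself.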