Social Media – a Good Source of Data About Insurability?

People have expressed concern about behavioural advertising, in which advertisers watch what one does online in order to send out ads that are likely to appeal to the person watched. A number of big online services are now developing a ‘do not track’ command to allow their users to prevent their information from being collected for that purpose.

A more interesting, and more intrusive, usage of behavioural information collected online is by insurance companies that may decide whether someone is a good risk to insure based on that information. Fans of XXX’s double-cheese-and-bacon deep-dish pizzas may find themselves having a harder time getting life insurance, or paying more for it, than fans of YYY’s brown rice or ZZZ’s aerobics.

A note on some of the legal implications in the US of this trend has been published in the ABA Cyberspace Committee’s newsletter [PDF].

Would PIPEDA be an effective block — or at least a legal impediment — to the collection and use of such information for such purposes in Canada? The information is said to come to the insurers from data aggregators. The Federal Court has held that the Privacy Commissioner of Canada has at least theoretical jurisdiction over the activity of US-based aggregators who collect information in Canada on Canadians. Is this a help?

At some level this is another manifestation of the ‘reasonable expectation of privacy’. How private does one expect that kind of information to be, and does one have to ‘expect’ data aggregation of pieces of information that are on their own harmless but when aggregated may be meaningful in prejudicial ways?

Looked at another way, it suggests that ‘personal information’ for privacy purposes is much less about substantially significant pieces of information – credit card number, medical record (though these are still important) – and more about collections of data points that can be made to be significant for different purposes.

Is PIPEDA or its provincial equivalents up to the task of dealing with these new forms of personal information? If not, how could they be adapted?

Comments are closed.