Privacy Abuses and Leaks

Two current privacy stories are worth mentioning. First, see this CBC news article entitled Political parties operate outside Canada’s privacy laws. The controversy arises from an email sent by a Cabinet Minister to those who signed a petition.

Also see this article entitled Websites leaking customers’ personal info, says privacy watchdog and the Privacy Commissioner’s news release. The issue here is the revelation by the Canadian Privacy Commissioner, Jennifer Stoddart, that 1 in 4 of the 25 websites her office looked at were passing on personal information of users to third-party advertising and marketing firms without user consent.

Here is an infographic on web leakage provided by the Commissioner.


While on the surface, privacy issues can appear to be simple, there is often room for interpretation, and viewpoints can vary. Those accused of abusing privacy may not understand the issues, may not have educated employees on what they can and can’t do, or may be burying their heads in the sand because they don’t want to face that they may not be able to use personal information to their advantage without permission.

UPDATE (Sept 27): See also this article about an MP’s email exposing 1500 addresses.


  1. It would be interesting to know to what extent someone creating a web page could end up doing this disclosure without intending to, presumably because others that are given access to the site (such as advertisers placing ads there) tap into information on the site itself. I note the Commissioner’s background document:

    The research did not examine whether personal information disclosures were intentional (for example, a website was being paid for the personal information) or unintentional (for example, a disclosure was the result of a lack of attention.)

    So organizations, whether law firms or not-for-profit organizations, that intend to ‘be good’ and comply with privacy laws may apparently find themselves violating the law.

    Is the answer to this good contract provisions, or must one perform some kind of technical analysis on one’s own site from time to time, using the tools that the Commissioner mentions or similar ones?

  2. David Collier-Brown

    It’s easier to pass just a “referred to you by” string to an advertiser than it is to pass other values.

    The second easiest, however, is to send the entirety of the filled-in data from a web form.

    It’s much more work to pass selected subsets.


  3. This came up early on with Facebook also. As Dave suggests, they would include profile info in the URL, which then typically (and automatically) gets attached as the referrer to any link you click on. I think in many cases (as it was with Facebook), the leakage is in fact inadvertent, but it’s no less a violation of PIPEDA’s technical safeguards obligations.
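An added example, not part of the original post or its comments: one way to run the periodic technical check raised in the first comment, covering both the form-data forwarding and the referrer leak described in the second and third. It assumes you have browsed your own site with a test account holding unique marker values and exported the outbound requests; the record shape, host names and marker values below are all constructed for illustration.

```python
from urllib.parse import urlsplit, unquote_plus

# Constructed marker values for a test account created only for this audit.
MARKERS = {"email": "audit.user@example.test", "postal": "A1B 2C3"}

def is_third_party(host, first_party):
    """True when host is neither the site itself nor one of its subdomains."""
    host = (host or "").lower()
    return not (host == first_party or host.endswith("." + first_party))

def find_leaks(requests, first_party, markers=MARKERS):
    """Return (destination host, channel, marker name) for each third-party
    request whose URL or Referer header carries a marker value."""
    findings = []
    for req in requests:
        host = urlsplit(req["url"]).hostname
        if not is_third_party(host, first_party):
            continue
        channels = {"url": req["url"], "referer": req.get("referer", "")}
        for channel, raw in channels.items():
            # Percent-decode so "%40" and "+" do not hide a value.
            decoded = unquote_plus(raw).lower()
            for name, value in markers.items():
                if value.lower() in decoded:
                    findings.append((host, channel, name))
    return findings

# Constructed sample of captured requests (e.g. exported from browser dev tools).
SAMPLE = [
    # First-party form submission: not a disclosure to a third party.
    {"url": "https://shop.example.test/signup?email=audit.user%40example.test",
     "referer": "https://shop.example.test/"},
    # Ad request whose Referer is the page URL, which contains the email.
    {"url": "https://ads.tracker.test/pixel.gif?id=42",
     "referer": "https://shop.example.test/welcome?email=audit.user%40example.test"},
    # Analytics request that forwards a form field directly in its own URL.
    {"url": "https://stats.metrics.test/collect?pc=A1B+2C3&page=checkout",
     "referer": "https://shop.example.test/checkout"},
    # Third-party request carrying nothing personal.
    {"url": "https://cdn.fonts.test/font.woff2",
     "referer": "https://shop.example.test/"},
]

if __name__ == "__main__":
    for host, channel, name in find_leaks(SAMPLE, "shop.example.test"):
        print(f"{name} sent to {host} via {channel}")
```

A finding on the `referer` channel means the value sits in one of your own page URLs, so the fix is on your side: keep personal data out of URLs and set a restrictive `Referrer-Policy`.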