Toyota advertising case raises privacy issues

November 4, 2011

In 2009, a woman initiated a lawsuit against a Californian advertising firm and Toyota U.S.A. because of an aggressive advertising campaign that she claimed was designed to make individuals believe they were being stalked by a criminal (who, in fact, turned out to be fictitious). While the charges are now being dealt with by the Los Angeles Superior Court, the case raises issues in respect of the application of privacy principles here in Canada.

In 2008, Toyota Matrix ran the “Your Other You” campaign, which targeted young males. It encouraged individuals to provide someone else’s personal information; that person would then receive an invitation to a fake personality test. What really happened was that the “victim” ended up receiving numerous disturbing emails from an imaginary soccer hooligan with a pitbull named Trigger. This impersonator claimed to be on his way to the house of the victim, who had no idea it was a hoax. To promote the advertising campaign, a fake social networking account for the stalker was even set up.

How would a similar case play out here in Canada? Under the PIPEDA framework, there would possibly be a violation of the law because of the alleged collection, use and disclosure of personal information without consent. Further, PIPEDA’s “identified purposes” requirement for any collection, use or disclosure of personal information would likely not be met. Finally, the reasonableness test, enshrined in PIPEDA, would probably be violated. In short, the facts pertaining to the case could put the relevant parties in the crosshairs of the Office of the Privacy Commissioner of Canada and the courts. As a result, the case should serve as a warning to advertising agencies to ensure that privacy law considerations are thoroughly canvassed with legal counsel before initiating campaigns involving personal information – especially where people are submitting friends’ data.


Is there such a thing as a “good” records retention service provider?

March 17, 2011

Of course, the answer is yes. But who’s the best service provider in Canada?

You see, Canada’s private-sector privacy legislation (PIPEDA) requires organizations to retain personal information only “as long as necessary”, regardless of the format in which such information is held. So emails and paper records alike should only be retained as long as necessary.

I know that many organizations across Canada are struggling to develop business-friendly retention schedules that comply with the law. In some cases, these businesses are outsourcing their efforts. Do you work with such a company? Does your company offer these services? If so, I know that readers of this blog would welcome any positive recommendations. Feel free to post a “Comment” below with your thoughts.


What is device fingerprinting, or machine ID?

November 4, 2010

Some online banks, e-commerce merchants and Internet-based market research firms are turning to a new technology called device fingerprinting (or machine ID as it’s often called) for online verification and fraud detection. Unlike cookies, however, which can be blocked, filtered and deleted, device fingerprinting is invisible to consumers. For website owners that use the technology, adequate disclosures, consent and safeguards are required, at minimum, to comply with privacy laws.  

In fact, device fingerprinting works so well that many businesses that use it might not even be aware that they’re doing so. Is your organization using the technology? If so, it’s vital that your organization’s use of device fingerprinting complies with applicable privacy laws.

To learn more about device fingerprinting click here to view a presentation that I recently delivered alongside Steven Johnston (Senior Security and Technology Advisor, Office of the Privacy Commissioner of Canada) and David Stark (CIPP, Vice President, Compliance and Privacy Officer, GFK Group) to the International Association of Privacy Professionals in Baltimore, Maryland. As you’ll see, the presentation includes an overview of device fingerprinting, identifies relevant privacy law issues (my contribution to the presentation), the OPC’s perspective and provides practical examples.   

Thanks to the IAPP for the opportunity to present and compliments to Steven Johnston and David Stark for excellent remarks.


B.C.’s Privacy Commissioner releases Privacy Guidelines for Landlords and Tenants

October 22, 2010

B.C.’s Privacy Commissioner, Elizabeth Denham, has just released Privacy Guidelines for Landlords and Tenants.

In B.C., landlords and property managers acting on their behalf must comply with B.C.’s Personal Information Protection Act (“B.C.’s PIPA”). The guidelines are intended to assist landlords and property managers in discharging their duties under B.C.’s Residential Tenancy Act in a manner that respects the privacy of tenants and promotes transparency in the operation of landlord and tenant relationships.

Despite the B.C. focus, landlords and property managers in other jurisdictions would be well-served by reading the guidelines – especially given that B.C.’s PIPA is “substantially similar” to PIPEDA.


How safe is your scan? Hard drives on copy machines pose risk

October 20, 2010

Does your office have a copy machine? If so, then this post is worth reading. CBC News has just released the results of an investigation that exposes the security risks associated with modern copy machines, specifically, the ease with which information scanned into certain copiers can be tapped. Just think about the information that gets scanned into your office copier. Personal information. Confidential corporate information such as client data. Even intellectual property. It’s a scary thought if you haven’t done your due diligence, especially considering that privacy laws can apply to certain data undoubtedly scanned into your copy machine. Check out CBC’s online story here or TV segment here. And if you’d like to learn more, you may also want to read my post from earlier this year, which provided a link to a similar CBS News story.


Lessons from the Veterans Affairs Canada privacy breach

October 8, 2010

The recent headlines over the Veterans Affairs Canada privacy breach should serve as a useful reminder to all organizations – public and private sector – of the necessity to implement internal policies and procedures for the management of personal information. Much attention is paid these days by the media to privacy breaches that involve external parties, such as hackers, who foil the security safeguards of organizations. However, in my experience the bigger threat to privacy is often from within an organization.

In this recent case involving Veterans Affairs, a veteran had filed a complaint with the Office of the Privacy Commissioner of Canada (“OPC”) alleging that Veterans Affairs had violated the Privacy Act by including excessively detailed and sensitive medical information in briefing notes to the Minister of Veterans Affairs. The complainant also alleged that Veterans Affairs had transferred his medical file to a hospital administered by Veterans Affairs without his consent.

The OPC has issued the following formal recommendations to Veterans Affairs, but they should also serve as useful recommendations to other organizations:

  • “Take immediate steps to develop an enhanced privacy policy framework with adequate protections and controls to regulate access to personal information within the department.
  • Revise existing information-management practices and policies to ensure that personal information is shared within the department on a need-to-know basis only.  Personal information, including but not limited to sensitive medical information, should not be shared with programs that have no operational requirements for access to such information.
  • Provide training for employees about appropriate personal information-handling practices.
  • Review procedures to ensure that consent is obtained prior to personal information being transferred to veterans’ hospitals.”

Another day, another privacy breach…

October 6, 2010

CBC News is reporting that “[g]arbage bags filled with confidential financial information were found blowing around in a [Winnipeg] North End back lane Tuesday, and people living in the area say they’re furious because of it. The bags contain tax return documents that include people’s names, social insurance numbers and in many cases, addresses and other sensitive financial information.”

This and other similar news stories should serve as a reminder that PIPEDA requires organizations to exercise care in the disposal or destruction of personal information to prevent unauthorized parties from gaining access to the information (for example, don’t dispose of sensitive tax information records in a back lane). Other provincial laws, such as Alberta’s PIPA and B.C.’s PIPA, have similar requirements. Disposal or destruction policies and procedures should focus on physical, organizational and technological measures.


Rite Aid Fined $1 Million (U.S.) for Improperly Disposing Personal Information

August 9, 2010

Hogan Lovells LLP is reporting that Rite Aid has agreed to pay $1 million (U.S.) to settle violations of U.S. health information privacy requirements. Interestingly, the FTC has ordered Rite Aid to cease misrepresenting its information security practices to customers and to establish other personal information management security safeguards.

As I have previously posted, we’ve seen million dollar privacy awards here in Canada, but what’s interesting is the fact that the FTC took issue with an organization “misrepresenting” its privacy protection practices. It’s a good reminder that simply having a privacy policy doesn’t cut it. Businesses must ensure that internal policies and procedures exist and are enforced on an ongoing basis in order to live up to commitments made in privacy policies.


Today’s “buzz” on Google Buzz offers lesson for new service roll-outs

April 20, 2010

Canada’s Privacy Commissioner, Jennifer Stoddart, has teamed up with nine other countries’ privacy watchdogs today to warn Google and other organizations to better respect people’s privacy rights. The privacy commissioners have sent a letter to Google, accusing it of overlooking privacy values and legislation in launching new online products.

The privacy commissioners’ letter states, “we are increasingly concerned that, too often, the privacy rights of the world’s citizens are being forgotten as Google rolls out new technological applications. We were disturbed by your recent rollout of the Google Buzz social networking application, which betrayed a disappointing disregard for fundamental privacy norms and laws… Unfortunately, Google Buzz is not an isolated case. Google Street View was launched in some countries without due consideration of privacy and data protection laws and cultural norms. In that instance, you addressed privacy concerns related to such matters as the retention of unblurred facial images only after the fact, and there is continued concern about the adequacy of the information you provide before the images are captured… We therefore call on you, like all organizations entrusted with people’s personal information, to incorporate fundamental privacy principles directly into the design of new online services. That means, at a minimum:

  • collecting and processing only the minimum amount of personal information necessary to achieve the identified purpose of the product or service;
  • providing clear and unambiguous information about how personal information will be used to allow users to provide informed consent;
  • creating privacy-protective default settings;
  • ensuring that privacy control settings are prominent and easy to use;
  • ensuring that all personal data is adequately protected, and
  • giving people simple procedures for deleting their accounts and honouring their requests in a timely way.”

The privacy commissioners’ demand that Google and other organizations better incorporate privacy into the design of new online services underscores the need for the “Privacy by Design” initiative that Ontario’s Information and Privacy Commissioner recently discussed in my “A Conversation with Dr. Ann Cavoukian” post. All organizations, regardless of their size (after all, we’re not all Google), would be well-advised to learn from today’s “buzz” about Google Buzz.


A Conversation with Frank Work, Alberta’s Information and Privacy Commissioner

February 3, 2010

Continuing a series of blog posts that I’m calling “A Conversation with…” (the first being A Conversation with Jennifer Stoddart, Privacy Commissioner of Canada), I’m delighted to post the following conversation with Frank Work.

Commissioner Work is as personable as he is professional. I’ve had the pleasure to speak at privacy conferences with Commissioner Work and let’s just say that I’m glad I presented first!  As privacy professionals will know, he’s a plain-spoken, intelligent speaker and so his sessions are always a “must attend”.

Thanks to Commissioner Work for agreeing to engage in this online Q & A conversation.  If you’d like to learn more about Frank Work, the Office of the Information and Privacy Commissioner of Alberta (the “Alberta OIPC”) or the issues raised in this conversation, I’d encourage you to visit the Alberta OIPC’s website.

Q.  Your office has investigated identity theft arising from crystal meth abuse. What’s the link between the two?

A.  A couple of years ago the Edmonton police raided a hangout for meth users.  They found a lot of papers from businesses in the area, which they gave to us.  Cell phone contracts, credit bureau checks, credit card information and so on.  The police told me that meth users, unlike some other substance abusers, are pretty alert when they are high.  They don’t sleep.  They have lots of time to do the kind of detailed work necessary to engineer credit card fraud and identity theft.

Q.  So what can the public do to protect itself from that kind of identity theft?

A.  Individuals should shred bank and credit card statements.  They shouldn’t carry certain ID, like birth certificates, on them. These kinds of foundation documents are very useful for identity theft.  Always report lost or stolen credit cards, but also lost or stolen driver’s licences, birth certificates, and passports.  Check your bank and credit card statements to make sure someone else isn’t using them.  Do a credit bureau reference on yourself maybe once a year.  If your score is lower than you think, find out why.  If your score changes from one year to the next, find out why. Sometimes it can be identity theft (someone using your good name). Sometimes it can be an error on the part of the credit bureau.

The other side of the problem is organizations that have people’s info.  They must take proper care of it.  As I said, we have been given credit reports, draft mortgages, cell phone contracts, purchase of goods contracts and bookkeepers’ files, all thrown away.  These papers all have potential for fraudulent use.  Businesses need to shred this stuff.  Furthermore, for businesses that have customer databases, how well secured is it?  Who on their staff has access to it?  We have had cases where someone in the business is taking the info and using or selling it for fraud and identity theft.

Q.  Alberta’s private sector privacy legislation was recently amended to include mandatory breach notification. How will this impact privacy regulation in, and outside of, Alberta?

A.  It is early days yet.  Hopefully it will make organizations extra careful with personal information.  Will that raise the bar for organizations in other provinces?  Maybe.  If you are going to change your practices here, you might as well change them everywhere.  Possibly more provinces will legislate.  A big piece of the picture will be when the Federal government amends PIPEDA in this regard.  Maybe this will increase pressure to do so.  It will be a challenge to figure out what “a real risk of significant harm” is.  It will be a challenge to figure out in which cases there should be notice given and what kind of notice.

Q.  You’ve worked as a lawyer in different countries around the world. How does Canada’s approach to privacy compare to your experience in other places?

A.  We aren’t perfect but we are way ahead of most other jurisdictions.  The “commissioner” system of enforcement has served us well because we do not have the kind of well-funded civil society organizations which can advocate for privacy.  Commissioners can and do advocate.  I mean, I would love to have an ACLU, or an EPIC or an EFF in Canada.  Our civil liberties people, like FIPA in BC, do great work with the resources they have but resources are scarce.  We need some rich people to endow some of these groups.  The other thing is that I think, relative to other societies, Canadians have a disposition towards privacy.  We get it to some extent.  I like to think it is because we are, yes, polite, and respectful of other people.  That makes us respect each other’s space.  We must not lose that as the world becomes one big Facebook/Google culture.  Teach your children well.

Q.  Looking forward, what kind of privacy developments should we watch for in 2010?

A.  Cyber attacks, hacks and other losses will continue.  Governments will continue to bring surveillance technologies to bear every time anything bad happens. I will continue to get judicially reviewed.  I would like to think people will start resisting surveillance and other intrusions into their lives but I don’t see it happening.  Governments like surveillance.  Heck, the public likes surveillance because we are just so bad at risk assessment.  We are scared of everything it seems and we want someone to keep an eye on everything for us.  It will be interesting to see if technology begins to fail us.  For example, what if there is another airplane bombing attempt and the technology doesn’t prevent it?  They bring in new technology.  And that doesn’t prevent the next one (God forbid).  Maybe they run out of technology, although, for the money involved I don’t see that happening.  Someone will come up with a new toy.  Will someone ever say “this technology isn’t doing what we want it to and it is costing us a bundle?”  I think that will be a social shock.

