Canada’s Privacy Commissioner has just released the final report of her Office’s consultations on the online tracking, profiling and targeting of consumers by marketers and other businesses. “Most people have no idea about the rich trail of data they leave behind when they browse the Internet, use social networking sites, or engage the geo-location functions of their mobile devices,” the Commissioner observed. Organizations that track the online activities of Canadians must be more upfront about their practices, Privacy Commissioner Jennifer Stoddart has concluded… “it comes down to meaningful consent, which entails informed consent”.
Privacy Commissioner releases report on online tracking, profiling and targeting, and cloud computing
May 6, 2011
Leave a Comment » | 
Device Fingerprinting, Facebook, Marketing, Monitoring, Privacy, Privacy Commissioner of Canada, Social Networking Websites, Technology | Tagged: Cloud Computing, Facebook, Internet, Privacy, Privacy Commissioner, Social Networking | 
Permalink
Posted by Brian Bowman
Fines needed to help stem growing data breaches, Privacy Commissioner says
May 4, 2011
The Privacy Commissioner of Canada has called for legislation empowering her to impose substantial fines against major corporations that fail to adequately protect Canadians’ personal information from preventable breaches.
“I am deeply troubled by the large number of major breaches we are seeing, including serious incidents in recent weeks that have affected hundreds of thousands of Canadians,’’ Jennifer Stoddart said in a speech today at the Canada 3.0 forum in Stratford, Ont. “It seems to me that it’s time to begin imposing fines – significant, attention-getting fines – on companies when poor privacy and security practices lead to breaches.” To learn more, read the complete news release.
Leave a Comment » | Data Protection, Legislation Update, Privacy, Privacy Breach, Privacy Commissioner of Canada | Tagged: PIPEDA, Privacy, Privacy Breach, Privacy Commissioner | Permalink
Posted by Brian Bowman
The case against Big Brother at work
April 14, 2011
Here’s a good article in the Globe & Mail’s Report on Business about the thorny issue of workplace monitoring. As I’m quoted by the Globe & Mail, “I recognize employers have risks and obligations to manage data, but on the other hand going to a more Big Brother approach isn’t the answer. And the privacy commissioner and the courts would agree with that.” Read the full article here>
Other related blog posts include Employee monitoring in today’s workplace and Social media: Is your organization’s head in the sand?
Leave a Comment » | Employee Monitoring, Facebook, Privacy, Social Networking Websites | Tagged: Employees, Facebook, Privacy, Social Networking | Permalink
Posted by Brian Bowman
Privacy and compliance in digital market research
March 24, 2011
David Stark of GfK has penned an excellent article about how technology is affecting the marketing research industry. In his article, David highlights broad trends, notably in quantitative research, and the increase in observational research and passive data collection. Among other things, he also discusses cookies, device identification and web scraping. This is a ”must read” for marketing researchers and a valuable read for others. I hope you check it out.
Leave a Comment » | Device Fingerprinting, Internet, Marketing, Privacy, Social Networking Websites, Technology | Tagged: Internet, Privacy, Social Networking | Permalink
Posted by Brian Bowman
Fraud Prevention Month to focus on online fraud
March 4, 2011
The Competition Bureau announced earlier this week its participation in Fraud Prevention Month, which this year focuses on the growing problem of online fraud. Fraud Prevention Month is an annual education and awareness campaign held in Canada and around the world. The Competition Bureau’s website provides some great education and prevention information including a new interactive quiz designed to test consumers’ and businesses’ fraud awareness. I’d encourage you to take the quiz!
1 Comment | Competition Law, Data Protection, Identity Theft, Online Shopping, Phishing, Privacy, Security, Theft | Tagged: Customers, Identity Theft, Phishing, Privacy, Safeguarding | Permalink
Posted by Brian Bowman
Buses, bingo and bins – and the need for privacy to be designed
January 21, 2011
Buses, bingo and bins. Probably not the first things that come to your mind when you think of privacy.
Yet in recent days, privacy issues have impacted school buses, casinos and garbage bins. This may seem odd when most privacy news stories these days deal with Facebook and other websites. But the world of privacy is increasingly affecting just about every segment of society. Read more>>
Leave a Comment » | Due Diligence, Monitoring, Personal Information, Privacy, Technology | Tagged: Due Diligence, Privacy, Technology | Permalink
Posted by Brian Bowman
Supreme Court of Canada releases electric meter privacy decision
November 24, 2010
The Supreme Court of Canada (SCC) released an important decision today that considered whether an individual home owner had a reasonable expectation of privacy in electric meter data.
The police had asked a local utility company to attach a digital recording ammeter (DRA) to the electric meter on a home in order to monitor electrical usage. The data gleaned from the DRA and from other sources was then used to obtain a warrant to search the home. The search resulted in exposing a marijuana grow op. The defence argued that the installation of the DRA infringed the privacy rights of the accused to be secure against unreasonable search contained in Canada’s Charter of Rights and Freedoms.
A critical factual consideration, on which much of the disagreement in the case turned, was the degree to which the use of DRA technology reveals private information. The SCC ultimately decided that DRA technology merely indicates electricity use, not what the electricity was used for, so it was a reasonable loss of privacy.
Here’s an excerpt from the decision:
The central issue in this case is thus whether the DRA discloses intimate details of the lifestyle and personal choices of the individual that form part of the biographical core data protected by the Charter’s guarantee of informational privacy. The evidence available on the record offers no foundation for concluding that the information disclosed by the utility company yielded any useful information at all about household activities of an intimate or private nature that form part of the inhabitants’ biographical core data. The DRA’s capabilities depend of course on the state of the technology at the time of its use. As DRA technology now stands, it is not capable of giving access to the occupants’ personal information. Instead, the DRA data merely yield an additional piece of information to evaluate suspicions — based on an independent evidentiary foundation — police already have about a particular activity taking place in the home.
A final factor affecting the informational privacy analysis is the fact that G’s interest in the electricity use data was not exclusive. G’s electricity consumption history was not confidential or private information which he had entrusted to the utility company. As the supplier of electricity, the utility company had a legitimate interest of its own in the quantity of electricity its customers consumed. Consequently, it is beyond dispute that the utility company was within its rights to install a DRA on a customer’s line on its own initiative to measure the electricity being consumed. The utility company was not an interloper exploiting its access to private information to circumvent the Charter at the behest of the state; rather, its role is limited to the wholly voluntary cooperation of a potential crime victim.
While a territorial privacy interest involving the home is a relevant aspect of the totality of the circumstances informing the reasonable expectation of privacy determination, the Charter’s protection of territorial privacy in the home is not absolute. Where, as in the case at bar, there was no direct search of the home itself, the informational privacy interest should be the focal point of the analysis. The fact that the home was the focus of an otherwise non-invasive and unintrusive search should be subsidiary to what the investigative technique was capable of revealing about the home and what information was actually disclosed. The fact that the search includes a territorial privacy aspect involving the home should not be allowed to inflate the actual impact of the search to a point where it bears disproportionately on the expectation of privacy analysis.
2 Comments | Monitoring, Personal Information, Privacy, Technology | Tagged: Government, Privacy | Permalink
Posted by Brian Bowman
When Barbie invades your privacy
November 19, 2010
Mattel’s Barbie doll is now wired. Literally.
The new Barbie Video Girl, which retails for just over $100, has a built-in camera in the doll’s necklace and an LCD screen on her back. The doll also comes equipped with a USB cable that enables you to transfer video recordings to your home computer and then online to YouTube or Facebook.
Not surprisingly, some are calling for a ban on Barbie Video Girl because of the potential that children will post online videos which infringe their privacy. Should we ban Barbie Video Girl? If so, should we ban all children’s toys with cameras? Read more>>
Leave a Comment » | Internet, Monitoring, Privacy, Technology | Tagged: Internet, Privacy, Video Surveillance | Permalink
Posted by Brian Bowman
What is device fingerprinting, or machine ID?
November 4, 2010
Some online banks, e-commerce merchants and Internet-based market research firms are turning to a new technology called device fingerprinting (or machine ID as it’s often called) for online verification and fraud detection. Unlike cookies, however, which can be blocked, filtered and deleted, device fingerprinting is invisible to consumers. For website owners that use the technology, adequate disclosures, consent and safeguards are required, at minimum, to comply with privacy laws.
In fact, device fingerprinting works so well that many businesses that use it might not even be aware that they’re doing so. Is your organization using the technology? If so, it’s vital that your organization’s use of device fingerprinting complies with applicable privacy laws.
To learn more about device fingerprinting click here to view a presentation that I recently delivered alongside Steven Johnston (Senior Security and Technology Advisor, Office of the Privacy Commissioner of Canada) and David Stark (CIPP, Vice President, Compliance and Privacy Officer, GFK Group) to the International Association of Privacy Professionals in Baltimore, Maryland. As you’ll see, the presentation includes an overview of device fingerprinting, identifies relevant privacy law issues (my contribution to the presentation), the OPC’s perspective and provides practical examples.
Thanks to the IAPP for the opportunity to present and compliments to Steven Johnston and David Stark for excellent remarks.
Leave a Comment » | Device Fingerprinting, PIPEDA, Privacy, Technology | Tagged: Information Technology, Internet, Privacy, Privacy Compliance, Technology | Permalink
Posted by Brian Bowman
B.C.’s Privacy Commissioner releases Privacy Guidelines for Landlords and Tenants
October 22, 2010
B.C.’s Privacy Commissioner, Elizabeth Denham, has just released Privacy Guidelines for Landlords and Tenants.
In B.C., landlords and property managers acting on their behalf must comply with B.C.’s Personal Information Protection Act (“B.C.’s PIPA”). The guidelines are intended to assist landlords and property managers in discharging their duties under B.C.’s Residential Tenancy Act in a manner that respects the privacy of tenants and promotes transparency in the operation of landlord and tenant relationships.
Despite the B.C. focus, landlords and property managers in other jurisdictions would be well-served by reading the guidelines – especially given that B.C.’s PIPA is “substantially similar” to PIPEDA.
Leave a Comment » | PIPA, Privacy, Privacy Commissioner | Tagged: Due Diligence, Privacy, Privacy Commissioner, Privacy Compliance | Permalink
Posted by Brian Bowman
