Privacy Commissioner Should Disclose the Identities of Privacy “Leakers”

Last week, Privacy Commissioner of Canada Jennifer Stoddart released the results of a disturbing new study conducted by her office that found many leading websites “leaking” personal information. My weekly technology law column (Toronto Star version, homepage version) notes the study, which came on the heels of similar findings by researchers in the United States, found that one in every four websites examined suffered from privacy leaks that included disclosing names, email addresses, postal codes, and location data to third party advertisers (in the interests of full disclosure, I am a member of the Stoddart’s external advisory board).

The study only covered 25 of the most popular e-commerce and media websites in Canada, suggesting that many more organizations may be violating Canadian privacy law by failing to adequately safeguard the personal information they collect and providing users with insufficient information about how their data is used and disclosed.

The source of the problem appears to be relationships with third party advertising companies, website analytics services, and electronic flyer providers. Using software that captures data sent between a user’s browser and a website, along with the data sent between the user’s browser and third-party sites, the study identified significant violations.

For example, it found a Canadian-based shopping site that revealed email addresses to 11 third party organizations after asking users to register for an email promotion service. It also found a Canadian media site that disclosed username, email address, and postal code to a content delivery and marketing service, an advertising network, and a news content provider after asking for registration to manage user subscriptions.

Stoddart responded to the report by writing to 11 of the 25 organizations covered in the study to ask how they plan to address potential violations of the law. Yet despite the obvious cause for concern, Stoddart declined to name names, as a release from her office indicated that the “Privacy Commissioner of Canada has not exercised her discretion to publicly name the tested organizations at this time.”

The decision to keep the public in the dark about privacy leakage raises its own set of concerns. While the study may cause some embarrassment for the affected sites, the preliminary findings suggest that those sites are violating Canadian law. Moreover, by keeping the identities of the sites secret, Canadians are unable to take action to mitigate the risks they face due to the privacy leakage.

The secrecy approach is particularly surprising since Stoddart has publicly admitted that she is uncomfortable with the practice. In her first speech following the renewal of her mandate in January 2011, Stoddart acknowledged “to be candid, I have a growing discomfort with the secretive nature of how we work under PIPEDA.” She added that “it seems to me that not naming names is robbing the Canadian public of much of the educational value of our investigative findings.”

While this study is not identical to a formal PIPEDA finding, if the concern was sufficient to merit its release and follow-up letters, then the same concern for maximizing the educational value to the public should apply.

The Commissioner has named names without the benefit of a full investigation in the past, disclosing investigations of Google and Facebook privacy practices in 2010. Moreover, Stoddart has been a vocal advocate for security breach disclosure legislation, new rules that would require organizations that suffer a security breach to disclose it to anyone whose personal information may be at risk.

Stoddart’s focus on greater transparency – both for organizations that collect personal information and for its own investigations – is a welcome development that should increase public confidence and awareness of privacy law. The decision to keep the names of organizations leaking personal information secret runs counter to the commitment to transparency and should be reversed.


  1. But there are more
    The Q&A on the Commission website indicates the study of dozen offending sites was not very comprehensive and the offensive practices are widespread if not prevalent. So it would be unfair to single out those few when so many are doing it, as opposed to a general consumer warning and alert to responsible politicians.

  2. How about first warning the companies of ‘leaking’ when detected, give them a chance to tighten their security & procedures. If that does not work, then shove them out of the closet.

  3. To be fair, given that a number of national companies have regional flyers, it basically means that you must give the third party that is handling the electronic flyers the postal code so they know what flyer to present to the person. For instance, Best Buy and Future Shop both have regional flyers; they ask for my postal code so that I can see the Ontario area flyer rather than, for instance, the BC flyer. If they ONLY provide the postal code to the third party (and in the case of organizations 7 and 10 that is all that was noted) the risk is very small.

  4. Please join this
    “I got my legal questions answered by MAARS ask a lawyer, they have the biggest international listing of lawyers. Registration is free” .

  5. monster beats pro says:
  6. Steve Smith says:

    Michael –

    Thanks for the post.

    As a professional in the marketing technology space, I think the conclusion that personal information is being shared with “third party advertisers” is not necessarily correct. These third parties may in fact not be advertisers at all. For example, it is a pretty common practice for companies to store the email address of people who opt into their newsletter with their web analytics platform, so that they can tailor their content and offers based on their customer’s specific interests. If that platform is provided by a third-party software-as-a-service company whose business is to provide an analytics service to companies (e.g. IBM Coremetrics, Adobe Site Catalyst, and many others), and sufficient contractual language is in place with that vendor to protect the data, is this a violation of privacy law? Similarly, it is pretty common for companies to use third-party email marketing platforms (e.g. ExactTarget, Eloqua) to facilitate the creation and delivery of tailored marketing messages for those customers that have opted in.

    I guess I fail to see how these practices are any different that the software-as-a-service platforms that are used by many companies today for things like ecommerce, billing, fulfillment, etc. that also routinely process personal information?

    It seems like conclusions are being drawn before the Privacy Commissioner has established exactly what the relationship are with these third parties and what is being done with the information. They are not necessarily advertisers at all and may very well be beholden to safeguard this information. I also think that beyond the 25 companies that were picked, you probably would find that the majority of online direct marketers in Canada and worldwide have similar practices.

    Am I missing the boat?

    I am looking forward to seeing how this unfolds.