The Privacy Commissioner of Canada has released the long-awaited decision on Bell’s targeted ads program. The Commissioner’s press release soft-pedals the outcome – “Bell advertising program raises privacy concerns” – but the decision is clear: Bell’s so-called relevant ads program violates Canadian privacy law. As I wrote earlier this year, the key issue in the case centered on whether Bell should be permitted to use an opt-out consent mechanism in which its millions of customers are all included in targeted advertising unless they take pro-active steps to opt-out, or if an opt-in consent model is more appropriate. Given the detailed information collected and used by Bell, I argued that opt-in consent was the right approach.
The Privacy Commissioner of Canada agrees:
In our view, for the reasons expressed above, the RAP clearly involves the use of sensitive personal information. As such, the sensitivity of the information at issue leads us to the conclusion that Bell must obtain express consent for the RAP in the circumstances. This conclusion is further supported by our assessment of the reasonable expectations of Bell Customers, which is set out below.
The decision includes detailed analysis of why the opt-in standard is appropriate and why Bell’s insistence that the personal information is not sensitive is wrong. The decision concludes:
we remain of the view that Bell cannot rely on the opt-out consent of its customers in order to implement the RAP. Both the sensitivity of the information at issue and the reasonable expectations analysis lead us to the conclusion that such consent is not appropriate in the circumstances. In our preliminary report, we recommended that Bell provide its customers with the opportunity to make an express opt-in choice regarding whether or not they consent to Bell’s use of their personal information for the RAP. Bell refused to comply with our recommendation. [emphasis added]
Bell’s decision to violate Canadian privacy law leaves the Privacy Commissioner of Canada with little alternative: it must pursue the case in the Federal Court of Canada. Yet that approach will takes years as the case will have to be mounted from scratch. In the meantime, Bell will presumably continue to violate the law.
[Update: Bell now says it will abide by the Privacy Commissioner of Canada’s ruling including the opt-in approach issue.]
The case is a perfect illustration of why Bill S-4, the Digital Privacy Act, should be amended to include order making power (I argued for order making power during my appearance before the Industry committee last month). The government cannot credibly claim that its bill offers Canadians strong privacy protections when the country’s largest telecommunications company can simply refuse to comply with the law and the Privacy Commissioner of Canada’s only recourse is lengthy, expensive litigation. Provincial privacy commissioners have order making power as do virtually all data protection and privacy commissioners around the world. As currently drafted, PIPEDA leaves the Privacy Commissioner of Canada with little power to fully protect Canadians’ privacy with companies such as Bell seemingly free to reject his decisions.