Some of Canada's most popular websites are flouting federal privacy laws by sharing visitors' valuable personal information without their knowledge or permission.
The Office of the Privacy Commissioner of Canada declined to name the websites that raised privacy red flags in research released on Tuesday. But the federal watchdog said major sites operated by large companies including retailers, travel services, and media, have been giving user information they had collected to other companies, without those users knowing about it or agreeing to it.
The watchdog looked into 25 of "the most popular sites targeted to Canadians," and found that roughly one-quarter of them raised "significant privacy concerns."
"It is likely that a significant number of other sites may also be leaking personal information," the office said.
Ironically, the announcement of the findings protected the privacy of those companies: It did not disclose the names of any of the 25 websites it looked into, including the ones that could be violating Canada's privacy laws.
In an interview, Commissioner Jennifer Stoddart said this was because the research is intended to give a snapshot of the wider problem – and because her office wanted to contact those websites and give them a chance to change their practices. Ms. Stoddart says if she does not receive an adequate reply, she would consider naming those websites in future.
The specific information the sites gave to other firms included full names, e-mail addresses, postal codes, the city each user was in when using the site, and parts of their search history.
This unauthorized sharing of data is known as Web leakage. It occurs often when a website is dealing with third parties in order to sell them advertising space on its site.
It is common for a shopping or media site to require users to set up personal accounts to manage their orders or subscriptions, which involves turning over personal information. Websites also commonly place cookies on a user's computer to track their online behaviour. Some of the sites examined in the study then shared some of that information with advertisers, analytics firms which can give them a better understanding of their customers, and other marketing companies.
"If the law is being ignored to this extent, then Canadians should be really concerned," Ms. Stoddart said.
Michael Geist, an Ottawa law professor and online privacy expert, said the Commissioner should have gone further, naming the sites in question. "It is unfair to stir public concern about current privacy practices and not provide Canadians with the information they need to better protect their own privacy."
The issue has come to the fore as more advertisers demand increasing levels of information about media audiences in order to better target their ads to the right consumers. Media companies, websites and others that sell advertising are under pressure to deliver that information as part of the exchange with advertisers.
The research was prompted by other studies indicating that web leakage is a global problem, with many websites around the world sharing user information without their consent.
Countries such as Australia have strengthened penalties for violating consumer privacy, Ms. Stoddart said, but Canada has lagged, especially since her office can take firms to court to order them to change their practices but does not have the power to fine those that break the rules.
"If there isn't a major alignment with privacy rules – and I think a lot of them are simply being ignored – we should move to a more up-to-date model of privacy enforcement which … means there are monetary penalties," she said. "I think in order for privacy to be taken seriously, we're going to have to start to attach a price tag to it."
John Lawford, counsel with the Public Interest Advocacy Centre, agrees. "We'd like to see them have order-making power and fining power," he said, though he expressed concerns about the reluctance of the report to name the companies it found had shared consumers' information. "It certainly loses a lot on transparency."
In addition to the websites that raised serious concerns, the watchdog had questions about the practices of another five sites in the study. It has contacted all of those companies to ask for more information, and in some cases, to tell them how to change their systems to fall in line with federal privacy laws.
The Privacy Commissioner is also reaching out to industry associations to discuss the problem and ask them to do so with their members.