WHAT THE LAW SAYS
Excerpts from the Personal Information Protection and Electronic Documents Act (PIPEDA), which governs this behaviour:
"When personal information that has been collected is to be used for a purpose not previously identified, the new purpose shall be identified prior to use. Unless the new purpose is required by law, the consent of the individual is required before information can be used for that purpose.
"In obtaining consent, the reasonable expectations of the individual are also relevant. For example, an individual buying a subscription to a magazine should reasonably expect that the organization, in addition to using the individual's name and address for mailing and billing purposes, would also contact the person to solicit the renewal of the subscription. In this case, the organization can assume that the individual's request constitutes consent for specific purposes. On the other hand, an individual would not reasonably expect that personal information given to a health-care professional would be given to a company selling health-care products, unless consent were obtained. Consent shall not be obtained through deception.
"In providing an account of third parties to which it has disclosed personal information about an individual, an organization should attempt to be as specific as possible. When it is not possible to provide a list of the organizations to which it has actually disclosed information about an individual, the organization shall provide a list of organizations to which it may have disclosed information about the individual."
WHOM DID THE RESEARCH TRACK?
The Office of the Privacy Commissioner did not disclose the 25 companies being studied. But all the websites studied have the following characteristics:
- "A high volume of Canadian traffic;"
- "targets Canadians, generates revenues from interactions with Canadian users, or is operated by an organization with an office located within Canada;"
- "involves the input of personal information, such as the creation of user accounts;"
- "includes third-party marketing tools, for direct advertising or other purposes, such as analytics."
HOW DID THE RESEARCHERS FIND THAT WEBSITES WERE SHARING PERSONAL INFORMATION?
When a website sells products through ads, its servers may interact with the servers of an advertising network from which the ad is actually retrieved. Retrieving that ad involves messages in HTTP, the protocol websites use to exchange data: a "GET" request, which asks the advertising server for the ad, and a "Referer" header that identifies the web page making the GET request.
Each of these messages includes fields (parameters) that can carry personal data. The research found that the fields were filled not only with information about the site, but also – to the surprise of the Privacy Commissioner's office – information about the individual user, such as an e-mail address or postal code.
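One way to check a site for the leak described above, as an added example that is not from the article or the Commissioner's report: a short Python scan over a constructed HTTP request that flags query parameters in the GET target and in the Referer URL whose values look like an e-mail address or a Canadian postal code. The hostnames and values are made up for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Patterns for the two kinds of personal data the study mentions.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)
POSTAL_RE = re.compile(r"^[A-Z]\d[A-Z] ?\d[A-Z]\d$", re.I)  # Canadian postal code, e.g. M5V 3L9

def classify(value):
    """Return 'email', 'postal_code', or None for one parameter value."""
    if EMAIL_RE.match(value):
        return "email"
    if POSTAL_RE.match(value):
        return "postal_code"
    return None

def find_leaks(raw_request):
    """Scan one HTTP request (request line plus headers) for personal data
    carried in the GET query string or in the Referer URL.
    Returns a list of (where, parameter name, kind) tuples."""
    lines = raw_request.strip().splitlines()
    method, target, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    sources = [("request-target", target)]
    if "referer" in headers:           # the header really is spelled "Referer"
        sources.append(("referer", headers["referer"]))
    findings = []
    for where, url in sources:
        for key, value in parse_qsl(urlsplit(url).query):
            kind = classify(value)
            if kind:
                findings.append((where, key, kind))
    return findings

# Constructed sample: a browser fetching an ad from an ad network after visiting
# an account page; hostnames and parameter values are made up.
SAMPLE_REQUEST = """GET /ad?slot=top&zip=M5V3L9 HTTP/1.1
Host: ads.example.invalid
Referer: https://shop.example.invalid/account?user=jane@example.invalid&lang=en
"""

if __name__ == "__main__":
    for where, key, kind in find_leaks(SAMPLE_REQUEST):
        print(f"{kind} found in {where} parameter '{key}'")
```

The same scan can be pointed at a proxy or web-server access log to see which third-party requests carry user data; a hit means either the page URL or the ad URL is embedding personal information.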
Websites also share information through the familiar practice of placing cookies on the user's computer that track their online behaviour. Some of that information (some of which was personal) was also shared. Late last year, the commissioner released new guidelines requiring advertisers to be more transparent about how they track consumer behaviour online and share it with other companies.