Meanwhile in Canada: Selling Browsing History


Anybody who is even remotely privacy minded is losing their minds right now.


Because the US government (by a slim margin of 215 to 205) has decided to dismantle rules preventing ISPs from collecting data on users' online activity (including browsing history) and selling it to third parties. These rules weren't yet in effect; they were going to be in force later this year.

The response in the US was... very American. For example, the creator of Cards Against Humanity tweeted this:

This tweet is almost as amusing as the Holiday Hole.

Despite our differences and their regrettable election of a Cheeto coloured mad-man, I love Americans. They're plucky.

Meanwhile in Canada...

Yes - this is a thing. I was in Ottawa recently and almost purchased Trudeau socks. Not because I'm a Liberal (I self identify and a general political nomad) but because they were socks with a PMs face on them. Ridiculous.

Canadian reporters (including the CBC) have undertaken to relieve the typical Canadian anxiety:

The Americans are doing weird things.
Are we doing the same weird things?

Short answer: We are not. For the time being.

PIPEDA (Personal Information Protection and Electronic Documents Act) protects personal information in the hands of private companies. As opposed to the Privacy Act, which protects personal information in the hands of the government.

PIPEDA applies to any company who is collecting, using, or disclosing private information.

So... basically every company - including ISPs.

Those companies can only disclose personal information "for purposes that a reasonable person would consider are appropriate in the circumstances."

This was the reaction of every single human I spoke to about US ISPs selling user browsing history and other information:

So it's safe to say a reasonable person would NOT consider sale of the private browsing history of a Canadian to another private company (potentially outside of Canada) to be appropriate under... well... any circumstances.

Generally, disclosure of private information can only be made without the user's knowledge or consent where illegal activity is being investigated or prosecuted (there are other reasons, but that's another post).

"Personal information" means "information about an identifiable individual". That's it. The definition doesn't go into any more detail than that. Interestingly, the definition of "personal information" under the Privacy Act (Canada), specifically includes information regarding personal views/opinions, education level, etc.

If the browser information is attached to your name (or you could be identified from that browser history), it's personal information.

Let's pick on Bell. Why? Because Bell got in trouble with the Privacy Commissioner of Canada in 2013 for their "Relevant Ads Program" - there's a euphemism that makes me cringe. As part of this program Bell created profiles of individual users based on their browsing history and used that information to target ads at the individual user. It was not possible to opt out of the program (Bell would receive an opt out request and simply stop the targeted ads while continuing to collect the user's browsing history).

Bell argued the information they were gathering was "non-sensitive", but the Privacy Commissioner was having none of that. They asked, would a user visiting a website for HIV-positive individuals consider the URL to be non-sensitive?

Well done.

Bell has since scrapped the program and says that any similar program will be opt-in. Does this mean your browsing history is no longer being collected? No. Bell can still collect and store that information for one of the legitimate reasons contemplated by PIPEDA. It's worth noting the Privacy Commissioner ruled the collection of browsing history for legitimate business purposes would be ok.


On this note, Bell's privacy policy states that they can share your private information within their organization or with their subsidiaries. This includes potential transfer to suppliers and authorized agents outside of Canada. Here's the clause in Bell's privacy policy.

Once information is transferred OUT of Canada (to somewhere like the US), it's subject to the laws of that jurisdiction. Hypothetically, that information could be sold.

Is Bell allowed to collect that information for the purpose of targeting ads? No. Not without your explicit consent (the "opt-in").

You have the Canadian Radio-television and Telecommunications Commission (CRTC) and the Privacy Commissioner to thank for that. The CRTC decided that ISPs can monitor internet traffic for the purpose of managing internet traffic, but not collect and store it without the consent of the user.

Consent of the user. This brings us back to opting in to an ISP collecting your browsing history. What does that opt-in look like?

Opting in looks like a woman being happy she doesn't have to look at all those pesky ads that aren't relevant to her. Soooo annoying. Also, it will help her get information on shoe sales.

Seriously, Bell. Seriously.

I'm not really a shoe person. I mean I have some shoes... if only because I live in Canada and I need them, and I would get kicked out of court with the quickness if I showed up in running shoes, but I'm not willing to let Bell snoop my browsing history just so I can more efficiently buy more crap I don't need.

It's none of your business that I found an awesome tutorial on how to make felted kitten figurines using waste yarn, Bell.

The opt-in model is based on PIPEDA's requirement for the consent of users prior to disclosure of their personal information. If the user consents, the information can be disclosed. Could consent via a or terms of service that nobody reads?

Hypothetically: Yes.

Overall, we're in pretty good shape in Canada. Our privacy protections, although not perfect, are robust enough to protect us from the weird stuff happening south of the border.

Allow me to get political-ish for a moment. Canadians. We have a lot of paperwork. Paperwork sucks. Sometimes libertarianism (and the deregulation that would come with it) is so attractive. Libertarians says things like this:

Sounds pretty good, right? Allowing US ISPs to sell user's personal information without their consent is the result of deregulation of the telecommunications industry. Is that something libertarians want? Maybe. I don't know. They're kind of elusive up here.

All I know is that deregulation of ISPs with regard to the collection and use of users' data is an incredibly dangerous thing.

Remember that when you hear of any cuts in funding to the Office of the Privacy Commissioner and the CRTC - they're not the only ones fighting for the consumer - but they're certainly leading the pack.

I'm not hating on libertarians (please don't shoot my mailbox). I too want gay married couples to be able to protect their marijuana plants with guns.

I also want privacy. 

You Might Also Like


Popular Posts