Google Violated Canadian Privacy Law With Retargeted Health Ads
The Canadian privacy commissioner this week criticized Google for allowing an advertiser to send retargeted ads to people based on “sensitive” information -- their activity at health-related sites.
The regulator said in a statement that Canada's June 2012 online behavioral advertising guidelines “make clear that advertisers should avoid collecting sensitive personal information, such as individuals’ health information, for the purpose of delivering tailored ads.”
Canada's interim privacy commissioner, Chantal Bernier, stated that the authorities intend to reach out to other ad networks in order “to share these investigation results and remind them of their privacy obligations.”
Bernier tells Online Media Daily that this week's publication of the report about Google is the first step toward alerting other ad networks about Canada's stance on retargeted health ads.
The Canadian authorities began investigating Google last January, in response to a Web user's complaint that he started seeing ads for devices that treat sleep apnea after he searched for those devices online. The regulators conducted their own tests, which confirmed the allegations.
Google's policies prohibit advertisers from sending interest-based ads that relate to “sensitive” health issues, but the company also admitted that some of the companies that use its ad platform don't comply with that policy, according to the Canadian commissioner's report. Google said it will monitor retargeting campaigns more closely, in order to ensure that advertisers are complying with the company's policies.
Google said in a statement that it is “pleased to be resolving this issue."
In the U.S., no law prohibits advertisers from serving targeted ads based on activity at health-related sites.
Self-regulatory codes of both the Network Advertising Initiative and the Digital Advertising Alliance also largely allow companies to target Web users, based on health information on an opt-out basis, but require opt-in consent in some situations. But targeting users based on data about visits to sites related to sleep apnea doesn't appear to require opt-in consent under any U.S. self-regulatory codes.
The DAA's principles call for opt-in consent before collecting "pharmaceutical prescriptions or medical records related to a specific individual.”
The NAI says that opt-in consent is required for health-related targeting based on "precise information about past, present, or potential future health or medical conditions or treatments, including genetic, genomic and family medical history." Factors that go into determining whether a condition is precise include whether an “average person” would consider it private, according to the group's code.
The NAI adds that conditions like cancer and sexually transmitted diseases are considered “precise,” meaning that marketers must obtain users' opt-in consent before sending behaviorally targeted ads. Conditions like high blood pressure and cholesterol are considered “generic,” so marketer need not obtain explicit consent before sending targeted ads centered on those conditions. The NAI also requires members to disclose behavioral-advertising segments based on any activity related to health or medical issues.
Google is one of the few major Web companies that doesn't allow advertisers to create interest-based marketing categories centered on health conditions. But the company allows advertisers to retarget people who have visited medical sites, as long as the ads “do not imply that the users have a particular medical condition or disease,” according to a report released by Canadian authorities.
Other large Web companies tend to say in their privacy policies that they serve health-related ads to users based on whether they have visited sites with information about conditions like diabetes, cholesterol or osteoporosis. Yahoo, for instance, discloses on its Web site that it allows companies to target users based on categories including hypertension, blood sugar management and arthritis. AOL reveals on its site that standard categories include asthma, blood pressure and infections.
A number of U.S. ad networks that serve ads in Canada might need to now examine their practices, says Jules Polonetsky, executive director and co-chair of the industry-funded think tank Future of Privacy Forum. “It is going to be important for ad networks to ensure that they have a policy against retargeting based on data that Canadian law might consider sensitive,” he says.