From the Office of the Privacy Commissioner of Canada:
Some leading websites in Canada are inappropriately “leaking” registered users’ personal information – including names, email addresses and postal codes – to third-party sites such as advertising companies, research by the Office of the Privacy Commissioner of Canada has found.
“The research findings raise concerns for the privacy rights of Canadians. Web leakage can involve the disclosure of personal information without an individual’s consent– or even knowledge,” says Privacy Commissioner Jennifer Stoddart. “Our research also raises questions about compliance with Canadian privacy law in the online world.”
The research identified significant privacy concerns with approximately one in four of the sites tested. Websites were disclosing information to third parties, apparently without the knowledge or consent of the people affected – and possibly in violation of federal privacy law. For example, the research showed that when people registered to receive promotions from a shopping site, their email address, username and city were disclosed to a number of analytics and marketing firms.
The leakage identified in the testing occurred in a way that would be invisible to most people using these websites. In some cases, it did not appear to be in keeping with statements made in the organizations’ privacy policies.
Although the sample size was relatively small (25 websites), the sites examined are among the most popular sites targeted to Canadians and represented a range of sectors, including media, shopping and travel services. All are sophisticated websites operated by large organizations which account for billions in combined annual revenues.
At the time tests were conducted this summer, researchers identified significant privacy concerns with six sites. They also had questions about the practices of a further five sites. The remaining 14 sites tested did not appear to be leaking personal information.
Commissioner Stoddart has written to eleven organizations to ask them to provide information about their practices, and, where appropriate, to explain how they will correct any problems to ensure compliance with privacy law.
The Privacy Commissioner has not exercised her discretion to publicly name the specific tested organizations at this time. The research was designed to offer a snapshot of the Canadian context and it is likely that a significant number of other Canadian sites may also be leaking personal information.
The Office of the Privacy Commissioner of Canada is also contacting industry associations in order to discuss web leakage and to request their support in raising awareness about the issue.
“Our research serves as a wake-up call to all online services to ensure they are complying with Canadian law – and respecting the privacy rights of people who use their sites,” says Commissioner Stoddart. “It is clearly possible for organizations to operate successfully in the online world without leaking people’s personal information – a majority of the websites we looked at were not doing it.”
The research was prompted by international studies that have found many websites were leaking users’ personal information to third-party sites.