Canadian businesses are subject to regulations that protect the online privacy of Canadians. This article covers an overview of the regulations, our interpretation of the legal requirements for regulated activities, and frequently asked questions about how to comply while using Feathr. While most activities of charitable and non-profit organizations are not subject to these regulations, please review this guidance to determine if your organization is engaging in any commercial activities. Your legal counsel should also approve all changes to your privacy policy.
PIPEDA
The Personal Information Protection and Electronic Documents Act (PIPEDA) gives Canadians the right to control how their personal information is handled by businesses. It requires organizations to obtain consent for data collection, disclose how it will be used, and provide a method for individuals to access and correct their information.
Online Behavioural Advertising (OBA)
The act defines OBA as the tracking and targeting of individuals’ web activities, across sites and over time, in order to serve advertisements that are tailored to those individuals’ inferred interests.
PIPEDA has a specific position on OBA which differs from what is regularly considered “personal information”. This is important because OBA is a major component of the Feathr platform. Understanding PIPEDA’s stance on the subject is critically important to maintain compliance.
- The Office of the Privacy Commissioner of Canada (OPC), which is responsible for overseeing compliance with Canadian privacy acts, has taken the position that data collected for OBA including (but not limited to) device, network, and browser details will generally be considered “personal information”; however, such an evaluation will need to be made on a case-by-case basis.
- PIPEDA has taken the position that OBA is an appropriate purpose for data collection, and is recognized as a legitimate value add to the targeted end user.
- Opt-out (implied) consent for OBA is considered acceptable if the following criteria are met:
- Individuals are made aware of the purposes for the practice in a manner that is clear and understandable – the purposes must be made obvious and cannot be buried in a privacy policy. Organizations should be transparent about their practices and consider how to effectively inform individuals of their OBA practices, by using a variety of communication methods, such as online banners, layered approaches, and interactive tools;
- Individuals are informed of these purposes at or before the time of collection and provided with information about the various parties involved in OBA;
- Individuals are able to easily opt-out of the practice - ideally at or before the time the information is collected;
- The opt-out takes effect immediately and is persistent;
- The information collected and used is limited, to the extent practicable, to non-sensitive information (avoiding sensitive information such as medical or health information); and
- Information collected and used is destroyed as soon as possible or effectively de-identified.
Feathr’s interpretation and commitment to PIPEDA and OBA:
OBA is one of the core features of the Feathr platform. We utilize anonymous web activity to measure the effectiveness of digital advertising campaigns. PIPEDA and the OPC state that data collected for the purposes of OBA, in general, will be viewed as personal information.
While the information collected by the default implementation (non Feathr ID module customers) does not allow us to re-identify the individual without the explicit permission and cooperation of the individual in question, Feathr has taken the steps necessary to be fully compliant in the way customer data is handled, processed, stored, and secured. We regularly review our own privacy policies and security measures to stay current with data regulations.
It is the responsibility of the organization working with Feathr to only send data that have been disclosed and consented to by the end user who is generating the web activity. The following section is Feathr’s recommended approach for disclosure and consent (implied via opt-out).
Steps you should take as a Feathr customer
In order to maintain the implied consent status of OBA, you must clearly demonstrate that you have notified the end user of the data collection. This is most typically done in the form of a pop-up at the bottom of your organization’s website. The notification should contain the following attributes:
- Notify the users of your website that you are collecting anonymized web traffic data for the purposes of digital advertising.
- Disclose that you are working with Feathr for the purposes of online behavioural advertising
- Provide a link to Feathr’s Privacy Policy and opt-out link
Find example privacy policy language and website notice best practices in this article.
CASL
Canada's Anti-Spam Legislation (CASL) has three basic requirements for businesses that send commercial electronic messages (CEMs) to electronic addresses, “(1) obtain consent, (2) provide identification information, and (3) provide an unsubscribe mechanism.” Source
First, what is an electronic address?
CASL defines an electronic address as, “an email account, a telephone account, an instant messaging account, and any other similar accounts.” This includes messaging through social media platforms, but it excludes advertisements placed on websites and blogs.
Email Recommendations
Feathr customers using the Invites module or running Email Marketing campaigns should use the following guidelines to facilitate CASL compliance for your organization and your Partners.
Obtaining Consent
The first step to compliance is properly communicating what information is collected and how it will be used. There are two types of consent: implied consent and express consent.
Implied consent occurs when an individual has a business or non-business relationship with your organization. Customers who have purchased items from your web store or members of your trade association would both have implied consent. Implied consent expires 2 years after the termination of the relationship (e.g., since their last purchase or the end of their membership period).
Express consent is obtained when an individual provides explicit consent to receive messages. Web visitors who sign up for your email newsletter or opt in to receive messages have given express consent. Express consent is not time-limited.
You have implied consent from most Partners, since they are often sponsors or exhibitors of your event or members of your organization. When your Partners distribute the collateral you share with them, they are required to send CEMs only to individuals who have consented to receiving such messages. Feathr recommends maintaining detailed contact data to record consent methods and expiration dates for your own organization and encouraging your partners to do the same. Source
Providing Identification Information
Every CEM must identify the following sender identity and contact information:
- Organization name,
- a valid mailing address,
- and either a telephone number, email address, or web address.
Feathr recommends including contact information for your organization as well as your Partners’ information (using merge tags) in your Invites module Email templates.
Providing an Unsubscribe Mechanism
Every CEM should have a clear way to unsubscribe from additional messages, and contact records should reflect the change in consent. All Feathr-generated Email templates contain an “Unsubscribe” button that will remove the recipient from receiving any further emails sent through Feathr. Learn more about subscription preferences in Feathr's Email Marketing campaigns here.
FAQs from Feathr customers
Ads Module (Retargeting)
Cookies
Should we add a cookie consent pop-up to our website?
While the OPC does not specify pop-up requirements, your website should notify visitors about the presence and purpose of data tracking and provide a method to opt in, guided by this directive, "... online advertisers can only track your personal information if you are made aware of the tracking, of the purpose of the tracking and you agree to it." See our list of Steps you should take as a Feathr customer above, and find example privacy policy language and website notice best practices in this article. Source
Email List Campaigns
Can Canadian organizations run Email List Campaigns in Feathr?
Suggested reading for using email lists
Consent
When working with email lists, it is crucial that you have consent to collect the address as well as consent to use the address for the specific purpose. That is to say, if you collected an address for one purpose (newsletters) you cannot use it for another purpose (digital advertising) without verifying consent.
Third Party Lists
If the email list is provided by a third party, you are still responsible for the consent requirements of an ethical collection of email addresses. You should speak to the vendor and ask how the addresses were collected, how they obtained consent to collect these addresses, and specifically what the users consented to (digital advertising).
Invites Module
Do we already have implied consent from our Partners?
The collateral you provide your Partners with sends data to Feathr and is viewable by you. Your partners should be made aware of this fact, and disclose that they are collecting web analytics data for the purposes of digital marketing. Much in the same way you as a customer of Feathr would disclose that you are collecting this data, your partners too must disclose who is collecting web analytics, what is collected, when, and why. Additionally, your partners should provide a link to Feathr for opting out of data collection as well as a link to your organization. When working with partners with whom you will be sharing data, it is important that your partners are following the guidelines of ethical collection and disclosure set forth by PIPEDA.
The following steps are what your partners can do to remain compliant with PIPEDA and fulfill the requirements of an Opt-Out (implied) consent:
- Your partner should notify the users of their website that they are collecting anonymized web traffic data for the purposes of digital advertising.
- Disclose that they are working with your organization for the purposes of online behavioral advertising
- Provide a link to your organization’s (Feathr customer’s) web page
- Disclose that you are working with Feathr for the purposes of online behavioral advertising
- Provide a link to Feathr’s Privacy Policy and opt-out link
These steps should fulfill the necessary requirements for an ethical collection of data, and allow you, your partner, and Feathr, to collect data for the purposes of OBA under the implied consent principles of PIPEDA.
Additionally, it is your responsibility to confirm that your partners are following the guidelines set forth by CASL when it comes to digital advertising, and especially in the case of email marketing.
- Feathr recommends that you ask your partners about their familiarity with the CASL laws
- Confirm with your partners that any email sent has been consented to (the collection of the email address, the sending of the email, and the data collection for OBA)
- Follow the guidelines in the CASL section in the article above
Monetization Module
Do we need to change our policy if we add the Monetization Module?
“Subsection 2(1) of PIPEDA states that ‘commercial activity’ means ‘any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.’” Source
While use of the Feathr Monetization Module does not share individuals’ personal information with Partners who purchased Sponsored Retargeting packages, it would be considered a commercial use of your membership (or equivalent) list. Therefore, organizations must disclose this commercial activity to the affected users. This use of data must be added to your privacy policy, and users must have the ability to opt out. Find example privacy policy language and website notice best practices in this article.