The Office of the Privacy Commissioner of Canada has released new research concerning the disclosure of the personal data of visitors to certain Canadian Web sites:
Some leading websites in Canada are inappropriately “leaking” registered users’ personal information – including names, email addresses and postal codes – to third-party sites such as advertising companies, research by the Office of the Privacy Commissioner of Canada has found.
“The research findings raise concerns for the privacy rights of Canadians. Web leakage can involve the disclosure of personal information without an individual’s consent– or even knowledge,” says Privacy Commissioner Jennifer Stoddart. […]
The research identified significant privacy concerns with approximately one in four of the sites tested. Websites were disclosing information to third parties, apparently without the knowledge or consent of the people affected – and possibly in violation of federal privacy law. For example, the research showed that when people registered to receive promotions from a shopping site, their email address, username and city were disclosed to a number of analytics and marketing firms.
The leakage identified in the testing occurred in a way that would be invisible to most people using these websites. In some cases, it did not appear to be in keeping with statements made in the organizations’ privacy policies.
Although the sample size was relatively small (25 websites), the sites examined are among the most popular sites targeted to Canadians and represented a range of sectors, including media, shopping and travel services. All are sophisticated websites operated by large organizations which account for billions in combined annual revenues.
At the time tests were conducted this summer, researchers identified significant privacy concerns with six sites. They also had questions about the practices of a further five sites. The remaining 14 sites tested did not appear to be leaking personal information.
Commissioner Stoddart has written to eleven organizations to ask them to provide information about their practices, and, where appropriate, to explain how they will correct any problems to ensure compliance with privacy law.
The Privacy Commissioner has not exercised her discretion to publicly name the specific tested organizations at this time. The research was designed to offer a snapshot of the Canadian context and it is likely that a significant number of other Canadian sites may also be leaking personal information.