Privacy Refresh: 5 Key Privacy Tips for Marketers

In support of Data Privacy Day, a global campaign that highlights easy ways to protect personal information, the CMA has rounded up some of our top privacy tips and reminders to help marketers build trust with their customers and stay within the rules. Check them out below.

Tip 1: Make sure your online behavioural advertising (OBA) lines up with privacy rules

The information involved in online tracking and targeting to serve OBA is generally considered personal information. That means it’s subject to privacy rules, including consent.

In Canada, marketers can rely on opt-out consent for OBA. You just have to make sure certain conditions are met, including providing consumers with clear and understandable notice (e.g. an online banner), and an easy way to opt out. You should also avoid collecting and using sensitive information, like health information.

For the full list of requirements, check out the OPC’s guidelines on privacy and online behavioural advertising. Marketers can also sign up for AdChoices, the Digital Advertising Alliance of Canada’s self-regulatory program for OBA. 

Tip 2: Check in on your service providers to ensure consent for e-mail marketing

Even if you didn’t collect or generate your own e-mail address lists for marketing, your organization can be held accountable under PIPEDA. This could happen if, for example, you acquired a list from a vendor or hired an agency that used addresses collected without consent.

Some simple due diligence upfront can go a long way in protecting your organization. Ensure privacy requirements are in your contracts, and ask your service provider or list vendor questions about how they collect, update and get consent for their lists. Check out the OPC’s guidance for businesses doing e-marketing to learn more.

Tip 3: Remember what publicly available information you can use without consent

In the online world, the line between public and private can be blurred. So if something is posted publicly online, can it be used for marketing purposes without consent?

The answer is that it depends. According to PIPEDA, you can only collect personal information without the knowledge or consent of the individual if the personal information is publicly available, but their definition is limited to specific categories of information, like information appearing in public telephone directories, or information published in a magazine, book or newspaper (where the individual has provided that information themselves).

For more on how marketers can evaluate their use of publicly available on a case-by-case basis, check out our blog.

Tip 4: Use geolocation data from trusted sources 

If you or your agency are relying on geolocational data, be sure the data is privacy compliant. 

Find out how your provider sourced the data and obtained consent, and make sure you have privacy requirements in your contracts. You should also ensure you have adequate transparency with customers in your own privacy policy, letting them know you use third-party data in this way. 

Consider how granular the data is relative to the insights you need – in many cases, macro insights can be just as useful as more specific data.   

We look forward to sharing new CMA guidance for marketers on this topic later in 2021. Stay tuned.

Tip 5: Be familiar with indicators that might trigger the GDPR 

Even if you don’t have any operations abroad, it’s important to remember when you might be subject to privacy rules in other jurisdictions, such as the EU’S General Data Protection Legislation (GDPR).

The GDPR applies to your organization if you have a physical presence in the EU, offer goods or services to EU residents (even at no charge), or if you intentionally monitor or profile the behaviours of individuals in the EU.

The fact that individuals might be able to purchase products or services on your website might not be enough to trigger the law. Rather, it could be triggered if you localize your website to an EU domain, accept payments in EU currencies, or offer materials translated to local languages.

Depending on context, consider how you can avoid certain “intent indicators”. For example, avoid collecting the IP address of a public website visitor without first masking their IP address, and be careful not to add addresses with an EU domain to your marketing list (unless you know an individual is not in the EU). Where you can, state clearly your offerings are not intended for individuals in the EU.

For more on GDPR compliance, check out our GDPR webpage. And if you’re more concerned with California’s Consumer Privacy Act (CCPA), check out our CCPA blog series.

Keep in touch and stay informed

With privacy rules set to change in Canada and across the provinces, you can rely on the CMA to keep you up to date. Find out more in our recent blog.

For additional privacy and data protection information, resources and guides for marketers, be sure to check out the CMA’s privacy and data protection webpage, or drop us a line.

Note: Most marketers are subject to the federal Personal Information Protection and Electronic Documents Act (PIPEDA), but if you’re not sure which privacy rules apply to you, you can use this handy tool from the Office of the Privacy Commissioner (OPC).

Author: Fiona Wilson | Director, Government Relations @CMA
Questions or comments? E-mail us – we want to hear from you.