Privacy Implementation Notice 2024-01: Digital Advertising

1. Effective date

This implementation notice takes effect on January 18, 2024.

2. Authorities

This implementation notice is issued pursuant to paragraph 71(1)(d) of the Privacy Act.

3. Purpose

This implementation notice provides guidance to federal institutions on how to protect the privacy of individuals when purchasing advertising for placement on digital platforms. This notice sets out to:

  • provide an overview of the Government of Canada’s (GC’s) digital advertising practices
  • inform institutions of the privacy implications of digital advertising
  • enable compliance with the Privacy Act and its supporting policy suite
  • provide guidance to mitigate privacy risks and protect the privacy of individuals
  • provide Public Services and Procurement Canada’s (PSPC’s) Privacy Protocol with the Agency of Record (AOR) (see Appendix A)

See Appendix B for definitions of terms used throughout this implementation notice.

4. Context

4.1 Digital advertising in the Government of Canada

Government of Canada advertising placed on third-party digital platforms is an extension of the government’s presence on the Internet. Digital platforms are online spaces where producers and users of goods, services and content can engage and exchange information. The GC purchases advertising space on these digital platforms to deliver audience-targeted advertisements aimed at:

  • promoting GC programs and services
  • directing individuals to a GC website to obtain further information

Digital platforms commonly make use of data and personal information to customize the audience’s experience. This customization is enabled by segmentation, a marketing practice intended to deliver content appropriate to the audience’s demographic profile, region, interests or online behaviour. This approach helps ensure that the audience for whom the information is most relevant receives it at the appropriate time and place. Suppliers or contractors used for GC digital advertising collect information from the audience (also known as advertisement recipients, users, visitors or individuals) and use that information to further target advertising campaigns. The GC pays media suppliers when an advertisement is shown or clicked on. These metrics and sources of data can be captured through web analytics or ad servers to measure a campaign’s performance. Getting an accurate count of impressions, views and clicks is very important for:

  • measuring the performance of advertising campaigns
  • placing advertisements
  • managing budgets
  • ensuring effective and responsible use of public funds

A combination of digital advertising methods can be used to target an audience. Audience targeting segments all prospective advertising recipients into specific groups based on their demographic group, geographic location, interests and online behaviour. This information, which may include personal information, is subsequently collected by the advertising platform and used to tailor advertisements to groups that would be most likely to act on the advertisement. Digital advertising methods, including behavioural targeting, contextual targeting, first-party targeting and geo-targeting, carry varied levels of privacy risk, as detailed in Appendix C.

According to the mandatory procedures set out in Appendix B of the Directive on the Management of Communications, when undertaking advertising activities, institutions must consult with their department’s communications branch to ensure that communications products and activities, including advertising initiatives, align with departmental plans. Furthermore:

Regardless of any third parties involved, the GC is the ultimate steward of all information collected or handled on its behalf. Consequently, in addition to the Privacy Act and its related policy suite, personal information, like all information handled by the GC, must be managed as a strategic asset in accordance with the following:

Any information that includes elements of personal information or is deemed personal information must be managed in accordance with the Privacy Act and its related GC privacy policy instruments, which govern how personal information is collected, used or disclosed. See the Guidance section of this implementation notice for recommendations on how to mitigate privacy risks associated with handling personal information in a digital advertising context.

4.2 Agency of Record

Institutions subject to the Policy on Communications and Federal Identity purchase digital advertising either directly from media suppliers or indirectly through the AOR. Most GC media placement is done through the AOR, which is a private sector supplier contracted by PSPC’s Communications Procurement Directorate. Activities of the AOR are managed by PSPC’s Advertising Services Directorate. The AOR is responsible for providing services for media planning and strategizing, media buying, ad placement and trafficking, ad verification, reporting, and reconciliation to support a wide range of advertising initiatives. The AOR makes use of information and targeting capabilities offered by digital platforms to inform the purchase of advertising space and target GC advertisements to specific audiences based on media strategies and plans approved by individual GC institutions.

The AOR subcontracts GC digital advertising to third-party suppliers, including the following:

  • media suppliers: publishers that sell advertising space, for example, websites, social media platforms and search engine platforms
  • advertising technology platforms: suppliers that provide the information technology platforms required to enable the purchase of advertising space, ad delivery and tracking, verification of units purchased and viewability, and protection against impression and click fraud, and that ensure brand safety; these platforms include ad servers, demand-side platforms and ad verification technology
  • data providers: suppliers that sell aggregated, de-identified audience data for the real-time placement of display advertisements (this is based on programmed algorithms, also known as programmatic media placement)

Note that the AOR’s suppliers and contractors used for GC digital advertising collect aggregated [Footnote 1] and de-identified [Footnote 2] information from individuals to deliver targeted advertising.

The AOR is responsible for:

  • vetting all third-party suppliers it subcontracts with
  • ensuring that third-party suppliers are compliant with all relevant privacy legislation, including informing individuals targeted by GC advertising of how their personal information (if any) will be handled

As such, PSPC and the AOR have established a privacy protocol that outlines how personal information will be handled to ensure it is protected throughout the course of the campaign (see Appendix A). Together, they also developed a measurement framework to define the metrics and the sources of information that will be collected. The AOR is also required to create a dashboard of results that aggregates and converts the information collected into user-friendly formats. This dashboard enables GC institutions to access and monitor the status of their campaigns.

4.3 Direct purchase

Some GC media placement is purchased directly by institutions rather than via the AOR. For advertising campaigns totalling $25,000 or less, heads of communications for institutions subject to the Policy on Communications and Federal Identity and its policy instruments have the option to purchase advertising space or time directly from media suppliers. Institutions listed in Schedules I, I.1 and II of the Financial Administration Act that buy advertising space or time directly from media suppliers cannot purchase strategic advice, media planning, ad hosting or creative development, as the authority to conduct these contracting activities lies solely with PSPC (see Buying advertising under $25,000).

5. Guidance

The GC must protect individuals’ personal information in accordance with the Privacy Act. Hence, when purchasing digital advertising, either directly or indirectly, GC institutions must ensure that the contracts they become a party to respect the requirements set out in the Privacy Act and its related policies and directives.

In the context of digital advertising, personal information should be used only for non-discriminatory targeted advertising and for non-administrative purposes (such as but not limited to research, statistical, audit, evaluation and in some cases budgetary and financial purposes). Furthermore, when personal information is involved, institutions must take steps to ensure that entities acting on their behalf do so legally and provide appropriate privacy protections to enable the GC to meet its legal and policy requirements. [Footnote 3] To protect individuals’ personal information and foster trust, institutions must consider the privacy implications of digital advertising and implement the appropriate measures to mitigate privacy risks.

5.1 Privacy protocol

As set out in subsection 4.2.5 of the Policy on Privacy Protection, institutions are required to establish a privacy protocol for the non-administrative collection, use or disclosure of personal information. A privacy protocol outlines the proportionate procedures to protect personal information in accordance with the Privacy Act. Institutions can demonstrate compliance in one of two ways:

  1. when contracting digital advertising services through PSPC, they should either use PSPC’s existing privacy protocol or establish their own directly with the AOR
  2. when contracting directly with third-party suppliers for the purchase of digital advertising, they should develop a separate privacy protocol; in this case, institutions may choose to base their privacy protocol on PSPC’s protocol (see Appendix A) [Footnote 4]

When developing a privacy protocol, it is highly recommended that institutions include the following additional measures and best practices, derived from Appendix E: Standard on Privacy in Web Analytics of the Directive on Privacy Practices to strengthen privacy protections:

  • limit collection to de-identified and aggregated information, whenever possible
  • refrain from using precise geo-targeting, and use only broad geo-targeting when no other digital advertising method can achieve the desired effect and de-identify any Internet Protocol (IP) addresses when doing so
  • limit the use of behavioural targeting due to its reliance on third-party cookies; if such targeting is used, confirm that digital platforms request the audience’s meaningful consent (including through implied consent with an option to opt-out) prior to the use, collection and disclosure of any personal information
  • use any personal information collected only for non-administrative purposes, such as but not limited to research, statistical, audit, evaluation, and in some cases budgetary and financial purposes
  • retain personal information (if collected) only for the purpose of digital advertising campaigns and dispose of it immediately following its last relevant use
  • refrain from the collection, use and disclosure of sensitive personal information, including but not limited to anything financial, biometric or health-related
  • refrain from intentionally targeting and tracking children

5.2 Contracting

Institutions must solicit and evaluate bids in accordance with the requirements set out in subsection 4.5 of the Directive on the Management of Procurement. Before entering into a contract with a third party, institutions are encouraged to evaluate suppliers to ensure they are equipped with the technical infrastructure, security safeguards and data governance strategies required to support a GC digital advertising campaign that involves the collection of personal information. Officials who work in the areas of privacy, procurement, security and information technology may be engaged in this exercise as needed.

To ensure the protection of personal information and limit the risk of privacy breaches, GC institutions must ensure that contracts established with third-party service providers or data providers clearly outline measures to protect personal information in accordance with the requirements of the following:

These measures include a requirement to:

  • immediately notify the government institution of privacy breaches
  • contain and mitigate privacy breaches if they occur

The Privacy Breach Management Toolkit provides guidance on how to prepare for, manage and mitigate privacy breaches. For further information on contracting, follow the guidance found in Guidance Document: Taking Privacy into Account Before Making Contracting Decisions.

In addition to the requirements listed above, institutions are encouraged to include the appropriate clauses in digital advertising contracts that:

  • restrict suppliers from sharing any personal information collected with subsidiaries, parent companies, social media platforms or other entities unless other agreements or contracts allow otherwise
  • restrict suppliers from scraping publicly available information online [Footnote 5]
  • restrict suppliers from using tracking methods that override individuals’ consent decisions and are difficult to control
  • allow for regular audits and reviews to oversee suppliers’ compliance with contractual obligations

5.3 De‑identification

De-identifying and aggregating information can reduce the likelihood and impact of privacy breaches. Hence, these mechanisms are recommended for digital advertising activities. Although de-identification and aggregation are important mitigation tools, they carry a residual risk of re-identification and require appropriate and proportionate privacy protection. The risk of re-identification increases when targeting criteria (for example, age or city) lead to a small audience from which individuals can be identified. [Footnote 6] For this reason, it is recommended that elements of information (such as location) not be matched with other identifiers or datasets unnecessarily. As a best practice, institutions, or any contractors acting on their behalf, should perform a risk analysis before using any techniques that could increase the risk of re-identification. Furthermore, institutions should ensure that plans and procedures are in place should there be an increased risk of re-identification. De-identified and aggregated information should not be intentionally re-identified without a valid, lawful purpose. For additional considerations regarding de-identification, refer to Privacy Implementation Notice 2023-01: De-Identification.

5.4 Collection

In the context of digital advertising, the collection of personal information is typically privacy invasive because the target audience may not be asked to provide consent for the collection and may be unaware of its purpose. Third-party suppliers are subject to private sector privacy legislation that requires, in most instances, the audience’s consent for the collection of personal information. According to section 4 of the Privacy Act, government institutions can collect personal information only if it relates directly to an operating program or activity of an institution. Individuals should be informed of the purpose for the collection and, unless an exception in section 7 or 8 of the Privacy Act applies, institutions require the consent of individuals to use and disclose their personal information. Therefore, when employing a third-party service or data provider, institutions should ensure that they have legitimately and legally obtained the personal information that will be provided to the institution.

5.5 Disclosure

Personal information can be disclosed by a GC institution only when the individuals from whom the information was collected provide consent or when the conditions listed in section 8(2) of the Privacy Act are fulfilled. According to subsections 4.2.23 to 4.2.27 of the Directive on Privacy Practices, disclosures of personal information between federal institutions require an information sharing arrangement. GC institutions should first consider the purpose and need to share personal information before completing an information sharing arrangement. It is highly recommended that privacy officials be consulted prior to any disclosures of personal information that was collected for digital advertising.

6. Application

This implementation notice applies to government institutions as defined in section 3 of the Privacy Act that are subject to the Policy on Communications and Federal Identity and its underlying policy instruments. These institutions should consult their privacy offices, legal services and communications branches to ensure that their digital advertising practices comply with the Privacy Act, its supporting policy suite and any existing departmental plans.

Parent Crown corporations and any wholly owned subsidiary of these corporations that are not listed in Schedules I, I.1 and II of the Financial Administration Act are not subject to the Policy on Communications and Federal Identity and its underlying instruments. Regardless, the guidance contained in this implementation notice serves as a series of best practices.

This notice does not apply to the Bank of Canada.

7. References and resources

7.1 Legislation

7.2 Related Treasury Board Secretariat policy instruments

7.3 Other publications

8. Enquiries

Members of the public may contact Treasury Board of Canada Secretariat Public Enquiries for information about this implementation notice.

Employees of federal institutions may contact their Access to Information and Privacy (ATIP) coordinator for information about this implementation notice.

ATIP coordinators may contact the Treasury Board of Canada Secretariat’s Privacy and Responsible Data Division at ippd-dpiprp@tbs-sct.gc.ca for information about this implementation notice.

Appendix A: PSPC’s privacy protocol with the Agency of Record

The following guidelines reflect the current understanding and operating rules established with the AOR, including the types of advertising practices that should or should not be used. These will be reviewed and updated as the media environment and GC digital advertising practices evolve.

The nature of the Internet is such that digital platforms automatically collect certain information from ad recipients. This may include but may not be limited to a user’s Internet Protocol (IP) address, device identification number, country, region and city. The IP address, on its own, does not identify an individual; however, it may be associated with an identifiable individual whose computer is using that address at any given time and thus may, particularly when combined with other data collected by digital platforms, constitute personal information within the meaning of section 3 of the Privacy Act. For this reason, the GC considers the IP address to be personal information in all circumstances. This interpretation may differ from other privacy legislation, including the Personal Information Protection and Electronic Documents Act (PIPEDA). In the context of this protocol, the meaning of “personal information” is based on the GC’s interpretation.

The AOR should ensure that all third-party suppliers associated with GC digital advertising operations have clear, meaningful and prominent privacy notices that provide enough details to allow any individual or organization using or interacting with them to understand the following:

  • what personal information is collected and how it is used
  • the rights of individuals and the choices available to them with regard to the collection and handling of their personal information
  • whether and how personal information collected is shared with or transmitted to third parties
  • for how long personal information is retained and the method of disposal
  • what measures are taken to protect the privacy of individuals

Data collection

GC institutions and the AOR collect data on GC ad recipients from other third-party suppliers operating under their own terms of service and privacy policies, subject to PIPEDA and/or other privacy legislation. Only aggregated, de-identified data is collected, and it is strictly used for non-administrative purposes (statistical, audit and evaluation purposes).

Media suppliers and advertising technology platforms subcontracted by the AOR collect data, including personal information, from GC ad recipients. These suppliers and platforms operate under their own terms of service and privacy policies and are subject to PIPEDA and/or other privacy legislation.

No data, including personal information, may be collected from GC ad recipients by the AOR or any other third-party supplier subcontracted by the AOR, for its own use, including to build profiles for advertising or to deliver audience-targeted ads, that are out of scope with their federal government contracts.

Data usage

The capabilities offered by digital platforms are used by the AOR to target GC ads to specific audiences, based on media strategies and plans approved by GC institutions. These platforms are public and not hosted on GC servers. All operate under their own terms of service and privacy policies, subject to PIPEDA and/or other privacy legislation. Users who choose to interact with them do so freely and are able to read their terms of service and privacy policies and those of any applications used to access them.

Geo-targeting may be used by the AOR depending on the objectives of a particular advertising campaign.

Behavioural targeting may be used by the AOR if unrelated to health and finance, and if a clear, meaningful and prominent opt-out mechanism is provided by digital platforms, for example, AdChoices.

No retargeting may be used by the AOR.

Other targeting techniques that may raise the risk of identification, re-identification or profiling should either:

  • be supported by a risk analysis demonstrating appropriate measures have been taken to protect the privacy of individuals
  • not be used by the AOR

Examples of such techniques include cross-referencing, data mining or data matching from multiple sources.

When advertising is planned in jurisdictions where requirements other than Canadian federal privacy legislation apply, compliance should be verified and documented by the AOR, and related documentation should be provided to GC institutions.

Data disclosure and retention

No data collected by the AOR or other third-party suppliers subcontracted by the AOR (as defined above) may be used or disclosed outside the AOR’s contractual terms (that is, Contract EP361-191751/001/CZ) (accessible only on the GC network).

Data collected by the AOR must be retained and disposed of in accordance with article 1.2.1 of Contract EP361-191751/001/CZ (accessible only on the GC network).

Content suitability and narrow targeting

The AOR should regularly review its targeting practices for any factors that may raise privacy risks to GC institutions and provide advice and recommendations as required. Such factors may be associated with but may not be limited to the following:

Content

  • Content tied to health and finance is more sensitive and requires special consideration when planning. The AOR should refrain from using behavioural targeting for campaigns involving content of this nature.

Target audience

  • The target audience may also affect the sensitivity of the content, particularly if it includes members of vulnerable groups. The AOR should exercise caution in using behavioural targeting if this is the case.
  • The fewer people in a segment, the more invasive the advertising:
    • There is no clear determination of what density would be considered acceptable for GC digital advertising. The minimum level of segmentation needed should be used by the AOR to target an audience.
    • When advertising has the potential to be overly personalized or intrusive, segmentation should be supported by a risk analysis.

Execution

  • Execution of a targeted ad campaign may trigger awareness that advertising is highly “personalized” or dependent on invasive data collection practices:
    • Geo-fencing and other targeting methods using a narrow radius should be used with caution. Situations that present unpredictable density should be avoided, for example, after visiting a specific location within a specific parameter.
    • Data scraped from the web (for example, social media platforms) to profile individuals or groups without their knowledge may be detrimental to public trust in GC digital advertising placements and practices.

Appendix B: definitions

administrative purpose

The use of personal information about an individual “in a decision-making process that directly affects that individual” (section 3 of the Privacy Act). This includes all uses of personal information for confirming identity (that is, authentication and verification purposes) and for determining eligibility of individuals for government programs (see the Policy on Privacy Protection).

advertising

Government of Canada advertising is defined as any message conveyed in Canada or abroad and paid for by the government for placement in media, including but not limited to newspapers, television, radio, cinema, billboards and other out-of-home media, mobile devices, the Internet, and any other digital medium (see the Policy on Communications and Federal Identity).

aggregate information

Personal information that has been modified to remove direct personal identifiers and grouped into a summary for statistical analysis. Aggregated information is a form of de‑identified information. This is a working definition. As the term is not defined in federal Canadian law or policy at the time of writing this Privacy Implementation Notice, this definition is used solely for the purposes of this Privacy Implementation Notice.

consent

The informed, voluntary agreement of an individual for the direct or indirect collection or for the disclosure, retention and subsequent uses of personal information collected from the individual for a legally authorized purpose (see Guidance on Preparing Information Sharing Agreements Involving Personal Information).

data

Set of values of subjects with respect to qualitative or quantitative variables representing facts, statistics or items of information in a formalized manner suitable for communication, reinterpretation or processing (see the Policy on Service and Digital).

de-identified information

Personal information that has been modified through a process to remove or alter identifiers to a degree that is appropriate in the circumstances. De‑identified information carries a residual risk of re-identification (see Privacy Implementation Notice 2023-01: De‑Identification).

first-party cookies

A cookie is a data file sent by a web server to the web browser on a visitor’s computer that the web server uses to track or record visitor information. First-party cookies are those cookies set by the website that the visitor is visiting (see the Directive on Privacy Practices). Users consent to first-party cookies when browsing.

handling

Any process involving personal information, including collection, correction, creation, modification, use, retention, disclosure and disposal (see the Directive on Privacy Practices).

information

Knowledge captured in any format, such as facts, events, things, processes or ideas, that can be structured or unstructured, including concepts that within a certain context have particular meaning. Information includes data (see the Policy on Service and Digital).

information-sharing arrangement

A written record of understanding that outlines the terms and conditions under which personal information is disclosed between parties. An information-sharing arrangement is usually employed to facilitate the disclosure of personal information between and within federal institutions. An information-sharing arrangement is not legally binding (see the Directive on Privacy Practices).

Internet Protocol address

A numerical label assigned by the Internet service provider to each computer. It is how the computer user communicates on the Internet. An Internet Protocol (IP) address may, in some circumstances, be linked with an identifiable individual whose computer is using that address at any given time. Therefore, the Government of Canada considers the IP address to be personal information that must, in all cases, be dealt with in accordance with the requirements of the Privacy Act (see the Directive on Privacy Practices).

non-administrative purpose

The use of personal information for a purpose that is not related to any decision-making process that directly affects the individual. This includes the use of personal information for research, statistical, audit and evaluation purposes (see the Policy on Privacy Protection).

personal information

Information about an identifiable individual that is recorded in any form. See section 3 of the Privacy Act for additional information.

privacy breach

The improper or unauthorized access to, creation, collection, use, disclosure, retention or disposal of personal information (see the Policy on Privacy Protection).

privacy protocol

A set of documented procedures to be followed when using personal information for non-administrative purposes including research, statistical, audit and evaluation purposes. These procedures are to ensure that the individual’s personal information is handled in a manner that is consistent with the principles of the Privacy Act (see the Policy on Privacy Protection).

sensitive personal information

While virtually any personal information may be sensitive in certain contexts (for example, disclosure of a home address may expose an individual to risk for personal or professional reasons), there are other categories of personal information that are always considered sensitive for most individuals. These categories include medical, financial, criminal history and widely used personal identifiers such as the social insurance number or other personal information, the unauthorized disclosure of which could be injurious to the individual to whom it relates (see Guidance on Preparing Information Sharing Agreements Involving Personal Information).

third-party cookies

Cookies sent by a domain that is different from the website the visitor is currently visiting. Third-party cookies do not request consent to collect data. This is a working definition. As the term is not defined in federal Canadian law or policy at the time of writing this Privacy Implementation Notice, this definition is used solely for the purposes of this Privacy Implementation Notice. Note that Google is expected to phase out the use of third-party cookies in 2024, which will alter the digital advertising landscape.

web analytics

The collection, analysis, measurement and reporting of data about web traffic and user visits for the purposes of understanding and optimizing web usage (see Appendix E: Standard on Privacy in Web Analytics of the Directive on Privacy Practices).

Appendix C: digital advertising methods

Geo-targeting and geo-fencing

Geo-targeting targets audiences with relevant advertisements based on their geographic location. This method uses radio frequency identification (RFID), postal code forward sortation areas, Wi-Fi and global positioning system (GPS) data to determine an audience’s location and provide advertisements that are relevant to the goods or services offered in close proximity. Geo-targeting uses location information received from Internet Protocol addresses or cell towers, in addition to the audience’s behaviours, interests or demographic, to tailor ads. The collection of location information, coupled with other elements of personal information, increases the possibility of identifying or re-identifying individuals, thus rendering it more privacy invasive than other digital advertising methods. Conversely, geo-fencing targets large audiences based solely on their location. Since geo-fencing is strictly reliant on general location (and no other factors), the risk of identifying individuals is reduced.

Behavioural targeting

Behavioural targeting uses third-party cookies to target specific audiences based on their search history and previous online behaviour. Because behavioural targeting is based on historical rather than current online activity, the information collected could be inaccurate. In addition, this method lacks transparency because third-party cookies do not request consent to collect data. As such, behavioural targeting has the potential to be more privacy invasive than first-party or contextual targeting.

First-party targeting

First-party targeting targets specific audiences based on their profile and relationship with the advertiser. Websites use information collected through direct user engagement in another activity separate from advertising. Examples include when a user signs into an account, makes a purchase, completes a survey, follows a social media account, consents to first-party cookies or subscribes to a mailing list. In this context, the user consents to receiving information from the advertiser. The privacy risks associated with first-party targeting are lower than behavioural targeting and geo-targeting because the user is generally aware of the targeting and provides some level of consent to it. That being said, all digital platforms, be they governmental or corporate in nature, can be vulnerable to cyber-attacks that could result in privacy breaches. Hence, the inherent risk of privacy breaches remains.

Contextual targeting

Contextual targeting targets specific audiences with relevant advertisements based on the current web content being viewed. Contextual advertising does not rely on information obtained from cookies. Instead, it relates the advertising to the subject matter of the web page. For example, a website for recipes displays advertisements for ingredients mentioned in the recipe. Contextual targeting does not collect elements of personal information and is, thus, the least privacy invasive of the digital advertising methods addressed here.

Retargeting

Retargeting is a digital advertising method that targets specific audiences with relevant advertisements after a previous event, for example, a visit to a website or web page. For instance, if an individual visits a web page but abandons the web page before clicking on a link or making a purchase, a cookie will silently follow the individual as they browse other content and provide advertisements for the web page they left, in an attempt to regain their attention. Due to the privacy invasive nature of retargeting, the Agency of Record and federal institutions do not use this advertising method.
