Privacy Implementation Notice 2024-01: Digital Advertising

4.1 Digital advertising in the Government of Canada

Government of Canada advertising placed on third-party digital platforms is an extension of the government’s presence on the Internet. Digital platforms are online spaces where producers and users of goods, services and content can engage and exchange information. The GC purchases advertising space on these digital platforms to deliver audience-targeted advertisements aimed at:

• promoting GC programs and services
• directing individuals to a GC website to obtain further information

Digital platforms commonly make use of data and personal information to customize the audience’s experience. This customization is enabled by segmentation, a marketing practice intended to deliver content appropriate to the audience’s demographic profile, region, interests or online behaviour. This approach helps ensure that the audience for whom the information is most relevant receives it at the appropriate time and place. Suppliers or contractors used for GC digital advertising collect information from the audience (also known as advertisement recipients, users, visitors or individuals) and use that information to further target advertising campaigns. The GC pays media suppliers when an advertisement is shown or clicked on. These metrics and sources of data can be captured through web analytics or ad servers to measure a campaign’s performance. Getting an accurate count of impressions, views and clicks is very important for:

• measuring the performance of advertising campaigns
• placing advertisements
• managing budgets
• ensuring effective and responsible use of public funds

A combination of digital advertising methods can be used to target an audience. Audience targeting segments all prospective advertising recipients into specific groups based on their demographic group, geographic location, interests and online behaviour. This information, which may include personal information, is subsequently collected by the advertising platform and used to tailor advertisements to groups that would be most likely to act on the advertisement. Digital advertising methods, including behavioural targeting, contextual targeting, first-party targeting and geo-targeting, carry varied levels of privacy risk, as detailed in Appendix C.

According to the mandatory procedures set out in Appendix B of Directive on the Management of Communications, when undertaking advertising activities, institutions must consult with their department’s communications branch to ensure that communications products and activities, including advertising initiatives, align with departmental plans. Furthermore:

• contracts must be established in alignment with the requirements set out in the Directive on the Management of Procurement
• all GC suppliers must adhere to PSPC’s Code of Conduct for Procurement

Regardless of any third parties involved, the GC is the ultimate steward of all information collected or handled on its behalf. Consequently, in addition to the Privacy Act and its related policy suite, personal information, like all information handled by the GC, must be managed as a strategic asset in accordance with the following:

• subsection 4.3.2 of the Policy on Service and Digital
• subsection 4.3.1 of the Directive on Service and Digital
• the Policy on the Planning and Management of Investments

Any information that includes elements of personal information or is deemed personal information must be managed in accordance with the Privacy Act and its related GC privacy policy instruments, which govern how personal information is collected, used or disclosed. See the Guidance section of this implementation notice for recommendations on how to mitigate privacy risks associated with handling personal information in a digital advertising context.

4.2 Agency of Record

Institutions subject to the Policy on Communications and Federal Identity purchase digital advertising either directly from media suppliers or indirectly through the AOR. Most GC media placement is done through the AOR, which is a private sector supplier contracted by PSPC’s Communications Procurement Directorate. Activities of the AOR are managed by PSPC’s Advertising Services Directorate. The AOR is responsible for providing services for media planning and strategizing, media buying, ad placement and trafficking, ad verification, reporting, and reconciliation to support a wide range of advertising initiatives. The AOR makes use of information and targeting capabilities offered by digital platforms to inform the purchase of advertising space and target GC advertisements to specific audiences based on media strategies and plans approved by individual GC institutions.

The AOR subcontracts GC digital advertising to third-party suppliers, including the following:

• media suppliers: publishers that sell advertising space, for example, websites, social media platforms and search engine platforms
• advertising technology platforms: suppliers that provide the information technology platforms required to enable the purchase of advertising space, ad delivery and tracking, verification of units purchased and viewability, and protection against impression and click fraud, and that ensure brand safety; these platforms include ad servers, demand-side platforms and ad verification technology
• data providers: suppliers that sell aggregated, de-identified audience data for the real-time placement of display advertisements (this is based on programmed algorithms, also known as programmatic media placement)

Note that the AOR’s suppliers and contractors used for GC digital advertising collect aggregated^{Footnote 1} and de-identified^{Footnote 2} information from individuals to deliver targeted advertising.

The AOR is responsible for:

• vetting all third-party suppliers it subcontracts with
• ensuring that third-party suppliers are compliant with all relevant privacy legislation, including informing individuals targeted by GC advertising of how their personal information (if any) will be handled

As such, PSPC and the AOR have established a privacy protocol that outlines how personal information will be handled to ensure it is protected throughout the course of the campaign (see Appendix A). Together, they also developed a measurement framework to define the metrics and the sources of information that will be collected. The AOR is also required to create a dashboard of results that aggregates and converts the information collected into user-friendly formats. This dashboard enables GC institutions to access and monitor the status of their campaigns.

4.3 Direct purchase

Some GC media placement is purchased directly by institutions rather than via the AOR. For advertising campaigns totalling $25,000 or less, heads of communications for institutions subject to the Policy on Communications and Federal Identity and its policy instruments have the option to purchase advertising space or time directly from media suppliers. Institutions listed in Schedules I, I.1 and II of the Financial Administration Act that buy advertising space or time directly from media suppliers cannot purchase strategic advice, media planning, ad hosting or creative development, as the authority to conduct these contracting activities lies solely with PSPC (see Buying advertising under $25,000).

5.1 Privacy protocol

As set out in subsection 4.2.5 of the Policy on Privacy Protection, institutions are required to establish a privacy protocol for the non-administrative collection, use or disclosure of personal information. A privacy protocol outlines the proportionate procedures to protect personal information in accordance with the Privacy Act. Institutions can demonstrate compliance in one of two ways:

1. when contracting digital advertising services through PSPC, they should either use PSPC’s existing privacy protocol or establish their own directly with the AOR
2. when contracting directly with third-party suppliers for the purchase of digital advertising, they should develop a separate privacy protocol; in this case, institutions may choose to base their privacy protocol on PSPC’s protocol (see Appendix A)^{Footnote 4}

When developing a privacy protocol, it is highly recommended that institutions include the following additional measures and best practices, derived from Appendix E: Standard on Privacy in Web Analytics of the Directive on Privacy Practices to strengthen privacy protections:

• limit collection to de-identified and aggregated information, whenever possible
• refrain from using precise geo-targeting, and use only broad geo-targeting when no other digital advertising method can achieve the desired effect and de-identify any Internet Protocol (IP) addresses when doing so
• limit the use of behavioural targeting due to its reliance on third-party cookies; if such targeting is used, confirm that digital platforms request the audience’s meaningful consent (including through implied consent with an option to opt-out) prior to the use, collection and disclosure of any personal information
• use any personal information collected only for non-administrative purposes, such as but not limited to research, statistical, audit, evaluation, and in some cases budgetary and financial purposes
• retain personal information (if collected) only for the purpose of digital advertising campaigns and dispose of it immediately following its last relevant use
• refrain from the collection, use and disclosure of sensitive personal information, including but not limited to anything financial, biometric or health-related
• refrain from intentionally targeting and tracking children

5.2 Contracting

Institutions must solicit and evaluate bids in accordance with the requirements set out in subsection 4.5 of the Directive on the Management of Procurement. Before entering into a contract with a third party, institutions are encouraged to evaluate suppliers to ensure they are equipped with the technical infrastructure, security safeguards and data governance strategies required to support a GC digital advertising campaign that involves the collection of personal information. Officials who work in the areas of privacy, procurement, security and information technology may be engaged in this exercise as needed.

To ensure the protection of personal information and limit the risk of privacy breaches, GC institutions must ensure that contracts established with third-party service providers or data providers clearly outline measures to protect personal information in accordance with the requirements of the following:

• section 4008 04 of PSPC’s Standard Acquisition Clauses and Conditions (SACC) Manual
• subsection 4.2.16 of the Policy on Privacy Protection
• subsections 4.2.23 to 4.2.27 of the Directive on Privacy Practices
• subsection F.2.3 of Appendix F: Mandatory Procedures for Security in Contracts and Other Arrangements Control of the Directive on Security Management

These measures include a requirement to:

• immediately notify the government institution of privacy breaches
• contain and mitigate privacy breaches if they occur

The Privacy Breach Management Toolkit provides guidance on how to prepare for, manage and mitigate privacy breaches. For further information on contracting, follow the guidance found in Guidance Document: Taking Privacy into Account Before Making Contracting Decisions.

In addition to the requirements listed above, institutions are encouraged to include the appropriate clauses in digital advertising contracts that:

• restrict suppliers from sharing any personal information collected with subsidiaries, parent companies, social media platforms or other entities unless other agreements or contracts allow otherwise
• restrict suppliers from scraping publicly available information online^{Footnote 5}
• restrict suppliers from using tracking methods that override individuals’ consent decisions and are difficult to control
• allow for regular audits and reviews to oversee suppliers’ compliance with contractual obligations

5.3 De‑identification

De-identifying and aggregating information can reduce the likelihood and impact of privacy breaches. Hence, these mechanisms are recommended for digital advertising activities. Although de-identification and aggregation are important mitigation tools, they carry a residual risk of re-identification and require appropriate and proportionate privacy protection. The risk of re-identification increases when targeting criteria (for example, age or city) leads to a small audience from which individuals can be identified.^{Footnote 6} For this reason, it is recommended that elements of information (such as location) not be matched with other identifiers or datasets unnecessarily. As a best practice, institutions, or any contractors acting on their behalf, should perform a risk analysis before using any techniques that could increase the risk of re-identification. Furthermore, institutions should ensure that plans and procedures are in place should there be an increased risk of re-identification. De-identified and aggregated information should not be intentionally re-identified without a valid, lawful purpose. For additional considerations regarding de-identification, refer to Privacy Implementation Notice 2023-01: De-Identification.

5.4 Collection

In the context of digital advertising, the collection of personal information is typically privacy invasive because the target audience may not be asked to provide consent for the collection and may be unaware of its purpose. Third-party suppliers are subject to private sector privacy legislation that requires, in most instances, the audience’s consent for the collection of personal information. According to section 4 of the Privacy Act, government institutions can collect personal information only if it relates directly to an operating program or activity of an institution. Individuals should be informed of the purpose for the collection and, unless an exception in section 7 or 8 of the Privacy Act applies, institutions require the consent of individuals to use and disclose their personal information. Therefore, when employing a third-party service or data provider, institutions should ensure that they have legitimately and legally obtained the personal information that will be provided to the institution.

5.5 Disclosure

Personal information can be disclosed by a GC institution only when the individuals from whom the information was collected provide consent or when the conditions listed in section 8(2) of the Privacy Act are fulfilled. According to subsections 4.2.23 to 4.2.27 of the Directive on Privacy Practices, disclosures of personal information between federal institutions require an information sharing arrangement. GC institutions should first consider the purpose and need to share personal information before completing an information sharing arrangement. It is highly recommended that privacy officials be consulted prior to any disclosures of personal information that was collected for digital advertising.

7.1 Legislation

• Financial Administration Act
• Privacy Act
• Personal Information Protection and Electronic Documents Act

7.2 Related Treasury Board Secretariat policy instruments

• Directive on Privacy Practices
• Directive on Service and Digital
• Directive on the Management of Communications
• Directive on the Management of Procurement
• Directive on Security Management
• Policy on Communications and Federal Identity
• Policy on Privacy Protection
• Policy on the Planning and Management of Investments
• Policy on Service and Digital
• Appendix E: Standard on Privacy in Web Analytics of the Directive on Privacy Practices

7.3 Other publications

• Agency of Record Contract EP361-191751/001/CZ (accessible only on the GC network)
• Buying advertising under $25,000
• Code of Conduct for Procurement
• Government of Canada advertising
• Government of Canada advertising annual reports
• Guidance Document: Taking Privacy into Account Before Making Contracting Decisions
• Guidance on Preparing Information Sharing Agreements Involving Personal Information
• Privacy Breach Management Toolkit
• Privacy Implementation Notice 2020-03: Protecting Privacy When Releasing Information About a Small Number of Individuals
• Privacy Implementation Notice 2023-01: De‑Identification
• Privacy Implementation Notice 2023-02: Personal Information for Program Monitoring, Evaluation and Reporting Purposes
• Privacy Implementation Notice 2023-03: Guidance Pertaining to the Collection, Use, Retention and Disclosure of Personal Information That Is Publicly Available Online
• Standard Acquisition Clauses and Conditions (SACC) Manual

Data collection

GC institutions and the AOR collect data on GC ad recipients from other third-party suppliers operating under their own terms of service and privacy policies, subject to PIPEDA and/or other privacy legislation. Only aggregated, de-identified data is collected, and it is strictly used for non-administrative purposes (statistical, audit and evaluation purposes).

Media suppliers and advertising technology platforms subcontracted by the AOR collect data, including personal information, from GC ad recipients. These suppliers and platforms operate under their own terms of service and privacy policies and are subject to PIPEDA and/or other privacy legislation.

No data, including personal information, may be collected from GC ad recipients by the AOR or any other third-party supplier subcontracted by the AOR, for its own use, including to build profiles for advertising or to deliver audience-targeted ads, that are out of scope with their federal government contracts.

Data usage

The capabilities offered by digital platforms are used by the AOR to target GC ads to specific audiences, based on media strategies and plans approved by GC institutions. These platforms are public and not hosted on GC servers. All operate under their own terms of service and privacy policies, subject to PIPEDA and/or other privacy legislation. Users who choose to interact with them do so freely and are able to read their terms of service and privacy policies and those of any applications used to access them.

Geo-targeting may be used by the AOR depending on the objectives of a particular advertising campaign.

Behavioural targeting may be used by the AOR if unrelated to health and finance, and if a clear, meaningful and prominent opt-out mechanism is provided by digital platforms, for example, AdChoices.

No retargeting may be used by the AOR.

Other targeting techniques that may raise the risk of identification, re-identification or profiling should either:

• be supported by a risk analysis demonstrating appropriate measures have been taken to protect the privacy of individuals
• not be used by the AOR

Examples of such techniques include cross-referencing, data mining or data matching from multiple sources.

When advertising is planned in jurisdictions where requirements other than Canadian federal privacy legislation apply, compliance should be verified and documented by the AOR, and related documentation should be provided to GC institutions.

Data disclosure and retention

No data collected by the AOR or other third-party suppliers subcontracted by the AOR (as defined above) may be used or disclosed outside the AOR’s contractual terms (that is, Contract EP361-191751/001/CZ) (accessible only on the GC network).

Data collected by the AOR must be retained and disposed of in accordance with article 1.2.1 of Contract EP361-191751/001/CZ (accessible only on the GC network).

Content suitability and narrow targeting

The AOR should regularly review its targeting practices for any factors that may raise privacy risks to GC institutions and provide advice and recommendations as required. Such factors may be associated with but may not be limited to the following:

Geo-targeting and geo-fencing

Geo-targeting targets audiences with relevant advertisements based on their geographic location. This method uses radio frequency identification (RFID), postal codes forward sortation area, Wi-Fi and global positioning system (GPS) data to determine an audience’s location and provide advertisements that are relevant to the goods or services offered in close proximity. Geo-targeting uses location information received from Internet Protocol addresses or cell towers, in addition to the audience’s behaviours, interests or demographic, to tailor ads. The collection of location information, coupled with other elements of personal information, increases the possibility of identifying or re-identifying individuals, thus rendering it more privacy invasive than other digital advertising methods. Conversely, geo-fencing targets large audiences based solely on their location. Since geo-fencing is strictly reliant on general location (and no other factors) the risk of identifying individuals is reduced.

Behavioural targeting

Behavioural targeting uses third-party cookies to target specific audiences based on their search history and previous online behaviour. Because behavioural targeting is based on historical rather than current online activity, the information collected could be inaccurate. In addition, this method lacks transparency because third-party cookies do not request consent to collect data. As such, behavioural targeting has the potential to be more privacy invasive than first-party or contextual targeting.

First-party targeting

First-party targeting targets specific audiences based on their profile and relationship with the advertiser. Websites use information collected through direct user engagement in another activity separate from advertising. Examples include when a user signs into an account, makes a purchase, completes a survey, follows a social media account, consents to first-party cookies or subscribes to a mailing list. In this context, the user consents to receiving information from the advertiser. The privacy risks associated with first-party targeting are lower than behavioural targeting and geo-targeting because the user is generally aware of the targeting and provides some level of consent to it. That being said, all digital platforms, be they governmental or corporate in nature, can be vulnerable to cyber-attacks that could result in privacy breaches. Hence, the inherent risk of privacy breaches remains.

Contextual targeting

Contextual targeting targets specific audiences with relevant advertisements based on the current web content being viewed. Contextual advertising does not rely on information obtained from cookies. Instead, it relates the advertising to the subject matter of the web page. For example, a website for recipes displays advertisements for ingredients mentioned in the recipe. Contextual targeting does not collect elements of personal information and is, thus, the least privacy invasive of the digital advertising methods addressed here.

Retargeting

Retargeting is a digital advertising method that targets specific audiences with relevant advertisements after a previous event, for example, a visit to a website or web page. For instance, if an individual visits a web page but abandons the web page before clicking on a link or making a purchase, a cookie will silently follow the individual as they browse other content and provide advertisements for the web page they left, in an attempt to regain their attention. Due to the privacy invasive nature of retargeting, the Agency of Record and federal institutions do not use this advertising method.