Privacy Implementation Notice 2024-01: Digital Advertising

4.1 Digital advertising in the Government of Canada

Government of Canada advertising placed on third-party digital platforms is an extension of the government’s presence on the Internet. Digital platforms are online spaces where producers and users of goods, services and content can engage and exchange information. The GC purchases advertising space on these digital platforms to deliver audience-targeted advertisements aimed at:

• promoting GC programs and services
• directing individuals to a GC website to obtain further information

Digital platforms commonly make use of data and personal information to customize the audience’s experience. This customization is enabled by segmentation, a marketing practice intended to deliver content appropriate to the audience’s demographic profile, region, interests or online behaviour. This approach helps ensure that the audience for whom the information is most relevant receives it at the appropriate time and place. Media suppliers acting on behalf of the GC collect information, which may include elements of personal information, from the audience (also known as advertisement recipients, users, visitors or individuals) and use that information to further target advertising campaigns. The GC pays media suppliers when an advertisement is shown or clicked on. Metrics and other data can be captured through web analytics (with the support of digital markers) or ad servers to measure a campaign’s performance. Getting an accurate count of impressions, views and clicks is very important for:

• measuring the performance of advertising campaigns
• placing advertisements
• managing budgets
• ensuring effective and responsible use of public funds

A combination of digital advertising methods can be used to target an audience. Segmentation categorizes all prospective advertising recipients into specific groups based on their demographic group, geographic location, interests and online behaviour. This information, which may include personal information, is collected by the advertising platform and used to tailor and target advertisements to groups that would be most likely to act on the advertisement. Digital advertising methods, including behavioural targeting, contextual targeting, first-party targeting and geo-targeting, carry varied levels of privacy risk, as presented in more detail in Appendix B.

Segmentation should not be confused with profiling. Segmentation groups audiences based on shared or contextual attributes, often at an aggregate level. Profiling involves analyzing known data and personal information (including interests, page views, or purchase history) to extrapolate individual-level characteristics or behaviours in order to personalize advertising. In a digital advertising context, profiling can often involve data matching, which allows platforms to compare personal information associated with a single individual across datasets. Note that profiling and data matching can increase the risk of identification and re-identification and, thus, is prohibited for third parties under section E.2.2.3.9 of Appendix E: Standard on Web Analytics of the Directive on Privacy Practices, unless expressly pre-authorized in writing by the institution.

According to the mandatory procedures set out in Appendix A of the Directive on the Management of Communications and Federal Identity, when undertaking an advertising initiative, institutions must confirm with Public Services and Procurement Canada’s (PSPC’s) Advertising Services Directorate (ASD) that the initiative meets the definition of advertising. Contracts must also be established in alignment with the requirements set out in the Directive on the Management of Procurement and all GC suppliers must adhere to PSPC’s Code of Conduct for Procurement.

Regardless of any third parties involved, the GC is the ultimate steward of all information collected or handled on its behalf. Consequently, in addition to the Privacy Act and its related policy suite, personal information, like all information handled by the GC, must be managed as a strategic asset in accordance with the following:

• subsection 4.3.2 of the Policy on Service and Digital
• subsection 4.3.1 of the Directive on Service and Digital
• the Policy on the Planning and Management of Investments

Any information that includes elements of personal information must be managed in accordance with the Privacy Act and its related GC privacy policy instruments, which govern how personal information is collected, used or disclosed. In the context of digital advertising, web analytics may be used to collect, analyze, measure, and report on data about web traffic and user visits. As such, any personal information collected for digital advertising purposes that is supported by web analytics must be safeguarded in accordance with Appendix E: Standard on Privacy in Web Analytics of the Directive on Privacy Practices.

4.2 Indirect versus direct purchasing

Institutions subject to the Policy on Communications and Federal Identity can purchase digital advertising either directly, from media suppliers or, indirectly, via PSPC. Most GC media placement is done through the agency of record (AOR), which is a private sector supplier contracted by PSPC that performs a centralized function by negotiating, consolidating, purchasing and verifying advertising time and space for the GC. Some digital advertising is purchased directly by institutions rather than via PSPC’s contract with the AOR. For advertising campaigns totalling $40,000 or less, heads of communications for institutions subject to the Policy on Communications and Federal Identity have the option to purchase advertising space directly from media suppliers (see Buying advertising that does not exceed $40,000).

When purchasing digital advertising that totals more than $40,000, institutions subject to the Policy on Communications and Federal Identity must use the AOR’s services under PSPC’s contract. The AOR is responsible for providing services for media buying, ad placement and trafficking, ad verification, reporting, and reconciliation to support a wide range of advertising initiatives for all the institutions it contracts with. If requested, the AOR can also provide services for media planning and strategizing. The AOR makes use of information and targeting capabilities offered by digital platforms to inform the purchase of advertising space and targets GC advertisements to specific audiences based on media strategies and plans approved by individual institutions.

The AOR subcontracts GC digital advertising to third-party suppliers, including the following:

• media suppliers: publishers that sell advertising space, for example, websites, social media platforms and search engine platforms
• advertising technology platforms: suppliers that provide the information technology platforms required to enable the purchase of advertising space, ad delivery and tracking, verification of units purchased and viewability, and protection against impression and click fraud, and that ensure brand safety. These platforms include ad servers, demand-side platforms and ad verification technology
• data providers: suppliers that sell aggregated, de-identified audience data for the real-time placement of display advertisements (this is based on programmed algorithms, which is also known as programmatic media placement)

Note that the AOR’s suppliers and contractors used for GC digital advertising collect aggregated^{Footnote 1} and de-identified^{Footnote 2} information from individuals to deliver targeted advertising.

The AOR is responsible for:

• vetting all third-party suppliers it subcontracts with
• ensuring that third-party suppliers are compliant with all relevant privacy legislation, including informing individuals targeted by GC advertising of how their personal information (if any) will be handled

Together, PSPC and the AOR have developed a measurement framework to define the metrics and the sources of information that will be collected. This framework helps ensure that digital advertising performance is measured and verified for optimal accountability and transparency.

5.1 Privacy checklist and privacy protocol

Prior to undertaking a new program or activity that could involve the creation, collection, use, disclosure, retention or disposal of personal information or substantially modifying an existing one, institutions must determine whether they need to conduct a privacy assessment. This decision must be documented in a privacy checklist^{Footnote 4}, as per subsection C.2.2.6 of the Directive on Privacy Practices. Consequently, should the results of any related privacy checklist indicate that a privacy assessment is required, this will likely take the form of a privacy protocol. As set out in subsections 4.1.13 and 4.2.16.1 and Appendix C: Standard on Privacy Impact Assessment of the Directive on Privacy Practices, institutions must ensure that a privacy protocol is established, prepared and updated for any program or activity that uses personal information for a non-administrative purpose. Subsections C.2.2.18 to C.2.2.22 of the Directive on Privacy Practices contain the minimum requirements for a privacy protocol. In the context of digital advertising, institutions can demonstrate compliance with these requirements by establishing their own privacy protocol with the AOR or directly with third-party suppliers (depending on which entity is contracted with).

When web analytics is used to support digital advertising, institutions must abide by the requirements contained within Appendix E: Standard on Privacy in Web Analytics of the Directive on Privacy Practices. These requirements include:

• de-identifying any collected Internet Protocol (IP) addresses
• retaining information for the applicable maximum retention period
• refraining from linking IP addresses or information in digital markers
• using only first-party cookies for the purpose of web analytics
• abstaining from any practices what would increase the risk of identification, re-identification or profiling

In addition to these requirements, when developing a privacy protocol, it is highly recommended that institutions document and implement the following additional measures and best practices to strengthen privacy protections, unless there is a clear program need to do otherwise:

• limit collection of personal information to de-identified and aggregated information, whenever possible
• refrain from using precise geo-targeting which narrowly targets specific neighbourhoods, postal codes or small radiuses around locations, due to its privacy invasiveness^{Footnote 5}. Use only broad geo-targeting to target large areas, such as countries, regions, or provinces and territories, when no other digital advertising method can achieve the desired effect and de-identify any IP addresses when doing so
• refrain from retargeting due to its reliance on collecting personal information across multiple websites
• confirm that digital platforms request the audience’s meaningful consent (including through implied consent with an option to opt-out) prior to the use, collection and disclosure of any personal information
• use any personal information collected only for non-administrative purposes, such as but not limited to research, statistical, and audit and evaluation
• retain personal information, if collected, only for the purpose of digital advertising campaigns
• do not collect, use or disclose sensitive personal information, including but not limited to anything financial, biometric or health-related for the purpose of digital advertising
• do not intentionally target or track children

5.2 Contracting

Institutions must solicit and evaluate bids in accordance with the requirements set out in subsection 4.5 of the Directive on the Management of Procurement. Before entering a contract with a third party, institutions are encouraged to evaluate suppliers to ensure they are equipped with the technical infrastructure, security safeguards and data governance strategies required to support a GC digital advertising campaign that involves the collection of personal information. Officials who work in the areas of privacy, procurement, security, information technology and information management may be engaged in this exercise as needed.

To ensure the protection of personal information and limit the risk of privacy breaches, institutions must ensure that contracts established with media suppliers clearly outline measures to protect personal information in accordance with the following:

• personal information clause of PSPC’s Standard Contract Clause Inventory
• subsection 4.2.16 of the Policy on Privacy Protection
• subsections 4.2.33 to 4.2.37 (related to contracts, agreements and arrangements) of the Directive on Privacy Practices
• subsection E.2.2.3 of Appendix E: Standard on Web Analytics of the Directive on Privacy Practices , including the requirement to restrict suppliers from disclosing or sharing any personal information they collect on behalf of the GC (including, but not limited to subsidiaries, parent companies and social media platforms) unless it is with the express written authorization of the institution, or if required to do so by law
• subsection F.2.3 of Appendix F: Mandatory Procedures for Security in Contracts and Other Arrangements Control of the Directive on Security Management

Of note, all digital platforms, be they governmental or corporate in nature, can be vulnerable to cyber-attacks that could result in privacy breaches. Hence, the inherent risk of privacy breaches remains. As such, the mandatory contractual measures listed above include requirements to:

• immediately notify the government institution of privacy breaches
• contain and mitigate privacy breaches if they occur

For additional guidance on how to prepare for, manage and mitigate privacy breaches, refer to the Privacy Breach Management Toolkit. For further information on contracting, follow the guidance found in Guidance Document: Taking Privacy into Account Before Making Contracting Decisions.

In addition to the requirements listed above, institutions are encouraged to include clauses in digital advertising contracts that:

• restrict suppliers from unlawfully scraping publicly available information online^{Footnote 6}
• restrict suppliers from using tracking methods that override individuals’ consent decisions and are difficult to control
• allow for regular audits and reviews to oversee suppliers’ compliance with contractual obligations

When contracting with third parties, institutions retain ultimate responsibility for any personal information collected or used on their behalf, even when the institution itself is not directly handling the personal information (including de-identified and aggregated information). Section 4.2.34.6 of the Directive on Privacy Practices also requires that contracts include a provision to ensure that institutions have continued control^{Footnote 7} over any personal information disclosed to or collected by a third party. It is important to note that contracts do not replace the requirement for institutions to complete a privacy protocol for any program or activity that uses personal information for a non-administrative purpose.

5.3 De‑identification

De-identifying and aggregating information can reduce the likelihood and impact of privacy breaches and is required when engaging in web analytics that supports digital advertising (as per sections E.2.2.3.4 and E.2.2.3.5 of Appendix E: Standard on Web Analytics of the Directive on Privacy Practices). Although de-identification and aggregation are important mitigation tools, they carry a residual risk of re-identification and require appropriate and proportionate privacy protection. The risk of re-identification increases when targeting criteria (for example, age or city) leads to a small audience from which individuals can be identified.^{Footnote 8} For this reason, it is required that elements of information (such as location and IP address) and digital markers not be matched with other identifiers or datasets unnecessarily. As a best practice, institutions, or any suppliers acting on their behalf, should perform a risk analysis before using any techniques that could increase the risk of re-identification. Furthermore, institutions should ensure that plans and procedures are in place should there be an increased risk of re-identification. De-identified and aggregated information should not be intentionally re-identified without a valid, lawful purpose. For additional considerations regarding de-identification, refer to the Privacy Implementation Notice 2023-01: De-Identification.

5.4 Collection

In the context of digital advertising, the collection of personal information could be privacy invasive when the target audience is not asked to provide consent for the collection or may be unaware of its purpose. Third-party suppliers are subject to private sector privacy legislation that requires, in most instances, the audience’s consent for the collection of personal information. According to sections 4 and 5(2) of the Privacy Act, government institutions can collect personal information only if it relates directly to an operating program or activity, and individuals must be informed of the purpose for the collection. Therefore, when employing third-party suppliers, institutions must ensure that suppliers have obtained the individual’s consent where required, and informed the individual of the purpose for the collection.

5.5 Disclosure

Personal information can be disclosed by an institution only when the individuals from whom the information was collected provide consent or when the conditions listed in section 8(2) of the Privacy Act are fulfilled. Disclosures or transfers of personal information must follow the required contractual clauses listed in section 5.2 of this notice.

According to subsections 4.2.33 to 4.2.37 of the Directive on Privacy Practices, disclosures of personal information between federal programs require an information sharing arrangement. Institutions should first consider the purpose and need to share personal information before completing an information sharing arrangement. It is highly recommended that privacy officials be consulted prior to any disclosures of personal information that was collected for digital advertising.

7.1 Legislation

• Financial Administration Act
• Privacy Act
• Personal Information Protection and Electronic Documents Act

7.2 Related Treasury Board of Canada Secretariat policy instruments

• Directive on Privacy Practices
• Directive on Service and Digital
• Directive on the Management of Communications and Federal Identity
• Directive on the Management of Procurement
• Directive on Security Management
• Policy on Communications and Federal Identity
• Policy on Privacy Protection
• Policy on the Planning and Management of Investments
• Policy on Service and Digital

7.3 Other publications

• Buying advertising that does not exceed $40,000
• Code of Conduct for Procurement
• Government of Canada advertising
• Government of Canada advertising annual reports
• Guidance Document: Taking Privacy into Account Before Making Contracting Decisions
• Guidance on Preparing Information Sharing Agreements Involving Personal Information
• Privacy Breach Management Toolkit
• Privacy Implementation Notice 2020-03: Protecting Privacy When Releasing Information About a Small Number of Individuals
• Privacy Implementation Notice 2023-01: De‑Identification
• Privacy Implementation Notice 2023-02: Personal Information for Program Monitoring, Evaluation and Reporting Purposes
• Privacy Implementation Notice 2023-03: Guidance Pertaining to the Collection, Use, Retention and Disclosure of Personal Information That Is Publicly Available Online
• Standard Contract Clause Inventory

Geo-targeting and geo-fencing

Geo-targeting targets audiences with relevant advertisements based on their geographic location. This method uses radio frequency identification (RFID), forward sortation areas of postal codes, IP addresses, cell towers, Wi-Fi and global positioning system (GPS) data to determine the audiences’ location and provide advertisements that are relevant to the goods or services offered in close proximity. Geo-targeting uses location information in addition to the audiences’ behaviours, interests or demographic, to tailor ads. The collection of location information, coupled with other elements of personal information, increases the possibility of identifying or re-identifying individuals, thus rendering it more privacy invasive than other digital advertising methods. Conversely, geo-fencing targets large audiences based solely on their location. Since geo-fencing is strictly reliant on general location (and no other factors) the risk of identifying individuals is reduced.

Behavioural targeting

Behavioural targeting uses digital markers to target specific audiences based on their search history and previous online behaviour. Because behavioural targeting is based on historical rather than current online activity, the information collected could be inaccurate. Behavioural targeting has the potential to be more privacy invasive than first-party or contextual targeting.

First-party targeting

First-party targeting targets specific audiences based on their profile and relationship with the advertiser. Websites use information collected through direct user engagement in another activity separate from advertising. Examples include when a user signs into an account, makes a purchase, completes a survey, follows a social media account, consents to first-party cookies or subscribes to a mailing list. In this context, the user consents to receiving information from the advertiser. The privacy risks associated with first-party targeting are lower than behavioural targeting and geo-targeting because the user is generally aware of the targeting and provides some level of consent to it.

Contextual targeting

Contextual targeting targets specific audiences with relevant advertisements based on the current web content being viewed. Contextual advertising does not rely on information obtained from cookies. Instead, it relates the advertising to the subject matter of the web page. For example, a website for recipes displays advertisements for ingredients mentioned in the recipe. Contextual targeting does not collect elements of personal information and is, thus, the least privacy invasive of the digital advertising methods addressed here.

Retargeting

Retargeting is a digital advertising method that targets specific audiences with relevant advertisements after a previous event. For example, if an individual visits a web page but leaves before clicking on a link or making a purchase, an advertisement related to that page may later appear as the individual browses other content, in an attempt to regain their attention. Retargeting is a form of behavioral targeting. However, it is often considered more privacy invasive than other forms of digital advertising because it collects information such as individuals’ behaviour, interests, and IP addresses as they browse other websites, thus creating the perception of “being followed” across websites.