One of the most significant innovations regarding the digitalization of telemarketing activities and business marketing is the ability to target groups of individuals in order to deliver advertising material that is relevant, and at the right time. Targeted advertising is certainly one of the most common forms of profiling, although it can also be used in other situations. In sum, profiling is the analysis and prediction of behaviour based on personal information.

Examples of automated profiling include:

  • pricing a product based on the interests, reliability, behaviour and location of a physical person;
  • suggesting products based on a consumer's purchase history, economic situation, preferences and interests;
  • creating human resources profiles based on work performance, statistics on technology use and other attributes automatically collected by work tools;
  • and, of course, the famous consumer credit report based on financial health, purchases and debt ratio, for example.

Some types of profiling are already subject to significant regulatory restrictions. For example, case law has established that insurance premiums must be based on actuarial evidence in order not to be discriminatory.1 To this set of rules, must now be added the proposed amendments under Bill 64.

What is profiling under Bill 64?

In fact, the definition under Bill 64 is almost an exact copy of the one under the General Data Protection Regulation (the "GDPR") and reads as follows:

"the collection and use of personal information to assess certain characteristics of a natural person, in particular for the purpose of analyzing that person's work performance, economic situation, health, personal preferences, interests or behaviour."2

Note the use of the terms "collection" and "use," which excludes the "disclosure" of personal information. As a result, when the collection is on behalf of a third party, it is the final user who must ensure compliance with all requirements under the Law.

The new profiling obligations that are proposed are for both public bodies and private companies.

What new obligations are proposed under Bill 64?

Before using any technology that enables the profiling of an individual, two requirements must be considered:

  1. informing the person to be profiled of the use of such technology;
  2. informing that person of the means available, if any, to deactivate the functions that enable such profiling.

The right to deactivate the profiling functions must be analyzed on the basis of the "free" business model provided in exchange for the opportunity to engage in profiling, such as for targeted marketing.

In such circumstances, can such a business refuse to provide the service, given that section 9 of the Private Sector Act currently provides certain exceptions to when the collection of personal data may be required in order to provide a service?

It should be noted that, in addition to profiling, the obligations set out above also apply to any technology that allows an individual to be identified or located.

With regard to identification, one can expect practical difficulties when applying the proposed amendments in this context. For example, predictive algorithms can identify individuals, but only with the use of personal information. In this case, is it the technology that identifies individuals or the individuals who identify themselves by providing their personal information? Is this distinction relevant? These nuances have to be clarified in order to determine the scope of these new sections.

In addition to the means to deactivate the profiling functions, bear in mind that under the amendments, individuals will also benefit from the following rights:

  • the right to withdraw their consent to the processing of their personal data;
  • consent must be clear and express as soon as the information "entails a high level of reasonable expectation of privacy," in which case the individual's consent must be given in advance;
  • the parameters of technological products and services must, by default, provide the highest level of confidentiality, without any intervention by the individual.

In practice, companies will have to review their practices, such as with regard to the tracking "cookies" they use.

Cookies, Profiling and Consent – Key Takeaways

In many cases, electronic profiling occurs through the use of cookies or other similar profiling technologies. Cookies are basically small files that that store different information regarding the behaviour of internet users while online, such as their buying habits, interests and active hours online.

Based on case law and legislative developments in other jurisdictions, it is expected that targeted marketing and other forms of profiling and/or the automated processing will constitute sensitive data processing. If necessary, explicit consent will be required.

At any rate, even in cases where the processing does not involve sensitive data, technological services will have to use the highest level of confidentiality, without requiring the intervention of the particular individual. If applicable, it seems that the installation of targeted marketing cookies would not be possible without some type of positive action by the individual, because the parameter must, by default, be confidential.

These interpretations are to be confirmed; however, the use of cookie consent banners in connection with targeted marketing may be on the horizon. 

It will be interesting to monitor the interaction between the rules under the federal anti-spam legislation that is applied and interpreted by the Canada Radio-television and Telecommunications Commission and the interventions of the Commission d'accès à l'information with regard to profiling obligations.

Some Practical Tips …

  • prepare an inventory recording personal data processing administered by your organization;
  • identify personal data processing that could constitute profiling as well as the personal information used for this purpose;
  • determine how consent, its withdrawal and the default parameters must be implemented;
  • update your confidentiality policy;
  • ensure that you verify whether the profiling is resulting in a decision based solely on the automated processing of personal information.

Footnotes

1 See, inter alia, Zurich Insurance Co. v. Ontario (Human Rights Commission), [1992] 2 SCR 321.

2 Sections 18 and 99 of Bill 64.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.