If you have identified your company as a Service Provider, it means that the service you provide enables you to have access to all, or substantially all, URLs accessed by your users and that in the course of your activities as such a provider, you collect and use such user data for online interest-based advertising (IBA) purposes. As an example, you may provide internet access service or desktop application software such as browsers or web toolbars.
Below is a detailed explanation of each of the requirements for Service Providers:
1. Ensuring Transparency
You should provide notice of your data collection practices on your own website. This notice should be clear, meaningful, and prominent, and should describe the following:
The types of data collected online for IBA purposes, including any personal information;
The uses of such data, including whether the data will be disclosed to another entity for IBA purposes;
An easy-to-use way for consumers to exercise choice with respect to the collection and use of data for IBA purposes, or to the disclosure of such data to another entity for IBA purposes; and
The fact that you adhere to the DAAC principles.
2. Providing Choice
Service Providers that collect, use, or disclose data for IBA purposes should provide consumers with the ability to exercise choice with respect to the collection and use of data for IBA purposes, or to the disclosure of such data to another entity for such purpose.
3. Maintaining Data Security
You should maintain appropriate physical, electronic, and administrative safeguards to protect the data collected and used for IBA purposes. You should retain data that is collected and used for IBA only as long as necessary to fulfill a legitimate business need, or as required by law.
The principles identify the following four additional steps that you should take regarding data collection and use when you are engaged in IBA:
Alter, randomize, or make anonymous (e.g. through “hashing” or appropriate redaction) any personal information or unique identifiers in order to prevent the data from being reconstructed into its original form;
Disclose the circumstances in which data that is collected and used for IBA is subject to the above process;
Take reasonable steps to protect the non-identifiable nature of data if it is disclosed to another entity, including not disclosing the algorithm or other mechanisms used for anonymizing or randomizing the data, and obtaining satisfactory written assurance that such entities will not attempt to re-construct the data and will use or disclose the de-identified data only for purposes of IBA or other uses as specified to users. This assurance is considered met if the recipient entity does not have any independent right to use the data for its own purposes under a written contract.
Take reasonable steps to ensure that any company that receives anonymized data will itself ensure that any further companies to which such data is disclosed agree to restrictions and conditions set forth in this subsection. This obligation is also considered met if the recipient entity does not have any independent right to use the data for its own purposes under a written contract.
4. Refraining from Collecting Sensitive Information
Companies shall not collect personal information for IBA purposes from children they have actual knowledge are under the age of 13 or from sites primarily directed to children under the age of 13 for IBA, or otherwise engage in IBA directed to children they have actual knowledge are under the age of 13, unless such collection and other treatment of personal information is in accordance with Canadian privacy legislation.
Companies shall not collect, use, or disclose sensitive personal information for IBA purposes without consent, as required under and otherwise in accordance with applicable Canadian privacy legislation.
A Note About First & Third Parties
If your company also acts as a First Party under the principles and hosts online interest-based advertising on its website, or if it also engages in IBA on other First Party websites by means of a relationship with an advertising network or data company (a Third Party), the principles may impose additional requirements on your activities.