U.S. internet service providers get green light to sell user data — but what about Canada?

Privacy protections designed to prevent U.S. internet service providers from sharing or selling subscribers' personal information with third parties — without permission — were dismantled by U.S. Congress on Tuesday.

It means that information about the apps American internet subscribers use, the websites they visit, and the things they purchase online — among other things — can potentially be tracked, shared, and monetized by third parties, unless those users opt out.

You might be pleased to learn that Canada, which often follows the U.S. lead on technology issues, has taken a different approach. Here, internet service providers can only share your personal information with third parties with your express consent.

Tamir Israel, a staff lawyer at the Canadian Internet Policy and Public Interest Clinic, says you have the privacy commissioner of Canada and the CRTC to thank. 

Both organizations have released decisions in recent years that effectively limit the information internet service providers can collect and use for secondary purposes, such as marketing, without your consent.

Pitfalls of relevant ads

In 2013, the privacy commissioner launched an investigation into a new Bell initiative called the "relevant advertising program." The Canadian telco used network usage information, as well as account and demographic information, to build advertising profiles that could be used by third parties to target specific audiences with ads.

In other words, advertisers could target Bell users that visited certain websites. Browsing history or frequently used apps could also be used to infer users' interests. Users could be further targeted by age, phone model or credit score. Bell also indicated that it might use home internet usage, television viewing history and calling patterns to build ad profiles in the future.

This sort of thing is fine — but only if customers opt in, or choose to allow their personal information to be used in this way. In this case, however, Bell designed the relevant advertising program to be opt-out, the default for Bell users unless they said otherwise. This is the current reality for internet users in the U.S.

"Bell should not simply assume that, unless they proactively speak up to the contrary, customers are consenting to have their personal information used in this new way," Privacy Commissioner Daniel Therrien said at the time, recommending that Bell make its program opt-in.

By combining a user's personal information with their usage information, "they kind of crossed a line in what they proposed they wanted to do," said David Fraser, a partner at the law firm McInnes Cooper, who specializes in privacy issues. "If any other telco was looking at doing that before, they've mostly changed their mind."

Even earlier, in 2009, the CRTC reviewed the internet traffic management practices of Canadian ISPs — the hardware and software ISPs use to track and manage how customers are using the network, for the ISPs' own business purposes.

Although the review was not specifically focused on marketing or ads, the CRTC said in its decision it was taking steps "to ensure that personal information collected for the purpose of managing internet traffic is not used for other purposes and is not disclosed."

Bell ultimately chose to close its old marketing program, but it now has a new program — one that, following the privacy commissioner's recommendation, is opt-in.

So there's no data sharing at all?

Even though Canadian ISPs can't share personal information with third parties without your consent, it doesn't mean they're not sharing any data at all. 

Rogers, Bell and Telus, for example, say they may share de-identified information — data that has been stripped of personal information — with third parties, without your consent.

This may be done for "research, planning, or product and service development," according to Telus, while Bell says it may be done "to provide social benefits (such as assisting municipalities with traffic planning) and to develop analytic marketing reports for our use and for the use of our partners."

What's the problem with that? Researchers have shown that, in some cases, users can be re-identified when de-identified data is combined with other sources of data. It's enough of a concern that some companies explicitly forbid re-identification in their terms of use. 

But by and large, Fraser sees the collection of de-identified data as much less of a concern than other types of data. "It's aggregate information," he said. On its own, "it really doesn't tell you anything about any individual."

Of course, knowing things about individuals is exactly what marketers want from ISPs. In Canada, they'll have to keep waiting. In the U.S., not so much.