Are companies responsible for privacy practices of third-party links on their Web site?

Companies often put disclaimers on their Web sites, suggesting that they have no control over the third-party Web site and that visitors should refer to that Web site’s privacy policy. In a variation on the theme, companies sometimes require their business partners to implement an acceptable privacy policy. But I would think that none would go so far as to accept responsibility for the third parties’ compliance with the privacy laws.

I’ve recently noticed a public-sector Web site that uses a Web counter that links back to an American Internet advertiser or information broker. The American Web site would likely provide certain services to the hosting Web site – for example, providing information about the visitors to the hosting site.

I checked the privacy policy of the American Internet advertiser. They collect the standard information – for example IP address, browser type, access times, referring URL, etc. – that is of some concern to Internet users. However, an issue of concern in the privacy policy is a statement that they use “pixel tags” (also known as clear GIFs or Web bugs) in their e-mail messages. (Technically, the counter on the hosting Web site is not a Web bug or pixel tag because it is clearly visible. But it does accomplish the same goal as the Web bug.) When embedded in e-mail the Web bugs return personally identifiable information to the Internet advertiser.

When used on a Web site, Web bugs return information similar to that of a cookie. But unlike cookies, Web bugs cannot be blocked unless images are turned off – an unacceptable compromise for most surfers.

Combined, Web bugs in e-mail and Web pages provide a rich source of information to the Internet advertiser. Once the advertiser has your identity (perhaps because you have used a service requiring registration or read their e-mail containing a Web bug), the advertiser will continue to collect personally identifiable information about your surfing habits on their clients' Web sites, even if cookies are blocked but not deleted.

But the issue here is whether the hosting Web site (i.e., the public sector Web site in this case) is responsible for the collection practices of the Internet advertiser. It’s a pretty safe assumption that the hosting Web site is not collecting personally identifiable information in this process.

I think that a reasonable case could be made that the owners of the hosting Web site either authorized the collection by the Internet advertiser in return for site usage information or, more likely, did not exercise reasonable management control over the design and content of the site, which resulted in the offending collection.

In either case, the owners of the hosting Web site allowed the disclosure of, or the indirect collection of, personal information without knowledge and/or consent of the individual. Either of these conditions would result in contravention of various privacy acts across Canada. As a result, management needs to focus on privacy requirements in addition to business issues such as marketing, sales and service delivery.
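For a site owner, one way to exercise that control is to inventory what each page makes a visitor's browser fetch from other hosts, whether a visible counter or an invisible clear GIF. The following is an added example, not part of the original column; the hostnames and sample markup are constructed, and any host other than the page's own is treated as third-party.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose src attribute makes the visitor's browser contact another host.
FETCHING_TAGS = {"img", "script", "iframe"}

class ThirdPartyAudit(HTMLParser):
    """Collect embedded resources that load from a host other than the page's own."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in FETCHING_TAGS:
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return
        # Resolve relative and protocol-relative URLs against the page URL.
        host = urlsplit(urljoin(self.page_url, src)).hostname
        if host is None or host == self.page_host:
            return
        # A 1x1 (or 0x0) image is the classic invisible "clear GIF"; a visible
        # counter triggers the same request, so both are reported.
        tiny = tag == "img" and a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        self.findings.append({"tag": tag, "host": host, "invisible": tiny})

def audit(page_url, html):
    parser = ThirdPartyAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; all hostnames are placeholders.
SAMPLE = """
<html><body>
<img src="/images/logo.gif" width="120" height="40">
<img src="http://counter.adbroker.example/c.gif?site=123" width="88" height="31">
<img src="//track.adbroker.example/p.gif" width="1" height="1">
<script src="js/menu.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for f in audit("http://www.agency.example/index.html", SAMPLE):
        print(f)
```

Each reported host is a party whose privacy policy and collection practices the site owner should review before the page goes live.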

I would prefer that improper collections and disclosures of personal information never occur. But realistically, responsible management will sometimes find themselves in a situation where they have inadvertently crossed the line – either contravening the legal interpretation, or perhaps the spirit and intent of the law. The litmus test of responsible management is how they respond to these issues when brought to their attention.

Boufford, ISP, is president of e-Privacy Management Systems, a consulting firm specializing in privacy and information technology. He can be reached at or