Are companies responsible for privacy practices of third-party links on their Web site?
I’ve recently noticed a public-sector Web site that uses a Web counter that links back to an American Internet advertiser or information broker. The American Web site would likely provide certain services to the hosting Web site – for example, providing information about the visitors to the hosting site.
When used on a Web site, Web bugs return information similar to that of a cookie. But unlike cookies, Web bugs cannot be blocked unless images are turned off – an unacceptable compromise for most surfers.
Combined, Web bugs in e-mail and Web pages provide a rich source of information to the Internet advertiser. Once the advertiser has your identity (perhaps because you have used a service requiring registration or read their e-mail containing a Web bug), the advertiser will continue to collect personally identifiable information about your surfing habits on its clients’ Web sites, even if cookies are blocked but not deleted.
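A site owner can check its own pages for this kind of embedded third-party image. The following is an added example, not part of the original column: it lists images fetched from another host and marks those that look like Web bugs. The host names and sample page are constructed, and treating 1x1 or hidden images as likely Web bugs is an assumed heuristic.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class ImageAudit(HTMLParser):
    """Collect <img> elements fetched from a host other than the page's own."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.site_host = urlparse(page_url).hostname or ""
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = urljoin(self.page_url, a.get("src", ""))  # resolves relative and //host URLs
        host = urlparse(src).hostname or ""
        # No host (e.g. data: URI), same host, or a subdomain counts as first party.
        if not host or host == self.site_host or host.endswith("." + self.site_host):
            return
        style = a.get("style", "").replace(" ", "").lower()
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        hidden = "display:none" in style or "visibility:hidden" in style
        self.findings.append({
            "host": host,
            "src": src,
            "likely_web_bug": tiny or hidden,                # assumed heuristic
            "carries_query_data": bool(urlparse(src).query),  # data sent with the request
        })

def audit(page_url, html):
    """Return one finding per third-party image embedded in the page."""
    parser = ImageAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: a first-party logo, a 1x1 counter, a visible partner banner.
SAMPLE_URL = "https://www.agency.example/services"
SAMPLE_HTML = """
<img src="/img/logo.png" width="120" height="40">
<img src="//counter.adbroker.example/hit.gif?site=agency&page=/services" width="1" height="1">
<img src="https://cdn.partner.example/banner.png" width="468" height="60">
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_URL, SAMPLE_HTML):
        print(f["host"], "likely web bug" if f["likely_web_bug"] else "third-party image")
```

Every host in the output receives a request from each visitor's browser, so each one is a party whose collection practices the site owner should know about.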
But the issue here is whether the hosting Web site (i.e., the public sector Web site in this case) is responsible for the collection practices of the Internet advertiser. It’s a pretty safe assumption that the hosting Web site is not collecting personally identifiable information in this process.
I think that a reasonable case could be made that the owners of the hosting Web site either authorized the collection by the Internet advertiser in return for site usage information, or more likely, the owners did not exercise reasonable management control over the design and content of the site, which resulted in the offending collection.
In either case, the owners of the hosting Web site allowed the disclosure of, or the indirect collection of, personal information without the knowledge and/or consent of the individual. Either of these conditions would result in contravention of various privacy acts across Canada. As a result, management needs to focus on privacy requirements in addition to business issues such as marketing, sales and service delivery.
I would prefer that improper collections and disclosures of personal information never occur. But realistically, responsible management will sometimes find themselves in a situation where they have inadvertently crossed the line – either contravening the legal interpretation, or perhaps the spirit and intent of the law. The litmus test of responsible management is how they respond to these issues when brought to their attention.
Boufford, ISP, is president of e-Privacy Management Systems, a consulting firm specializing in privacy and information technology. He can be reached at John.Boufford@e-Privacy.ca or www.e-Privacy.ca.