Survey Fraud Solution May Breach Privacy Law

The practice of 'digital fingerprinting' may breach Canadian privacy laws - and by extension those of many European and Asian countries - according to a statement today by Canada's Marketing Research and Intelligence Association.

A legal opinion sought by the MRIA says the technology may fail the laws' 'reasonableness test' because it collects more information than is necessary to identify fraudulent and duplicate respondents in online research.

Digital fingerprinting technologies typically collect about 100 different data elements from respondents' computers, including items such as IP address, language settings, software programs and plug-ins installed: these are then processed to produce a unique ID for each computer that visits an online survey site.

While they are in themselves anonymised, the process of identifying and removing fraudulent and duplicate respondents requires the unique machine IDs to be linked to identifiable panel members. As a result, the MRIA says its legal opinion asserts that it is 'highly likely' the data constitutes Personal Information as defined in Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).

MRIA President David Stark explains: 'Canada has a comprehensive privacy law that is broadly similar to data protection laws found in Europe, Argentina, Australia, New Zealand and Japan. Therefore, the privacy issues and potential liabilities associated with digital fingerprinting in Canada could be applicable to these and other jurisdictions.'

As a consequence, the MRIA says firms should not conduct digital fingerprinting in a surreptitious manner, and 'at a minimum, research firms that wish to use digital fingerprinting should create a specific consent document rather than rely on a simple amendment to their privacy policies. Easily understandable references to the type of information collected and the purposes for which it will be used should be presented to respondents before or at the time when their explicit consent is sought.'

PIPEDA places an obligation on organizations to exhaust other less privacy-invasive alternatives before they resort to collecting Personal Information in a privacy-invasive manner.

The opinion was prepared by Brian Bowman of Pitblado LLP, who the MRIA says is recognized as one of Canada's leading authorities in privacy law and technology matters. Says Stark: 'Our association is currently exploring alternative solutions that our members can use to identify fraudsters and duplicates in online research'.

Web site: www.mria-arim.ca .

All articles 2006-23 written and edited by Mel Crowther and/or Nick Thomas, 2024- by Nick Thomas, unless otherwise stated.