Marking 20 years
of bold journalism,
reader supported.

Tell Us Which Websites Improperly Share Private Info

One in four top sites leak personal data. Expose the culprits, privacy commissioner.

Michael Geist 2 Oct

Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can reached at [email protected] or online at

image atom
Privacy Commissioner of Canada Jennifer Stoddart: Clear the air.

Last week, Privacy Commissioner of Canada Jennifer Stoddart released the results of a disturbing new study conducted by her office that found many leading websites "leaking" personal information. The study, which came on the heels of similar findings by researchers in the United States, found that one in every four websites examined suffered from privacy leaks that included disclosing names, email addresses, postal codes, and location data to third party advertisers (in the interests of full disclosure, I am a member of the Stoddart's external advisory board).

The study only covered 25 of the most popular e-commerce and media websites in Canada, suggesting that many more organizations may be violating Canadian privacy law by failing to adequately safeguard the personal information they collect and providing users with insufficient information about how their data is used and disclosed.

The source of the problem appears to be relationships with third party advertising companies, website analytics services, and electronic flyer providers. Using software that captures data sent between a user's browser and a website, along with the data sent between the user's browser and third-party sites, the study identified significant violations.

For example, it found a Canadian-based shopping site that revealed email addresses to 11 third party organizations after asking users to register for an email promotion service. It also found a Canadian media site that disclosed username, email address, and postal code to a content delivery and marketing service, an advertising network, and a news content provider after asking for registration to manage user subscriptions.

Stoddart responded to the report by writing to 11 of the 25 organizations covered in the study to ask how they plan to address potential violations of the law. Yet despite the obvious cause for concern, Stoddart declined to name names, as a release from her office indicated that the "Privacy Commissioner of Canada has not exercised her discretion to publicly name the tested organizations at this time."

Turn on the lights

The decision to keep the public in the dark about privacy leakage raises its own set of concerns. While the study may cause some embarrassment for the affected sites, the preliminary findings suggest that those sites are violating Canadian law. Moreover, by keeping the identities of the sites secret, Canadians are unable to take action to mitigate the risks they face due to the privacy leakage.

The secrecy approach is particularly surprising since Stoddart has publicly admitted that she is uncomfortable with the practice. In her first speech following the renewal of her mandate in Jan. 2011, Stoddart acknowledged "to be candid, I have a growing discomfort with the secretive nature of how we work under PIPEDA." She added that "it seems to me that not naming names is robbing the Canadian public of much of the educational value of our investigative findings."

While this study is not identical to a formal PIPEDA finding, if the concern was sufficient to merit its release and follow-up letters, then the same concern for maximizing the educational value to the public should apply.

The commissioner has named names without the benefit of a full investigation in the past, disclosing investigations of Google and Facebook privacy practices in 2010. Moreover, Stoddart has been a vocal advocate for security breach disclosure legislation, new rules that would require organizations that suffer a security breach to disclose it to anyone whose personal information may be at risk.

Stoddart's focus on greater transparency -- both for organizations that collect personal information and for its own investigations -- is a welcome development that should increase public confidence and awareness of privacy law. The decision to keep the names of organizations leaking personal information secret runs counter to the commitment to transparency and should be reversed.  [Tyee]

Read more: Politics

  • Share:

Get The Tyee's Daily Catch, our free daily newsletter.

Tyee Commenting Guidelines

Comments that violate guidelines risk being deleted, and violations may result in a temporary or permanent user ban. Maintain the spirit of good conversation to stay in the discussion.
*Please note The Tyee is not a forum for spreading misinformation about COVID-19, denying its existence or minimizing its risk to public health.


  • Be thoughtful about how your words may affect the communities you are addressing. Language matters
  • Challenge arguments, not commenters
  • Flag trolls and guideline violations
  • Treat all with respect and curiosity, learn from differences of opinion
  • Verify facts, debunk rumours, point out logical fallacies
  • Add context and background
  • Note typos and reporting blind spots
  • Stay on topic

Do not:

  • Use sexist, classist, racist, homophobic or transphobic language
  • Ridicule, misgender, bully, threaten, name call, troll or wish harm on others
  • Personally attack authors or contributors
  • Spread misinformation or perpetuate conspiracies
  • Libel, defame or publish falsehoods
  • Attempt to guess other commenters’ real-life identities
  • Post links without providing context

Most Popular

Most Commented

Most Emailed


The Barometer

Are You Concerned about Your Municipality’s Water Security?

Take this week's poll