
ETHI Committee Meeting


Standing Committee on Access to Information, Privacy and Ethics


NUMBER 055 | 1st SESSION | 41st PARLIAMENT

EVIDENCE

Tuesday, November 6, 2012

[Recorded by Electronic Apparatus]

  (1530)  

[Translation]

    Order. We will begin. As you know, in accordance with today's agenda, we are continuing the study on privacy and social media.
    With us today is Mr. Bartus, who is here on behalf of Nexopia. He is joined by Mark Hayes, from the Heydary Hayes law firm. He will be able to answer more specific questions, if the committee wishes.
    Without further ado, I will let Mr. Bartus begin his 10-minute presentation. Following that, as usual, we will have some time to ask him questions.
    Mr. Bartus, go ahead.

[English]

    My name is Kevin Bartus. I’m the CEO and owner of Nexopia Incorporated, the operator of nexopia.com. With me is Mark Hayes, the managing director of Heydary Hayes PC. Mark is a well-known privacy lawyer in Canada who is advising Nexopia on privacy matters, and I would ask the committee’s indulgence in allowing Mark to join me in order to assist with any technical privacy questions.
    Thank you for inviting us to join you today. I want to apologize in advance for any areas in which my knowledge is lacking. As you know, we were made aware of this meeting less than a week ago and we’ve only owned Nexopia for a month. That said, my own background in digital media is fairly extensive. I own and run Ideon Media, a Canadian digital advertisement network. I also own and run Maple Media, a Canadian digital publisher. I was the original vice-president of Digital Media for Rogers Media in Toronto, and I built one of the early dot-com web developers called Blue Spark.
    Nexopia was founded, as many of you know, in 2004 by an Edmonton-based teenager as an open community for Canadian youth, a sort of MySpace for Canadians. The site grew rapidly and attracted professional investment a few years later. With the meteoric rise of Facebook, however, sites like Nexopia and MySpace retreated to a core user base. Nexopia had over two million members a few years ago, but focuses on a core of about 200,000 today.
    Comscore Canada currently lists 70 social networking sites larger than Nexopia in Canada, including major U.S. sites such as Facebook, which has about 22.4 million monthly unique visitors, according to Comscore Canada in September 2012. LinkedIn has about 5.3 million; Pinterest has about 2.8 million; MySpace, 1.4 million. And there are sites that are closer to Nexopia's size, such as Tagged, with 219,000; Multiply, with 181,000; and Hi5 with 152,000.
    Over the past few years, major newspaper, magazine, and broadcast media websites have introduced extensive social networking capabilities, allowing users to post personal profiles in addition to participating in online forums. Meanwhile, social networks like MySpace have begun to integrate original content relevant to their core audience. In MySpace's case, it's content like music and entertainment. The line between social networks and media sites has become blurry indeed.
    Smaller sites like Nexopia generally focus on a niche, and Nexopia focuses on young Canadian adults, aged 16 to 24. The focus has worked. Nexopia members are more engaged than members on most other social networks, with about six minutes and 14 pages per visit, compared to an average of about five minutes and 10 pages for the Comscore category overall of social networking sites.
    Nexopia fills a vital niche for young Canadians. In addition to being the only major Canadian-based social network, Nexopia allows young Canadians to meet others who may not already be in their offline social network, as opposed to Facebook and LinkedIn, which focus on real-world identities. This social discovery function of meeting people who users don’t already know is particularly important in Canada, where members may live in smaller physical communities and have trouble finding like-minded others. It's also critical for young Canadians who may not yet have been able to find like-minded others who share their experience.
    Nexopia’s ambition is to be a clean, well-lit community place for social discourse, and as such, Nexopia is a rigorously moderated community. There are about 20 moderators who review every picture before it's posted, every forum post, and every abuse complaint.
    Nexopia does not use profile or other personal information to target advertising. This is both a commitment to the community and also a practical reality, because such advertisement targeting really only works at a large scale. Advertisers who are interested in Nexopia’s demographic become less interested when the membership is subdivided into smaller and smaller segments, simply because there are then too few members to constitute a meaningful advertising campaign.
    Partly because of Nexopia’s success among young Canadians and its open nature, Nexopia attracted the interest of the Privacy Commissioner in 2010, and in March 2012 the Privacy Commissioner issued a detailed finding.
    This report includes 24 recommendations. In case you haven't read it, it's broadly in three areas: first, the completeness of the site’s privacy policy and the ease with which informed consent could be given; second, the openness with which profiles were being shared, particularly among non-members and with members who were not friends; and third, assuring members that when they leave the community, their data is permanently deleted.
    For a number of reasons, the prior owners chose to sell the company following the release of the commissioner’s recommendations. I purchased Nexopia Incorporated from the prior owners on September 30, 2012—about a month ago. Since that time, we've been actively engaged with the Privacy Commissioner to ensure that all privacy issues are addressed.
    Some of the required changes to the site will require significant time and development. We've worked out a schedule with the commissioner’s office for dealing with all of the commissioner’s concerns and expect to be fully compliant with the commissioner’s recommendations by April 30, 2013.
     I'm happy to report that we've already completed the implementation of some of the recommendations.
     We believe that young Canadian adults deserve an online home. In our view, this should be a clean, well-lit community with ample moderation that also integrates relevant content in areas such as music and entertainment. Nexopia members have been incredibly loyal over the past few years, and we intend to reward that loyalty with new investments in functionality and content.
    Most Canadians experience the Internet primarily as a U.S. phenomenon, with a few local sites from Canadian newspapers and broadcasters. We are deeply committed to the belief that the Canadian experience is enriched with Canadian-owned and Canadian-operated websites. However, the scale economies of running an online business mean that the same costs in content and technology are simply spread over a user base and advertising market one-tenth the size of the U.S. This creates financial and technological hurdles that can be a challenge.
    In the past year we have witnessed many of the large Canadian media companies backing away from advertising-driven, online-only initiatives. During 2012, Rogers Media closed down virtually every online-only acquisition it had made over the last few years, including branchez-vous.com, sweetspot.ca, and canadianparents.com. Also during 2012, Transcontinental shuttered WOMAN.ca, and Torstar closed parentcentral.ca. Last month, both Torstar and the Globe and Mail announced paywalls, which may or may not have been wise long-term financial decisions, but the resulting smaller audience will most certainly erode their ability to attract digital advertising. There are precious few successful online-only initiatives that focus on Canadian consumers and Canadian advertisers, and we are proud that Nexopia is one of them.
    Canadian privacy regulations serve an important role in protecting Canadians and in levelling the playing field among digital corporations. But launching a major advertising-sponsored online initiative already takes significant capital resources and several years. I ask that you tread carefully when making this any more challenging than it needs to be.
    Mr. Hayes and I would be pleased to try to answer any questions the members of the committee may have for us.

  (1535)  

[Translation]

    Thank you very much for your presentation.
    Let's now move on to a question and answer period.
    Mr. Angus, you have seven minutes.

[English]

    Thank you, Mr. Chair.
    Thank you, Mr. Bartus and Mr. Hayes, for coming. We really are appreciative that you have come on relatively short notice. As you know, as a committee, we are looking at what steps we need to take as legislators, if any, in terms of ensuring that we're developing the incredible online potential for innovation and for communication, while also ensuring protection of Canadians' data.
    We've learned again and again that our Privacy Commissioner has a very high level of respected expertise worldwide in being able to adjudicate these issues, probably much greater expertise than we parliamentarians do. We would prefer, at least in the New Democratic Party, to rely on the Privacy Commissioner's judgment as much as possible.
    I understand that there were 24 recommendations following the investigation into Nexopia. You are now the new owner, so you are dealing with what was done before you came on.
    We were under the impression, from reading the Privacy Commissioner's report, that there were four recommendations that the previous owners of Nexopia had refused to implement. Will you be in compliance with the 24 recommendations? Is that the plan?
    Yes, it is.
    Are you saying that what you need is time to meet that because of the technical issues?
    Yes. In fact, we were in discussion with the Privacy Commissioner prior to the closing of the acquisition. One of the things I wanted to look into was whether the timeframe would be able to be reset from what was given to the previous owners. Mark and I spoke with them at some length, and we were able to establish a timeframe that we think works.
    That's excellent.
    Again, wherever we have met with experts, players in the field...we keep hearing very good things about the Privacy Commissioner.
    Have you found the Privacy Commission to be reasonable in terms of...? Well, they're expecting compliance, but in understanding that as new owners you are trying to be compliant, are they willing to work with you on this?
    Yes, I would agree.
    In fairness, I don't have experience with many other privacy commissioners, but this one has been reasonable with us, for sure.
    Excellent.
    One of the recommendations that the previous owners had not moved on was recommendation 19, which was to develop and make available on its website appropriate information to explain the policies and procedures to non-users and users alike. They had not been in compliance with that.
    I noticed today that the privacy policy at Nexopia has not been updated since November 2, 2009. That seems to be a long time behind us. Do you expect that you'll be able to update that policy statement soon enough?

  (1540)  

     Yes. We've broken the timeframe into a few main chunks. Updating the privacy policy is obviously easier than some of the other stuff. We expect to do that pretty quickly.
    The closing has had a number of elements, and there have been some delays in it, including access to both the technology and the financial records, and that kind of stuff. We haven't done that as quickly as we'd like, but it should all be within the timeframe.
    Mark, do you want to add anything?
    I think the privacy policy should be updated. I think the timing we're looking at is somewhere about the end of November or early December. We should be able to deal with it relatively quickly.
    Excellent.
    It seems that most of the concerns that were causing a dispute were on the deletion of information and the deletion of accounts. The Privacy Commissioner said:
...there are security risks inherent in retaining vast amounts of former users’ personal information, long after it has served its original purpose.
...our Office is concerned that Nexopia's users are being misled into thinking they can delete their personal information at some point, if they want to.
    In this respect, Nexopia is retaining personal information without users' knowledge and consent. To us, that's a very serious issue, and we've heard that again and again, not in terms of your business model, but on the overall participation of especially young people, who, if they want to pull out, should be able to pull out.
    Is it a technical issue that is going to be a barrier to meeting this recommendation? Do you see this as taking a bit longer? What is it? Is it technical or was it just part of a business model?
    Both. I think it's probably the latest chunk and the reason the timeframe is April and not December.
    There are a couple of issues. One of them is the technical definition of what needs to be deleted—for example, a posting in a forum that another person started, so one person starts a thread and somebody else contributes to that thread and then that person leaves. It's both technically challenging and really without precedent anywhere else on the web for that whole thread to disappear. So that person's comments....
    For example, if you go to a newspaper site today and you comment on a story and then you decide that you no longer want to be a member on that newspaper site, or whatever it might be, they don't delete your comments in those threads in any one that I've come across.
    So I think to some degree there wasn't an engagement with the definition of what the owners were supposed to delete.
    The second challenge is this. Nexopia has had a long track record of cooperating with law enforcement authorities on different investigations and didn't want to compromise that. Again, it's hard for me to speak on behalf of the previous owners, but there were a number of reasons—some voiced in those recommendations and findings and some voiced privately—that caused them not to move.
    The technical part of deleting older data is less challenging than defining what exactly they were supposed to delete.
    Okay. Yes, I noticed that the Privacy Commissioner had recognized your willingness to work with law enforcement. She did say, though, that it:
...may justify a longer retention period in specific cases, but they do not justify wholesale and indefinite retention of all records....
    That was something they had clarified.
    Your company sounds really interesting, and I'm really glad you're here to be able to get your side on the record. Dr. Valerie Steeves, who is very respected, made comments about you, and also John Lawford was here, and I'm sure you're very well aware of him. Both of them talked about the problem of.... She said that Nexopia seemed more interested in the monetary benefit of keeping data than privacy considerations.
    You have the online forum; you have the advertising component. How do you balance out those two sometimes competing interests when the issue of privacy is put in the prism?
    I'm unaware of any financial benefit of keeping the data longer than some period of time. I did listen to her testimony. I haven't spoken with her and I don't know what she was getting at.
    Regarding keeping data of users who have gone, the only reason it's there is we're trying to figure out how to get rid of it technically, and from a business perspective, which parts of it to get rid of. Our feeling now is that certainly the profile data and any data—a blog, for example, that the user has posted—should vanish when the user leaves. Our thought is that perhaps you want to keep the data around for a little while in case the user wants to come back, so for a few months certainly you want to be able to say to the user, “Are you sure you don't want to come back? Here is what your friends have been doing”—that sort of thing. But certainly there is no business reason that I'm aware of for keeping the data longer than perhaps two years.
    Thank you very much.

[Translation]

    Thank you.
    I yield the floor to Ms. Davidson, who has seven minutes.

[English]

    Thank you, Mr. Chair.
    Thank you, gentlemen, for being with us this afternoon.
    It's certainly an interesting topic, and it was interesting to hear what you had to say regarding your company. You've only owned it for about a month.

  (1545)  

     Yes.
    I want to go back to the Privacy Commissioner. It sounds as though you have established a fairly reasonable working relationship with the Privacy Commissioner, so I'm glad to hear that. As my colleague across has said, we've heard that from many different people who have dealt with the commissioner, so I'm glad to hear that you've had the same experience.
    There were 24 recommendations that were made to the prior owners of your company, and there were 20 that were agreed to be implemented. As my colleague said, there were four that weren't. Did the former company implement any of those recommendations, or are they all outstanding? There were dates, I see, June, September.
    Yes. It's probably unfair for me to comment on much of what they did. At present there are, I believe, four of the recommendations implemented, primarily around a program that used to be called Earn Plus, where the sensitivity was that the data may have been shared outside of the organization. So that's fixed.
    As the previous gentleman stated, the privacy policy is the next up to be fixed. That's relatively straightforward. The difficult ones are the true deletion one, which you referred to, and also the adjustment of profile settings, keeping some stuff public and some private, some to other members. That involves functionality changes that need to be thought through.
    But it's your intention, then, to carry forth with the outstanding recommendations—
    Oh yes.
    —and you gave the date of April 2013. Was that for the remainder of the outstanding ones?
    For the totality of all of them, yes.
    I don't know, Mark, if you want to come in on the interaction with the Privacy Commissioner.
    Yes. We had a discussion with the Privacy Commissioner even before Mr. Bartus purchased the company. We came to an arrangement with respect to the timing. As you saw in the recommendations, they were done in two steps. These are going to be done in two steps. The first set have to be done by, I believe, January 31 and the rest of them by April 30. We've told the Privacy Commissioner's office that we expect to have these recommendations done, in many cases, before that time, and we've committed to the commissioner's office that we will give them a report on a regular basis. We actually were going to give the first report, I think, today or tomorrow, but our appearance here has perhaps delayed it by a couple of days.
    Certainly we've had a very good working relationship with the commissioner's office. I can't speak for them, obviously, but it's worked out quite well, we think. Everybody's moving forward extremely positively. As Mr. Bartus said earlier, it's been something that has been a very useful thing in terms of the company turning around its practices and turning around its business.
    Thank you.
    Some of the people we've had give testimony here before this committee have stated that the Privacy Commissioner might need increased powers in order to compel companies to follow the privacy laws. Do you think that's necessary, or do you think that based on your experiences there are enough teeth in what the Privacy Commissioner is directing?
    I'll answer to the best of my ability, and then Mark probably has a better thought-out perspective on this.
    The process that we've engaged in is working. I would not have purchased the company had we not been able to engage with the Privacy Commissioner prior to the transaction. It just would have been unknown what was going on.
    In terms of having more teeth, again, the process works, and I don't know what other teeth there could have been. People have discussed penalties and there are all kinds of unintended consequences of any of that stuff happening. I mentioned in passing that I haven't dealt with another privacy commissioner, and I don't know in other countries what works and what doesn't work. This has worked. They've flagged the recommendations. We've set out a pattern of remedying those recommendations. It's not clear to me what else would work better.
    The only comment I'd make is that the current federal Privacy Commissioner has a very interesting role as an ombudsman, as a privacy advocate, that she's able to do because she's not also judge and jury. She doesn't do any adjudication. Once you change that role, where now the Privacy Commissioner is also adjudicating, is also instituting penalties and so on, to some extent, then, it can affect the other role. So if the Privacy Commissioner were to have those kinds of powers, it's entirely possible that the balance that now exists in terms of the ability to be able to advocate, the ability to be able to work with privacy commissioners around the world, as this commissioner has done extremely well, may in fact be somewhat compromised. It just changes the nature of the balance.
    So far we've had this law in place for well over a decade. It's worked reasonably well. It has allowed a certain flexibility and a certain ability to make recommendations without a heavy hand, with the backup of the Federal Court if in fact there is a problem that can't be resolved. I think most people in the industry think it's actually worked quite well.
    I think you'd want to be very, very careful in upsetting the balance that now exists, in terms of giving powers when we don't know how exactly they're going to work.

  (1550)  

    One of the things we've heard over and over again is that privacy policies can't be understood by any users, that you need to be a lawyer to wade through the pages of the policy.
    What would give users a better understanding of what those privacy policies are? Could they be simplified, put in plainer language, shortened?
    The PIPEDA legislation and related legislation is complicated. In order to be comprehensive enough to respond to it, it has to be written by a lawyer. There are some companies that have taken shots at doing plain language versions. Getting a version written by a lawyer is costly, and then trying to transfer it to plain language is costly as well. Trying to, as some people have suggested, translate it to something a child can understand is unfathomable to me.
    I think it's more important that the sites follow their own policies—that they don't keep information over a period of time and that they allow informed consent—than it is for the policy itself to be readable. The reality is that most people just click on the policy and accept it. Even my 11-year-old child has already learned that's how you navigate the Internet.
    I think it's important that the policies be comprehensive and that they actually say what the site is going to do with the information. In all candour, I am completely unaware of any way in which you can make them more legible. I've tried, and it's a genuine talent.
    The other thing is, things change. A new technology evolves or a new regulation evolves, and then you have to change it. A large company may have the resources to devote to writing a policy and then rewriting it in more easily readable language, but it's a high challenge, and I don't know how to tackle it.

[Translation]

    Thank you.
    Unfortunately, the time is up. However, Mr. Hayes, if you have anything to add, you have a few seconds to do so.

[English]

     I've helped hundreds of companies deal with privacy policies, and you're stuck in the middle. If it's too detailed, then people complain because it's hard to understand. If it's not detailed enough—and this happened with some of the early decisions when PIPEDA first came in—then you're not giving enough information to allow informed consent. So you're caught in the middle.
    It can't be too long and complicated, but sometimes it has to be. At the same time, it can't be too simple and too short because then you're leaving things out and you're not telling them enough to give informed consent. It's a very difficult balance to get. Clearly, if you're risk averse, you're going to say more rather than less, and that makes it more complicated. I don't think there's an easy answer. Some people have tried. I must say that the efforts that have been made are sometimes very amusing, but they're not particularly informative.

[Translation]

    Thank you.
    I now yield the floor to Mr. Andrews, who has seven minutes.

[English]

     Mr. Hayes, what have they tried to do to make this simpler? We've heard this debate. I get exactly what you just said. You want to make sure it's neither complicated nor incomplete. But what have they tried?
    I can't give you chapter and verse, but there are some sites in the U.S. that have privacy policies that are three lines long: “We won't use any of your information for anything. We promise.” It's that kind of thing. It's not particularly informative. It doesn't really tell you, as we're required to do under our law, who is the contact, who is the person, how you withdraw your information, how you withdraw consent, etc. We have a lot of requirements in our law that the U.S. companies don't address, because they don't have privacy laws like ours.
    Some of them are quite amusing, but they're not useful in providing information to consumers. If there were an easy answer, I think people would be doing it. We've had 13 or 14 years of doing these policies. If there were an easy way to make them both really simple and also compliant with all the technical rules, I think we would have already done it. I think most of us are trying our best to explain the policies in language that is not overly technical but that also covers the waterfront.

  (1555)  

    Would you give any other recommendations to the Privacy Commissioner's office? I'm pretty impressed by the way you guys have worked with that office. Is there anything you would recommend that she'd be able to streamline a little bit better, the whole process you went through? Or was it acceptable?
    I was very impressed with their willingness to discuss with us before the transaction what they would do if we did a transaction. I honestly think it was pretty good.
     The federal commissioner's office is a very reasonable, very business-like sort of office. The problem the previous owners of this site had is they didn't engage with the commissioner's office, and if there's one piece of advice I would give to any Canadian business, it would be that if you have a privacy issue, engage with the commissioner's office. You may not like all the advice you get, but you're going to be able to work something out.
    One of the things we heard when we were in Washington was that they didn't want to stifle business. They didn't want to try to stifle this industry so that it can't develop.
    Your perspective is interesting, sir. You came into this while you were purchasing a company and had to go through this. Where was this privacy issue on your radar when you were trying to purchase this company? Was it a challenge? Did you get cold feet and wonder what you were getting involved with?
    Is this an official question?
    If you Google Nexopia, it's one of the first things that comes up. You'd have to be incompetent to not know this was an issue, and the previous owners brought it up as well. It's a pretty obvious issue.
    I would not have bought it had I not, in all candour, found a privacy lawyer who understood the process and who to call. I wouldn't have known who to call or what to ask. I would not have bought it, but we were able to engage and they were able to provide direction, and then they stood by their word. They did what they said they were going to do. They certainly weren't on the hook to do it, but they have played the role we hoped they would play.
    We haven't finished implementing all the recommendations, but like anything else, when you really engage in what it is, the true deletion thing that your colleague brought up earlier...once you're really engaged in what it is, it gets a little easier. You get them up closer and ask if you can do this or that and if you can get that done.
    Again, I don't want to speak too much for the prior owners, but I think they froze up a bit at the enormity of it and they said they were done.
    I have a question on advertising. You talked about no targeted advertising, and this is something we've had a discussion on, how sophisticated targeted advertising can be. You mentioned that if you try to break it up, the samples get too small.
    Just fill us in on your views on targeted advertising. Should we be concerned about targeted advertising?
    As you're aware, there are industry bodies. You had the CMA up. IAB Canada is also well versed in this, and they can probably better answer what concerns you should or shouldn't have about targeted advertising.
    My point with scale is that targeted advertising only works at scale. If you're trying to reach mothers who have two kids who live in Ottawa, you're not going to reach them on any one particular site. There might be an Ottawa-based parenting site—I'm sure there is. Most of our advertisers are big advertisers. They have a lot of boxes of stuff, right, so they want to reach a lot of these people. You have to do it at scale, and the only way to do it is with targeted advertising using some sort of database of information. Nexopia is really too small to be much of a contributor to that database. Many data providers do that, and you've had people testify for you who are very adept at that sort of targeting.
    As to whether you should be scared or looking at it for regulation—I forget if it was you, I'm sorry, but one of you mentioned that when you went down to the U.S., they said they didn't want to stifle innovation. There's a lot of innovation in advertising technology. It's not my area of expertise. It's not something we use particularly heavily. It doesn't work as well in Canada because the scale simply isn't there. When you're dealing with 300 million Internet users in the U.S., or whatever the number is exactly, it works better. Data providers in the U.S. are far more numerous. The technology is far more sophisticated. In Canada it has been a struggle.
    It is coming along, but my own feeling in that area is that the data targeting stuff is not as useful as it is in the U.S.

  (1600)  

    Could I just add one little point? It is really important to distinguish between anonymous, targeted advertising where what you're trying to do is serve the ads to people who would be closest to their interests. So if they've been browsing auto sites, they are going to get auto ads. If they have been browsing skiing sites, they're going to get skiing ads. If that's done completely anonymously and is just based on their browsing habits, it's pretty benign. The only criticism I've ever heard, and you've probably heard it, is that some people find it creepy, which is not exactly a phrase I've seen in PIPEDA or any other legislation.
    The thing you have to worry about is where those particular profiles are then matched with offline information and then brought into a profile that allows you to identify people. That can be a problem, and that is something that has to be closely looked at, but those are two very different problems. Sometimes you have to be careful not to mix the two.

[Translation]

    Thank you.
    Unfortunately, your time is up, Mr. Andrews.
    I now yield the floor to Mr. Dreeshen.

[English]

     Thank you very much, Mr. Chair.
    Thank you, gentlemen, for being here today.
    A number of the things you have mentioned in answers to other members, certainly on the concept of media companies.... You were talking in your presentation about how they are breaking away from advertising-driven online initiatives and that type of thing. Of course, one of the things we heard when we were in the States talking to different companies is that you end up stifling innovation. Is part of the concern that Canada seems to be a place where you or your companies don't feel it's worthwhile, that we may not end up being able to bring in different types of products from other places, or that they will ignore us? That's the first part.
    As an extension of that, perhaps we could get a bit of an idea of what the business models actually are so that people realize—whenever we're talking about social media and data brokers—what is it they want from us. This isn't a free service because it has to be paid for. But I think a lot of people don't quite put those two things together.
    So I wonder if you could give us a bit of a thumbnail sketch that you see in that regard, and then perhaps talk about some of the basics that are in your own business model.
    Sure. That's a fairly broad suite of questions. Tell me if I miss any of them.
    Certainly.
    What consumers mostly want out of advertising is no advertising. If that's not available, then targeted advertising is the next best thing. Targeted advertising is, as Mark says, if you happen to ski and you see ads on skiing, presumably that's a more welcoming experience than seeing ads on diapers, if that's not what you do.
    Most of our experience—I will talk now as an online person. The experience of watching television is largely one of irrelevant advertising. We have been sitting through ads and asking, “How did I sign up to be targeted with this ad? This doesn't make any sense to me.” Online, it's an extremely measurable medium. So what advertisers do is they literally pay more for an ad to a relevant person. It is done through exchanges. I can list names of them, but they are much like the New York Stock Exchange. An impression goes up and everybody bids on that impression in microseconds. If somebody says, “That guy has been skiing and I want to sell ski equipment”, they will pay more. They may pay $2.50 CPM—cost per thousand impressions—rather than the 25¢ CPM. As you have had people testify to you, that's a more efficient market. That ski advertiser wants to reach somebody who is skiing, so they will pay for that data.
    How they get that data is an interesting question. Typically, in the U.S., many publishers will sell them that data. They will say in the privacy policy that they are going to sell data. I may not be up-to-date with which sites, so I won't name the sites, but in the U.S. there are many car sites—places where you go to buy or price a car or that sort of stuff. They will sell their data to the big data brokers—BlueKai Inc. and eXelate are both leaders in this in the U.S. The data guys will in turn sell it to the exchanges, so that when you buy an impression on a large site—Yahoo!, Microsoft, or whatever it is—you will pay a very low CPM if it's not targeted and a little more if there is some data behind it.
    That's a very efficient marketplace. I mentioned that it's not as well developed in Canada because the scale is smaller. It seems like a lot of people to us; it's just not a lot in some of these larger countries. So the scale is smaller.
    The other thing is that the publishers, by and large, don't sell their data as freely. I don't think that's a privacy law thing. I think to some degree it's an evolutionary thing, but they simply don't sell that data as freely.
    If you are trying to target auto intenders—it's a term in our industry for somebody who is about to buy an auto—it's a lot easier in the U.S. than it is in Canada. There aren't as many sites that have auto data that will sell it.
    To your point, is it scary, is it efficient—that's beyond me to say. It does make the advertising a lot more efficient if you are trying to serve up an ad to somebody who is relevant.
    In terms of Nexopia's own business, it's just not at a scale where that is an interesting proposition. We have about 200,000 members. Let's say they are about half male and half female. If you want to target a young Canadian, particularly right now one who lives in the west coast—Alberta and B.C. as the primary audience—Nexopia is a great place to do it. But once you start cutting it down to people who live in Edmonton, people who are women, people who are a certain age, you're not going to have a lot of advertisers. You're only going to reach 10,000 people.
    So that business works a lot better if you are a very large company. You guys all know the names of large companies.
    Does that cover all or some of it?

  (1605)  

    I think so. Part of it, though, was whether other companies are coming into Canada. Are we going to see them just sort of ignore us because we don't have the size? I think you more or less covered that.
     We were talking about privacy policies. You do have a lawyer with you who is aware of how these things are written. I think you did touch on it a bit, but you are at the stage where you are going to be presenting sort of a new state-of-the-art policy because of the model you now have. I'm just wondering whether you have put any extra thought into that, or even if you have a bit of an addendum beside it so that you can say what the last five pages meant, and then the same thing for the other, just so that you have a balance. Maybe instead of one or the other you have something that shows a bit of a balance and that you are at least trying to help out those who actually try to read through the policies.
     Do you want to take that, Mark?
     We haven't got to that stage yet. As Mr. Bartus said, he has just closed, and we've been essentially running around getting all of these arrangements made. We're going to look at the privacy policy over the next couple of weeks. Certainly, we're going to do our best to make sure that it explains to Nexopia's users what Nexopia does with its information, what options they've got, what alternatives there are. We're quite confident that we'll satisfy the Privacy Commissioner's recommendations and make it a place that's good for Canadian youth.
    People have concerns about personal information being deleted, so I'm wondering if you would run us through what that process is, as far as a business is concerned. How do you guarantee that you are no longer keeping that on file? How would that happen?
    We've talked about this a bit. We believe there is a period of time—we think reasonably six months—during which you ought to be able to contact a previous user and say “Are you sure you want to leave?” That seems to be common practice, and that seems like a good business idea.
    After about two years, they're gone; they're not coming back. At that point, I think it's reasonable to completely delete the data. From a business standpoint.... That's audited by checking and making sure that the person isn't actually there any more and making sure the data is truly gone.
    I guess that's been mostly our approach, the six months, and the two-year window as far as permanent deletion.
    Don't forget that the previous set-up was such that you deleted your profile, you went away for a day, you came back, and it was still there. So there wasn't a true delete. There wasn't a false delete; there wasn't any delete. That's certainly going to be fixed. That's a commitment the company has made.
    One clarification—

[Translation]

    Very quickly, please.

[English]

    One clarification I should make is that, as you've probably heard in the past, search engines—Google, Yahoo!—are cache things. They store them locally so that they can be called on more quickly. I don't know what their caching policy is or how long it lasts, but you can delete something and still have it being Googled for a period of several days or weeks. That's out of anybody's control but theirs. So that won't be covered in our policy. As long as a search engine caches, we can't do anything about it.

[Translation]

    Thank you.
    I now yield the floor to Mr. Boulerice for five minutes.
    Thank you very much, Mr. Chair.
    I want to thank our guests for joining us.
    Your being here is very appreciated. I am also happy to hear you say that you are working with the Privacy Commissioner and that you mean to have a game plan for implementing the four recommendations that have not yet been carried out.
    However, one issue piques my curiosity. It seems to me that certain things could be done more quickly. I understand that personal information can normally be deleted by clicking on the button “delete my account”, but I don't understand why I have to wait until April 31, 2013, for my account, personal information and profile to really be deleted.

  (1610)  

[English]

    Again, I'm trying to be careful not to speak too much for the prior owners, but when that first communication happened in 2010, there was a serious list of problems and they had to be addressed. Any business owner goes through an analysis of whether to continue to invest or not to invest, or whatever they're going to do. By and large, the company completely stopped development at that point.
    The code, I should mention—not that anybody cares but me—is in a language called Ruby, but it's not the Rails framework. It's basically custom code. So getting anybody to dig in and do anything is a challenge. What's happening right now is that two of the guys who originally coded and developed it are helping me out as I bring in new staff, but getting new people to understand this stuff is a genuine challenge. I think with anything in business, and I've done technology businesses for a while, you've got to pick your battles and you have to focus on something, so we've chosen to focus on the wording changes, the privacy policy. That seems like an easy place to start.
    The deletion thing...look, if that had been easy to do, the previous owners would have done it; they wouldn't have sold the company. It's genuinely challenging to do.

[Translation]

    It is not only because having that information is practical. That information has value, even from a business perspective. So the idea was to keep the information as long as possible. When the commissioner said that you were breaking the law, one of the issues pointed out was the lack of valid consent for communicating personal information to advertisers. That is worth something. So it pays off to keep the information as long as possible. I hope you have resolved that issue.

[English]

     I am unaware of any business reason for keeping the data for a long period of time.

[Translation]

    Earlier, you said that your website targeted young people from 16 to 21 years of age. However, according to our information, 34% of your users are between 13 and 18 years of age. So they are young people and minors who are exposed to a huge amount of advertisement.
    I visited your website today. I saw that there was a great deal of advertisement, and that reminded me that, in Quebec, the Office de la protection du consommateur has worked with Club Penguin to reduce the exposure of our young people to reams and reams of advertisements.
    Do you feel comfortable with exposing a bunch of minors to a huge amount of advertisement on your website?

[English]

    They're not exposed to more or less advertising than anybody else. As I think somebody mentioned before, the site has real costs and they need to be paid for.
    You may have mentioned Club Penguin. I'm not sure if that's the Penguin you meant. If that's the one you meant, it's a paid service. We're not a paid service; we're a free service. Free services have to be paid for somehow.
    We have the same age requirement that Facebook and many social networks have, which is to be 13 years old. It's self-reported, so you can't really verify some of that stuff. We could, I suppose, show less advertising based on your age, but I'm not sure that we want to go down that road.
    Do you have anything to add?
    No.

[Translation]

    That's okay. Thank you very much.
    Mr. Carmichael, you have the floor for five minutes.

[English]

    That's not a lot of time. Thank you, Chair.
    Gentlemen, as I read through the profile of the company and listen to your testimony today, I'm curious about how long you had been negotiating for this company before your September 30 close?
    The detailed findings came out on March 30, so it's the period roughly from that date.
    So it's from March 30 on.
    I would say since April.
    Prior to that, or at about that time, the previous owners had been given the series of recommendations, some 13 of them, with a June 30 completion date.
    I think, Mr. Bartus, you said that they became overwhelmed with the scale of what they had to accomplish with these recommendations. Am I correct on that?
    It's very difficult for me to speak for the previous owners. I have only met one of them.
    Let me go back, then. Did you have a previous relationship with the ownership of the company?

  (1615)  

    No.
    So this all began on March 30.
    How about you, Mr. Hayes?
    No, I had never heard of them, and I still have never met any of them.
    Okay.
    One of the concerns I have, particularly dealing with databases and social media aimed at children and youth, concerns the security of the data that is being maintained and managed by a company such as yours.
    I look at your demographics, and I guess it's all self-declared, but 23% of your subscribers are between the ages of 13 and 18. I don't know what the balance is.
    What is the actual demographic breakdown, in terms of age?
    I don't have that with me.
    Looking at the site, which we have just gone on without a password, I see that it goes right up to 55 or 57 years of age. So you have quite a breadth of people communicating on this site. The issue that concerns me most is what happens to the data.
    We were told early on in our study that the information divulged by people entering any type of social media site is...it's a very open and free type of release of information. Clearly, people give all kinds of information, to the point that we see situations of horrific tragedy like the one in B.C., a situation with a young woman who likely regretted the information that was on the site, but had no recourse—she couldn't pull that information back.
    One concern I have is how secure the data is. Are you aware of any breaches of the database? Have there been any questions about the security of the database?
    And going back to the issue of full deletion of the data—you talk about six months to two years—I would think that if I had given you my data and wanted to have the information deleted, I would like to have it deleted the day I made that decision, regardless of the business model. I come from a business background, so I understand that there are complications with that, but I am concerned about this part of it.
    As to your commitment to the full deletion of that information, are you committed to this being where you are headed?
     Yes. The timeframe is the one we've discussed, six months to two years.
    On the case you refer to, I have an 11-year-old and a 14-year-old and I walked them both through that case. It is indeed horrific.
    Nexopia vets every picture before it goes up, sometimes to the consternation of the members who want the picture to go up right away, but our feeling is that we don't want to get anywhere near what happened in that unfortunate incident.
    In terms of the data security, there have been no breaches that I'm aware of. Again, the interest of the previous owners primarily was in helping law enforcement. In every conversation I had with them, that was what they reiterated, and in fact there have been cases in which the data was used for that. So the compromise we're trying to make is this. You can't keep it forever for privacy reasons, even if the law enforcement people need it, so we're going to delete it, period, after two years. Whether or not there are any law enforcement requests, it will be gone.
    In your short time in the business, one of the things that I've seen in our study is that it appears that within the social media environment some of these companies and some of your competitors out there have been caught doing this. They tend to push the envelope. They push the envelope to the extreme, to the limits, and then they apologize once they're caught.
    The question I have is this. What's your position on that? When you look at some of the majors that have been caught in this type of stretching of technologies, boundaries, as they have, how would you recommend we manage our recommendations as we complete our study?
    It's a broad question. Spending time here today doesn't make me more money. My preference would be to steer well clear of anything that even smelled like it might be an issue.
    Larger companies, sometimes because they're innovative, do push the envelope and then later on get caught. Also, it's a big, wide open world out there and there are people with all kinds of different motivations. There are whole industries that, as you say, do trade on treading the line. It's never been my business practice. I find you spend way more time worrying about that edge than actually running up the middle making money. There is a lot of money to be made going straight up the middle and not getting anywhere near any violations.
    So in terms of how you set regulations to encourage that behaviour, I don't know. We've talked about whether the Privacy Commissioner should have penalty enforcement or whether it works now and again. Our feeling is that it works quite well now.

  (1620)  

    You need reasonable privacy—

[Translation]

    Mr. Carmichael, your time is unfortunately up.
    Thank you, Mr. Chair.
    As we have a bit of time left, I could let you continue, if the members of the committee agree. There is currently no one on the list.
    You can continue, Mr. Carmichael.
    Mr. Mayes.

[English]

    Thank you, Mr. Chair.
    Could I just ask a question of Mr. Hayes, please?
    Mr. Chair, a point of order.

[Translation]

    Mr. Andrews.

[English]

    I wonder if we could go to another round, because I'd like to get back in on the questioning. I know I don't get another question for another round, so if we're going to get in on this, I'd like to have another round, if possible.

[Translation]

    I have no problem with that, if you have any other questions, as we have some time left. So, if the members of the committee want to ask any other questions, they can.
    Mr. Andrews, do you have a specific question?
    Mr. Calkins.

[English]

    Mr. Chair, I have a point of order. Could you, for the edification of the committee, please tell us what point during the second round of questioning we're at and at which point members would be eligible to ask a second set of questions? The point is that if Mr. Andrews has a question, which I don't have a problem with, or if there's time permitting, why can't we just all have a few questions, if that's what the case is? But if we're going to follow the rules, then we should know what the rules are and proceed that way.
    If the second round has not run its course yet, then it would be inappropriate to be having just random questions coming from the floor, unless we have general consent from the committee to do so.

[Translation]

    We had come to a question by the New Democratic Party, and as there were no other questions, I gave the members an opportunity to ask an additional question because we had another five minutes left.
    Mr. Angus.

[English]

    Mr. Chair, we will take a third round if someone has a supplementary question, which I think is fair. If anyone has a supplementary question, I don't have a problem with that, but if we're going to continue with rounds, then we'll take our rounds.
    My supplementary question would be the date, to confirm the date of compliance. Was it April 30, 2013?
     Yes.
    Okay, we're satisfied.

[Translation]

    There is no one left on the speakers list, unless someone has a specific question to ask. As I said, we had five minutes left, and I asked everyone this question. If someone wanted to ask a question....
    We don't have anyone left on the list. This is the end.

[English]

    The list follows parties.

[Translation]

    Do you have a short question, Mr. Andrews? You have one minute at the most.

[English]

    In one of the questions I had, you talked about matching of the data offline. We've heard a bit about that process, how that actually works. My question is this. What kind of concern is that of yours? Should this committee be looking at that matching up of offline data?
    Your mandate is more expansive than mine. You're interested in offline and online, all privacy and ethics. I'm only in online. So should you be interested? Yes, I think it's a very lucrative area in the U.S. It works particularly in retail locations where a large retailer can match a loyalty points card to behaviour online and target somebody's real interests. It's a large, growing, lucrative area in the U.S.
    I do think there are several players in Canada that are large enough to take advantage of it. We're not one of them. We have no offline operation. We have no retail or commerce operation.
    Thank you.

[Translation]

    I want to thank our witnesses very much for joining us today. We don't have anything else on the agenda, unless someone has something to add. If not, this concludes the meeting, and we will see each other again on Tuesday, November 20, 2012, after the parliamentary break week. The meeting is adjourned.