Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA Case Summary #2005-316

ARCHIVED - Hotel revises privacy policy and consent form

(Principle 4.3.3 of Schedule 1)

Complaint

An individual complained that a hotel had required him, as a condition of service, to consent to the hotel disclosing his personal information, such as his credit card number, to any other member or franchisee of the hotel chain.

Summary of Investigation

When the complainant arrived at the hotel to check in, he was told that he had to sign a form related to the new federal privacy law. The form in question asked customers to consent to the collection of their personal information for customer service, security and marketing research purposes. It also referred to the collection, use, handling and disclosure of personal information by or to the hotel or any member of the hotel chain. In addition, the form contained a reference to liability issues and safety deposit boxes, which the complainant felt did not properly belong on a privacy consent form.

The complainant was told by staff that if he did not sign the form, he would be denied a room. He stated that he was told that all Canadian hotels require that the consent form be signed by guests and that the hotel had the right to disclose his credit card and other information provided, as stated on the form. After discussions with the staff, the complainant signed the form when it was agreed that he could remove the clause relating to the disclosure of his information to other members of the hotel chain.

The complainant also stated that he was required to provide his licence plate number even though he had not used the hotel parking lot. He did not believe that the hotel required this information.

The hotel indicated a willingness to review its privacy policy and procedures. In consultation with our Office, the hotel revised its consent form to clearly state what information is being collected and the reasons for the collection and use of that information. Customers are asked whether they want to receive promotional material from the hotel chain. If they do not respond either way, the hotel will presume that they do not.

In addition, the hotel’s new consent form addresses the licence plate issue. It specifically outlines that the number will only be collected if parking is required. The form no longer contains any reference to liability issues and safety deposit boxes.

The hotel provided privacy training to its staff and now distributes a two-page document in the guest’s room, outlining the hotel’s privacy policy. This document contains further reference to and instructions for opting out of marketing.

Findings

Issued October 12, 2005

Application: Principle 4.3.3 states that an organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use or disclosure of information beyond that required to fulfil the explicitly specified and legitimate purposes.

The Assistant Privacy Commissioner deliberated as follows:

  • She first referred to an earlier finding made by this Office on marketing, in 2002 regarding consent and the disclosure of customer personal information for the purposes of secondary marketing. In this finding, the differences in views held by organizations and individuals when it comes to marketing (referred to in the finding as “secondary marketing”) were noted. It was indicated that while the marketing itself may not be secondary in a marketer’s technical sense, to the individual customer, there was no doubt that the organization’s marketing purposes were secondary to those for which he or she initially provided personal information.
  • In this case, the original consent form that the complainant was asked to sign indicated that personal information was being collected for three reasons: customer service, security and marketing research. The Assistant Commissioner noted that when an individual registers at a hotel, he or she would reasonably expect to provide personal information for customer service and security reasons as these directly relate to receiving a hotel room. It is not likely that they would expect to be compelled to provide such information for marketing purposes as a condition of service. Although the form indicated that the customer could withdraw consent, the wording was not entirely clear about what the customer could withdraw consent to, nor did the employees give the impression, initially, that the complainant could do so. Ultimately, the complainant agreed to sign the form once the clause referring to marketing was removed, and he was provided with a room.
  • As a result of the complaint and our Office’s involvement, the hotel revised its privacy policy and consent form to allow individuals to choose whether they want their personal information collected, used, or disclosed for marketing purposes.
  • In light of this, the Assistant Commissioner was satisfied that the hotel’s revised privacy policy and consent form met the requirements of Principle 4.3.3 in particular, and the Personal Information Protection and Electronic Documents Act, generally.

She therefore concluded that the complaint was resolved.