Common menu bar links

Home > Commissioner's Findings > Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA)

Institutional links

Got Spam? Learn how to protect yourself Securing Personal Information: A Self-Assessment Tool for Organizations Privacy For Small Business Online Tool Privacy Quiz for businesses Research funded by the OPC Privacy Breach? Information for Organizations How to lodge a Privacy complaint

Commissioner's Findings

Search Findings
Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA Case Summary #2005-323

Bank’s assumptions about consent to marketing challenged

(Principle 4.3 of Schedule 1)

Complaint

Tired of receiving marketing calls from his bank, the complainant repeatedly asked it to stop calling him at home.  Although his file was eventually flagged as “do not solicit,” he continued to be called, much to his dismay.  It turned out that the bank developed internally generated sales leads that would override the customer’s request not to be solicited.  We agreed with the complainant that this was unacceptable and recommended that the bank cease this practice, which the bank agreed to do. 

The following is a detailed overview of the investigation and the Privacy Commissioner’s findings.

Summary of Investigation

Prior to filing a complaint with the Office, the complainant had contacted the bank on at least three occasions to verbally withdraw his consent to marketing.  He did not, however, have the names of the employees to whom he spoke. 

He nevertheless continued to receive calls at home, which he forwarded to his cell phone so that he could track them.  He provided the Office with dates, times, and the number of the caller.  The Office confirmed that the number was listed under the bank’s credit card service.  After receiving yet another call, this time concerning life and disability insurance, he contacted the Office.

The bank was unable to find a record of the complainant’s earlier requests to have his name removed from the bank’s marketing lists.  It did learn that, around the same time the complaint was filed, the complainant had apparently contacted the bank by telephone, requesting to have the solicitations stop.  The bank accordingly flagged his file as “do not solicit.”

However, several months later, the complainant stated that an employee of one of the bank’s branches left him several home voice mail messages.  The complainant finally spoke to the employee, asking him how he received his name, and why he had left so many messages.  According to the complainant, the employee stated that he receives a monthly list of names from the bank’s credit card office to solicit.  The complainant indicated that he had left specific instructions with the bank to delete his name from telemarketing lists.  The employee apologized to the complainant and assured him that his name would be removed from prospective lists.

The bank explained that branches obtain what it called “sales leads” in two different ways.  One of these ways occurs when a branch employee, often a Customer Service Representative, notices a customer conducting an “over the counter” transaction that might lend itself to a sales call by a personal banker (or equivalent) from the same branch.  For example, perhaps the customer is paying a bill from an account drawn on another financial institution, or perhaps the customer makes a comment to the effect that another financial institution has treated him or her poorly.  In such situations, the representative would make a note of the comment, and pass it along to one of the personal bankers in the branch.  The personal banker would then call the customer, extending an invitation to discuss with him or her if there was any way the branch might be able to better serve the customer’s financial needs.

The bank stated that in these types of situations, the centrally managed “do not solicit” (DNS) designation does not override the internally generated sales lead.  The bank was of the view that most customers who request a DNS designation are doing so only to prevent contact from telemarketers or bulk mail marketing programs.  These same customers, according to the bank, still wish to have their local branch contact them if an offer beneficial to them arises based on circumstances the branch has reason to believe may be specifically applicable to the customer.

The complainant confirmed with the Office that he had not visited the branch where the latest calls originated.  This particular scenario therefore did not apply in his case.

The bank stated that the second way that leads are generated is through various forms of database mining.  Branches are sent sales leads generated centrally from the marketing area.  The bank stated that, for most of these leads, the DNS designation is fully respected, with the exception being those situations where a lead might be placed centrally to follow up on a term deposit, GIC, or mortgage renewal.  In the latter cases, the bank stated that it was possible that the branch might also take the opportunity during the call to see whether the customer might be interested in other products if the circumstances were deemed appropriate.

In the complainant’s case, the only bank product or service he had was a credit card that required no renewal or any other regular service follow ups.  The bank confirmed that according to its marketing department, the complainant was not the subject of any sales leads during the months leading up to the time he claimed he had been contacted by the branch employee (early 2005).  As the employee in question received numerous leads each month, he could not recall why he might have left several messages for the complainant to return his calls. 

The bank confirmed that the branch has since placed a message on the complainant’s file not to call him even if there was a branch-generated lead in the future.

Findings

Issued December 22, 2005

Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

In making her determinations, the Privacy Commissioner deliberated as follows:

  • The complainant alleged that prior to filing his complaint, he had verbally withdrawn his consent to the use of his personal information for marketing purposes. 
  • The bank indicated that it had no record of any such withdrawal until after he filed his complaint. 
  • In spite of the do not solicit flag placed on his file at this time, the complainant received calls from a bank employee attempting to market additional products and services to him.
  • The Commissioner therefore found that the bank had used the complainant’s personal information without his consent, contrary to Principle 4.3.  The bank confirmed that, following the investigation, a message was placed on the complainant’s customer file indicating that he was not to be called, even if there was a branch-generated lead in the future.
  • In reviewing the bank’s practices with respect to internally generated sales leads, the Commissioner was extremely concerned with the bank’s assumptions with respect to what a customer means when he or she does not want to be solicited and has a DNS flag placed on his or her file.
  • The bank admitted that branches would still contact customers with the DNS designation because it believed that these customers would want to be informed of certain offers and that when they have a DNS flag on their file, it is really telemarketing and bulk mail marketing programs that they do not want. 
  • It is the Commissioner’s view, however, that when a customer withdraws consent to marketing, the bank should assume that the customer does not want marketing of any kind – whether it is from a telemarketer or a local branch employee. 
  • When the customer withdraws consent, the bank can inform the individual of the consequences of such a withdrawal (i.e. you will not be contacted by telemarketers, receive bulk mail, or be called by your branch in the event of an offer that might be of particular interest to you).  The Commissioner felt, however, that the bank should not be interpreting the customer’s wishes according to its own needs. 
  • The Commissioner did not think that the bank’s practice respected the requirements of Principle 4.3.  She wrote to the bank, recommending that it respect the DNS designation when using internally generated sales lists to solicit products or services to customers, and gave it 30 days to respond.
  • The bank agreed to implement the recommendation.  It stated that it was proceeding on the premise that these changes to the manner in which “sales” preferences are recorded and respected would not have an impact on the manner in which “service” diaries are maintained and followed up on.  For instance, the bank believes that even those customers who have requested a DNS designation on their account would still expect the bank to communicate with them to advise of such things as GIC or mortgage renewals, as well as periodic reviews of their existing investment portfolios, in line with the terms of their account agreements.  The Commissioner was of the view that such a premise appeared to be reasonable.
  • The bank stated that, given the system changes that will need to be made to the sales tools, it intended to have the DNS designation fully override its two sales tools by the beginning of 2006.
  • The bank indicated that it was revamping its training and scripting materials for all affected staff to reinforce the message that, from here on in, the DNS designation will apply to all sales activities, both the database mining initiatives, as well as the internally generated sales lead applications.  The bank also stated that customers who have already withdrawn their consent to marketing were being removed from internally generated sales lists.

The Commissioner therefore concluded that the complaint was well-founded and resolved.



Date Modified: 2006-05-12
Return to Top of Page
Top of Page
Important Notices