Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA Case Summary #2002-83

Alleged disclosure of personal information without consent for secondary marketing purposes by a bank

[Principles 4.3, 4.3.2, 4.3.3 and 4.3.5 of Schedule 1; and section 5(3)]

Complaint

An individual complained that a bank fails to obtain consent for the collection, use, or disclosure of personal information for secondary marketing purposes.

Specifically, the complainant alleged that the bank does not bring to the attention of its customers its practice of using and sharing customer data with affiliates for secondary marketing purposes; it fails to provide clear information as to potential secondary uses and sharing of customer data; and it does not provide them with the opportunity to opt out of such uses and disclosures.

This is one of several similar complaints filed by the individual against a number of organizations. In brief, the complainant's position may be summarized as follows:

  • With respect to secondary marketing purposes, it is always appropriate to ensure customers' knowledge and consent.
  • Marketers and the marketed differ on the issue of what form of consent is appropriate.
  • Companies should not only state purposes in a policy document, but also "bring to the attention" of the individual customer the practices in question and the option of withdrawing consent.
  • Companies fall short of meeting this obligation in several ways:

    (a) reliance on a document that has not been provided to the customer, but rather left up to the customer to find on his or her own initiative;

    (b) reliance on fine print that has been buried in a long document;

    (c) failure to use clear, plain language that is understandable to the ordinary customer;

    (d) failure to provide customers with adequately detailed information about the extent and purpose of contemplated uses and sharing of their personal information; and

    (e) failure to provide an easily executable opting-out procedure.

Summary of Investigation

The bank's privacy-related documents were examined during the investigation, which revealed the following:

  • The bank indicates its information-sharing practices on its credit card application form and in its cardholder/credit card agreement.
  • In brief, the agreement refers broadly to the organizations to which it discloses information.
  • The application form requests consent to disclose personal information for credit report purposes, as well as consent to collect, use, or disclose information as set out in its terms and conditions, which are listed on the reverse side in tiny lettering.
  • For on-line credit card applications, a link to the agreement is absent and there is no specific reference to a disclosure of information.
  • Consent is requested when the customer makes an application over the telephone; however, it is worded very broadly.
  • The bank has a privacy policy statement that is more extensive with regard to its practices, but it is not provided as a matter of course and customers must request a copy or gain access through the bank's website.
  • Both the application and the agreement state that the customer may withdraw consent to receiving marketing materials or future offers by writing to the bank.

In sum, the bank's position is that these materials form a sufficient basis for its customers' knowledge and consent.

Commissioner's Findings

Issued October 16, 2002

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act (the Act) applies to any federal work, undertaking, or business. The Commissioner has jurisdiction in this case because a bank is a federal work, undertaking, or business, as defined in the Act.

Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate. Principle 4.3.2 stresses that knowledge is required as well as consent and states that organizations must make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. It further stipulates that, for consent to be meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed. Principle 4.3.3 states that an organization must not, as a condition of the supply of a product or service, require an individual to consent to the collection, use or disclosure of information beyond that required to fulfil the explicitly specified and legitimate purposes. Principle 4.3.5 states that, in obtaining consent, the reasonable expectations of the individual are relevant. Section 5(3) states that an organization may collect, use or disclose personal information only for the purposes that a reasonable person would consider appropriate in the circumstances.

The Commissioner found the complainant's expectations as outlined in the complaint to be reasonable and in keeping with the Act.

On the matter of consent, the Commissioner determined that:

  • The bank's materials do not represent a reasonable effort on the bank's part to ensure that the individual customer is advised of the purposes for which his or her personal information will be used or disclosed.
  • The wording in the materials is so broad in each case as to virtually preclude understanding, unless the individual is to understand that the bank intends to use personal information however it may see fit and disclose it to whomever it may see fit. This, the Commissioner noted, would hardly be a purpose that any reasonable person would expect or consider appropriate in any circumstances.
  • The bank's privacy policy document is too broadly written and in any case would not be a sufficient basis for inferring consent since it is not supplied to individuals and is thus not immediately available as a reference in making the decision regarding consent.
  • The script used when taking applications over the phone is too broad and not informative.
  • The wording of the bank's credit card application is legalistic and is printed in minuscule lettering making it difficult to read and understand.
  • The bank does not adequately inform customers that some products and services offered on its behalf will ultimately be provided by third parties to which it will disclose customers' personal information.

Having determined that the materials in question are inadequate, the Commissioner found, therefore, that the bank was in contravention of Principle 4.3.2 of Schedule 1 of the Act. As these materials do not suffice as a basis for consent, the Commissioner also found the bank to be in contravention of Principle 4.3.

It also follows that by using the materials in question, the bank is in effect requiring individuals to consent, as a condition of the supply of a product or service, to the collection, use and disclosure of information beyond that required to fulfill explicitly specified purposes. The Commissioner, therefore, also deemed the bank in contravention of Principle 4.3.3.

The Commissioner was also satisfied that a reasonable person would not consider the collection, use or disclosure of personal information for the secondary purposes as contemplated in these materials to be appropriate in any circumstances without the knowledge and consent of the individual. Therefore, the bank had not complied with section 5(3) of the Act.

Lastly, on the matter of the opting-out procedure, the Commissioner found that the bank's failure to provide a convenient, immediate, and easy means of withdrawing consent to optional practices did not meet the reasonable expectations of the individual, which Principle 4.3.5 deems relevant.

Having determined the bank to be in contravention of the relevant provisions of the Act, the Commissioner concluded that the complaint was well-founded.

Further Considerations

The Commissioner made the following recommendations:

  • The bank should redraft its communications materials for credit applicants and new customers with a view to facilitating knowledge as required under Principles 4.3 and 4.3.2 of Schedule 1 and in doing so should address the following questions:
    • What personal information of mine is to be disclosed?
    • To whom will my personal information be disclosed?
    • How exactly will my personal information be used?
  • When offering a product or service that will ultimately be supplied by a third party, the bank should identify the third party to the customer. If the customer chooses the product or service, the bank should then obtain the customer's express consent to the disclosure of specified personal information to that third party.
  • The bank should take steps to meet the reasonable expectation of its credit card customers for an immediate, easy, and inexpensive means of withdrawing consent to the optional collection, use and disclosure of their personal information. Specifically, the bank should provide either a check-off box on the materials in question or a 1-800 number for the convenience of customers who wish to withdraw consent.