Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA Case Summary #2003-207
Cellphone company meets conditions for "opt-out" consent
[Principles 4.3, 4.3.2, 4.3.4, and 4.3.5, Schedule 1]
Two individuals complained, upon receiving a cellular telephone company's privacy brochure, that the company had failed to seek their consent in an appropriate form to its secondary marketing purposes.
Summary of Investigation
The company sent out, as an insert in its monthly bill, a privacy brochure that outlined, among other things, the company's intended practices regarding the collection, use, and disclosure of customers' personal information for secondary purposes of marketing and listed all parties concerned. The brochure also indicated that customers could have their names removed from marketing lists by calling a toll-free number, sending an e-mail, or using the company Web site. It further notified customers that the company would otherwise assume the customer's consent to the continued collection, use, and disclosure of personal information for the identified purposes.
The complainants both objected to this assumption of their consent - in other words, to the company's use of the negative or "opt-out" form of consent rather than positive or "opt-in".
One of the complainants experienced some difficulty in exercising the "opt-out" procedure by telephone. It was determined, however, that this difficulty was due largely to a misunderstanding on the complainant's part. The Commissioner's Office found the procedure to be relatively easy to follow, accommodating, and effective.
The company's customer database has a privacy function that sets out several suppression options regarding the use of customers' personal information for marketing purposes - for example, "No direct mail", "No e-mail", "No telemarketing", "No market research". A customer wishing to have his or her name suppressed from marketing or research activities may choose any or all of these options by any of the means indicated in the brochure.
Issued August 6, 2003
Jurisdiction: As of January 1, 2001, the Act applies to any federal work, undertaking, or business. The Commissioner had jurisdiction because the telecommunications company in question is a federal work, undertaking, or business as defined in the Act.
Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.3.2 states that organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used and that, in order for consent to be meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed. Principle 4.3.4 states that the form of consent sought by the organization may vary depending upon the circumstances and the type of information; in determining the form of consent to use, organizations must take into account the sensitivity of the information; although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive depending on the context. Principle 4.3.5 states that, in obtaining consent, the reasonable expectations of the individual are also relevant.
The Commissioner began by stating that he regards and promotes positive or "opt-in" consent as the most appropriate and respectful form for organizations to use in any circumstances. Nevertheless, in deference to Principle 4.3.4, he recognized that the negative or "opt-out" form was acceptable in some strictly defined circumstances - notably, where the personal information is demonstrably non-sensitive, where the consent-seeking process meets the individual's reasonable expectations under Principle 4.3.5, and where the organization is otherwise in compliance with all relevant provisions of the Act.
The Commissioner noted that a number of conditions that must be met in order for an organization to justify reliance upon the opt-out form of consent were developed and established previously. He agreed with these and summarized them as follows:
- The personal information must be clearly non-sensitive in nature and context.
- The information-sharing situation must be limited and well-defined as to the nature of the personal information to be used or disclosed and the extent of the intended use or disclosure.
- The organization's purposes must be limited and well-defined, stated in a reasonably clear and understandable manner, and brought to the individual's attention at the time the personal information is collected.
- The organization must establish a convenient procedure for easily, inexpensively, and immediately opting out of, or withdrawing consent to, secondary purposes and must notify the individual of this procedure at the time the personal information is collected.
He concluded that the complaints were not well-founded.
The Commissioner clarified that, despite the difficulty experienced by one of the complainants, he was satisfied with the company's opt-out procedure on the whole. He added that, especially now that the company had agreed to provide customers with a distinct opportunity for exercising their opt-out right at the time of cellphone activation, he was even inclined to recommend the procedure as exemplary.