Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA Case Summary #2005-288
Identification requirements for cell phone services
(Principle 4.4 of Schedule 1)
The complainant alleged that a telecommunications company required him to provide four pieces of identification to activate a cellular phone service.
Summary of Investigation
When the complainant contacted the company to apply for a special cell plan service available to employees of the company he worked for, he was asked to provide four pieces of identification: date of birth, major credit card, driver's licence, and his social insurance number (SIN). While he provided his date of birth and credit card number, he was unwilling to give all four pieces of identification and instead offered a bank contact for a reference. He alleged that because he would not provide all of the requested information, he was refused the service.
Upon learning of his difficulties, his employer suggested that he call the company's head office. The company agreed to provide him with service if he sent a copy of his and his wife's passports. The complainant did so, and received the requested service.
The company stated that it only requires three pieces of identification and not four. A review of the company's identification requirements showed that identification is collected to obtain an accurate and complete credit check and to ensure that the applicant is actually who he or she claims to be. The company stated that it requires documentation with date of birth; two forms of identification, one of which must have a photograph of the customer; and documentation showing the customer's current address. The company prefers a driver's licence, passport, SIN (which is optional but will increase the chance of obtaining a credit file), and a credit card or banking information (such as cheques with the name and address on them). Other acceptable identification included such cards as a citizenship card or university student card, to name a few.
The company stated that all forms of identification and credit documentation must be visually verified by a sales representative during the activation process. However, it was noted that the complainant sent his photo identification by facsimile to the a company representative in another city.
According to the company, the date of birth, along with either a credit card, the SIN, or bank information is necessary to ensure that the correct credit bureau information is obtained for the credit evaluation. The driver's licence (or alternative) is needed for positive identification of the applicant to prevent subscription fraud.
The company stated that bad debt costs pose a serious problem in the communications industry. It further noted that identity fraud was also a major concern, and provided data on both fraud losses and bad debt costs. In its view, the personal information the company gathers helps ensure that it can collect on debts owed to it and prevent identity theft. The company also contended that all Canadian communications companies had similar practices in place with respect to identification requirements.
The Office reviewed the practices of other telecommunications companies with respect to identification requirements and found that three major wireless companies and two regular telephone companies all required two pieces of identification. Of the five we reviewed, all provided three or more choices and only one did not request date of birth.
Issued February 1, 2005
Application: Principle 4.4, which states that the collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
- The Assistant Privacy Commissioner began her deliberations by noting that in previous findings involving telephone or wireless services issued by the Office, it was determined that the collection of two pieces of identification for the purposes of confirming creditworthiness or identity was reasonable. (This fact was noted during the investigation, but the company continued to maintain its position.)
- The investigation into this complaint established that the company was requiring three pieces of identification to activate an account: two were needed to ensure that the company obtained the correct credit bureau information and a third was required to positively identify the applicant.
- Although the company maintained that its purposes could only be achieved with three pieces of identification, the Assistant Commissioner disagreed. For example, she noted that a driver's licence or passport meets the need to visually authenticate identity and provides verification of the date of birth, which is needed to obtain accurate information from the credit bureau. By asking for one of those, in combination with a credit card or bank information (which supports both identity authentication and accurate credit information), the company could still achieve its objectives. In the Assistant Commissioner's view, a third piece of identification is not needed, and is not in fact industry practice.
- She therefore found that the company was requiring more personal information than necessary, contrary to Principle 4.4 of Schedule 1.
Accordingly, the Assistant Commissioner concluded that the complaint was well-founded.
The Assistant Commissioner recommended that the company amend its policy to require only two pieces of personal identification and report back to her within 60 days on its progress in this regard.