Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA Case Summary #2005-297

Unsolicited e-mail for marketing purposes

(Section 2; Principle 4.3; paragraphs 7(1)(d) and 7(2)(c.1); and Principles 4.1 and 4.1.3)

The Office of the Privacy Commissioner recently had occasion to investigate collection and use complaints concerning unsolicited e-mail. In one instance, the complainant's personal information was collected from two publicly available directories, while in the other case, it was collected from a directory available only to a particular association's membership. The following is a summary of each complainant's concerns.

Complaint A

An individual complained that a sports organization had collected and used his personal information, specifically, his business e-mail address, without his consent.

Summary of Investigation

The complainant received an unsolicited e-mail promoting the purchase of tickets at his place of work. When he asked the sales representative how his e-mail address had been obtained, he was told that it had been collected from his employer's web site. The sales representative told the complainant that he would not be marketed further; however, a few weeks later, the complainant received a second e-mail solicitation from the same organization.

The sports organization did not dispute that it had sent the complainant a solicitation on two occasions at his place of work. The two sales representatives in question had obtained the same e-mail address through web site directory searches, and did not cross-reference his request that he be deleted from the marketing lists. One of the agents was responsible for soliciting ticket sales through contacting the employees of educational institutions, while the other generated his contact lists through the web sites of law firms, including the one with which the complainant was associated.

The organization subsequently instituted cross-selling controls to ensure that the name of any individual who did not want to be solicited was deleted from all marketing lists, and removed the complainant's name from its lists. The company also engaged a different ticketing and sales firm that was more knowledgeable of the requirements of PIPEDA.

The complainant's employer took the view that the e-mail addresses of its staff were business information. Although the employer might under very exceptional circumstances allow an employee to suppress his or her e-mail address, the employer requires its employees to agree to publish their business e-mail addresses, consistent with its business model and its expectation that employees be easily accessible. The employer also expects any business or organization to obtain its permission before contacting staff for purposes unrelated to promoting the employer's interests.

Findings

Issued December 1, 2004

Application: Section 2 defines personal information as information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization. Principle 4.3 of Schedule 1 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Two exceptions to consent are set out in paragraph 7(1)(d), which states that an organization may collect personal information without the knowledge or consent of the individual only if the information is publicly available and is specified by the regulations; and paragraph 7(2)(c.1), which stipulates that an organization may, without the knowledge or consent of the individual, use personal information only if it is publicly available and is specified by the regulations.

For the purposes of paragraphs 7(1)(d) and 7(2)(c.1), the regulations specify that publicly available information includes the name, title, address and telephone number of an individual that appears in a professional or business directory, listing or notice, that is available to the public, where the collection, use and disclosure of the personal information relate directly to the purpose for which the information appears in the directory, listing or notice.

In making her determinations, the Assistant Privacy Commissioner deliberated as follows:

  • The interpretation section of the Act prescribes the types of information that are not subject to the protections of the Act, specifically, the name, title or business address or telephone number of an employee of an organization. As a business e-mail address is not specified in section 2, the Assistant Commissioner concluded that it was an individual's personal information for the purposes of the Act.
  • The Assistant Commissioner did not think that the organization could rely on the exceptions to consent set out in paragraphs 7(1)(d) and 7(2)(c.1) to collect and use the complainant's e-mail address because the purposes for which the organization collected and used his personal information were entirely unrelated to the intent of the employee directory. The employer published the complainant's name and e-mail with the expectation that businesses, organizations, and individuals might contact its staff members to further the employer's interests. The sale of tickets was not related to the purpose for which the employer made a listing of its employees publicly available. The same analysis could also be applied to the web site of the law firm with which the complainant is associated.
  • The Assistant Commissioner thus found that the organization collected the complainant's business e-mail address and used it to contact him for marketing purposes without his consent, contrary to Principle 4.3. Even after the complainant told the organization that he did not want to be marketed further, the company collected his e-mail from another source and used it again to market him, against his explicit instructions, in contravention of Principle 4.3.

The Assistant Commissioner concluded that the collection and use complaints were well-founded.

Complaint B

In the second set of complaints from one individual, the allegations again involved collection and use of personal information, namely a business e-mail address, without knowledge and consent. In this case, complaints were filed against two organizations: a company selling a product (the seller) and a marketing company acting on its behalf.

Summary of Investigation

The complainant received an unsolicited commercial e-mail advertising a product. The e-mail was directed to her business e-mail address and appeared to have been issued from the seller. The e-mail invited recipients to have their name removed from the seller's mailing list, upon request. In fact, the e-mail had been issued by the company providing the marketing services.

The company that provides marketing services also maintains a web site and business e-mail address on behalf of the seller. It only shares with the seller the personal information of potential clients who express an interest in purchasing an advertised product.

Both the complainant and the president of the marketing company were members of a professional association. Access to the membership list of this association is restricted, and its membership directory is not to be used by its members to solicit or market products to other members.

The marketing company acknowledged that it had collected and used the complainant's business e-mail address without the complainant's consent to market the seller's products. At the complainant's request, the marketing company suppressed her personal information from its marketing list, and apologized for the use of her personal information.

The seller for its part denied any knowledge of or responsibility for the privacy practices of the marketing company acting on its behalf, and denied obtaining the complainant's e-mail address without her consent.

Findings

Issued March 31, 2005

Application: Section 2 defines personal information as information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization. Principle 4.3 of Schedule 1 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

In making her determinations, the Assistant Commissioner deliberated as follows:

  • The interpretation section of the Act prescribes the types of information that are not subject to the protections of the Act, specifically, the name, title or business address or telephone number of an employee of an organization. As a business e-mail address is not specified in section 2, the Assistant Commissioner concluded that it was an individual's personal information for the purposes of the Act.
  • It was clear that the marketing company contravened Principle 4.3, when it collected and used the complainant's personal information without her consent for marketing purposes. The company apologized to the complainant and suppressed her name from its marketing lists.

The Assistant Commissioner thus concluded that the collection and use complaints against the marketing company were well-founded.

  • The Assistant Commissioner noted that the seller only obtains the personal information of potential clients who express an interest in the product that is advertised through e-mail solicitations. As the complainant did not express an interest in the advertised product, her personal information was not shared with the seller. The seller of the product did not collect or use the complainant's e-mail address, nor did it have control of her personal information.
  • The Assistant Commissioner indicated that she could not thus find that the seller was in contravention of Principle 4.3.

The Assistant Commissioner concluded that the collection and use complaints against the seller were not well-founded.

Further Considerations

The Assistant Commissioner advised the seller that in ignoring the privacy practices of a company that acts on its behalf, it has, in her view, exposed itself to a risk that its business reputation will be tarnished.