Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA)
Backgrounder – Ticketmaster Investigation
February 12, 2008
Ticketmaster Canada Limited (TM) is an enterprise headquartered in the United States whose main commercial activity is selling tickets on behalf of venues, concert promoters, sports teams and leagues for events held in Canada. In doing so, it routinely collects the personal information of its customers for its own use and for use by other parties.
The Privacy Commissioner of Canada launched an investigation into the information collection practices of TM after a private citizen filed a complaint with the Commissioner, alleging that the policies and practices of the company with regard to the collection, disclosure and use of customers’ personal information did not comply with the Personal Information Protection and Electronic Documents Act (PIPEDA).
According to the complainant, TM was allowing the collected information to be used for marketing purposes by some parties and customers were not properly informed of this practice nor provided a viable alternative during on-line or telephone purchases if they did not wish to share their information.
The Assistant Privacy Commissioner launched an investigation, and found that TM did not uphold the principles of openness and consent of Schedule 1 of PIPEDA. In making her decision, the Commissioner considered the following:
The Commissioner noted that TM’s purpose for collecting customers’ personal information is reasonable since TM must process ticket payments, deliver tickets, notify customers of cancellations or postponements, verify customer identity when tickets are picked up, and replace lost tickets at the box office.
On the other hand, it is not reasonable for the personal information to be used for marketing purposes without customer consent. Consent to being the target of marketing activities should not be a condition for buying a ticket. Marketing is a secondary use, and, as such, requires fully informed customer consent (i.e., an opt-in option) or an opportunity to opt out without being penalized. Furthermore, TM’s original policy was not specific about whether event providers used customer information for marketing purposes, and, if so, how they used it.
Customers who have set up a MyTicketmaster account online can control which information they want to receive from TM by noting their preferences within their account. For telephone customers, TM now uses scripts that fully inform them and provide them with an option to receive marketing information from event providers. TM now relays each customer’s preference to the event provider at the time TM transfers the personal information to it.
The event provider is responsible for ensuring that it complies with the customer’s preference.
The Assistant Commissioner noted that a clause in TM’s agreement with event providers specifies that event providers will honour all purchaser opt-out preferences whether they are received directly by the event provider or indirectly through TM.
Once these complaints were investigated and brought to the attention of the company, they were resolved in a satisfactory manner.
However, the Assistant Commissioner expressed grave concern that allegations of violations of privacy laws made against a major online company operating throughout Canada were determined to be well-founded, even several years after the passing of PIPEDA.
The Assistant Commissioner stated that online companies operating in Canada must implement measures to ensure compliance with PIPEDA. In particular, they must observe the following:
- If businesses collect their customers’ personal information with the intent of disclosing it to third parties for use in marketing and other secondary purposes, their customers must be explicitly informed and be provided a clear opt-in or opt-out opportunity to consent to the disclosure and use before payment is made. The customers’ choice to opt in or opt out of information sharing must neither advantage nor disadvantage them with respect to other customers obtaining or seeking to obtain the same service.
- Businesses are responsible for protecting their customers’ personal information, by contractual or other means, which has been transferred to a third party for processing. The level of protection must be comparable with that provided by the business that collected the information.
- Regardless of whether customer requests are issued on paper, in person, by telephone or via a web site, businesses must effectively communicate to customers in the same consistent manner their practices and policies regarding personal information collection, disclosure and use.