Air Canada allows 1% of Aeroplan membership to "opt out" of information sharing practices
PIPEDA Case Summary #2002-42 (Update)
[Principles 4.1.3, 4.1.4, 4.2.4, 4.3, 4.3.1, 4.3.4, 4.3.5, 4.3.6, 4.5, Schedule 1; and sections 5(3) and 7]
Five individuals filed similar complaints about Air Canada's method of obtaining consent for information sharing under its Aeroplan Frequent Flyer Program (Aeroplan). All five complained that Air Canada was putting the onus on individual plan members to "opt out" of its practice of sharing personal information with external sources. Four of the five also complained that Air Canada had allowed itself too much time to process members' opt-out requests.
Summary of Investigation
In June 2001, Air Canada distributed to 60,000 of the 6 million Aeroplan members a brochure entitled "All about your privacy". The brochure presents five situations in which plan members' personal information may be shared (i.e., collected, used, or disclosed) under the program, among Air Canada, its affiliates and partners, and other organizations. The brochure's recipients are asked to check off the opt-out box beside the situation description if the member does not want Air Canada to share his or her personal information in the manner described. It is then left up to each member to mail the brochure back to Air Canada. The brochure notes that it may take Air Canada up to four months to process members' opt-out requests; in fact, the processing system Air Canada intended to use was not expected to be functional until seven months after the brochure was published.
According to the first situation described in the brochure "Information of interest from Aeroplan partners", Air Canada or any member the Air Canada family provides mailing lists to Aeroplan partners so that they may send to plan members information of possible interest, notably on special promotions and offers of "exclusive products and services tailored to [a member's] interests and needs".
The second situation is "Information of interest from companies outside of the Aeroplan program". Here Air Canada provides mailing lists to non-Aeroplan partner companies. The reason for doing this is the same as described above in the first situation. Neither the brochure nor the Aeroplan Member Guide names the companies.
The third situation described is entitled "Exchange of information within the Air Canada Family", but the description is extremely vague and confusing as to the nature and purposes of the exchange in question. On inquiry, Air Canada explained that its third situation is actually a "forward-thinking strategy". By seeking consent in a deliberately vague and open-ended manner, Air Canada was attempting to avoid the requirement for consent in future organizational configurations of Aeroplan. However, the description provides no information whereby the plan member could know to what in particular he or she was consenting.
In the fourth situation described, Air Canada collects, from "external sources" unidentified in the brochure, information about members' personal or professional interests, demographics, and use of or preference for certain products and services. In the fifth situation described, Air Canada collects personal financial information, from likewise unidentified external sources, to determine members' eligibility for specific financial products and services. Half of the 60,000 selected recipients were given a different version of the brochure, in which the fifth situation was omitted.
The investigation determined that, regardless of whether external parties were implicated or not, all five of the described information-sharing situations afforded significant potential for customizing or "tailoring" of personal information to plan members' personal or professional interests and preferences.
The "Aeroplan Member Guide", the enrolment document issued to all plan members, indicates that members will receive information about special promotions, new services, et cetera, but does not indicate what personal information will be used, how it will be used, or that it will be disclosed or collected outside the organization. In fact, the guide indicates to the contrary, as follows: "Personal information will be given only to the holder of the membership, .".
Before distributing its privacy brochure, Air Canada had already disclosed Aeroplan members' personal information under the first three situations described and had collected members' personal financial information from at least one external source under the fifth situation. In administering Aeroplan mailing lists, Air Canada employs direct-mailing houses as agents, but does not yet have confidentiality agreements in place with some of the direct-mailing houses it employs.
Air Canada offered several reasons for its decision to use "opt-out" or negative consent rather than "opt-in" or positive consent for its information-sharing practices. Its main contention was that managing an enrolment program requiring opt-in consent from 6 million members would be impossible, given the prohibitive costs of mailing and processing. Air Canada also contended that it is the responsibility of plan members to read the Aeroplan Member Guide for instruction in how their personal information is used.
Issued March 11, 2002
Jurisdiction: As of January 1, 2001, PIPEDA applies to federal works, undertakings, or businesses. The Commissioner had jurisdiction in this case because Air Canada is a federal work, undertaking, or business, as defined in the Act.
Application: Principle 4.1.3 requires an organization to use contractual or other means to protect personal information being processed by a third party. Principle 4.1.4 requires an organization to establish procedures to receive and respond to complaints and inquiries. Principle 4.2.4 requires an organization to identify the new purpose and obtain the consent of the individual where it intends to use personal information for a purpose not previously identified. Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information. Principle 4.3.1 stipulates that consent for use or disclosure should normally be sought at the time the information is collected and in any case before it is used. Principle 4.3.4 states that, although the form of consent may vary, an organization must take the sensitivity of the information into account in determining what form to use. Principle 4.3.5 states that, in obtaining consent, the reasonable expectations of the individual are relevant. Principle 4.3.6 stipulates that express consent should be sought in cases of sensitive information, but that implied consent would be appropriate for cases of less sensitive information. Principle 4.5 states that personal information must not be used or disclosed for purposes other than those for which it was collected without the individual's consent. Section 5(3) states that an organization may collect, use, or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances. Sections 7(1) through 7(5) specify exceptional situations in which the knowledge and consent of the individual are not required.
On the issue of the need for consent, the Commissioner considered the following facts compelling:
- Before distributing its privacy brochure, Air Canada had already made a practice of using and disclosing Aeroplan members' personal information among its affiliates, partners, and agents and had collected members' personal financial information from at least one external source.
- The standard enrolment document "Aeroplan Member Guide" provides no instruction whatsoever on Air Canada's information-sharing practices and, in fact, gives a strong indication that information is not shared under the Aeroplan program.
The Commissioner concluded that the privacy brochure distributed in June 2001 marked the first and sole instance in which Air Canada had undertaken to inform Aeroplan members that their personal information is shared with third parties and to seek consent for its information-sharing practices. Regarding Air Canada's undertaking to seek consent by means of the brochure, the Commissioner noted that the brochures had been sent out to only 1% of plan members. Remarking that the Act does not allow for token compliance, he found the attempt at seeking consent to have been grossly inadequate.
In sum, he determined that Air Canada had not informed plan members that their personal information had previously been collected, used, and disclosed for purposes other than that for which it had been originally collected and that Air Canada had not sought consent for such additional collection, use, and disclosure. He also determined that a reasonable person would not have expected Air Canada to collect, use, or disclose personal information without consent and subsequently would not have considered it appropriate for Air Canada to seek consent from only 1% of the Aeroplan membership. The Commissioner found therefore that Air Canada had not met its obligations under Principles 4.2.4, 4.3., 4.3.1, and 4.5 of Schedule 1 and section 5(3) of the Act.
On the issue of the appropriate form of consent, the Commissioner noted that an organization must take the sensitivity of the information into account in determining the form of consent to use. He expressed concern about the potential, in each of the five information-sharing situations, for use and disclosure of information customized according to individual plan members' purchasing habits and preferences. He determined that information of this kind is sufficiently sensitive to warrant obtaining positive or "opt-in" consent, as opposed to negative or "opt-out" consent, from the individuals concerned. Although in the Commissioner's view the practice of using plan members' information for purposes of advertising products, services, and special promotions remains unobjectionable in itself, he was satisfied that a reasonable person would not expect such practice to extend to the "tailoring" of information to the individual's potentially sensitive personal or professional interests, uses of or preferences for certain products and services, and financial status, without the positive consent of the individual. The Commissioner found that Air Canada was not in compliance with Principles 4.3.4, 4.3.5, and 4.3.6.
With particular reference to the brochure's third situation, the Commissioner noted that, even with positive consent, the information-sharing practice described would not comply with the Act. He pointed out that Principle 4.3 requires the knowledge as well as the consent of the individual. He regarded the third situation's description as not being sufficiently conducive to knowledge on the part of the individual. It was so vague and open-ended as to render any consent invalid.
On the matter of the four-month processing period, the Commissioner noted that, in soliciting a possible 60,000 inquiries in the form opt-out requests, Air Canada should have had appropriate procedures in place for the reasonably expeditious processing of such requests. He noted also that, with its processing system not expected to be operational until 2002, Air Canada could probably not have handled the opt-out requests even in the generous time it had allotted itself. He found that Air Canada had not met the requirements of Principle 4.1.4.
Lastly, the Commissioner found that, since confidentiality agreements had not yet been made with some of the mailing houses employed under Aeroplan, Air Canada had failed to comply with Principle 4.1.3.
Thus finding Air Canada to be in contravention of all the relevant provisions of the Act, the Commissioner concluded that the complaint was well-founded.
The Commissioner made the following recommendations:
- Air Canada should inform all Aeroplan members as to the collection, use, and disclosure of their personal information.
- Air Canada should clearly explain to all Aeroplan members the purposes for the collection, use, and disclosure of their personal information. This is not done adequately in the current version of the "All about your privacy" brochure.
- Air Canada should seek positive (i.e., opt-in) consent from all Aeroplan members regarding all information-sharing situations outlined in the brochure.
- Air Canada should establish appropriate procedures for obtaining positive consent.
- Air Canada should execute appropriate agreements with all the direct-mailing houses it employs as agents to ensure that the personal information of Aeroplan members is protected in accordance with the Act.
- Air Canada should suspend all information-sharing activities in respect of the Aeroplan program until the Commissioner's other recommendations have been implemented. Air Canada must inform the Commissioner within 60 days of its plan of action to implement his recommendations.
In beginning his deliberation on the appropriate form of consent, the Commissioner commented as follows:
"...[L]ike most other privacy advocates, I have a very low opinion of opt-out consent, which I consider to be a weak form of consent reflecting at best a mere token observance of what is perhaps the most fundamental principle of privacy protection. Opt-out consent is in effect the presumption of consent - the individual is presumed to give consent unless he or she takes action to negate it. I share the view that such presumption tends to put the responsibility on the wrong party. I am also of the view that inviting people to opt in to a thing, as opposed to putting them into the position of having to opt out of it or suffer the consequences, is simply a matter of basic human decency.
"Accordingly, while acknowledging that the Act does provide for the use of opt-out consent in some circumstances, I intend, in this and all future deliberations on matters of consent, to ensure that such circumstances remain limited, with due regard both to the sensitivity of the information at issue and to the reasonable expectations of the individual. In other words, in interpreting Principle 4.3.7, I intend always to give full force to other relevant provisions of the Act, notably 4.3.4, 4.3.5, and 4.3.6 and section 5(3)."
Much to its credit, Air Canada took these findings and recommendations very seriously. With some guidance from the Commissioner's Office, in a process that the Office found to be both positive and productive, the company undertook to rethink and rewrite its information-sharing policy under Aeroplan. The Office reviewed the finished product and verified that the policy does now address the Commissioner's concerns in the following ways:
- It explains to Aeroplan members, in clear and understandable terms, the purposes for the collection, use, and disclosure of personal information under the program.
- It explains clearly that Aeroplan does not collect any details of the transactions whereby members accumulate points under the program.
- It specifies that Aeroplan does not provide individualized profiles of members to partner companies or other third parties, and further clarifies that any information provided to partners can be used only for purposes related to the Aeroplan program.
- It explicitly and clearly states that members who wish to have their personal information used only for redemption of Aeroplan points can so stipulate, and it identifies an easily-executable procedure for members to exercise this option.
As for the matter of consulting the full Aeroplan membership, Air Canada set out a very specific plan whereby all active members of the program would receive a copy of the revised policy with their next account statements. Moreover, the policy was to be made available on the Aeroplan website.
The Office has also confirmed that Air Canada now has appropriate confidentiality agreements in place with all agents it employs under Aeroplan.
All in all, the Office was satisfied that Air Canada had responded appropriately to the recommendations, and was pleased with the spirit of co-operation the company had shown.
- Date modified: