Alleged disclosure of personal information without consent for secondary marketing by a company
PIPEDA Case Summary #2002-78
[Principles 4.2.3, 4.3, 4.3.1, 4.3.2, and 4.3.5 of Schedule 1]
An individual complained that a company that discloses personal information across borders for consideration fails to obtain consent for the collection, use, or disclosure of personal information for secondary marketing purposes.
Specifically, the complainant alleged that the company does not bring to the attention of its customers its practice of using and sharing customer data with affiliates for secondary marketing purposes; it fails to provide clear information as to potential secondary uses and sharing of customer data; and it does not provide them with the opportunity to opt out of such uses and disclosures.
This is one of several similar complaints filed by the individual against a number of organizations. In brief, the complainant's position may be summarized as follows:
- With respect to secondary marketing purposes, it is always appropriate to ensure customers' knowledge and consent.
- Marketers and the marketed differ on the issue of what form of consent is appropriate.
- Companies should not only state purposes in a policy document, but also "bring to the attention" of the individual customer the practices in question and the option of withdrawing consent.
- Companies fall short of meeting this obligation in several ways:
(a) reliance on a document that has not been provided to the customer, but rather left up to the customer to find on his or her own initiative;
(b) reliance on fine print that has been buried in a long document;
(c) failure to use clear, plain language that is understandable to the ordinary customer;
(d) failure to provide customers with adequately detailed information about the extent and purpose of contemplated uses and sharing of their personal information; and
(e) failure to provide an easily executable opting-out procedure.
Summary of Investigation
The company is composed of a number of divisions, which are not separate corporate entities. One of these divisions is a frequent-buyer program that rewards members with points for purchases made from sponsors. The company acknowledges that it uses and discloses personal information about members for marketing purposes. The investigation confirmed that the personal information disclosed is limited and is only disclosed to sponsors of the program.
The company's privacy-related documents were examined. The investigation revealed the following:
- When a customer enrols in the program, consent is given either by signing the form, if in person; verbally, if over the telephone; or by clicking the appropriate box, if on-line.
- On the enrolment form, there is a privacy pledge, which clearly identifies the purposes of collecting, using, and disclosing personal information, describes the company's use of personal information for promotional activities, and specifies the restrictions under which it discloses personal information. A withdrawal option is also provided, which indicates that withdrawal must be done in writing.
- The wording of the privacy pledge is the same for both on-line and hard copy forms.
The investigation also reviewed the company's telephone script for enrolment and revealed the following:
- While the script does state the purposes, it contains none of the other privacy-related information that appears on the printed and on-line enrolment forms.
- The wording suggests that the applicant has no option to withdraw consent to any of the stated purposes.
The company also has a privacy commitment document, which is available both in brochure form and on its website. The company has sent out privacy-related information to its members in various forms, in whole or in part, since the Act came into force.
In sum, the company's position is that these materials form a sufficient basis for its customers' knowledge and consent.
Issued October 16, 2002
Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to any federal work, undertaking, or business, as well as to any company that discloses personal information across borders for consideration. The Commissioner has jurisdiction in this case because the company discloses personal information across borders for consideration.
Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.3.2 stresses that knowledge is required as well as consent and states that organizations must make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used; it further stipulates that, for consent to be meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed. Principle 4.3.5 states that, in obtaining consent, the reasonable expectations of the individual are relevant.
Though not specifically at issue in the complaint, two other provisions of the Act guided the Commissioner in his deliberations regarding the general position expressed by the complainant. These are Principle 4.2.3, which states in part that the identified purposes should be specified at or before the time of collection to the individual from whom the personal information is collected, and Principle 4.3.1, which states in part that an organization will typically seek consent for the use or disclosure of the information at the time of collection.
The Commissioner found the complainant's expectations as outlined in the complaint to be reasonable and in keeping with the Act.
In making his findings, the Commissioner was favourably impressed with the company's privacy-related communications effort in general. He noted, however, that the only means whereby the company endeavoured to inform customers during the subscription process of its disclosure practices are the pledge that appears in both the hard copy and on-line application forms and the telephone script. Only the pledge makes explicit reference to obtaining consent to terms and conditions via its application forms.
The Commissioner felt that the company's purpose statements were clear and understandable. The written application forms also advertised with reasonable clarity the opportunity for individuals to opt out of receiving marketing communications. He noted the absence of a toll-free telephone number or a check-off box on application forms that would make this option even more clear.
On the whole, the Commissioner was satisfied that the company has made a reasonable effort to inform customers of the secondary purposes of marketing.
However, he did make special mention of the telephone script and noted his concern that customers applying by telephone are not receiving the same information as those who use a written application form. The telephone script is not as clear or informative as the forms. It does not indicate that marketing purposes are optional and that consent to such purposes may be withdrawn.
With the exception of telephone applications, the Commissioner was satisfied that the communications materials, as well as the process of obtaining consent, constitute a reasonable effort to ensure that the individual is advised of the secondary purposes for which personal information will be disclosed. This serves as a valid basis for knowledge and consent. However, he determined that the problematic telephone script and the lack of a toll-free number to withdraw consent did not satisfy the requirements of Principles 4.3, 4.3.2 and 4.3.5 of Schedule 1 to the Act.
He therefore concluded that the complaint was well-founded.
The Commissioner recommended that the application forms include a check-off box for those who wish to withdraw consent to marketing or the company should provide a toll-free number for the same purpose.
He also recommended that the company revise its communications materials, notably the texts used in obtaining consent during the application process and the telephone script, to ensure clarity and consistency in the following respects:
- specifying the items or types of personal information it collects, uses and discloses for marketing purposes;
- defining its disclosure activities; and
- advertising the opportunity for program members to withdraw consent to marketing purposes and the method of doing so.