Alleged disclosure of personal information without consent for secondary marketing by a telecommunications company

PIPEDA Case Summary #2002-80

[Principle 4.3, Schedule 1; and Section 2]

Complaint

An individual complained that a telecommunications company fails to obtain consent for the collection, use, or disclosure of personal information for secondary marketing purposes.

Specifically, the complainant alleged that the company does not bring to the attention of its customers its policy of sharing customer data with affiliates for secondary marketing purposes, nor does it provide them with the opportunity to opt-out of such disclosure.

This is one of several similar complaints filed by the individual against a number of organizations. In brief, the complainant's position may be summarized as follows:

• With respect to secondary marketing purposes, it is always appropriate to ensure customers' knowledge and consent.
• Marketers and the marketed differ on the issue of what form of consent is appropriate.
• Companies should not only state purposes in a policy document, but also "bring to the attention" of the individual customer the practices in question and the option of withdrawing consent.
• Companies fall short of meeting this obligation in several ways:

  (a) reliance on a document that has not been provided to the customer, but rather left up to the customer to find on his or her own initiative;

  (b) reliance on fine print that has been buried in a long document;

  (c) failure to use clear, plain language that is understandable to the ordinary customer;

  (d) failure to provide customers with adequately detailed information about the extent and purpose of contemplated uses and sharing of their personal information; and

  (e) failure to provide an easily executable opting-out procedure.

Summary of Investigation

The company helps its customers develop communications infrastructures, including information technology functions. The company does not provide services to individual customers and therefore does not collect personal information about individuals.

Commissioner's Findings

Issued October 16, 2002

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act (the Act) applies to any federal work, undertaking, or business. The Commissioner has jurisdiction in this case because a telecommunications company is a federal work, undertaking, or business as defined in the Act.

Application: Section 2 of the Act states that personal information means information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization. Principle 4.3 of Schedule 1 to the Act states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

The information that the company deals with pertains to corporations - not "identifiable individuals". The Commissioner was satisfied that the company in question does not collect, use, or disclose the personal information of individuals. He, therefore, had no basis for making a determination in respect of Principle 4.3 of Schedule 1 to the Act.

Accordingly, the Commissioner concluded that the complaint was not well-founded.