Marketing firm accused of improper disclosure of survey information
PIPEDA Case Summary #2002-91
[Principles 4.1, 4.2.3, 4.3, 4.3.2, 4.3.4, 4.3.5, 4.4, 4.4.2, 4.8, and 4.8.2, Schedule 1]
An individual alleged that a marketing firm, which conducts consumer product surveys, improperly discloses the personal information of survey respondents. The complainant raised three specific concerns regarding the surveys:
- whether the company adequately specifies the extent to which personal information collected is disclosed for marketing purposes or whether the company misleads or deceives individuals as to the purpose of collection;
- what type of consent arrangement (opt-in versus opt-out) is used on the survey forms and the appropriateness of the arrangement given the sensitivity of the information in question; and
- whether the company clearly informs the public of its personal information management policies and practices.
Summary of Investigation
- In the surveys, sent to households across the country, there is a general information section that requests from the respondent such information as age, marital status and income of householders. In addition to this section, personal information, dealing with health and personal finances, is also solicited in the survey proper.
- The survey materials do not explicitly mention any intention to disclose personal information from the survey to any third parties for marketing purposes. Companies commissioning the surveys are not identified. The materials explain purposes only in terms of fact-finding, opinion gathering, and product quality improvement.
- The survey materials offer "bonuses" of coupons and discounts as rewards for completing a survey, but give no clear indication that such bonuses will come from any source other than the marketing firm itself.
- The survey form seeks consent for further mailings and offers. The consent mechanism is presented as one of the general information questions, which are designated as optional, and consists of a statement followed by both a "Yes" and a "No" check-off box. It is not made clear whether the mechanism is meant to be a positive (opt-in) or negative (opt-out) form of consent or how the company would treat the case where a respondent omitted to check off either box. The statement itself is vague and open-ended, with no indication that the further mailings and offers in question would come from third parties to whom the company had disclosed the survey information.
- The company acknowledges that a significant number of respondents do not address the consent mechanism in any way. In such cases, the company's practice is to disclose to third parties, but only such personal information as it deems to be non-sensitive. However, the survey materials do not distinguish between sensitive and non-sensitive information. Also, commissioning companies may ask for survey information according to specific criteria - e.g., the names and addresses of respondents claiming a household income above a certain level. In such cases, though the information provided may be non-sensitive in itself (i.e., names and addresses), the context clearly renders it sensitive.
- The package provides no information on how to withdraw consent, or even that it is possible. No telephone number or e-mail address is provided to respondents regarding any concerns or questions that they may have. The company's website is not referred to in the survey package. No company representative is mentioned. Indeed, at the time of the complaint, no individual had been designated as accountable for the organization's compliance under the Act.
- The policy also indicates that respondents may withdraw consent by e-mail or postal mail and that participating companies are regularly updated on survey respondents who no longer wish to participate. However, no toll-free telephone number is provided, nor is any company representative identified by either name or position title as being responsible for privacy-related matters and inquiries.
Issued November 22, 2002
Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies not only to any federal work, undertaking, or business, but also to any organization that discloses personal information across borders for consideration. The Commissioner had jurisdiction in this case because this company falls into the latter category.
Application: Principle 4.1 states that an organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles. Principle 4.2.3 states that the identified purposes should be specified at or before the time of collection to the individual from whom the personal information is collected. Principle 4.3 states that knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.3.2 stresses that knowledge is required as well as consent and states that organizations must make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used; for consent to be meaningful, purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed. Principle 4.3.4 states in part that, in determining the form of consent to use, organizations shall take into account the sensitivity of the information. Principle 4.3.5 states that, in obtaining consent, the reasonable expectations of the individual are relevant.
Principle 4.4 states in part that information must be collected by fair and lawful means. Principle 4.4.2 clarifies that the foregoing requirement is intended to prevent organizations from collecting information by misleading or deceiving individuals about the purpose for which information is being collected. Principle 4.8 states that an organization must make readily available to individuals specific information about its policies and practices relating to the management of personal information. Principle 4.8.2 states that the information made available must include, among other things, the name or title, and the address, of the person who is accountable for the organization's policies and practices and to whom the complaints or inquiries can be forwarded.
The Commissioner found the complainant's expectations as outlined in the complaint to be reasonable and in keeping with the Act.
The Commissioner determined that the company did not adequately specify the extent to which personal information was to be used for marketing purposes. The survey materials did not make it clear that the respondent's personal information was intended to be disclosed to third parties for marketing purposes. The Commissioner did not consider these materials a reasonable effort on the company's part to inform individuals of the purposes for which their personal information was gathered.
Since the company had failed to meet the requirement for the individual's knowledge through Principles 4.2.3 and 4.3.2, he determined that it did not obtain valid informed consent of individual respondents to the collection, use or disclosure of their personal information via the surveys. The Commissioner therefore found it in contravention of Principle 4.3.
The Commissioner determined that the check-off arrangement provided on the survey forms was vague, not prominently placed, and ambiguous as to the form of consent that it sought. The Commissioner is already on record as having concluded that any personal information may be sensitive in a given set of circumstances. He therefore could not accept the company's practice of disclosing information it deemed to be non-sensitive in cases where a survey respondent did not indicate either "Yes" or "No" to such disclosure. He considered the consent arrangement inappropriate given the potential sensitivity of the personal information in question. He therefore found that the company was not in compliance with Principle 4.3.4.
Given that at the time of the complaint the company did not have a representative accountable for the organization's compliance with the Act, and that specific information about the company's privacy-related policies and practices was not readily and reasonably available, the Commissioner found that the company did not meet its obligations under Principles 4.1, 4.8, and 4.8.2.
He therefore concluded that the complaint was well-founded.
The Commissioner made the following four recommendations to the company that would bring it into compliance with the Act:
- The company should take appropriate steps to specify purposes clearly and fully in its survey materials so that individuals may reasonably understand, at the time of responding to a survey, the manner in which and extent to which their personal information will be used or disclosed. The company should identify third parties to which it intends to disclose personal information and the uses those parties may make of the information.
- The company should improve its consent mechanism for direct marketing by third parties by placing the mechanism more prominently on the survey form, by clarifying the language so as to indicate that direct marketing is the purpose and that third parties are the marketers, and by resolving the ambiguity about the form of consent in question. Given the sensitivity of the information collected, strict opt-in consent should be used.
- The company should take appropriate steps to bring itself into compliance with all requirements under Principle 4.1 (Accountability) and Principle 4.8 (Openness). These steps should include designating a representative to be responsible for the company's compliance with the Act and identifying that individual by name or title and contact particulars in the survey materials distributed to households.
- The company should clearly indicate in its survey materials the opportunity for respondents to withdraw consent to uses and disclosures of their personal information and a method whereby such withdrawal may be executed easily, immediately, and inexpensively. The method should include a toll-free telephone number.