Application form asks for consent to open-ended collection, use and disclosure of personal information
PIPEDA Case Summary #2003-184
[Principles 4.3, 4.3.2 and 4.3.3 of Schedule 1]
An individual complained that the consent clause on a bank's credit card application form was asking customers to consent to the open-ended collection and disclosure of their personal information. The complainant also objected to the vague wording of the consent to use the customer's social insurance number, and noted that the field where the SIN is collected does not indicate that its provision is optional.
Summary of Investigation
After reviewing the complainant's concerns and the previous findings in related cases, the bank agreed to modify the language of its consent clauses. It specifically agreed to ensure that the consent clause specifies that providing the SIN is optional and that it is only used to match the applicant's information with the correct credit bureau file, if provided.
The bank did not provide a firm commitment with respect to the wording that it would adopt. It indicated that it would take six to eight months to implement changes to the application form. The Commissioner advised the bank that he was pleased with its commitment to undertake a comprehensive review of the language of its consent clauses.
Issued July 10, 2003
Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because a bank is a federal work, undertaking or business as defined in the Act.
Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.3.2 establishes that organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed. Principle 4.3.3 specifies that an organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes.
In making his findings, the Commissioner referred to an earlier finding regarding the same application form. In that finding, it was determined that the application form did not represent a reasonable effort on the bank's part to ensure that the individual customer is advised of the purposes for which his or her personal information will be used or disclosed. The wording was deemed to be so broad as to virtually preclude understanding, unless the individual is to understand that the bank intends to use personal information however it sees fit and disclose it to whomever it may see fit. The wording was found to be legalistic, and as it was printed in minuscule lettering, difficult to read and understand.
Given that the language of the application form had not changed since this finding, the determinations remained unchanged. The Commissioner thus found that the bank was in contravention of Principles 4.3, 4.3.2 and 4.3.3.
As for the matter of providing SINs, the Commissioner referred to another recent finding with respect to a different bank's credit card application form. In that case, the focus was on the fact that this form did not clearly indicate that providing the SIN for identification purposes was optional. It was determined that the bank had not made a reasonable effort to ensure that the customer was adequately informed of this and, as a result, was not obtaining valid, meaningful consent.
In light of this finding, the Commissioner determined that the bank in this particular case is similarly not obtaining meaningful consent and is therefore in contravention of Principles 4.3 and 4.3.2.
The Commissioner concluded that the complaint was well-founded. He was pleased to note that the bank had committed to a review of the language of its consent clauses.
The Commissioner suggested the bank change the wording of its consent clause to ensure that it:
- explicitly specifies the purposes of and sources for the collection of personal information;
- limits the type of information that is collected and disclosed; and
- clearly indicates in the field for the SIN that its provision is optional.