New credit card customers required to consent to use or disclosure of personal information for secondary marketing purposes

PIPEDA Case Summary #2003-238

[Principles 4.3, 4.3.3, and 4.3.5 of Schedule 1]

Complaint

An individual complained that a bank was requiring new customers to consent to the use or disclosure of their personal information for the secondary purpose of marketing — a purpose indicated as optional on the credit card application form.

Summary of Investigation

The complainant received a credit card offer in the mail. While he wanted to take advantage of the benefits offered by the card, he was concerned about the wording of the agreement on the form. At issue was a consent clause that indicated: (1) that the bank might use or disclose the client's personal information for secondary marketing purposes; (2) that consent to such purposes was optional; (3) and that if the applicant opted out, it would take eight weeks for such a request to take effect. The complainant did not want his personal information disclosed to other companies that might use it to market their products to him during the eight-week period.

The bank indicated that when a customer makes a request to opt out of secondary marketing, it registers their wishes and provides this information to the company that prepares its marketing lists. However, the bank explained that, given the different production timelines of various mail and telemarketing campaigns, it could take up to 90 days after the opt-out request had been made for all such marketing to cease. Therefore, had the complainant chosen to apply for the card and simultaneously requested to have his name removed from marketing lists, his request would have been registered, but he would have continued to receive telephone calls and direct mail promoting a variety of banking products for a period of time.

In response to the Office's suggestion that it modify its business practices so that an opt-out request from a prospective customer could take effect immediately, the bank indicated that this would not be possible. It explained that a customer should have the benefit of seeing the various products and services a relationship with the bank makes possible before individualized opt-out requests are processed.

Findings

Issued December 4, 2003

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to any federal work, undertaking, or business. The Assistant Privacy Commissioner had jurisdiction in this case because a bank is a federal work, undertaking or business as defined in the Act.

Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.3.3 provides that an organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes. Principle 4.3.5 obliges us to consider the reasonable expectations of the individual in obtaining consent.

In a previous complaint against the same bank, the Office determined that the bank had failed to obtain the meaningful consent of its customers to its practice of using their personal information for the secondary purpose of marketing. Among its conclusions, the Office stated that, by not providing a means of withdrawing consent to secondary marketing, the bank was in effect requiring individuals to agree, as a condition of the supply of a product or service, to the collection, use, and disclosure of information beyond that required to fulfil explicitly specified purposes. To rectify this, the Office recommended that the bank take steps to meet the reasonable expectations of its customers for an immediate, easy and inexpensive method of withdrawing consent. In response the bank publicized its toll-free number for withdrawing consent.

In this case, while the Assistant Commissioner acknowledged that the method adopted by the bank was easy and inexpensive, it could not be construed as immediate. She agreed with the complainant that most new applicants would reasonably expect that their desire to opt out would be honoured at the time of applying for the new card — not in eight weeks time (or 12, as the case may be). She thus found that the bank was not meeting the new applicants' reasonable expectations, as provided under Principle 4.3.5. She also determined that, as a result of this delay, the bank was requiring, for the first eight weeks, that all new account holders consent to the use or disclosure of their personal information for a secondary purpose as a condition of obtaining the product. Thus, she found that the bank was still not providing for the meaningful consent of new applicants, contrary to Principles 4.3 and 4.3.3.

The Assistant Commissioner concluded that the complaint was well-founded.

Further Considerations

The Assistant Commissioner recommended that the bank modify its business practices to ensure that the decision of new customers to opt out of the use or disclosure of their personal information for the secondary purpose of marketing is put into effect immediately, at the time they apply to become a cardholder.