Bank complies with consent principles

PIPEDA Case Summary #2003-241

[Principles 4.3 and 4.3.3]

Complaint

Three individuals complained that their bank was not providing its credit cardholders with the opportunity to refuse to consent to certain collection and disclosure practices outlined in a revised cardholder agreement sent to clients.

Two practices were singled out for objection: (1) the collection of information from third parties regarding purchase details, such as flight numbers and arrival and departure times; and (2) the disclosure of personal information to such third parties as loyalty program providers.

Summary of Investigation

The bank receives information about corporate credit cardholder transactions, such as flight numbers and arrival times. Corporations request this information for the purpose of reconciling employee expense reporting. The bank, however, does not collect such information for consumer products.

The bank explained that, when it updated its card product technology to read the data for corporate cardholders, it decided to amend its cardholder agreement to reflect the fact that such data is collected. However, as it does not collect this data for consumer cardholders, it decided to remove this clause from all future consumer cardholder agreements and applications.

With respect to the bank's disclosure practices, it shares the following information with loyalty program providers:

  • Customer name, address and telephone number
  • Credit card number
  • Membership number
  • Points information

The bank pointed out that applicants for credit cards with loyalty programs cannot participate in the program and at the same time opt out of the disclosure of identifying and points information. Such information is needed to ensure that the cardholder receives the benefits of the program.

Findings

Issued December 4, 2003

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to any federal work, undertaking, or business. The Assistant Privacy Commissioner had jurisdiction in this case because a bank is a federal work, undertaking or business as defined in the Act.

Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.3.3 specifies that an organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes.

Regarding collection, since there was no actual collection of the consumer's personal information, the Assistant Commissioner determined that the bank had not contravened the consent provision, as set out in Principle 4.3. The Assistant Commissioner was nevertheless pleased that the bank had decided to change the wording of its agreement to more accurately reflect its current practice.

She concluded that the collection complaint was not well-founded.

Regarding disclosure, the Assistant Commissioner deliberated as follows:

  • In consideration of Principle 4.3.3, the purpose, specified in the agreement, of disclosing customer personal information is to ensure that the cardholder receives the points to which he or she is entitled under the loyalty program.
  • Such a purpose is legitimate, as well as logical — if one is applying for a credit card with a loyalty program attached to it, it follows that one's pertinent personal information must be shared with the loyalty program provider in order for the cardholder to enjoy the benefits of the program.
  • The information being disclosed is not excessive and is clearly for a legitimate purpose.
  • Should an individual not want his or her information shared in such a manner, or should he or she not want to become a member of a loyalty program, the bank still offers a variety of cards that do not have the loyalty component so that the individual may still obtain a credit card.
  • Thus, the Assistant Commissioner determined that the bank's consent practices conform to the requirements of Principles 4.3 and 4.3.3.

Accordingly, she concluded that the disclosure complaint was not well-founded.
