Company collecting consumer personal information without identifying purposes halts practice and implements privacy policies and practices

PIPEDA Case Summary #2005-300

(Principles 4.1, 4.1.4(d), 4.2 and 4.4 of Schedule 1)

Complaint

An individual complained that a company was collecting personal information of consumers without consent and without identifying the purpose for the collection and use of the information. He also alleged that the company did not have a privacy policy in place.

Summary of Investigation

After unpacking a product he had just purchased, the complainant noticed a label stating "For important product information call before using (a telephone number appeared here)." When he called the number, an automated attendant asked him to provide the model number of the device, his name, address, home and work telephone numbers, his employer's name, and where he purchased the unit.

As a result of the complaints, the company instituted some changes with respect to the label asking consumers to call the company. Specifically, the Canadian division of the company removed the sticker add-ons, which directed consumers to call for warranty registration, from products leaving the manufacturer. The company did so as it could not at the time be reasonably assured that the information would be handled in accordance with Canadian privacy legislation (the information was being gathered by a U.S.-based company). The company also reviewed all warranty and registration cards for its various divisions.

As for the labels already on in-store products, the company indicated that if a consumer called the toll-free number, the company would not collect personal information from the caller.

As a result of the complaints, the company also implemented a privacy policy and designated a privacy representative.

Findings

Issued April 29, 2005

Application: Principle 4.1 states that an organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the principles; Principle 4.1.4 (d) stipulates that organizations shall implement policies and practices to give effect to the principles, including developing information to explain the organization's policies and procedures; Principle 4.2 requires that the purposes for which personal information is collected be identified by the organization at or before the time the information is collected; and Principle 4.4 states that the collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

In making her determinations, the Assistant Privacy Commissioner deliberated as follows:

  • It was clear that the company was attempting to collect the complainant's (and other consumers') personal information without properly identifying its purposes, contrary to Principles 4.2 and 4.4.
  • It was also the case that the company did not have a privacy policy in place at the time the complainant purchased the product, in contravention of Principles 4.1 and 4.1.4(d).
  • The company did not follow up with the complainant when he contacted it.
  • However, as a result of the complaints, and the Office's investigation, the company made a number of necessary changes to comply with the Personal Information Protection and Electronic Documents Act (the Act). It removed the labels on new products. For those that still have the labels, the company will no longer collect personal information from customers who call in. The company also implemented a privacy policy and designated an official who will be responsible for ensuring the company's compliance with the Act. The Assistant Commissioner reminded the company, however, that it must respond to privacy complaints when they are brought to its attention.

The Assistant Commissioner therefore concluded that the complaint was resolved.
