Company collecting consumer personal information without identifying purposes halts practice and implements privacy policies and practices
PIPEDA Case Summary #2005-300
(Principles 4.1, 4.1.4(d), 4.2 and 4.4 of Schedule 1)
Summary of Investigation
After unpacking a product the complained had just purchased, he noticed a label stating "For important product information call before using (a telephone number appeared here)." When he called the number, an automated attendant asked him to provide the model number of the device, his name, address, home and work telephone numbers, his employer's name, and where he purchased the unit.
As a result of the complaints, the company instituted some changes with respect to the label asking consumers to call the company. Specifically, the Canadian division of the company removed product sticker add-ons on products leaving the manufacturer, directing consumers to call for warranty registration. The company did so as it could not at the time be reasonably assured that the information would be handled in accordance with Canadian privacy legislation (the information was being gathered by a U.S-based company). The company also reviewed all warranty and registration cards for its various divisions.
As for the labels already on in-store products, the company indicated that if a consumer called the toll-free number, the company would not collect personal information from the caller.
Issued April 29, 2005
Application: Principle 4.1 states that an organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the principles; Principle 4.1.4 (d) stipulates that organizations shall implement policies and practices to give effect to the principles, including developing information to explain the organization's policies and procedures; Principle 4.2 requires that the purposes for which personal information is collected be identified by the organization at or before the time the information is collected; and Principle 4.4 states that the collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
In making her determinations, the Assistant Privacy Commissioner deliberated as follows:
- It was clear that the company was attempting to collect the complainant's (and other consumers') personal information without properly identifying its purposes, contrary to Principles 4.2 and 4.4.
- The company did not follow up with the complainant when he contacted it.
The Assistant Commissioner therefore concluded that the complaint was resolved.
- Date modified: