Ticketmaster Canada Limited revised its policies and practices with respect to PIPEDA to protect customers’ personal information

PIPEDA Case Summary #2008-388

[Principles 4.1.3, 4.3, 4.3.2, 4.3.3, 4.5, 4.8.1, 4.9, 4.9.3 of Schedule 1]

February 12, 2008


Synopsis:

The findings confirmed the complainant’s allegations that 1) Ticketmaster’s (TM) privacy policy was confusing and inconsistent, and 2) customers did not have fair opportunities to provide informed consent to its routine collection of their personal information, nor to its disclosure to and use by third parties for secondary marketing purposes. Our investigation shed direct light on two illicit information-collecting practices:

  • that of TM not informing its customers in a consistent manner (in some cases, not at all) that their personal information would be disclosed to and used by third parties for marketing, and;
  • that of devising and manipulating the on-line sales transaction in such a way that there was effectively no viable option for customers who did not wish TM to share their personal information.

We strongly recommended that TM correct these two unacceptable collecting practices, as well as revise its privacy policy. TM adopted and instituted these recommendations. Consequently, TM’s customers now are more consistently informed during sales transactions of the information-sharing policies and how they affect them, and they now also have an acceptable opt-in opportunity (e.g., a check box, if purchasing on-line), via which they may clearly, and in an informed way, consent to TM sharing their personal information for secondary marketing purposes.


Ticketmaster Canada Limited is an enterprise headquartered in the United States whose main commercial activity is selling tickets on behalf of event providers (e.g., venues, concert promoters, sports teams and leagues, etc.) for events held in Canada. In doing so, it routinely collects the personal information of its customers for its own use and for use by other parties.

A private citizen complained that TM was allowing personal information to be used for marketing purposes by some parties. According to the complainant, customers were not properly informed of this practice nor provided a viable alternative during on-line or telephone purchases if they did not wish to share their information. The complainant alleged that the policies and practices of the company with regard to the collection, use and disclosure of the customers’ personal information contravened the principles of access, openness, accountability and consent of Schedule 1 of PIPEDA (the Act).

Summary of Investigation

I. The complainant believed that TM’s privacy policy was complicated and overly long. It thereby failed the test of openness.

The policy did not clearly state how TM collected, used and disclosed its customers’ personal information. The company’s practices of sharing a customer’s personal information with other parties were inconsistent and depended on factors such as the geographic location of the customer (i.e., United States or Canada), the kind of customer information provided and whether the transaction was initiated on-line or by telephone. TM routinely collects customer personal information for the event providers as per contractual agreements, but its policy did not indicate if there were limits on the ways that these parties could ultimately use customer information.

Our Office recommended to the organization that it significantly revise its privacy policy. The revised policy would have to unequivocally uphold Principle 4.8.1 of the Act.

Principle 4.8.1 requires organizations to be open about their policies and practices with respect to the management of personal information. Individuals shall be able to acquire information about an organization’s policies and practices without unreasonable effort. This information shall be made available in a form that is generally understandable.

As a result of this investigation, TM agreed that it needed to overhaul its privacy practices. A new policy now communicates what personal information is collected, how the information is used and with whom it is shared. It is now easier to read and is more transparent. It was re-posted on TM’s web site on October 8, 2007, and is available by hard copy upon request.  

The Assistant Commissioner concluded that the openness complaint was well-founded and resolved.

II. The complainant believed that TM showed a general lack of accountability in the way it handled customers’ personal information when such information was disclosed to third parties: event providers, service providers and merchants (the latter group via their on-line pop-up special offers).

As evidence of poor accountability, the complainant referred to the company’s official policy, in which TM disclaimed any responsibility for the security of personal information disclosed to its third parties. The complainant believed that TM was in violation of Principle 4.1.3 of the Act because of this disclaimer.

Principle 4.1.3 stipulates that an organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The principle adds that an organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.

TM explained to our Office that it is contracted by event providers to sell tickets on their behalf and that it also collects customer personal information for them. With regard to information protection, our Office determined that, in fact, TM has contracts in place that require event providers to use customers’ personal information in compliance with applicable laws as well as with their own privacy policies. Event providers are also required to implement and maintain security procedures and practices to protect customers’ personal information from unauthorized access, destruction, use, modification or disclosure.  TM’s service providers (e.g., delivery services and credit card companies) also have similar contractual agreements with TM to safeguard the information they receive.   

Regarding its merchants, TM stated that when customers decided to engage in Merchants’ Special Offers (available only on TM’s web site, by clicking on a pop-up box advertising an offer), customers are in essence authorizing TM to provide their contact information (e.g., e-mail address) to these merchants. The advertising merchant’s own privacy policy and practices would then apply to the use of the individual’s personal information which has been collected. The Assistant Commissioner concurs and believes that TM cannot be expected to ensure that customers’ personal information will be safeguarded by merchants if these customers have decided to participate in the merchants’ offers or programs.

Thus, although TM’s original policy and the notices to customers when they bought tickets did not spell out how personal information was protected, the Assistant Commissioner concluded that the accountability complaint was not well-founded since adequate protection was actually in place where it was needed. TM’s revised privacy policy is now consistent and clearly states that safeguards are in place.

III. The complainant asserted that express and informed customer consent was not sought by TM in all circumstances.

Principle 4.3 states that knowledge and consent are required for the collection, use, or disclosure of personal information, except where inappropriate.

The complainant argued that TM collected personal information as a condition of service and without clearly providing opt-out options to customers who did not want their personal information shared for promotional or marketing purposes. For example, customers filling out the on-line registration form prior to buying tickets were advised in real time that by clicking on the “Submit Order” button, they were consenting to TM’s policy of sharing purchasers’ e-mail addresses with venues, teams, artists’ representatives, fan clubs, promoters and sports leagues, who would later contact them by e-mail or other means for marketing purposes. These customers were also informed that third parties could, in turn, use and disclose the collected information in other ways, subject to the parties’ own privacy policies. Although customers were advised that they could contact the third parties to learn how these organizations might use their personal information, customers were not informed that, in most cases, the personal information collected is retained in the United States and is subject to American law.

Our investigation established that TM provided no alternate way or real-time suggestions to internet customers who wanted to proceed with their purchases on-line but did not wish to consent to information sharing. For this reason, our Office concluded that, in contravention of the Act, TM made consent to the disclosures of personal information for secondary marketing purposes a condition of service.

Under Principle 4.3.3 of the Act, an organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes.

Secondly, we investigated how, or even if, a customer purchasing a ticket was warned that her or his personal information would be shared. We determined that TM’s practices were inconsistent in the way they informed customers of their options. Hence, this Office recommended that more consistent practices be used since it was clear that customers buying their tickets by telephone were given less information about third-party disclosure than those buying on-line. For customers who did not want to provide personal information during the sales transaction, TM only offered the option of purchasing in person from the event provider or at TM’s in-store outlet, although it was not easy to find this opt-out option in the company’s privacy policy.

When customers telephoned TM during business hours, and prior to a ticket agent answering, an automated message simply informed the callers that any information given to the agent would be subject to TM’s privacy policy. The onus was placed upon the customer to read the policy on-line and thereby discover that her or his personal information would likely be disclosed for marketing purposes. We were also concerned that when the automated ticket agent answered telephone calls after business hours, the message was not played to customers at all. On-line purchasers were comparatively better informed in real time of the likelihood of information sharing.

Principle 4.3.2 requires “knowledge and consent.” It states that organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.

Further, the Assistant Commissioner noted that, if telephone customers did not have internet access, they could not read the privacy policy, limiting their ability to understand what would happen to their personal information. Neither telephone nor on-line customers were able to give adequately informed consent prior to purchase with regard to the disclosure and use of their personal information.

Consequently, this Office recommended modifications to TM’s on-line notifications and call-centre telephone scripts, to improve transparency and consistency where customer consent is concerned.  TM’s customers now can choose to opt in or not to receiving marketing and other material from TM and its event providers. For example, TM’s on-line customers can opt in by checking off a box before their ticket payment is remitted. If customers do not check off the box, event providers (who are obligated by contractual agreement to comply) will not market these customers. For purchases by telephone, TM now uses scripts that provide customers with an option to receive marketing information from event providers. A ticket agent now explains the option and requests verbal customer consent, while automated telephone transactions invite the customer to press the # key on their phone pad to opt in. Under TM’s revised policy and practices, customers can now provide informed consent and are no longer subject to marketing as a condition of service to buy tickets.  

The Assistant Commissioner concluded that the consent complaint was well-founded and resolved.

IV. The investigation of the complaint concerning alleged difficulty of customer access to personal information (Principles 4.9, 4.9.3 and 4.5).

The investigation established that TM was clearly able to respond to requests for access to personal information, but that it only retained personal information up until the date of the event, unless the customer opens a MyTicketmaster account. The Assistant Commissioner noted that the Act is silent on the length of time that personal information should be retained, but Principle 4.5 indicates that personal information shall be retained only as long as necessary for the fulfillment of the purposes for which it was collected, except with the consent of the individual. Once the event is over, the ticket purchase information is no longer required by TM. Opening a MyTicketmaster account is tantamount to providing this consent for a longer retention period.

The Assistant Commissioner thus concluded that the access complaint was not well-founded.

Conclusion

Once these complaints were brought to the attention of the company in this investigation and the investigation carried out by the Office of the Information and Privacy Commissioner of Alberta, the complaints were resolved in a satisfactory manner.

However, the Assistant Commissioner expressed grave concern when she discovered that allegations of violations of privacy laws made against a major on-line company operating throughout Canada were well-founded several years after the passing of the Act.

She stated that on-line companies operating in Canada must implement measures to ensure compliance with PIPEDA. In particular, they must observe the following:

1) If businesses collect their customers’ personal information with the intent of disclosing it to third parties for use in marketing and other secondary purposes, their customers must be explicitly informed and be provided a clear opt-in or opt-out opportunity to consent to the disclosure and use before payment is made. The customers’ choice to opt in or opt out of information sharing must neither advantage nor disadvantage them with respect to other customers obtaining or seeking to obtain the same service.

2) Businesses are responsible for protecting, by contractual or other means, their customers’ personal information that has been transferred to a third party for processing. The level of protection must be comparable with that provided by the business that collected the information.

3) Regardless of whether customer requests are issued on paper, in person, by telephone or via a web site, businesses must effectively communicate to customers in the same consistent manner their practices and policies regarding personal information collection, disclosure and use.

4) A business’s privacy policy must be easily accessible by any individual, and organized and written in such a way that knowledge of any of the business’s personal information management practices can be acquired without unreasonable effort.
