Ticketmaster Canada Limited revised its policies and practices with respect to PIPEDA to protect customers’ personal information
PIPEDA Case Summary #2008-388
[Principles 4.1.3, 4.3, 4.3.2, 4.3.3, 4.5, 4.8.1, 4.9, 4.9.3 of Schedule 1]
February 12, 2008
- that of TM not informing its customers in a consistent manner (in some cases, not at all) that their personal information would be disclosed to and used by third parties for marketing, and;
- that of devising and manipulating the on-line sales transaction in such a way that there was effectively no viable option for customers who did not wish TM to share their personal information.
Ticketmaster Canada Limited is an enterprise headquartered in the United States whose main commercial activity is selling tickets on behalf of event providers (e.g., venues, concert promoters, sports teams and leagues, etc.) for events held in Canada. In doing so, it routinely collects the personal information of its customers for its own use and for use by other parties.
A private citizen complained that TM was allowing personal information to be used for marketing purposes by some parties. According to the complainant, customers were not properly informed of this practice nor provided a viable alternative during on-line or telephone purchases if they did not wish to share their information. The complainant alleged that the policies and practices of the company with regard to the collection, use and disclosure of the customers’ personal information contravened the principles of access, openness, accountability and consent of Schedule 1 of PIPEDA (the Act).
Summary of Investigation
The policy did not clearly state how TM collected, used and disclosed its customers’ personal information. The company’s practices of sharing a customer’s personal information with other parties were inconsistent and depended on factors such as the geographic location of the customer (i.e., United States or Canada), the kind of customer information provided and whether the transaction was initiated on-line or by telephone. TM routinely collects customer personal information for the event providers as per contractual agreements, but its policy did not indicate if there were limits on the ways that these parties could ultimately use customer information.
Principle 4.8.1 requires organizations to be open about their policies and practices with respect to the management of personal information. Individuals shall be able to acquire information about an organization’s policies and practices without unreasonable effort. This information shall be made available in a form that is generally understandable.
As a result of this investigation, TM agreed that it needed to overhaul its privacy practices. A new policy now communicates what personal information is collected, how the information is used and with whom it is shared. It is now easier to read and is more transparent. It was re-posted on TM’s web site on October 8, 2007, and is available by hard copy upon request.
The Assistant Commissioner concluded that the openness complaint was well-founded and resolved.
II. The complainant believed that TM showed a general lack of accountability in the way it handled customers’ personal information when such information was disclosed to third parties: event providers, service providers and merchants (the latter group via their on-line pop-up special offers).
As evidence of poor accountability, the complainant referred to the company’s official policy, in which TM disclaimed any responsibility for the security of personal information disclosed to its third parties. The complainant believed that TM was in violation of Principle 4.1.3 of the Act because of this disclaimer.
Principle 4.1.3 stipulates that an organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The principle adds that an organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.
TM explained to our Office that it is contracted by event providers to sell tickets on their behalf and that it also collects customer personal information for them. With regard to information protection, our Office determined that, in fact, TM has contracts in place that require event providers to use customers’ personal information in compliance with applicable laws as well as with their own privacy policies. Event providers are also required to implement and maintain security procedures and practices to protect customers’ personal information from unauthorized access, destruction, use, modification or disclosure. TM’s service providers (e.g., delivery services and credit card companies) also have similar contractual agreements with TM to safeguard the information they receive.
III. The complainant asserted that express and informed customer consent was not sought by TM in all circumstances.
Principle 4.3 states that knowledge and consent are required for the collection, use, or disclosure of personal information, except where inappropriate.
The complainant argued that TM collected personal information as a condition of service and without clearly providing opt-out options to customers who did not want their personal information shared for promotional or marketing purposes. For example, customers filling out the on-line registration form prior to buying tickets were advised in real time that by clicking on the “Submit Order” button, they were consenting to TM’s policy of sharing purchasers’ e-mail addresses with venues, teams, artists’ representatives, fan clubs, promoters and sports leagues, who would later contact them by e-mail or other means for marketing purposes. These customers were also informed that third parties could, in turn, use and disclose the collected information in other ways, subject to the parties’ own privacy policies. Although customers were advised that they could contact the third parties to learn how these organizations might use their personal information, customers were not informed that, in most cases, the personal information collected is retained in the United States and is subject to American law.
Our investigation established that TM provided no alternate way or real-time suggestions to internet customers who wanted to proceed with their purchases on-line but did not wish to consent to information sharing. For this reason, our Office concluded that, in contravention of the Act, TM made consent to the disclosures of personal information for secondary marketing purposes a condition of service.
Under Principle 4.3.3 of the Act, an organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes.
Principle 4.3.2 requires “knowledge and consent.” It states that organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.
Consequently, this Office recommended modifications to TM’s on-line notifications and call-centre telephone scripts, to improve transparency and consistency where customer consent is concerned. TM’s customers now can choose to opt in or not to receiving marketing and other material from TM and its event providers. For example, TM’s on-line customers can opt in by checking off a box before their ticket payment is remitted. If customers do not check off the box, event providers (who are obligated by contractual agreement to comply) will not market to these customers. For purchases by telephone, TM now uses scripts that provide customers with an option to receive marketing information from event providers. A ticket agent now explains the option and requests verbal customer consent, while automated telephone transactions invite the customer to press the # key on their phone pad to opt in. Under TM’s revised policy and practices, customers can now provide informed consent and are no longer subject to marketing as a condition of service to buy tickets.
The Assistant Commissioner concluded that the consent complaint was well-founded and resolved.
IV. The investigation of the complaint concerning alleged difficulty of customer access to personal information (Principles 4.9, 4.9.3 and 4.5).
The investigation established that TM was clearly able to respond to requests for access to personal information, but that it only retained personal information up until the date of the event, unless the customer opens a MyTicketmaster account. The Assistant Commissioner noted that the Act is silent on the length of time that personal information should be retained, but Principle 4.5 indicates that personal information shall be retained only as long as necessary for the fulfillment of the purposes for which it was collected, except with the consent of the individual. Once the event is over, the ticket purchase information is no longer required by TM. Opening a MyTicketmaster account is tantamount to providing this consent for a longer retention period.
The Assistant Commissioner thus concluded that the access complaint was not well-founded.
Once these complaints were brought to the attention of the company in this investigation and the investigation carried out by the Office of the Information and Privacy Commissioner of Alberta, the complaints were resolved in a satisfactory manner.
However, the Assistant Commissioner expressed grave concern when she discovered that allegations of violations of privacy laws made against a major on-line company operating throughout Canada were well-founded several years after the passing of the Act.
She stated that on-line companies operating in Canada must implement measures to ensure compliance with PIPEDA. In particular, they must observe the following:
1) If businesses collect their customers’ personal information with the intent of disclosing it to third parties for use in marketing and other secondary purposes, their customers must be explicitly informed and be provided a clear opt-in or opt-out opportunity to consent to the disclosure and use before payment is made. The customers’ choice to opt in or opt out of information sharing must neither advantage nor disadvantage them with respect to other customers obtaining or seeking to obtain the same service.
2) Businesses are responsible for protecting, by contractual or other means, their customers’ personal information that has been transferred to a third party for processing. The level of protection must be comparable with that provided by the business that collected the information.
3) Regardless of whether customer requests are issued on paper, in person, by telephone or via a web site, businesses must effectively communicate to customers in the same consistent manner their practices and policies regarding personal information collection, disclosure and use.