Publisher collected and used e-mail addresses for marketing without consent

PIPEDA Case Summary #2009-013

[Section 2; Principles 4.3 and 4.3.1; Paragraphs 7(1)(d) and 7(2)(c.1); Regulations 1(e)]

The complainant was perturbed by the number of unsolicited e-mails he received from a publisher marketing a Canadian directory of funding sources. Even when he asked the company to remove his various e-mail addresses from its list, the company continued to send him messages. For its part, the company contended that the complainant’s business e-mail address was not personal information and that, in any event, his e-mail addresses were publicly available.

The Assistant Privacy Commissioner established that business e-mails are personal information as defined by the Act, and as determined in an earlier complaint. Furthermore, all but one of the e-mail addresses in question could not be considered publicly available as defined in the Regulations. She concluded that the company was collecting and using e-mail addresses from the Internet without the addressee’s knowledge or consent. She recommended that the company cease this practice, and that it also cease using e-mail addresses that it had collected from other businesses in the past without consent. The company would not and did not implement the Assistant Commissioner’s recommendations.

The following is an overview of the investigation and the Assistant Commissioner’s findings.

Summary of Investigation

The complainant had a number of e-mail addresses from various web sites with which he had affiliations. He continued to receive solicitation e-mails from a publishing company at these addresses despite his requests to have them removed from the company’s marketing lists.

This Office’s investigation noted that, while the solicitation messages appeared to originate from different entities, they all concerned the same product, a funding directory, which is marketed by the respondent company. The text of the messages was nearly always the same. Our investigation established that all of the messages originated from the owner of the publishing company.

This Office reviewed the complainant’s requests to unsubscribe, which he had sent to three web addresses belonging to the respondent. Although the respondent claimed to have no record of receiving these requests, he nonetheless removed the complainant’s addresses from marketing lists, at this Office’s request.

The respondent presented a number of arguments in defense of his e-mail collection practices. He argued that the complainant’s e-mail addresses were business addresses and since section 2 of the Act precludes “business contact information”, the complainant’s addresses did not constitute “personal information.” The company also contended that even if the complainant’s e-mail addresses could be considered personal information, paragraphs 7(1)(d) and 7(2)(c.1) of the Act would then apply. These paragraphs permit the collection or use of personal information without knowledge or consent if the information is publicly available and is specified in the Regulations. Subsection 1(e) provides that personal information can be considered publicly available when it appears in a publication, including a magazine, book or newspaper, in printed or electronic form, that is available to the public, and where the individual has provided the information. The organization believed that the e-mail addresses in question were provided by the complainant on a publicly available source, and a web site. In the organization’s view, it could therefore collect and use the addresses without the complainant’s knowledge or consent.

This Office searched the Internet for the complainant’s e-mail addresses. On one web site, the complainant’s name, title and telephone number appear. The web site indicated that he could be contacted at the site’s business address. By clicking on his name, the e-mail client application was opened and one of his e‑mail addresses was revealed. Another web site, which related to a publication that the complainant edited, contained his name, title, address, and telephone and fax numbers. Beneath this information, the tag “drop me a line” appeared. By clicking on this, another of his e‑mail addresses was shown.

The company maintained that it no longer harvests e-mails. Instead, it claimed that it buys marketing lists from data brokers. The lists include addresses, fax and telephone numbers, web sites and e-mail addresses. It also maintained that it had stopped sending solicitation messages to the complainant at his addresses, although the complainant disagreed.

Findings

Issued June 2, 2009

Application: Section 2 defines personal information as information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization. Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.3.1 notes that consent is required for the collection of personal information and the subsequent use or disclosure of this information. Typically, an organization will seek consent for the use or disclosure of the information at the time of collection. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected but before use (for example, when an organization wants to use information for a purpose not previously identified). Paragraphs 7(1)(d) and 7(2)(c.1) outline certain exceptions to consent: Paragraph 7(1)(d) states that an organization may collect personal information without the knowledge or consent of the individual if the information is publicly available and is specified by the regulations. Paragraph 7(2)(c.1) stipulates that an organization may, without the knowledge or consent of the individual, use personal information if it is publicly available and is specified by the regulations.

For the purposes of paragraphs 7(1)(d) and 7(2)(c.1), the following class of information pertaining to this complaint is identified in the Regulations: 1(e) personal information that appears in a publication, including a magazine, book or newspaper, in printed or electronic form, that is available to the public, where the individual has provided the information.

In making her determinations, the Assistant Commissioner deliberated as follows:

• The interpretation section of the Act prescribes the types of information that are not subject to the protection of the Act, specifically, the name, title or business address or telephone number of an employee of an organization. As a business e-mail address is not specified in section 2, the Assistant Commissioner determined that it is an individual’s personal information for the purposes of the Act. 
• The addresses at issue in this complaint are business e-mail addresses. Thus, pursuant to section 2, they are the complainant’s personal information.
• The Assistant Commissioner then examined the argument that the complainant’s e-mail addresses were publicly available, as specified by Regulation 1(e). 
• She determined that the complainant’s various e-mail addresses were not captured under the Regulations and could not, therefore, be considered publicly available information. However, she noted one exception: an e-mail address that appeared on a web site devoted to a publication of which the complainant had been the editor.
• Nonetheless, she reasoned that, when the complainant’s publication web site invited people to “drop me a line” and provided the complainant’s “editor” e-mail address for the publication, it is doubtful that he intended this to be an invitation to receive unsolicited e-mails. Rather, it could be understood that he meant for this to be an invitation for feedback to the editor on the contents of his web site or the publication.
• Regulation 1(e) does not require that the collection or use of the information relate directly to the purpose for which the information appeared in the publication. It simply allows for an organization to collect or use personal information in a publication without knowledge or consent. Nonetheless, the complainant also received messages at another e-mail address associated with the web site—an address not connected to his position as editor of the publication. The complainant also indicated that others at the same web domain name had received messages from the company over the years even though their addresses were not listed on the web site.
• The Assistant Commissioner came to the conclusion that the respondent did not simply collect the e-mail addresses of individuals listed in association with publications. Therefore, while it may have been the case that the respondent could rely on the exceptions to consent outlined in paragraphs 7(1)(d) and 7(2)(c.1) for its use of one particular e-mail address, it could not rely on these paragraphs in relation to the numerous other e-mail addresses to which it had sent messages.
• The company asserted that, by putting one’s e-mail address on a web site, one is making it available to the public. However, as the Assistant Commissioner explained, this does not make it “publicly available” as defined in the Regulations, nor does it follow that the individual has given his or her implied consent to receiving marketing messages.
• Since most of these e-mail addresses used by the respondent were not “publicly available personal information” as defined in the Regulations, the Assistant Commissioner refuted the company’s contention that it could rely on the exceptions to consent to collect and use the personal information.
• With regard to the issue of obtaining consent, according to the respondent, it does not itself harvest e-mail addresses, but rather purchases them from various data brokers. The implication here seems to be that an organization purchasing personal information from another organization has no responsibility in the matter of consent, that being the sole province of the organization that originally collected the information.
• Principle 4.3 does not say that only the collecting organization is responsible for consent. Rather, it says that the individual’s consent “is required”. This means that the organization originally collecting an individual’s information is required to “obtain” the individual’s consent, but it also means that any organization subsequently renting or purchasing the information from the original collector is required to “have” the individual’s consent. An organization that rents or purchases personal information from a data broker does not necessarily have to seek consent from the individual, but must at least take reasonable steps to ensure that consent exists – that is, that the individual’s consent has been duly obtained by the data broker.
• In other words, a renting or purchasing organization must exercise due diligence in respect of compliance with Principle 4.3. It may do so in any way it chooses, but at a minimum it must ensure that
  • personal information comes from reputable sources;
  • agreements concerning the sale or rental of personal information are reduced to writing; and
  • renters/sellers have appropriately warranted, by means of appropriate contractual terms in a written agreement, that the personal information has been collected with consent in a manner compliant with the Act. 
• In the present case, there is no evidence that the respondent exercised due diligence in the matter of individuals’ consent to the collection and use of personal information. Nor is there any evidence of consent duly obtained by either the respondent or the parties from which it purports to purchase information.
• In sum, the Assistant Commissioner found that the respondent had been collecting and using the e-mail addresses of the complainant and others for marketing purposes in continuing contravention of Principles 4.3 and 4.3.1. Furthermore, she noted that it could not be said that the complainant “withdrew his consent” when he contacted the company since he never gave his consent to the collection of his e‑mail addresses in the first place.
• The Assistant Commissioner therefore recommended that the company cease collecting and using e‑mail addresses without consent, and that it also cease using the e‑mail addresses it had already collected from other businesses.
• The company did not respond to – nor did it implement – either of our recommendations.

Conclusion

The Assistant Commissioner concluded that the complaint was well-founded.