Email regarding vehicle repair complaint used for marketing without consent

PIPEDA Report of Findings #2009-023

An individual complained to our Office that a car manufacturer had, without consent, used the email address he’d provided in connection with a vehicle repair dispute to send him advertising materials.

The complainant also alleged the company had denied him access to his personal information.

The complaints arise out of a dispute involving the complainant and both the car manufacturer and one of its dealerships. The individual had made an access request in order to prepare for Small Claims Court proceedings.

In response to the complaints to our Office, the car manufacturer argued that the issue was not subject to the Personal Information Protection and Electronic Documents Act (PIPEDA).

The company further argued that the complainant had filled in a customer survey advising him his personal information would be used for marketing purposes. It acknowledged the complainant provided his email address two years after completing the survey, but claimed there was implied consent.

With respect to the access complaint, the company said it had provided copies of a print-out from his customer service centre file and a summary of his telephone conversations with call centre staff.

However, the investigation found those files were incomplete. They did not include copies of two letters from the complainant as well as audio recordings of the telephone conversations. The company also failed to provide other information, including information from a database that tracks vehicle information from production to sale, as well as other systems used to track warranty-related information and advise car owners of recalls.

The organization submitted this information did not constitute personal information. It argued that some of the information set out in the document requested was set out using internal codes which were confidential commercial information and, therefore, could not be released.

The company said it was willing to provide further information in redacted form, but at a significant cost.

We found that the organization’s explanation for why the codes were confidential commercial information was perfunctory. We also concluded that the manufacturer was incorrect in claiming that the individual was not entitled to access his personal information because it had been combined with confidential commercial information.

As well, we found that the organization’s proposal to impose an exorbitant charge to respond to the access request to be in contravention of PIPEDA.

Our Office recommended that the organization:

  • Provide the complainant with the personal information it inadvertently failed to provide, including the coded information, subject to redactions for the confidential commercial information;
  • Provide an explanation for the various codes used in recording the complainant’s personal information subject to reasonable redactions;
  • Commit to advise individuals making access requests of the existence of all of their personal information; and
  • Stop imposing excessive charges for access to personal information.

The organization also agreed to implement all of our Office’s recommendations. It also agreed to stop sending the complainant emails.

As a result, we concluded that the complaints to be well-founded and resolved.

Lessons Learned

  • In responding to access requests, organizations must search all their files and locations for personal information, not only those that are obvious sources of such data.
  • Before an organization refuses an access request so as not to reveal confidential commercial information or third-party information, it must consider whether such details can be severed from the records. If the confidential commercial information can be removed, then access to the personal information must be granted.
  • If personal information contains codes, the organization should clearly explain them to the individual requesting access.
  • Access to personal information must be provided at minimal or no cost to the requester

Report of Findings

Complaints under the Personal Information Protection and Electronic Documents Act (the Act)

1. The Complainant filed two complaints against the Respondent, a car manufacturer.

Use

2. First, the Complainant alleges that the Respondent collected his email address which he provided to the company in connection with a complaint about a vehicle repair and used it for a purpose he had not authorized. The Complainant alleges that the Respondent used his email address to send him advertising materials about its brand of automobiles on May 30, 2008. It is alleged that the Respondent did this after the Complainant called the Respondent’s customer service centre and asked the Respondent not use his email address for this purpose on May 12, 2008 and spoke to a customer service representative. He therefore complains that his personal information was used without his knowledge and consent.

Access

3. Second, the Complainant wrote to the Respondent and requested access to his personal information, which he believed included (but was not necessarily limited to) records of telephone conversations on May 12, 20, 21, 28, August 25, 28 and September 8, 2008. He alleges that the Respondent denied him access to his personal information.

Summary of Investigation

4. These complaints arise out of a dispute the Complainant was having with the Respondent and one of its dealers concerning repairs to his motor vehicle. The Complainant made his access request on or about December 1, 2008 in order to obtain documents for a Small Claims Court pre-trial conference that was to take place in February 2009.

5. It is not disputed that the Respondent took longer than 30 days to provide the Complainant with a response to his access request. The Respondent indicates its reply was delayed because its corporate office was closed for two weeks over the Christmas period.

6. The Respondent’s primary position in response to these complaints was that it is not subject to the Act. The Respondent relied on a previous decision of the Assistant Commissioner, which considered whether the collection of information by event data recorders (“EDRs”) in automobiles contravened PIPEDA. The Assistant Commissioner found, “on the facts of this case”, that the car manufacturer, itself, was not collecting personal information in the course of a commercial activity and that PIPEDA accordingly did not apply. The collection activity in that case occurred in crashes and near-crash situations when the EDRs would automatically switch-on and record an automobile’s rate of speed, engine RPM, depression of gas and brake pedals and use of seatbelts and warning lights without transmitting this information back to the manufacturer.

7. The Respondent’s position was that it has not engaged in a commercial activity because it had not sold or provided goods or services to consumers in exchange for financial remuneration. The Respondent submitted that the Complainant purchased his vehicle and obtained any servicing from its authorized dealers, not the Respondent, and that the vehicle in question was manufactured outside Canada by the Respondent’s parent company.

8. In the course of its investigation, the Office learned the following with respect to the Respondent’s operations:

  1. the Respondent manufactures engines and assembles motor vehicles that are sold to Canadian consumers by authorized dealers;
  2. the Respondent is a wholesaler of motor vehicles and motor vehicle parts that are sold to Canadian consumers by authorized dealers;
  3. the Respondent generates revenues through sales of its vehicles and parts to authorized dealers;
  4. the Respondent’s financial results are rolled up into its parent company, which is listed and traded publicly on certain foreign stock exchanges;
  5. the relationship between the Respondent and its dealers is governed by contractual agreements (namely franchise agreements), which mandate or encourage the sale of the Respondent’s products in defined circumstances;
  6. the Respondent provides support to dealers as part of its business ventures, including providing dealer assistance with respect to sales, service and marketing, uniform accounting systems, computerized warranty claims systems, training and funding dealer advertizing associations;
  7. the Respondent acts as the Canadian importer for customs purposes in connection with the importation of vehicles into Canada;
  8. the Respondent takes title (i.e., assumes ownership) of vehicles in the course of the commercial transactions whereby its brand of vehicles are brought into Canada and sold to consumers;
  9. the Respondent purchases television, radio and print advertisements that are designed to create awareness of its brand and increase consideration of its products with Canadian consumers; and
  10. the Respondent operates a customer service centre that is made available to purchasers of its brand of motor vehicles.

9. The Respondent also provided further responses to these complaints in case the Act should be found to apply.

10. With respect to the first complaint concerning the use of the Complainant’s email, the Respondent noted that the Complainant completed a printed survey in August 2006 that advised that the Respondent would use his personal information for marketing purposes.

11. The survey in question pertained to a repair that took place on August 11, 2006 and was completed around that time. The Respondent acknowledged that the Complainant did not provide his email address with this 2006 customer survey.

12. The Respondent collected the Complainant’s email in connection with a subsequent repair approximately two years later, on or about April 29, 2008.

13. According to the Respondent, the Complainant impliedly consented to the use of his email address by completing and submitting it in 2008. The Respondent further submitted that it ceased sending marketing emails when the Complainant advised that he did not wish to receive them.

14. With respect to the second complaint concerning the Complainant’s access request, the Respondent advised that it provided the Complainant with copies of a print-out from his customer service centre file and a summary of his telephone conversations with the Respondent’s customer service representatives.

15. The investigation nevertheless indicates that the disclosure of customer service centre files was incomplete in that the Respondent inadvertently omitted to provide the Complainant with copies of two letters he had written and because it provided summaries of audio recordings instead of the recordings themselves. The Respondent also did not provide the Complainant with information that was held elsewhere in the company. The Office learned that the following categories of information were not provided to the Complainant:

  1. Information from the Respondent’s ”System W”, which is a system the Respondent uses to administer its outbound communications to people such as the Complainant;
  2. Information from the Respondent’s “System X”, which is a searchable database that tracks vehicle information from the time a vehicle is produced until it is sold to a customer by a dealer;
  3. Information from the Respondent’s “System Y”, which the Respondent uses to advise car owners of recalls and other owner notification programs; and
  4. Information from the Respondent’s “System Z”, which dealers use to provide warranty coverage information and repair claims histories to the Respondent and which also records amounts the Respondent pays to dealers for such repairs.

16. The Respondent submitted that information recorded in its Systems X and System Y does not constitute personal information but is rather about the production of vehicles, vehicle shipments and its vehicle programs. The Respondent similarly submitted that information from the System Z is not personal information as it is in substance about payments between the Respondent and its dealers.

17. The Respondent advised this Office that it was willing to provide the foregoing information to the Complainant, in redacted form, but it would charge the Respondent for the collection and production of this material. The Respondent advised that:

  1. Information from the System W could be provided at a cost of approximately $200;
  2. Information from Systems X, Y and Z would be provided at rate of $50 per hour of time spent, which would typically cost between $100 and $200; and
  3. The Complainant would be required to pay $400 for copies of the omitted documents.

18. The Office inquired into the basis upon which these charges would be levied and the reasons for the proposed redactions.

19. With respect to the issue of redactions, the Respondent advised that Systems X, Y and Z contain very sensitive confidential information that includes the pricing applicable to vehicle sales and services transactions. The Respondent advised that the redacted information is known only to select individuals within the company and its dealerships. Employees having access to this information are required to keep it confidential by provisions in their employment agreements.

20. With respect to the issue of costs, the Respondent advised that the charges reflect the cost of an access request to it in terms of employee time (including the hourly cost of employee pensions and benefits).

21. The Respondent advised that no person making an access request has ever persisted in asking for the records it is withholding from this Complainant.

22. There are approximately 200 pages in these files and, as such, the Respondent was seeking reimbursement at a rate of approximately two dollars per page.

Application

23. In making my determinations, I applied ss. 2(1), 9(1) and 9(3)(b) of PIPEDA and principles 4.3, 4.3.1 and 4.9 and 4.9.4 of Schedule 1.

24. Subsection 2(1) of the Act defines commercial activity as any conduct or any regular course of conduct that is of a commercial character.

25. Principle 4.3 of the Act provides that the knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate. Principle 4.3.1 indicates that typically, an organization will seek consent for the use or disclosure of the information at the time of collection. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected but before use.

26. Principle 4.9 states that upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. Principle 4.9.4 provides that an organization shall respond to an individual’s request within a reasonable time and at minimal or no cost to the individual. The requested information shall be provided in a form that is generally understandable. For example, if the organization uses abbreviations or codes to record information, an explanation shall be provided.

27. Portions of the Act clarify an organization’s obligations under Principle 4.9. Subsection 8(3) states that an organization shall respond to a request for access with due diligence and in any case not longer than thirty days after receipt of the request. Subsection 9(3)(b) provides that an organization is not required to give access to personal information if to do so would reveal confidential commercial information. However, subsection 9(3) also provides that if confidential commercial information is severable from the record containing any other information for which access is requested, the organization shall give the individual access after severing.

Findings

December 10, 2009

28. On August 14, 2009, I issued a preliminary report of findings, in which I noted that the Respondent’s actions were not in compliance with various provisions of PIPEDA and I made recommendations to the Respondent, with the view of helping the organization meet its obligations. The Respondent responded to the recommendations.

29. What follows is the original text from the preliminary report:

Jurisdiction

30. I find that the Respondent collected and used the personal information of the Complainant in the course of a commercial activity. The definition of commercial activities set out in the Act is broad and does not, as the Respondent contends, require a direct sale between the Complainant and the Respondent.

31. It is clear from the evidence and other information collected in connection with this investigation that the Respondent is involved in a course of conduct that is of a commercial character. While the dealers are the legal entities who sell automobiles and parts directly to consumers, the dealers are doing so pursuant to contracts (i.e., franchise agreements) with the Respondent. It is through this “course of conduct”, described in greater detail in the Summary of Investigation, above, that the Respondent earns revenues, which flow up to its parent company and out to its shareholders.

32. Even if a direct connection between the Respondent and Complainant were required for PIPEDA to apply, I would find one in this case. The Respondent advertises its brand of automobile directly to the public and has a customer service centre where its employees have direct dealings with individuals such as the Complainant. The Respondent engages in this direct contact to further its commercial purposes with Canadian consumers.

Use

33. The Complainant’s email address is his personal information (see e.g., PIPEDA Case Summary 2005-287). Principles 4.3 and 4.3.1 provide that the knowledge and consent of an individual are required for the collection and use of personal information.

34. While I note that the Respondent completed a customer survey that notified him that the Respondent would be collecting his personal information for marketing purposes, I am unable to conclude that he consented to the Respondent using his email address for marketing purposes.

35. The survey in question pertained to a repair that took place on August 11, 2006 and was completed around that time. The Respondent collected the Complainant’s email in connection with a subsequent repair approximately two years later, on or about April 29, 2008. The Respondent has confirmed that the Complainant did not provide his email address when completing the 2006 survey. I do not believe the Complainant can reasonably be said to have impliedly consented to his email address being used for marketing purposes in these circumstances. The Complainant also advises that these emails were sent to him notwithstanding an express request that the Respondent not do so.

36. The Respondent has however stopped emailing the Complainant.

Access

37. Section 4.9 of PIPEDA provides that an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information.

38. Section 2(1) defines personal information as being “information about an identifiable individual”. In Gordon v. Canada (Minister of Health) (2008), 79 Admin. L.R. (4th) 258 (F.C.), Mr. Justice Gibson of the Federal Court agreed with the Privacy Commissioner that information will be about an “identifiable individual” where there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other available information.

39. I am satisfied that some of the material withheld from the Complainant and contained in the Respondent’s Systems W, X, Y and Z meets this test and constitutes personal information of the Complainant. In particular, some of these records track information about the demographic traits of individuals, their education, income, number of children, home ownership, mortgages, addresses, telephone numbers, vehicles, and detailed information about the repairs that have been performed on their vehicles. While not all of these fields have been completed with respect to this Complainant, the Respondent evidently has the ability to do so when car-buyers provide it with this kind of information.

40. I do not agree that the intermingling of the Complainant’s personal information with the Respondent’s confidential commercial information disentitles the Complainant to access to his personal information.

41. I do however agree that the Respondent is entitled to redact its sensitive wholesale and warranty pricing information from these records. The pricing of parts and other information as between the Respondent and its dealers is distinct and severable from the Complainant’s personal information. Given the exception in section 9(3)(b) of the Act, this information is not something the Respondent is required to disclose pursuant to Principle 4.9.

42. Some of the information set out in these documents is printed using codes.

43. Disclosing personal information using such codes will mean that an individual may not understand the information the Respondent is collecting. Principle 4.9.4 of PIPEDA requires information to be provided to a requesting individual in a generally understandable format. Accordingly, where similar codes are used to record an individual’s personal information, the Respondent should provide explanations to the individual making the access request. These explanations should be clear and allow the individual to understand the nature of the information the Respondent is collecting.

44. Having been advised of the possibility that this Office might recommend that it decrypt its coded information, the Respondent made further submissions asserting that certain source codes contained confidential commercial information.

45. My analysis of the decoding issue is aided by the findings in PIPEDA Case Summary #2002-63, which considered whether a bank was required to provide access to certain internal credit scoring information. Three principles arise from this finding. First, the use of the word “would” in section 9(3)(b) is significant. This section provides that an organization is not required to give access to personal information if to do so “would” reveal confidential commercial information. As the Commissioner observed, this threshold “sets a very high standard for justifying the withholding of personal information”. Second, the impact of the disclosure on the industry and the public should be considered. I believe this factor is relevant because the Commissioner took note of the effect of the disclosure on the public and the Canadian banking community in that matter. Third, the ultimate focus of my inquiry must be on maintaining a reasonable balance between the privacy rights of individuals and the legitimate interests of organizations.

46. The Respondent’s further submissions with respect to decoding are insufficient for me to conclude which codes it proposes be withheld from the Complainant. In making its further submissions, the Respondent has redacted the information that is considers to be sensitive information from this Office, which makes a code-by-code assessment of its assertions impossible. The Respondent’s submissions group codes together, further impeding our ability to assess the propriety of the Respondent’s claims. Finally, with the exception of its submission regarding inter-company pricing codes, the Respondent’s explanations for why its codes are confidential commercial information are perfunctory and do not include sufficient detail for me to conclude that the exception in section 9(3)(b) has been properly claimed.

47. I also wish to note that the Respondent’s letter of January 19, 2009 responding to the Complainant’s access request did not advise the Complainant that it was holding additional personal information about him in its Systems W, X, Y, and Z, as described above.

48. I find this lack of disclosure to be a contravention of Principle 4.9, which requires organizations to advise individuals of the “existence” of personal information. Principle 4.9.1 similarly provides that organizations shall inform individuals of whether or not they hold personal information about individuals and encourages organizations to indicate the source of this information.

49. In addition, the Respondent admits it did not respond to the Complainant’s access request within 30 days. There is provision for an extension of the thirty day limit for an additional thirty days in the circumstances set out in section 8(4) of the Act; however, an organization must give notice where it needs an extension as the individual making the request may object.

Fees for Access

50. Principle 4.9.4 states in part that an organization must respond to an individual’s access request at minimal or no cost to the individual. In PIPEDA Case Summary 2002-70, the Commissioner found that a charge of $200 for an access request contravened Principle 4.9.4. Similarly, a fee of $150 was found to contravene Principle 4.9.4 in PIPEDA Case Summary 2002-111. In PIPEDA Case Summary 2004-285, the Assistant Commissioner indicated that Principle 4.9.4 at most permits a “token” fee that will not deter access requests. Even a $25 fee has been found to be contrary to Principle 4.9.4 (see PIPEDA Case Summary 2004-283).

51. The Respondent indicates that it received 22 access requests in 2008 alone. None of these individuals, or individuals making access requests in years prior, agreed to pay the fees the Respondent proposes, which suggests that the policy of charging for access is having a deterrent effect.

52. The Respondent’s proposal to fully recoup the notional cost of employee time spent working on responding to access requests would result in an exorbitant charge and, in my opinion, contravenes Principle 4.9.4. Contrary to the Respondent’s submissions, the legislation does not contemplate that the cost of processing access requests should be entirely or even significantly passed on to parties making the requests. It moreover appears that these costs result, in part, from the notional cost of the Respondent redacting its confidential commercial information from the Complainant’s personal information. Such redactions are permitted but are not required pursuant to section 9(3) of the Act. As the Respondent is redacting this information in furtherance of its commercial interests, it should bear the associated costs.

Recommendations from preliminary report

53. In my preliminary report, I made four recommendations.

54. With respect to the access request, I recommended that the Respondent:

  1. provide the Complainant with the personal information it inadvertently failed to provide along with the audio recordings of his calls to the Respondent’s call centre, and copies of the personal information in the Respondent’s Systems W, X, Y, and Z, subject to redactions for the confidential commercial information discussed above;
  2. provide the Complainant with an explanation of the various codes it used in recording the Complainant’s personal information subject to reasonable redactions pursuant to section 9(3)(b) and provide this Office with a chart showing, in separate columns, on a code-by-code basis:
    1. the code that has been redacted;
    2. a decoding of that code into plain language; and
    3. an explanation as to why that code is confidential commercial information having regard to the principles set out in paragraph 39 above;
  3. commit to advise individuals making access requests of the existence of all of their personal information in its Systems W, X, Y, and Z, update its policies and employee training in this regard and provide access to such information upon request; and
  4. cease its practice of imposing excessive charges for access to personal information in its Systems W, X, Y and Z and amend its Privacy Policy to reflect this change in practice.

55. I asked that I receive, within 30 days of the date of the preliminary report, confirmation that the Respondent has provided the aforementioned documents and information to the Complainant. I also asked to receive, within 30 days of the date of the preliminary report, the respondent’s response in writing, outlining how it intended to implement the recommendations.

The Respondent’s responses to recommendations

56. The Respondent requested an extension to reply; this Office granted an extension of four weeks. The respondent replied on October 13, 2009.

57. With respect to recommendations a) and b), the Respondent advised this Office that on October 13, 2009, it provided the Complainant with a package of information at no charge that contained the following:

  • audio recordings of calls made to the Respondent’s customer service centre and other documentation
  • the System W record
  • the System X Record
  • the System Y report
  • the System Z report
  • documents explaining the codes used by these systems (redactions are limited to confidential commercial information and personal information of third parties)

58. On October 30, 2009, the Complainant confirmed to this Office that he received his personal information from the Respondent.

Our Office received and reviewed copies of the material as well.

59. With regard to recommendation c), it advised that it is planning to revise its privacy policy and augment employee training so that individuals processing requests for access are aware that personal information may be contained in the above-mentioned data systems. At the same time, the Respondent informed us that its System Z would be purged of the name and address of customers, since this information is not required for the system’s purpose.

60. Concerning recommendation d), the Respondent advised that it does not—and has no plans to—charge for providing personal information for access requests.

Conclusion

61. Accordingly, the complaint regarding consent for use is resolved, while that concerning access is well-founded and resolved.

Other

62. The Complainant also alleged that on September 8, 2008 one of the Respondent’s call centre workers became agitated with the persistence of his complaints and told him that if he pursued the “privacy escalation” the Complainant would end up having to repay certain repair costs that were previously covered under his vehicle warranty.

63. The Office questioned the Complainant and the call centre worker about this allegation. The call centre worker ultimately denied making this threat, but our investigator found the Complainant’s account appeared plausible whereas the call centre worker’s account was vague and he was somewhat unforthcoming.

64. The Respondent’s legal department advised that the Respondent took these allegations extremely seriously. The Respondent conducted an investigation that revealed the only direct evidence with respect to the events of September 8 came from the call centre worker, the Complainant, and his wife (who participated in the call); no audio recordings were made, or at least retained. The Respondent also provided character evidence and circumstantial evidence it submitted had bearing on the plausibility of the allegations.

65. Although I am not prepared to issue a finding with respect to the conflicting evidence on this particular issue, I would denounce the use of tactics that seek to dissuade privacy complaints in the strongest possible terms. Threats and disincentives are simply not acceptable and organizations must take prudent steps both in training staff and in responding to non-compliance with the Act by their employees and other public representatives for whom they are responsible.

Date modified: