Online dating service used former customer’s personal information without consent and failed to provide him access to his personal information

PIPEDA Case Summary #2013-015

December 18, 2013


Complaint

After cancelling his membership to an online dating service, an individual requested that he be removed from the service’s mailing list and have his information deleted.  Despite his request, the individual continued to receive marketing emails.

The complainant also requested access to his personal information held by the organization.  He was told that his information was the property of the service, and that the personal profile information that he sought was not found in any database.

Our investigation

When our Office became involved in the matter, the owner of the organization informed us that all of the complainant’s personal information had been purged from the service’s computer systems and that other information about the complainant had been destroyed in a shredder. The organization also claimed to us ─ despite a lack of proof ─ that it had in fact provided the complainant with his online profile.

Unexpectedly, about midway through our investigation, the dating service changed owners.  The sales agreement stipulated that the new owner would inherit all customer profiles and their contacts (i.e., “the database”).

Our follow-up with the new owner revealed that the complainant’s information had been transferred to the new owner, including his profile information.  Our discussions with the new owner also revealed that the new owner received the database from the former owner and that it contained the complainant’s email address.  Consequently, the complainant was provided with access to certain of his personal information that the new owner had found.  The complainant brought to our attention certain records that were not provided, including photographs.  The current owner acknowledged that she had deleted the photographs since she could not ascertain whether they included the complainant's personal information.  Later, the new owner confirmed to our Office that it had destroyed all of the complainant’s personal information under its control.  To our knowledge, the complainant received no further communication from the dating service.

After the complainant received confirmation that the information was destroyed, the complainant contacted our Office to determine whether the organization failed to retain the information for as long as necessary to allow the complainant to exhaust any recourse under the Act.

What we found

In his complaint to our Office, the complainant alleged that he had not been provided with access to all his personal information by the organization.  Also, because of the marketing emails he had received, he alleged that the organization had not respected his request for the withdrawal of his consent for the collection, use and disclosure of his personal information after he cancelled his agreement.

Our Office found that the organization denied the complainant access to his personal information in violation of Principle 4.9 of Schedule 1 of PIPEDA.  The organization failed to respect the 30-day time limit set out under subsection 8(3).  Since the complainant was only granted access to certain personal information several months later by the new owner, after our Office’s involvement in the matter, we found this aspect of the complaint to be well-founded.  Further, by destroying the photographs, the complainant’s ability to exhaust any recourse available to him in relation to his access request was limited.  Accordingly, we found this to be a contravention of subsection of 8(8) of the Act.

Our Office also found that the organization retained the complainant’s information after it was no longer required to deliver dating services, in contravention of Principle 4.5.3.  However, given that the new owner deleted the records and informed the complainant of such, we considered this aspect of the complaint to be well-founded and resolved.

Our Office further found that the organization continued to use the complainant’s personal information, specifically his email address, to send marketing emails, after he had clearly withdrawn his consent for any such purposes.  This continued use of the complainant’s personal information contravened Principle 4.3.8 of Schedule 1 of PIPEDA.  However, in light of the fact that the new owner ultimately removed the complainant’s email address from marketing lists before our investigation was completed, and that there is no evidence of any subsequent misuses of his personal information, we consider this aspect of his complaint well-founded and resolved.  

We also found that there was no privacy policy in place at the time of the complainant’s initial dealings with the organization in contravention of Principle 4.1.4(d).  Following our involvement, the new owner posted a detailed privacy policy on the website.  We therefore considered this aspect of the complaint to be well-founded and resolved.

Finally, our Office determined that the organization failed to safeguard the complainant’s personal information, a requirement under Principle of 4.7.1.  The organization made commitments that the information was not stored on computerized databases and kept safe in inactive files, which turned out to be false.  Since the privacy policy developed by the new owner included information on the safeguards, this aspect of the complaint was considered well-founded and resolved.

Lessons Learned

  • Organizations must inform individuals of the existence, use and disclosure of their personal information and shall be given access to that information, unless a valid exception to access under PIPEDA can be applied.
  • Under the consent principle of PIPEDA, an individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. The organization must inform the individual of the implications of such withdrawal.
  • Personal information must be retained only as long as necessary for the fulfilment of the purpose(s) identified by an organization, and personal information that is no longer required to fulfill identified purposes should be destroyed, erased, or made anonymous. However, when organizations have personal information that is the subject of an access request under the Act, they must retain the information for as long as is necessary to allow the individual to exhaust any recourse in relation to the request
  • An organization’s security safeguards must protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification.
  • Organizations must be open about their policies and practices with respect to the management of personal information. Individuals must be able to acquire information about an organization’s policies and practices without unreasonable effort.
Date modified: