Consent provided to open joint credit account not sufficient to authorize subsequent credit checks of account holders

PIPEDA Report of Findings #2015-009

February 17, 2015

---

The complainant and her then-spouse had opened a joint credit account with a furniture retailer. Several months after they separated, she became aware that he had been using the joint account to make nearly $10,000 in purchases on credit in her name. Since the account statements were no longer being sent to her address (the former spouse had since asked the retailer to change it), the complainant did not find out about her former spouse's purchases until several months later.

She alleged that, for her former spouse to make these purchases and charge them to the account, the furniture retailer had to perform a "hard pull" credit check on her personally and that this was done without her knowledge or consent. The complainant also alleged that the retailer did not adequately safeguard her personal information when it allowed her former spouse to change the account address without her knowledge.

During the course of our investigation, the retailer indicated that it had obtained her consent by virtue of the joint credit account application signed by the complainant and her then-spouse when first opening their account. The retailer believed that the signed application provided her ongoing consent for credit checks at any time with any credit bureau.

In addition, the retailer believed that, as co-holders of the account, the complainant and her former spouse were jointly liable. This is also why it believed it did not need to seek the complainant's consent for the credit check performed on her even though it was initiated by her former spouse.

As for allowing the former spouse to change the address on the account, the retailer stated that it was not aware the complainant and her former spouse had separated since opening their account. The retailer also pointed out that account holders have equal authority to make administrative changes to a joint account, as necessary.

Our Office noted that the form of obtaining consent for the collection, use or disclosure of personal information depends on (i) the type of the information and (ii) the circumstances, as stated in Principle 4.3.4 of PIPEDA.

Credit information is very sensitive personal information and must not be collected or disclosed without the clear and explicit consent of the individual concerned. In our view, the broad consent provisions in the joint credit account application signed by the complainant and her then-spouse in 2008 did not meet this test. The retailer should have later sought the complainant's consent before performing the most recent credit check on her in 2013.

As such, our Office determined the complaint of disclosing personal information without consent was well-founded.

However, our Office accepted that each individual with full administrative rights to a joint account should be able to make certain administrative changes to the account, such as a change of address. Thus, we concluded that the complaint relating to failing to safeguard personal information was not well-founded.

---

Report of Findings

Complaint under the Personal Information Protection and Electronic Documents Act (“PIPEDA” or the “Act”)

Summary of Investigation

1. The complainant is a customer of a retail furniture store that has financing available for customers who wish to open an account with the retailer.
2. In 2008, the complainant and her spouse (who was listed as the co-applicant) opened an account with the retailer in order to purchase furniture. The complainant and her spouse signed a credit application form ("credit application form").
3. According to the complainant, she separated from her spouse in April of 2013 and her spouse moved to a new address. She did not immediately inform the retailer of the change in her domestic situation, believing that (i) her account with the retailer was not of the "revolving credit" type, but rather of the "installment" type, and (ii) her credit limit on her joint account was $0, as indicated on her most recent receipts for payment issued by the retailer.
4. From August to September 2013, the complainant's ex-spouse charged nine purchases totalling nearly $10,000 to their joint account with the retailer. The complainant became aware of these purchases in November 2013.
5. The complainant subsequently noticed on her credit report issued by a credit reporting agency that the retailer had made an inquiry (a "hard pull" ^{Footnote 1}) on her file on a date that coincides exactly with the first of the disputed purchases made by her ex-spouse.
6. The complainant claims that she had not provided the retailer with her consent for this inquiry into her credit. She claims that when she raised the issue with the retailer, it advised her that her spouse had the ability to make purchases on the account by virtue of his status as a co-applicant to their credit application in 2008.
7. In November 2013, she asked the retailer to remove her ex-spouse as a co-applicant on her account with the retailer. The retailer duly responded to her request and added notes to the account in their systems that indicate that her ex-spouse can no longer make purchases on the account.
8. However, the complainant was still responsible for the purchase debt.
9. She then filed a complaint with our Office.
10. In her complaint, the complainant alleges in the first place that the retailer disclosed her personal information without her consent when it performed a "hard-pull" credit check without her consent which enabled her ex-spouse to make a number of purchases under their joint account, resulting in a nearly $10,000 debt in her name.
11. In this regard, the complainant claims that whenever she had made previous purchases from the retailer, she had to sign a new contract and that she also had to consent to a credit check being performed. To this end, she provided a copy of a signed contract to our Office to demonstrate that when she made a purchase at the retailer in 2010 (her most recent purchase) on an installment basis, the contract included a section describing how the signatory is consenting to an evaluation of their credit application, a continued monitoring of their credit status and their ongoing eligibility.
12. In the second place, the complainant alleges that the retailer did not adequately safeguard her personal information when it allowed her ex-spouse to change the address on the account without her knowledge or consent. This resulted in her not being aware of the invoicing for the account.

Respondent's position

13. The retailer denies the allegation that it disclosed the complainant's personal information when it performed the credit check in August 2013. In its view, no disclosure occurred in the undertaking of the credit check.
14. The retailer also denies that it performed the credit check in August 2013 without consent, indicating that the complainant's consent was provided in the credit application in 2008 and, again, in the contract the complainant signed in 2010. In the retailer's view, the term of the complainant's contract from 2010 was not expired in August 2013 since payments were still outstanding at that time. From the retailer's standpoint, the complainant "understood from past experience how the system worked."
15. Lastly, the retailer denies that the credit check in August 2013 resulted in the complainant's ex-spouse charging nearly $10,000 in debt in the complainant's name since, in the retailer's view, the amounts were on a joint account in accordance with the terms of that account.

Personal credit checks

16. The retailer confirmed to our Office that for each purchase linked to a customer account, a new contract is required and must be signed by a holder of that account. The retailer stated that since the complainant and her spouse were equal joint account holders, both the complainant and her spouse could sign contracts in connection with the joint account. The retailer explained how, upon doing so, both account holders were jointly and severally liable. Further, it is the retailer's view that the credit application form the complainant and her spouse signed as joint applicants in 2008 provided express consent for ongoing credit checks at any time from, to or with any credit bureau.
17. The retailer explained to our Office when it can perform a credit check and what "0 Available Credit" means:

    … if a customer is a credit risk, having for example defaulted on ongoing payment obligations or has a history of doing so or there is a decline in the customer's credit score, the retailer will set the Credit Limit to 0 which will automatically also set Available Credit to 0. This is not an indication that credit is not available to the customer but rather means a credit check will be triggered for any proposed purchase on credit …. the last receipt for payment that [the complainant] received prior to her March 2010, similarly showed 0 for both the Credit Limit and Available Credit.

18. The retailer added that credit can also be checked in other circumstances:

    … where there is available credit (e.g., where a credit check will not be triggered at time of purchase) or a balance outstanding on a contract in connection with which no lien has been established, … [the retailer] periodically monitors customer accounts to determine the account holder's eligibility for credit which can fluctuate and to assess whether or not a lien should be filed.

19. The retailer also explained to us how the complainant's credit was checked at the time of her ex-spouse's first purchase in 2013:

    … at the time of the August 22, 2013 purchase by the co-applicant, given the 0 Available Credit, a credit check would have been triggered…. The results from the credit check inquiry that the cashier in this case would have seen, would have simply revealed an available credit and a credit limit of $10,000 on the account and no detail upon which that information was based. In the background, the system algorithm used for credit checks with [credit-reporting agency], would have run the primary applicant's (the complainant's) credit and since in this case it was sufficient, a check on the co-applicant's (spouse) would not have been run.

20. However, the retailer asserts that this credit check was not an "application" for new or increased credit, but merely a credit "update" for an existing account that warranted an increased amount.
21. On this note, our Office examined a system-generated audit trail of the account, provided by the retailer. It illustrates that a credit application for the complainant (i.e., "Primary") was sent to a credit bureau in the evening of August 22, 2013, and that the result was an approval for a credit maximum of $10,000. Below is the audit trail with third-party and identifying information removed:

    08/22/13 20:49:22 - […] Credit application […] sent to credit bureau […]
    Customer is approved for credit maximum of $10,000, classification P
    Credit report […] created for credit report.
    New credit report […] pulled for PRIMARY
    Credit Request Approved.
    Co-Applicant Application Updated.
    Application […] entered.

The Retailer's credit application and contract forms

22. The retailer seeks consent for the sharing of customers' personal information, including credit information, on two of its forms that we examined.
23. We noted that written in small print at the bottom of the retailer's credit application form, which the complainant and her then-spouse signed in 2008, was information regarding the retailer's record-keeping process and information about how it shares the applicants' personal information.
24. Further, at the bottom of the retailer's contract form, which the customer must fill out and sign at each purchase, it indicated the circumstances under which the credit application will be evaluated and the credit status will continue to be monitored.
25. Our Office noted that for the purchases made by the complainant's ex-spouse in 2013, this contract form was signed solely by the complainant's ex-spouse, as co-applicant.
26. Lastly, we reviewed the complainant's credit report that she provided to us, which showed an inquiry from the retailer in August 2013 and that the complainant had the retailer's credit limit of $10,000.
27. We also reviewed a copy of the retailer's privacy policy; the retailer's credit application policy, and; the province of Ontario's The Consumer Reporting Act.

Changes to joint account information

28. The retailer did not dispute the allegation that it had changed the address for the account held by the complainant and her ex-spouse at the request of the ex-spouse. The retailer has stated that it treats joint account holders as equal and that it was not aware that there had been a change in the domestic situation of the account holders.
29. Our investigation did not reveal any evidence to suggest that the retailer has a written policy or documented practices concerning the management of personal information associated with joint accounts.
30. In addition, the updated address on the complainant's account with the retailer was then reported to the credit-reporting agency when the credit check was obtained on her. This resulted in the complainant's address being incorrectly updated (to her ex-spouse's new address) on her credit file managed by the agency.
31. On the matter of family account management, our Office has published guidelines: Guidance on Managing Family Member/Household Accounts^{Footnote 2} ("Guidance document"). These state that "… because people may be related does not mean that they have a diminished expectation of privacy when it comes to their personal information vis-à-vis one another." The Guidance document also advises that organizations must take the necessary measures to mitigate the risk of giving out information to the wrong individual, sending information to the wrong address, not obtaining consent of all parties associated with an account, or not accurately updating or maintaining account information.

Subsequent action by the retailer

32. As a result of intervention from our Office, the retailer indicated that it has initiated a complete review of its privacy management framework with an eye to making refinements and enhancements to its policies and practices as appropriate and to keep pace with privacy law. The retailer stated that as a result it will begin to implement any changes through adjusting systems and forms as necessary and appropriate training initiatives. As part of its review, the retailer stated that it will also identify monitoring metrics, which will be tracked to monitor privacy policy compliance and effectiveness and inform ongoing refinements. The retailer anticipates that specific changes will be made to its credit application form to clearly explain the credit check process and, to individuals opening a joint account, that either individual can modify the personal information, such as the address, on the joint account.
33. Lastly, during our investigation, the retailer advised our Office that as a goodwill gesture, it has removed from the complainant all obligations in connection with the nine purchases that were made in August and September of 2013. The retailer has also contacted the credit reporting agency to remove the debt information from the complainant's credit report.

Application

34. In making our determinations, we applied Principles 4.3 and 4.3.4 from Schedule 1 of the Act.
35. Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
36. Principle 4.3.4 states in part that the form of the consent sought by the organization may vary, depending on the circumstances and the type of information. In determining the form of consent to use, organizations shall take into account the sensitivity of the information.
37. Principle 4.7 specifies that personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
38. Principle 4.7.1 stipulates that the security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held.

Findings

Consent for disclosure of personal information - Principles 4.3 and 4.3.4

39. At issue in the first place is whether the retailer disclosed the complainant's personal information without her knowledge and consent when the retailer made a (hard pull) credit inquiry about her in August 2013. By such inquiries, it is disclosed to the credit-reporting agency that the individual is seeking additional credit. The use of such inquiries is not without consequences for the individual whose personal information is at issue — e.g., inquiries can impact credit scores and eligibility for credit, and they can be visible to potential creditors who seek information about the individual's credit file.
40. At the outset, and due to conflicting evidence, we should state that our investigation could not clarify whether the complainant had a "revolving credit agreement" or an "installment account" with the retailer. We also could not establish with an acceptable degree of certainty whether it is the retailer's automatic practice to conduct a credit check on an account holder for each new contract signed as per the complainant's understanding, or whether these checks occur on an as-needed basis, as described by the retailer in paragraphs 17 and 18 of this report.
41. In our view, these distinctions are not relevant to the finding of our investigation. What remains important is that: (i) there clearly was a credit check that manifested itself as a "hard pull" on the complainant's personal credit report in August 2013; (ii) the complainant was subsequently approved by the retailer for a maximum credit limit of $10,000 (as indicated by the system-generated audit trail), and; (iii) the complainant (i.e., the individual directly impacted by the credit check) did not provide her specific, express consent for the retailer to perform the check for the exact circumstance and purpose for which it was needed (i.e., as per the contract drawn up for the purchase made by her ex-spouse in August 2013).
42. We do not accept the reasons that the retailer provided to explain why it did not obtain the complainant's specific and express consent for this credit check on her in 2013. The retailer explained that it was because, in its view: (i) joint account holders are equals who are jointly and severally liable; (ii) the complainant had signed the credit application form, giving her consent, in 2008, and; (iii) the consent clause for a contract that the complainant signed in 2010 for a purchase she then made was still in force in August 2013 because payments being made toward that purchase were still outstanding.
43. We do not agree that the retailer's credit application form, signed by the complainant and her then-spouse, the co-applicant, in 2008, and the contract signed in 2010 granted consent for the retailer to obtain, disclose or exchange credit information for either applicant "at any time to or with any credit bureau", without the retailer having to seek additional consent from the individual (i.e. in relation to a new purchase/contract).
44. Principle 4.3.4 clearly states that the form of obtaining consent for its collection, use or disclosure depends on (i) the type of the information, and; (ii) the circumstances. Credit information is clearly sensitive personal information. Further, the current complaint aptly illustrates circumstances that necessitate a specific, punctual and opt-in form of consent for the use of this type of information.
45. Moreover, shared liability for jointly held accounts on one hand, and individual credit checks on the other, are not interchangeable concepts from our Office's standpoint. We acknowledge that, pursuant to the terms of the retailer's joint accounts, either joint account holder may unilaterally make purchases under the account and sign a purchase contract to that effect. However, from a privacy perspective, since individual credit checks involve only the personal information of the individual who is the subject of them, each check requires the specific knowledge and consent of that individual; these checks cannot be initiated without their knowledge and consent, for example, merely at the behest of the joint account holder, as occurred in this case.
46. The retailer assumed, wrongly in our view, that because a new purchase was being made on the complainant's account, which was held jointly with the purchaser, the retailer could perform a "hard pull" credit check on the complainant herself without having to obtain her specific, express consent for it.
47. For these reasons, our Office determined that there was a contravention of Principles 4.3 and 4.3.4.

Safeguards - Principles 4.7 and 4.7.1

48. The complainant also alleged that the retailer failed to safeguard her information when, unbeknownst to her, it changed the address on her joint account at the request of her ex-spouse. Our investigation determined that the retailer treats joint account holders as equal and that it stated it was not aware that there had been a change in the domestic situation of the account holders.
49. We accept that each individual with full administrative rights to a joint account should be able to make certain administrative changes to the account, such as an update to an address. Therefore, there was no contravention of the Act when the retailer changed the address on the account at the request of one of the joint account holders.

Conclusion

50. Accordingly, we conclude that the matter is well-founded with regards to disclosure without consent and not-well founded in regards to safeguards.

Other

51. Notwithstanding the above, we remain concerned whether the retailer has information readily available to customers about its practices relative to the management of personal information associated with joint accounts. We were not presented with any evidence to suggest that this information exists.
52. The retailer should make it clear to anyone opening a joint account that both individuals are able to equally modify the personal information — such as the address — on the account.
53. We are encouraged however by the retailer's commitment to fully review its privacy obligations and its privacy procedures relative to the matters covered by this report and enhance the transparency of its joint account administration.

Footnotes