Company revises privacy policy to clarify why it keeps personal information for a specific length of time, and designates privacy officer

Settled case summary #24

Complaint

An individual complained that a web-based company retained his personal information for too long after he cancelled his free trial membership.  He also alleged that the company was not fully accountable under the Act, as it did not answer all of his privacy-related questions and had no designated person responsible for handling privacy issues.

Outcome

The company stated that individuals wishing to sign up for a free trial membership were required to provide their name, address, telephone number, e-mail address and credit card information.  This personal information enabled the company to process rental requests and ship items, as well as prevent fraud.  It explained that some individuals try to obtain an additional free trial period by providing a different name, address or credit card.  In order to prevent this, the company tracks the personal information against new free-trial requests.

As a result of the complaint, the company revised its privacy policy.  It clarified under what circumstances and for what purposes personal information was retained, and specified the retention periods for information.  Credit card information was to be kept for a total of three years, in order to meet a two-year requirement for charge-backs and to allow an additional year due to fraud issues.  Contact and shipping information were to be retained for seven years to comply with the Income Tax Act.  The company also trained its customer service staff with respect to its revised policy, and designated a privacy officer.

The complainant was satisfied with the outcome, and the complaints were considered settled during the course of the investigation.
