Ottawa, March 20, 2002 - The Privacy Commissioner of Canada, George Radwanski, today released the following findings regarding complaints about Air Canada's Aeroplan Frequent Flyer Program under the Personal Information Protection and Electronic Documents Act. When this issue first appeared in the media, and the Commissioner first spoke with Air Canada officials, they agreed to comply with the Commissioner's request to suspend the activities in question until the end of the investigation. Due to public and media interest, the Commissioner has decided to release his report of findings in a letter to Air Canada's Manager of Privacy Compliance, Erik Grados.
Dear Mr. Grados:
This letter constitutes my report of findings with regard to the complaint filed by an individual against Air Canada under the Personal Information Protection and Electronic Documents Act (the Act). In his complaint received in my Office on August 14, 2001, the individual alleged that Air Canada is in contravention of the Act by virtue of having placed the onus upon individual members of its Aeroplan Frequent Flyer Program (Aeroplan) to opt-out of its practice of sharing members' personal information with external sources. She also expressed concern about Air Canada's provision of a possible four-month processing period for Aeroplan members' requests that their personal information not be shared.
I have determined, first of all, that the subject matter of the complaint does fall within my jurisdiction under the Act. As of January 1, 2001, the Act applies to any federal work, undertaking, or business. By operation of constitutional law, any airline company, such as Air Canada, is a federal work, undertaking, or business. On this basis, therefore, I was required under section 12 of the Act to accept and investigate the complaint.
I have also determined from the facts of the case that the information at issue is personal information as defined under the Act. Section 2 of the Act defines personal information to be "... information about an identifiable individual ...". In my view, information pertaining to the complainant's membership in Aeroplan is personal information that identifies her as an individual.
Before I provide you with my findings, let me first outline the facts obtained in the course of my Office's investigation.
Aeroplan, a division of Air Canada, has approximately six million members. It is a program in which plan members may earn and redeem travel miles or "points" within what is known as the "Air Canada Family" (i.e., Air Canada divisions and affiliates) and with various partners.
The Air Canada Family and partners within the Aeroplan program are identified in the "Aeroplan Member Guide", which all plan members receive on enrolment. This guide also states that members will receive news "about exciting Aeroplan bonus offers, contests, promotions, and new services," but does not explain what personal information is collected or how it will be used and does not indicate that members' personal information will be disclosed outside the organization. In fact, the only reference the guide makes to personal information indicates to the contrary, as follows: "Personal information will be given only to the holder of the membership, or if pursuant to a court order ...".
In June 2001, Air Canada's marketing agent, FCB Direct Montreal, distributed to 60,000 Aeroplan members a brochure entitled "All about your privacy". This brochure explains how the Air Canada Family and partners share personal information of Aeroplan members among themselves and with external sources. The brochure sets out five situations in which personal information may be shared under the program. Members are instructed to check off an adjacent box in each case where the member does not want Air Canada to collect, use, or disclose his or her personal information in the manner described. The brochure adds a note to the effect that it may take Air Canada up to four months to process members' requests that information not be collected, used, or disclosed. It is then left up to each plan member to mail the brochure back to Air Canada.
The first situation described in the brochure is "Information of interest from Aeroplan partners". Air Canada or any member of the Air Canada family provides mailing lists to Aeroplan partners so that they may send to plan members information of possible interest, notably on special promotions and special offers of "exclusive products and services tailored to [a member's] interests and needs".
The second situation is "Information of interest from companies outside of the Aeroplan program". For the same purpose as noted in the first situation above, Aeroplan "from time to time provides mailing lists to reputable non-Aeroplan partner companies." Neither the brochure nor the Aeroplan Member Guide names any such companies.
In these first two situations, the mailing lists include plan members' names, addresses, plan numbers and possibly, depending on the partner in question, other information such as personal and professional interests. My investigation has revealed that, even before the brochure was distributed, it was Air Canada's practice to provide mailing lists to agents/partners without first obtaining consent from Aeroplan members and without informing members that personal information would be used for a secondary purpose and disclosed outside the organization.
The third situation is "Exchange of information within the Air Canada Family". The description is the longest of the five, but also the vaguest and most confusing. I quote it in full as follows:
"The Air Canada Family is committed to expanding the opportunities for you to earn and redeem Aeroplan miles with an increasing range of both travel and non-travel partners. Whenever you contact any of the divisions or affiliates in the Air Canada Family, we want to ensure that you are fully recognized as an Aeroplan member and a valued customer, and that each contact point has all the necessary information. Should you wish to have your profile kept separately and not disclosed between members of the Air Canada Family, other than for travel or accumulation and redemption of mileage, please check the box at the right."
Such wording gives rise to many questions and concerns as to the nature and purposes of the information exchange envisaged here. What is this information that is so "necessary" at each contact point? What is a plan member's "profile", and what specifically does it contain? For what purposes other than "travel or accumulation and redemption of mileage" might such a profile conceivably be used? What does all this have to do with "expanding the opportunities ... with an increasing range of both travel and non-travel partners"? In sum, by omitting to check off the box at the right, what exactly would a plan member be consenting to?
My investigation has revealed that not even Air Canada knew precisely what it meant by this situation. On inquiry, the company provided my Office with elaborate and, frankly, mystifying explanations of both its current practice and its intentions with respect to the third situation, none of which, I must add, is even remotely discernible in the brochure description itself. Air Canada explained that its third situation actually represented a "forward-thinking strategy" to accommodate the eventual dissemination of the "Air Canada - Direct Marketing System Customer Club Profile Database" if Aeroplan ever became a separate legal entity. By seeking consent of a deliberately vague and open-ended sort, Air Canada was attempting to avoid the requirement for consent in the future organizational configurations of Aeroplan.
The question remains, consent for what? Ostensibly, if you check the adjacent box, you are asking to have "your profile kept separately" and not shared among the Air Canada Family, "other than for travel and accumulation and redemption of mileage." But if it is true, as Air Canada insists, that its database contains nothing but basic information on travel and accumulation and redemption of mileage, how could a member's profile be used otherwise? The brochure description thus itself implies that the third situation envisages much more than just an exchange of basic membership information within Air Canada.
Indeed, it was determined during our investigation that the "Air Canada - Direct Marketing System Customer Club Profile Database" affords potential for information usage of many kinds, including the tailoring of information to the personal purchasing habits and preferences of individual plan members. Even if Air Canada is limiting its usage at present, who knows what the future would bring, when its forward-thinking strategy came to fruition? In short, a plan member who out of sheer perplexity refrained from checking the box beside the third situation could be consenting to almost anything.
For all of the first three situations, the brochure descriptions indicate that the mailing lists in question are provided directly to the intended parties. However, my investigation has revealed that in most cases the lists are actually sent to a direct-mailing house, which reassembles the information to meet criteria specified by the intended party and then sends promotional material on that party's behalf to Aeroplan members. Air Canada has indicated that the various direct-mailing houses with which it deals act as its agents. The company currently has confidentiality agreements in place with most of these houses and is in the process of preparing confidentiality agreements with the remainder.
The fourth situation described in the brochure is "Seeking additional personal information to serve you better". Air Canada or a member of the Air Canada family collects information from external sources about members' personal or professional interests, demographics, and use of, or preference for, certain products and services. The brochure does not identify specific "external sources", but Air Canada has explained that these are meant to include companies that have compiled "any list of people who had consented to their personal information being accessed and overlaid with other information for the purpose of target marketing based on customer preferences". To illustrate this situation, the company has offered the example of a golfer who completes a survey for a direct-marketing firm and consents to the release of the survey information for the purpose of obtaining special offers and promotions; this information is in turn "overlaid" with Aeroplan members' information in order to provide special offers and promotions to plan members who play golf.
The fifth situation is "Seeking additional personal financial information". Again from external sources, Air Canada or a member of the Air Canada family collects financial information about plan members, including credit information. Air Canada then uses this information to determine members' eligibility for specific financial products and services, such as credit card or mortgage.
For the fifth situation, as for the fourth, the brochure does not identify any specific external sources. In developing the brochure, Air Canada's intention was to take a broad approach to defining external sources so as to be able to add new sources in future. At the time of distributing the brochure, Air Canada had already selected and made an arrangement with one external source for purposes of the fifth situation, but had not yet done so with any for purposes of the fourth.
Air Canada developed two versions of the brochure, one of which omits the fifth situation. This second version was sent to half (30,000) of the selected recipients. The purpose of dividing the mail-outs in this way was to analyse members' response rate as it related to the inclusion of personal financial information.
Air Canada has offered several reasons for its decision to use negative or "opt-out" consent rather than positive or "opt-in" consent in its brochure. First, it contends that managing an enrolment program requiring opt-in consent from each of six million members would be impossible, given the prohibitive costs of mailing and processing.
It contends that written consent should not be required in respect of the brochure since written consent has never been required under the current enrolment process.
It contends that Aeroplan members view Air Canada affiliates and partners in the same light as Air Canada itself; therefore, it should not be necessary to obtain specific and separate consent regarding each constituent of the group.
It contends that it is the responsibility of plan members to read the Aeroplan Member Guide for instruction in how their personal information is used.
As for the four-month processing period it allowed itself, Air Canada explained that it could not anticipate how many plan members would respond to the brochure and thus did not know whether sufficient resources would be available to process opt-out requests more quickly. Though realistically officials estimated that a one-month processing period would probably suffice, in the end they allocated four months in order to allow for unanticipated response levels. My investigation has revealed, however, that even this lengthy processing period may not have been sufficient, since the database initiative whereby Air Canada was intending to process Aeroplan members' opt-out requests was only under development and not due to be completed and functional until January 2002.
On the basis of these facts, I am required to determine whether Air Canada has met its obligations under the relevant provisions of the Act: specifically, Principles 4.1 (Accountability), 4.2 (Identifying Purposes), 4.3 (Consent), and 4.5 (Limiting Use, Disclosure, and Retention) of Schedule 1; and section 5(3) and section 7.
The central issue in this case is consent - the need for it and the form it may reasonably take. In this regard, the relevant principles of Schedule 1 are as follows:
4.2.4 When personal information that has been collected is to be used for a purpose not previously identified, the new purpose shall be identified prior to use. Unless the new purpose is required by law, the consent of the individual is required before information can be used for that purpose.
4.3 The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
4.3.1 Consent is required for the collection of personal information and the subsequent use or disclosure of this information. Typically, an organization will seek consent for the use or disclosure of the information at the time of collection. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected but before use.
4.3.4 The form of the consent sought by the organization may vary, depending upon the situations and the type of information. In determining the form of consent to use, organizations shall take into account the sensitivity of the information.
4.3.5 In obtaining consent, the reasonable expectations of the individual are also relevant.
4.3.6 The way in which an organization seeks consent may vary, depending on the situations and the type of information collected. An organization should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive.
4.3.7 Individuals can give consent in many ways. For example:
(b) a checkoff box may be used to allow individuals to request that their names and addresses not be given to other organizations. Individuals who do not check the box are assumed to consent to the transfer of this information to third parties.
4.5 Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.
Sections 5(3) and 7(1) through 7(5) of the Act are also relevant to the consent issue. Section 5(3) states that an organization may collect, use, or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances. Sections 7(1) through 7(5) specify exceptional situations in which an organization may collect, use, or disclose personal information without the knowledge and consent of the individual.
On the need for consent, I have determined, first of all, that even before distributing the brochure "All about your privacy" Air Canada made a practice of using or disclosing Aeroplan members' personal information, in the form of mailing lists and basic membership data, among the Air Canada Family, partners, and agents. It also collected plan members' personal financial information from at least one external source.
I have also determined, notwithstanding Air Canada's suggestion to the contrary, that the enrolment document "Aeroplan Member Guide" provides no instruction whatsoever on information sharing and, in fact, gives a strong indication that information is not disclosed under the program. I am satisfied therefore that the brochure distributed in June 2001 marked the first and sole instance in which Air Canada undertook to inform Aeroplan members that their personal information is collected, used, or disclosed and to seek consent for such practices.
As for the extent of that undertaking, it is noteworthy that brochures were sent to only 60,000, or about one percent, of Aeroplan's approximately six million members, leaving some 99 percent of the membership wholly uninformed, and unsolicited with regard to consent, in the matter of the sharing of their personal information. The Act requires observance of privacy rights in respect of every individual and does not allow for token compliance. I thus find Air Canada's attempt at seeking consent to have been grossly inadequate.
In sum, given that the brochure went out to only a scant minority of plan members and that personal information was previously disclosed and collected without any prior indication to plan members, it is plain that Air Canada did not inform Aeroplan members that their personal information was to be collected, used, and disclosed for purposes other than that for which it had been originally collected and did not seek consent for such additional collection, use, and disclosure.
I find therefore that Air Canada has not met its obligations under Principles 4.2.4, 4.3, 4.3.1, and 4.5 of Schedule 1 of the Act.
Nor do I find that any of the exceptions provided in sections 7(1) through 7(5) of the Act apply in this case.
Furthermore, I am satisfied, in consideration of section 5(3), that a reasonable person would not have expected Air Canada to collect, use, or disclose personal information without consent before June 2001 and subsequently would not have considered it appropriate for Air Canada to seek consent from only one percent of the Aeroplan membership.
The question now arises: Did Air Canada, in its recent undertaking to seek consent, at least seek it in an appropriate and reasonable form?
The brochure informs plan members that they may request that their personal information not be disclosed (in the first three situations) or not be collected (in the fourth and fifth situations). In other words, Air Canada chose to use negative or opt-out consent, which is provided for under Principle 4.3.7 of Schedule 1. However, under Principles 4.3.4 and 4.3.6, an organization must consider the information's sensitivity in determining the form of consent to be used. Furthermore, Principle 4.3.5 and section 5(3) stress the relevance of what a reasonable individual might expect or consider appropriate in the circumstances.
I should begin by making it clear that, like most other privacy advocates, I have a very low opinion of opt-out consent, which I consider to be a weak form of consent reflecting at best a mere token observance of what is perhaps the most fundamental principle of privacy protection. Opt-out consent is in effect the presumption of consent - the individual is presumed to give consent unless he or she takes action to negate it. I share the view that such presumption tends to put the responsibility on the wrong party. I am also of the view that inviting people to opt-in to a thing, as opposed to putting them into the position of having to opt-out of it or suffer the consequences, is simply a matter of basic human decency.
Accordingly, while acknowledging that the Act does provide for the use of opt-out consent in some circumstances, I intend, in this and all future deliberations on matters of consent, to ensure that such circumstances remain limited, with due regard both to the sensitivity of the information at issue and to the reasonable expectations of the individual. In other words, in interpreting Principle 4.3.7, I intend always to give full force to other relevant provisions of the Act, notably 4.3.4, 4.3.5, and 4.3.6 and section 5(3).
Since the complaint focuses on the sharing of information with "external sources", I will first deal with the fourth and fifth information-sharing situations described in the brochure.
In my view, the types of information-sharing contemplated in these two situations are of a manifestly high order of sensitivity. Furthermore, I am satisfied that a reasonable person would consider it inappropriate for Air Canada to collect, from unnamed external sources, without the express consent of the individuals concerned, information about plan members' personal or professional interests, use of and preference for certain products and services, and financial status.
I find therefore that, by failing to seek opt-in consent for the collection of information about plan members from external sources as described in the fourth and fifth situations, Air Canada is in contravention of the Act.
Although this specific complaint related mainly to external parties such as figure prominently in the fourth and fifth situations, after due consideration I have come to the same conclusion about the first three situations as well. I have determined, in other words, that negative or opt-out consent is not sufficient for any of the five situations described in the brochure.
As you know, this determination differs considerably from a preliminary indication I issued several months ago. On July 18, 2001, I sent to Air Canada a letter that I subsequently made public in the interests of openness and transparency. In that letter, I advised Air Canada as follows:
"On the face of it, I consider the first three [situations] to be ones that members would more or less normally expect from the Aeroplan program. Providing information to Aeroplan partners so that they can inform members of various promotions and exclusive products would seem to be something that a member would routinely expect to happen."
Why have I changed my mind about the first three situations?
The answer is simply that I have discovered some troubling implications in the brochure descriptions of these situations. Specifically, I am troubled about the extent to which each of the three may involve the use and disclosure of customized information on individual plan members' personal or professional interests and uses of or preferences for certain products and services.
These are types of information that I believe to be sufficiently sensitive in themselves to warrant obtaining positive consent from the individuals concerned. Although in my view the practice of sharing plan members' information for purposes of offering special promotions and products remains unobjectionable in itself, I am satisfied that a reasonable person would not expect such practice to extend to the "tailoring" of information to the individual's potentially sensitive interests, uses, and preferences without the positive consent of the individual.
All things considered, therefore, I find that Air Canada has not met the requirements of Principles 4.3.4, 4.3.5, and 4.3.6 of Schedule 1.
With particular reference to the third situation described in the brochure, I am obliged to point out that not even the seeking of positive consent would bring the information-sharing practice described into compliance with the Act. Principle 4.3 of Schedule 1 states that both the consent and the knowledge of the individual are required for the collection, use, or disclosure of personal information. In other words, consent is not valid unless the individual knows what he or she is consenting to; conversely, in seeking consent an organization must inform the individual of its specific intentions. As I have indicated above, the description of the third situation provides the individual with no way of knowing how Air Canada intends to collect, use, or disclose his or her personal information. The description is so vague and open-ended as to render any consent invalid.
It remains for me to address the complainant's concern about the four-month period that Air Canada allowed itself for processing opt-out requests. Principle 4.1.4 of Schedule 1 states the following:
4.1.4 Organizations shall implement policies and practices to give effect to the principles, including: ...
(b) establishing procedures to receive and respond to complaints and inquiries; ... and
(d) developing information to explain the organization's policies and procedures.
In soliciting a possible 60,000 inquiries in the form of opt-out requests, Air Canada should have had appropriate procedures in place for the reasonably expeditious processing of such requests. In fact, given that the database initiative for processing opt-out requests was still under development and not expected to be functional until January 2002, it is obvious that Air Canada had no appropriate procedures in place at the time the brochure was distributed and could not have processed the requests even within the generous period it had allotted itself. I find that Air Canada was by no means prepared to handle a potentially large response to its brochure and therefore has failed to meet the requirements of Principle 4.1.4.
Lastly, I turn to Principle 4.1.3, which states:
"An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party."
My investigation has shown Air Canada to have been negligent in this regard, notably in failing to establish appropriate confidentiality agreements with some of the agents it employs in processing Aeroplan members' personal information. I find therefore that Air Canada is not in compliance with Principle 4.1.3 of Schedule 1.
In sum, I have found Air Canada to be in contravention of all provisions of the Act relevant to the complaint. Accordingly, I conclude that the complaint is well-founded.
I make the following recommendations:
- Air Canada should inform all Aeroplan members as to the collection, use, and disclosure of their personal information.
- Air Canada should clearly explain to all Aeroplan members the purposes for the collection, use, and disclosure of their personal information. This is not done adequately in the current version of the "All about your privacy" brochure.
- Air Canada should seek positive (i.e., opt-in) consent from all Aeroplan members regarding all information-sharing situations outlined in the brochure.
- Air Canada should establish appropriate procedures for obtaining positive consent.
- Air Canada should execute appropriate agreements with all the direct-mailing houses it employs as agents to ensure that the personal information of Aeroplan members is protected in accordance with the Act.
I should also mention that, before undertaking my investigation of the complaint, I requested that Air Canada suspend its activities regarding the brochure. Air Canada responded by assuring me that, pending the outcome of my investigation, the company would not further collect or process any of the types of information described in the brochure's fourth and fifth situations and would not mail out any more brochures. I appreciate Air Canada's conduct in this regard.
Pursuant to the present findings, I am further recommending that Air Canada suspend all information-sharing activities under the Aeroplan program until my other recommendations have been implemented. I am also requesting that Air Canada inform me within 60 days of its plan of action to implement my recommendations.
You should know that the complainant has been informed that pursuant to section 14 of the Act, she has the legal right to apply to the Federal Court - Trial Division for a hearing in respect of any matter that she complained about or that I have dealt with in my report, and that is referred to in clause 4.1.3, 4.2, 4.3.3, 4.4, 4.6, 4.7 or 4.8 of Schedule 1, in clause 4.3, 4.5 or 4.9 of the Schedule as modified or clarified by the Act, in subsection 5(3), 8(6) or 8(7) or in section 10. The complainant has been informed that such an application must be made within 45 days of the date of this letter.
This concludes the investigation of the complaint.
Privacy Commissioner of Canada
- 30 -
For more information, contact:
Office of the Privacy Commissioner of Canada
Tel.: (613) 995-0103