Institute of Canadian Advertising
February 27, 2001
Privacy Commissioner of Canada
(Check Against Delivery)
Before I address some of the specific points in the Act, I'd like to say a couple of things I hope will put this legislation in perspective for you.
First, this is not some bureaucrat's dream of the way society should be. The new Personal Information Protection and Electronic Documents Act (or C-6) is based on the principles contained in the Model Code for the Protection of Personal Information drawn up by the Canadian Standards Association. The Code is based on several years of consultation with government, business and consumer groups. It is based on the reality of the marketplace.
The second is that this legislation does not set Canada apart.
Virtually every other industrialized nation in the world either has legislation like this, or is in the process of having legislation like this. The only significant exception is the United States, and even there, the question is not whether these principles are valid, but what is the best way to put them into practice.
So, while the new private sector Act is definitely a step forward for privacy in Canada, in terms of the rest of the world, it really does no more than bring us up to speed.
As you know, the Act is being implemented in stages, over a period of three years, and will be in full effect as of January 2004-with one significant exception. In provinces where privacy legislation that is "substantially similar" to the federal Act is in force by 2004, the federal government can exempt all or part of the private sector from the application of the Act. Otherwise, the federal act will apply to the whole private sector.
To put that another way, while the new federal privacy law may or may not apply to your business now, it, or a provincial law very much like it, will apply to your business within a few short years.
In the first stage-where we are now-the Act applies to personal information collected, used or disclosed in the course of commercial activities by certain organizations: so-called federal works, undertakings and businesses. These are primarily the banks, airlines, telecommunications companies, broadcasters, and transportation companies. It also applies to the personal information of employees of these companies.
The application of this act has nothing to do with federal or provincial incorporation. A good test is that if your business comes under the jurisdiction of the Canada Labour Code, chances are it is a federal work, business or undertaking.
As of now, the Act also covers any disclosure of personal information across a provincial or international boundary for consideration.
That means if a company in Ontario were to sell or lease something like a mailing list to a company in Alberta, that information is subject to the protections contained in the Act.
For the time being, with the exception of the federal works, undertakings and businesses, the act does not apply to organizations as such - it applies to transactions carried out by organizations and the information involved in the transactions. This is a distinction that may be of interest to those of you here this morning.
That is how the Act applies now.
The second stage begins on January 1, 2002 when the act will extend to the personal health information of all employees and customers of federal works and undertakings. It will also apply to this personal health information if it is traded outside a province for consideration.
Most of you here today will be affected by the third and final stage, beginning as of January 2004, when the new federal act-or a provincial law very much like it-will apply to all personal information, collected, used or disclosed in the course of commercial activities by all private sector organizations. The federal act will capture interprovincial transfers while provincial ones will capture intra-provincial transactions (except those conducted by federal works and undertakings).
Some of the terms in the act merit an explanation. For example, the term "commercial activity" is given a very broad definition in the Act. It includes any regular course of conduct that is of a commercial nature. So the act would apply to commercial organizations and their activities but it could also apply to organizations such as charities (which would not ordinarily be considered as commercial ventures) if those charities sell or rent donor lists across boundaries. The emphasis is on the nature of the transaction rather than the nature of the enterprise.
As well, the Act makes a distinction between "disclosure" of information and "transfer" of information that is worth noting.
A "disclosure" of personal information involves providing the information to and for the use of a third party-that includes an organization that is affiliated with the organization that's making the disclosure. Disclosure requires the consent of the people to whom the information pertains in all but a very few, specific situations.
A "transfer" of personal information involves providing information to a third party for processing purposes. Say, a bank giving personal information to a printer in order to have a batch of personal cheques made up, or a business transferring personal information to another company to conduct a direct mail campaign on its behalf.
The information remains the responsibility of the organization that initiated the transfer, and consent is not required, as long as the information is not used for any other purpose, and is either returned to the company that initiated the transfer or is destroyed.
This could certainly apply in your industry. Suppose a client has collected some personal information, and then approached your agency and asked you to use this information to conduct a marketing campaign of some sort on their behalf.
This would be considered a transfer. The client would retain responsibility for the information and the agency would not be required to obtain consent to use the information. This assumes, of course, that the client had obtained consent to use the information for a marketing campaign at the time it was collected.
I know many of your agencies are involved in organizing contests on behalf of clients from time-to-time, and certainly many of you do a lot of research. Both of these are likely to involve the collection and use of personal information, and any time you're doing that, you have to look at the issue of consent.
For example, marketers collect information from a variety of sources-contests, market research, warranty cards-and any time you collect and use personal information you have to look at the issue of consent.
The new Act does allow for implied consent in certain circumstances, but the circumstances are limited. The information cannot be considered sensitive and the context must give the individual a good idea of how the information will be used.
For instance, when individuals fill out a warranty card, they assume that the information will only be used to inform them of a defect or product recall or in the event that they need to return the product. The information can be used for these purposes without obtaining explicit consent.
But that's as far as it goes: The individual would not reasonably expect the information to be sold, or used for any other purpose to which they had not given their express consent.
It's the same for personal information collected through research activities like telephone and in-person surveys or focus groups. The information can only be used for the purposes to which the individual has consented, and of course, consent is needed to collect the information in the first place.
The easiest way to do that is to explain the purpose of the research and how the information will be used, and if the individual agrees to answer the questions, you have consent.
Organizations should also keep in mind that consent must be meaningful-the individual has to have a reasonable idea what it is they're consenting to, and how the information will be used. If consent is too broad, it ceases to have any meaning.
Needless to say, consent obtained by deceit is not consent at all. Organizing a contest to collect information for some other purpose is not acceptable, unless that other purpose is specified.
Although there is no time limit on consent in the Act, the individual does have the right to withdraw consent. As well, personal information can be retained only as long as it is required to fulfill the purpose for which it was collected. Organizations cannot hold personal information forever just because someone thinks it might come in handy some day. Organizations should have appropriate retention and disposal schemes to ensure that information that is no longer required is destroyed or otherwise disposed of.
I should make one more note about the notion of implied consent to which I referred a moment ago. The same note applies to so-called "opt-out" consent-where individuals are required to do something to show they do not consent to something, such as checking the "no, I don't want to receive information about related products" box on a form.
Implied and opt-out consent should be used only in situations where the information being collected is not sensitive, and the use is readily apparent.
For instance, an organization can safely assume that someone ordering a subscription to a magazine is giving the organization permission to use his or her name and address in order to deliver the magazine and send a bill.
The organization cannot assume the person is also consenting to have their name and address sold to some other organization. This is not necessarily a safe assumption even if they did not check the "no thanks" box. We don't all read the fine print.
Relying on implied or opt-out consent means a greater risk that the collection, use or disclosure of the information can be challenged under the Act, because there is no record of the person having consented to anything.
I should mention here that consent is not open-ended. Just because a person gives consent does not mean that you can collect anything for any purpose.
A key aspect of the act is that organizations need to restrict their collection, use, and disclosure of personal information to "purposes that a reasonable person would consider appropriate in the circumstances."
This provision of the Act, as loosely worded as it may seem, needs to be taken seriously. An allegation that an organization has not respected it can be the basis of a complaint to my office. It is not enough for an organization to identify, and stick to, its purpose for collecting, using and disclosing personal information. An organization needs to ensure that it collects, uses, and discloses personal information for reasonable purposes only.
And what happens if someone complains to me about the way you handle personal information? I generally take a non-confrontational approach and, as an ombudsman, try to resolve the complaint through mediation and discussion. I do, however, have considerable powers - the law does have teeth. I can subpoena a witness, and, if necessary, search premises. If a company refuses to comply, I can go to Federal Court and ask the Court to award damages for humiliation. These damages can be considerable in a case where a company has practices that are consistently disobeying the law. I also have the power to publish my findings. This, as I'm sure you can appreciate, is a considerable power. Very few companies would like to be publicly seen as not respecting the basic privacy rights of their customers.
Now, I know all of this might sound a little overwhelming, and I'm not going to stand here and tell you you won't find dealing with the PIPED Act to be something of a challenge from time-to-time. I do want to assure you my Office is always available to provide assistance and advice, to help you deal with this new reality. We are here to solve problems, not create them.
As advertisers and marketers-as businesspeople-I'm sure you all have a pretty firm grasp on the need to assess the overall business environment, to understand what people are thinking, so you can direct your activities as effectively as possible.
Certainly, privacy is now a significant influence on the business environment. Not just in terms of legislation like the PIPED Act, but in the way people are thinking about privacy.
What is new is what I would call a "culture of privacy"-the widespread recognition that our personal privacy is under threat as never before, and that we as individuals can no longer rely on the old protections of time and distance and walls of paper that used to guard our personal information more-or-less by default.
People are taking a much more active interest in protecting their privacy. They are far less tolerant when it comes to those who would breach or otherwise interfere with their personal privacy-and I'm sure I don't have to tell anyone here that losing a judgment in the court of public opinion can be far more costly than any damages a judicial body might assess.
To see that, we need only look at some of the privacy-related public relations disasters of the past couple of years-things like cookies, web bugs, and the famous Longitudinal Labour Force File set up by Human Resources Development Canada.
There are lots of times people don't like to give up their personal information but these examples show they really don't like it when their personal information is collected and used without their knowledge or permission.
This idea of permission, of choice, of consent, is central to the culture of privacy-it is central to privacy itself.
The PIPED Act, and other legislation like it and the principles of fair information practices all flow from this simple but critical premise-if you are going to collect, use or disclose personal information about someone, you need that person's permission to do so.
We know access to personal information is virtually essential to business-and that this access can also be beneficial to customers. But businesses working in the new culture of privacy must remember that to have access to an individual's personal information, they must have the individual's consent. And businesses that ignore this do so at their peril.
Some of this may well sound familiar. The same basic concept showed up in a book published in the United States in 1999-a book about advertising in fact-called Permission Marketing. It was written by Seth Godin, Vice President of Direct Marketing at Yahoo!
Godin talks about "offering the consumer an opportunity to volunteer to be marketed to," and how this can lead to "turning strangers into prospects who choose to opt in to a series of communications," and ultimately, "turning strangers into friends and friends into customers."
I'm not here to plug anyone's book. But the point is, what Godin writes about is widely recognized as a new and important development in advertising and marketing. The key to the book's approach is that entering into a person's private world, interrupting their time and attention, should be subject to their consent.
There's been a lot of talk in recent years about what is often referred to as a "new business culture", in which clients and customers are seen as silent partners in the enterprise, partners whose needs and desires must be taken into account in any business decision. It's a recognition that things are just too competitive, that there are too many alternatives out there for any business to ignore the customer's priorities.
The new privacy culture goes hand-in-hand with this philosophy; indeed, it is part of this new way of doing business.
Privacy has become part of the product. A company can offer its customers a product that meets the minimum standards, or it can offer a product that reflects the organization's commitment to excellence.
A business can look at the PIPED Act, and do exactly what the law requires, or it can look at the business environment, at what people are thinking, and do what the customer requires.
I would encourage organizations to look at the need to obtain consent as an opportunity to open a dialogue with customers, so you know how you're doing on privacy issues-it'll make your relationship stronger.
Showing respect for privacy is part of showing respect for your customer, and respecting your customer is the cornerstone of a good customer relationship.
The bottom line is good privacy is just good business-and in a culture of privacy, better privacy is even better business.