ePrivacy-Transforming Customer Privacy Into A Catalyst For Your Business
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
eCustomer World Institute
eCustomer World 2001 Conference
October 9, 2001
Privacy Commissioner of Canada
(Check Against Delivery)
I'm sure that most of you have questions in mind about what Canada's new privacy law, the Personal Information Protection and Electronic Documents Act, means for your business. I'll talk today about the new act, and I hope that what I say will answer most of your questions.
But since the terrorist attacks of September 11 you no doubt also have in mind a bigger picture, more pressing issues, and more troubling questions about privacy. I would be remiss in my responsibilities, both as Privacy Commissioner and as a citizen, if I didn't also talk to you about that bigger picture.
I have often said that, at least in the Canadian context, I believe that privacy will be the defining issue of this new decade. I still believe that to be true, now more than ever.
Privacy is, of course, a fundamental human right, recognized as such by the United Nations. But it is not only an individual right-it's also a shared value, a social, public good. In the words of Justice LaForest of the Supreme Court of Canada, privacy is "at the heart of liberty in a modern state."
Privacy is perhaps the most basic of our freedoms. Some would suggest that it is the right from which all others flow-freedom of speech, freedom of association, freedom of choice, to name but a few.
Until recently, when I spoke of it as the defining issue, I meant that we are facing unprecedented choices with regard to privacy, as the result of the new challenges presented by advances in technology and in science. The choices we make will determine what kind of society we leave for our children and grandchildren.
I am sure that many people would argue that in the light of recent tragic events, it is now the battle against terrorism that will be the defining issue. That battle must be fought, and it must be won.
But if our reaction to terrorism were to excessively and unnecessarily deprive ourselves of privacy, and the freedoms that flow from it, then the forces of darkness would have won a great and terrible victory. How we preserve our values in the face of challenge will, in fact, be the defining issue of this time.
Perhaps it will be necessary to accept some new intrusive measures to enhance security. But these choices must be made calmly, carefully and case by case. Each such measure should be accepted only if it is demonstrably and clearly necessary to address a specific problem, and only if it is clear that no less privacy-invasive measure could satisfactorily achieve the same result.
Even then, we must be careful to distinguish between what might be appropriate as a short-term, emergency measure and what is justifiable as a lasting change.
So that is the big picture. Now, let me turn to the Personal Information Protection and Electronic Documents Act.
Personal information about customers and employees is critical to modern businesses. What businesspeople have to realize is that when they're collecting and handling that personal information, they're holding people's privacy in their hands. That imposes a very important duty of trust on them.
What the new law says, in a nutshell, is this:
Apart from some very limited exceptions, no private sector organization covered under the law can collect, use or disclose personal information about someone without their consent.
It can collect, use or disclose that information only for the purpose for which they gave consent. And even with consent, it can only collect information that a reasonable person would consider appropriate under the circumstances.
People have the right to see the personal information that is held about them, and to correct any inaccuracies.
There is oversight, through me and my office, to ensure that the law is respected, and there is redress if someone's rights are violated.
Before I talk about some of the specific points in the act, I'd like to say three things that I hope will put it in perspective.
First, this is not some bureaucrat's dream of the way society should be. The new law is based on the principles contained in the Model Code for the Protection of Personal Information drawn up by the Canadian Standards Association. The Code is based on several years of consultation with government, business and consumer groups. It is based on the reality of the marketplace.
The second is that this legislation does not set Canada apart.
Virtually every other industrialized nation in the world either has legislation like this, or is in the process of developing it. The only significant exception is the United States, and even there, the question is not whether these principles are valid, but what is the best way to put them into practice. So, while the act is a step forward for privacy in Canada, it really does no more than bring us up to speed with the rest of the world.
Third, and most important, it's part and parcel of the new ways of doing business that you're all here to talk about.
In the "new business culture," clients and customers are seen as partners in the enterprise, partners whose needs and desires must be taken into account in any business decision. No business can afford to ignore the customer's priorities. Things are just too competitive for that.
Part of the new business culture is what I would call a "culture of privacy."
Privacy is not new-its value has long been recognized. As I said earlier, it's a fundamental human right, considered to be at the heart of our society's most basic freedoms.
But a culture of privacy is new. People are taking a much more active interest in protecting their privacy. They are far less tolerant of anyone breaching or otherwise interfering with their privacy.
Look at the some of the most notable privacy-related public relations disasters of the past few years-things like cookies, web bugs, and the infamous Longitudinal Labour Force File set up by Human Resources Development Canada.
There are lots of times people don't like to give up their personal information, but these examples show they really don't like it when their personal information is collected and used without their knowledge or permission.
This is something you have to pay close attention to, when you're talking about things like customer relationship management. These new approaches to marketing require that businesses capture, analyze, and store large amounts of personal information. To get new customers, you have to find them. To keep customers, you have to know them. But an increasing number of customers are saying they don't want to be known. The key is going to be getting that information without driving them away.
This idea of permission, of choice, of consent, is central to the culture of privacy, and to privacy itself.
The act and other legislation like it, and the principles of fair information practices on which they're based, all flow from this simple but critical premise-if you are going to collect, use or disclose personal information about someone, you need that person's permission to do so.
I recognize that some marketers insist that they aren't interested in knowing about individual consumers, but rather about subsets, clusters, or categories of their customer base-their most loyal customers, their most profitable customers, and so on. The starting point is still personal information about individual customers. In the new culture of privacy, if you want access to an individual's personal information, you have to have the individual's consent.
Privacy has become part of the product. A company can offer its customers a product that meets the minimum standards, or it can offer a product that reflects the organization's commitment to excellence.
You can do the bare minimum the law requires, because you have to be in compliance. Or you can look at the business environment and recognize that it is the best approach for the customer.
I would encourage organizations to look at the need to obtain consent as an opportunity to open a dialogue with customers, so you know how you're doing on privacy issues-it'll make your relationship stronger.
Let me give you a bit more detail about how the act applies, and what it means.
As you probably know, the act is being implemented in stages, over a period of three years, and will be in full effect as of January 2004-with one significant exception. In provinces where privacy legislation that is "substantially similar" to the federal act is in force by 2004, the federal government can exempt all or part of the private sector from the application of the act. Otherwise, the federal act will apply to the whole private sector.
To put that another way, while the new federal privacy law may or may not apply to your business now, it, or a provincial law very much like it, will apply to your business within a few short years.
In the first stage-where we are now-the Act applies to personal information collected, used or disclosed in the course of commercial activities by federal works, undertakings and businesses. These are primarily the banks, airlines, telecommunications companies, broadcasters, and transportation companies. It also applies to personal information about the employees of these companies.
It also applies now to any disclosure of personal information across a provincial or international boundary for consideration-"for consideration" being legalese meaning that you get something in exchange for it.
That means if a company in Ontario sells or leases something like a mailing list to a company in Alberta, that information is subject to the protections contained in the act.
The second stage begins on January 1, 2002, when the act will extend to the personal health information of all employees and customers of federal works and undertakings. It will also apply to this personal health information if it is traded outside a province for consideration.
Most of you here today will be affected by the third and final stage, beginning as of January 2004, when the new federal act-or a provincial law very much like it-will apply to all personal information, collected, used or disclosed in the course of commercial activities by all private sector organizations. The federal act will capture interprovincial transfers while provincial ones will capture intra-provincial transactions (except those conducted by federal, works and undertakings).
I realize that businesses are going to face some new challenges in meeting the law's central requirement, which is the need to obtain customer consent.
Marketers, for example, collect information from a variety of sources-contests, market research, warranty cards. That will all be subject to consent.
You need to take that requirement seriously. Implied consent is permitted under the act, but in limited circumstances. You shouldn't rely on it.
For instance, when individuals fill out a warranty card, they assume that the information will only be used to inform them of a defect or product recall or in the event that they need to return the product. The information can be used for these purposes without obtaining explicit consent.
But that's as far as it goes: The individuals would not reasonably expect the information to be sold, or used for any other purpose to which they had not given their express consent.
It's the same for personal information collected through research activities like telephone and in-person surveys or focus groups. The information can only be used for the purposes to which the individual has consented, and of course, consent is needed to collect the information in the first place.
Keep in mind that consent must be meaningful-the individual has to have a reasonable idea what it is they're consenting to, and how the information will be used. If consent is too broad, it ceases to have any meaning.
Needless to say, consent obtained by deceit is not consent at all. Organizing a contest to collect information for some other purpose is not acceptable, unless that other purpose is specified.
Remember that personal information can be retained only as long as it is required to fulfil the purpose for which it was collected. Organizations cannot hold personal information forever just because someone thinks it might come in handy some day.
I suggest that you be cautious about what's known as "opt-out" consent, where someone who wants to collect, use, or disclose my personal information gives me the option to say I don't want them to.
It's often a matter of calling or writing, for example to the Canadian Marketing Association, to get onto a "Do Not Mail/Do Not Call" list. It may be as simple as checking off a box that says I decline the company's offer of sending me information about new services from time to time.
If I don't take them up on this offer to opt out, they proceed as though they have my consent.
Most privacy advocates, myself included, consider opt-out to be pretty poor privacy.
Opt-out is basically a very weak form of consent-you are presumed to consent unless you indicate otherwise.
This puts the responsibility on the wrong party. Someone wanting to collect, use, or disclose personal information should be required to get active consent-invite the person to opt in.
Opt-out is one of those things that works better in theory than in practice. It assumes that people know there's something going on, that they have the right to opt out, and they know how to.
It also assumes that opting out is in fact a valid, realistic option.
Those assumptions might work for the informed, patient, literate, aware consumer advocate. They don't work well as the basis for protecting the privacy of all of the people, all of the time.
Opt-out simply doesn't extend the privacy net as widely as opt-in. It should be used only in situations where the information being collected is not sensitive, and the use is readily apparent.
Most importantly, consent is not open-ended. Just because a person gives consent does not mean that you can collect anything for any purpose.
A key aspect of the act is that organizations need to restrict their collection, use, and disclosure of personal information to "purposes that a reasonable person would consider appropriate in the circumstances." In other words, an organization needs to be able to justify its collection of information.
Let me give you a couple of examples.
If I'm applying for a bank loan, the bank will want information about my ability to repay-my income, maybe my assets. That would be justified. A reasonable person would consider it appropriate in the circumstances.
On the other hand, if the bank wanted to make the loan conditional on my giving consent for it to sell my financial information to an insurance company, that would be a very different matter.
Another example: if I'm buying a computer for several thousand dollars, and I'm taking advantage of the offer of no payments for one year, the company has a good reason to collect personal information from me-where I live, my credit card number, where I work. But if I'm buying a twenty-dollar hand calculator from that store, paying cash, they don't need to know anything about me, and a reasonable person is not going to consider their demand for personal information to be appropriate, in these circumstances.
And that company had better not try to make sale of that twenty-dollar calculator conditional on me handing over unreasonable amounts of personal information. The act specifically prohibits coerced consent, where customers have no choice but to agree to providing unreasonable amounts or kinds of personal information if they want to get a particular product or service.
And what happens if someone complains to me about the way you collect or handle personal information?
First of all, let me stress that I'm an ombudsman. I'm not an enforcer. My way of dealing with complaints isn't like a court. I don't make binding decisions, and I handle complaints informally, quickly, and cost-effectively.
I do have powers. I can compel documents and evidence under oath, I can report matters directly to Parliament, and I can take matters to Federal Court.
But that's only if persuasion doesn't work. I'm not interested in confrontation. I'm interested in resolving complaints and getting at the underlying problems. In 17 years of dealing with Federal Government institutions under the Privacy Act, my Office has never once had to use its formal search or subpoena powers because we've always been able to get voluntary cooperation.
Now, I know all of this might sound a little overwhelming, and you will probably find the act to be something of a challenge from time to time. I want to assure you that my Office is always available to provide assistance and advice, to help you deal with this new reality.
But I hope that you see from this the necessity of making privacy part of your business plan.
When I talk to information technologists, in government and the private sector, I always give them this message: Build privacy in. Build it in at the outset, as part of the design.
I want to impress the same point on you: privacy needs to be built into your customer relations and your business plan at the outset. It can't be an afterthought. It can't be handled after the fact. You can't say, we'll cross that bridge when we come to it. Or worse: if someone complains we'll look at it.
One thing I would suggest is that you look at using Privacy Impact Assessments.
This allows you to examine any system or initiative you're considering developing, with a view to forecasting its impacts on privacy, assessing its compliance with legislation and principles, and determining what's required to fix any problems there may be.
This is an approach that's increasingly popular. People in government and the private sector have learned that it's money and time well spent if it helps them avoid the costs, adverse publicity, and loss of credibility and public confidence that could result from a system that hurts privacy.
You need to do Privacy Impact Assessments at the earliest point in your projects. Try to get an impartial review of them. Get someone who knows privacy to have a look at them. Let them give you a heads-up if there are obvious shortcomings.
I have every confidence in the good intentions of business people who want to get to know their customers. And the new business culture of putting the customer's needs and priorities first seems to me a positive development. I think it's great to see a business approach that's based on respect for individuals, and on finding out what they want.
But, you know, the greatest threats to privacy seldom come from those who want to do harm.
They come from well-intentioned people who say that privacy needs to be sacrificed for some greater good-efficiency, security, customer service.
I believe that it is possible to run a business reaching out to people and giving them the goods and services they want, efficiently and conveniently, without sacrificing privacy.
If you recognize how important privacy is to our society and to our freedom-if you recognize how concerned Canadians are about it, and design your business plan accordingly-you'll be well on the way to a winning market strategy.
Respecting your customer is the cornerstone of a good customer relationship. And that means respecting your customers' privacy.
The bottom line is that good privacy is just good business-and in a culture of privacy, better privacy is even better business.
- Date modified: