The Importance of Trust

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Canadian Marketing Association's 2004 National Convention & Trade Show

May 4, 2004
Ottawa, Ontario

Address by Jennifer Stoddart
Privacy Commissioner of Canada

(Check against delivery)


Good morning. I am very pleased to be here today. I want to discuss two issues that I think will be of particular interest to you, but before I do so, I want to spend a few minutes talking about trust and how it relates to privacy and to marketing.

The Importance of Trust

Trust — it's a very simple word, but a highly complex concept. A typical dictionary definition — a belief in the honesty, reliability or strength of a person or thing — does not begin to capture the complexity of the concept.

Our society could not function without trust. Our personal relationships are based on trust. Our political system is based on trust. Our economy is based on trust.

Without trust, we would feel isolated and alone. When trust in our political system breaks down political engagement and involvement suffers — the result is a "democratic deficit." Our currency is based on trust; without it, the economy would collapse.

When I spoke to an audience of law enforcement and national security officials last week, I referred to the anonymity of modern urban society and how this has resulted in a weakening of accountability and social controls. The anonymity of modern urban society has equally significant implications for trust relationships.

Merchants no longer know their customers; bank managers don't know the people applying for loans; consumers don't know the business people from whom they purchase goods and services; and parents may not even know the teachers, coaches or caregivers to whom they entrust their children.

As a result, we increasingly rely on information rather than personal knowledge or personal relationships to make decisions. And third party organizations, such as credit bureaux, are called on more and more to act as trust intermediaries.

Privacy and Trust

Privacy, of course, is closely related to trust. There are innumerable definitions of privacy, but many of them refer to the ability of individuals to determine when and with whom they share personal information about themselves.

Trust is perhaps the most important factor that individuals use to decide when and where to share their personal information.

When we don't know whether we can trust someone with our personal information we become concerned about our privacy. If individuals do not feel that they can trust others with their personal information they may refuse to provide it, they may provide false or incomplete information, or they may even decide not to use a service or purchase a product,

One reason that governments passed privacy laws was to create and strengthen trust.

The federal Privacy Act, which has now been in force for over twenty years, was passed, in part, to enhance citizens' trust that the government would not misuse their personal information.

The Personal Information Protection and Electronic Documents Act or PIPEDA was passed in the late 1990s to promote trust in electronic commerce. Equally important, the Act was intended to reassure the European Union that personal information about European citizens that was transferred to Canada would be adequately protected.

As marketers you are well aware of the importance of trust. Your livelihood, your existence is based on trust.

The Canadian Marketing Association

To its credit, the Canadian Marketing Association understands that customers care about how businesses treat their personal information.

Perhaps this is a case of enlightened self-interest, but nonetheless, your association has played an important leadership role in urging businesses to recognize that the way they use and disclose personal information is critically important to their success.

Canadian Marketing Association has operated a Do-Not-Contact program for several years. Canadian Marketing Association was one of the first major industry associations in Canada to require its members to adhere to a privacy code.

Canadian Marketing Association was one of the initial participants in the Canadian Standards Association's (CSA) initiative to develop a model code for the protection of personal information. As you know, the CSA Model Code has been incorporated into PIPEDA as Schedule 1.

In 1995, Canadian Marketing Association was the first industry group to advocate national privacy legislation. Our office issued a press release applauding Canadian Marketing Association's "courageous stand". And when PIPEDA was passed, your President, John Gustavson, called the new law a "win-win for consumers and business".

Unfortunately for Canadians, all marketers are not members of Canadian Marketing Association and all marketers do not share Canadian Marketing Association's commitment to ethical, permission-based marketing. As valuable as Canadian Marketing Association's programs are, we all have to do more. We want to work with Canadian Marketing Association; we want to work with the CRTC, with Industry Canada and with other privacy commissioners to eliminate marketing practices that do not respect fair information principles.

PIPEDA

PIPEDA has been in force since January 1, 2001, but until last January the application of the Act was limited to federal works, undertakings and businesses such as banks, airlines and telecommunications companies and to personal information that was disclosed across borders for consideration.

Now the Act applies much more broadly — it applies to all organizations throughout Canada engaged in the collection, use or disclosure of personal information for commercial purposes. There's an exception, there always is. In those provinces that have passed recognizedly substantially similar legislation the provincial legislation applies. Quebec's legislation has already been declared substantially similar by the Governor in Council; we anticipate that Alberta's and British Columbia's acts will soon be declared similar.

Despite the best efforts of your association, the initial instinct of some of you may be to see PIPEDA as an impediment to business. After all, personal information is virtually the lifeblood of modern business. Personal information helps businesses identify potential customers and understand their behaviour and needs. It helps them assess the effectiveness of their advertising. It helps them determine who is a credit risk.

Canadians accept tradeoffs of personal information for goods and services, but they want the process to be transparent. They want to decide what level of privacy is acceptable to them, and how much personal information they are willing to surrender for a particular benefit. They don't want someone else making that decision for them.

This has given rise to a "culture of privacy" in business. Respect for customers' and clients' privacy is the key to gaining and keeping their trust and confidence. Doing business in a manner respectful of the culture of privacy is not only good for privacy; it is also good for business, to quote my Ontario colleague Ann Cavoukian.

Companies that fail to respect the privacy interests of their customers and clients face far greater penalties in terms of lost customer trust and good-will than they will ever suffer as a result of PIPEDA. Trust can take years to create; it can be destroyed in an instant.

PIPEDA and Consent

Now I would like to turn to some practical issues that I understand are of interest to Canadian Marketing Association's members.

An important component of privacy is the ability of individuals to determine when and with whom they share personal information about themselves. Individuals exercise this control by giving or withholding consent for the collection, use or disclosure of their personal information.

PIPEDA recognizes that there are different ways to obtain consent. Over the last three plus years, we have spent a good deal of time thinking about the issue of consent. What I would like to share with you today is our thinking on "opt-out" consent.

We have considered the use of opt-out in a number of different contexts. A common use of opt-out is in the context of using or disclosing personal information for a secondary purpose such as marketing. We accept that opt-out can be used as a legitimate way to obtain consent under the following conditions:

  • The personal information must be demonstrably non-sensitive in nature and context;
  • The information-sharing situation must be limited and well-defined with respect to the nature of the personal information to be used or disclosed and the extent of the intended use or disclosure;
  • The organization's purposes must be limited and well-defined and stated in a clear and understandable manner; and
  • The organization must establish an easy and inexpensive procedure to allow individuals to immediately opt-out of, or subsequently withdraw consent to, the secondary purpose.

Approximately a year ago, our Office issued a finding — number 167 — dealing with the use of opt-out consent by a magazine for the purpose of disclosing personal information to third parties for marketing purposes. This finding has caused some concern, particularly around the issue of the timing of obtaining consent.

We have reviewed the finding and we think that perhaps more has been read into the finding than was intended. The finding did not necessarily set out a general principle that has to be met in all situations. In this particular case, it would have been relatively easy for the magazine to provide information about possible disclosures on the subscription form and provide an opportunity to opt-out.

Having said this, I would like to clarify our thinking on this issue. We continue to believe that, as a general rule, organizations should inform individuals about all uses or disclosures and obtain consent at the time of collection. However, we understand that providing individuals with this information during certain types of transactions, such as telemarketing calls and purchases in stores, can be a challenge. There may be situations where consumers are in a hurry to complete a transaction and, as a result, they may not make a very informed decision with respect to consenting to disclosures. They may in fact make a more informed decision at a later date, for example, when they receive an invoice or a monthly statement.

So we accept that, in some cases, it may not be reasonably possible to obtain meaningful consent at the time of collection. Principle 4.3.1 recognizes that, in certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected, but before the use or disclosure. The bottom line is that consent is required before use or disclosure.

I should also tell you that we have recently had discussions with Canada Post about the use of opt-out consent on its Change of Address Notification Forms. The issue relates to the need to obtain consent for the disclosure by Canada Post of change of address information to commercial mailers. I would expect that many of you in the audience make use of this service.

We think that Canada Post should be able to use opt-out consent for these disclosures. The information Canada Post discloses would generally be considered non-sensitive. For the sake of consistency, we have told Canada Post that we would accept the use of a single opt-out box, provided it meets the conditions set out above.

Marketing Challenges Remain

Privacy laws, or laws of any type for that matter, can contribute to building trust, but they can only do so much. Ultimately, businesses have to take the lead in creating trust.

This becomes clear when we look at two current and pressing marketing issues.

Unwanted e-mails are a major problem. According to some estimates, spam accounts for more than half of all e-mails in Canada. Spam is annoying, intrusive and it's often offensive. Spam is expensive. Spam can contain viruses, web bugs or worms that can compromise the security of a computer and the information it contains.

"Phishing" is a new and very serious e-mail scam. This involves fraudsters sending email messages that appear to come from legitimate and well-known companies. These messages often inform the recipient of a problem with an account and request the recipient to provide account information and other personal information, which is then used to commit identity theft and fraud.

Some countries have attempted to legislate although this is one area where laws have limits. PIPEDA is potentially relevant — an e-mail address would typically be considered personal information. The problem of course is determining who is sending the e-mails and, if they are outside Canada, our jurisdiction is limited.

We are also concerned about the use or potential use of personal information contained in public registries, tribunal decisions, and court records for marketing and other purposes. These records can contain highly sensitive personal information — financial information, health information, information about children and information about people's mental state — that should only be used for the purposes for which it was collected.

The use of this information for unrelated purposes has long been a concern of privacy commissioners throughout Canada. In 1997, the Commission d'accès à l'information du Québec released an influential report on this subject. More recently, we have expressed our views on this subject to the Canadian Judicial Council. We are pleased to see that some organizations are beginning to limit access. For example, Justice Canada recommended in late 2003 that divorce records should be treated as confidential personal information.

Spam, unwanted telemarketing calls and the misuse of personal information are as much of a problem for legitimate marketers such as yourselves as they are for individuals and for those of us charged with protecting privacy. As important as they are, laws such as PIPEDA and agencies such as the Office of the Privacy Commissioner have limits

This is where you come in. We want to continue to work with Canadian Marketing Association as partners. Canadian Marketing Association has played a critically important role in urging businesses to adopt ethical information practices and we encourage Canadian Marketing Association to continue to show leadership in the future. We look forward to continuing to work with you in extending fair information practices across the playing field.

Thank You

Date modified: