Alleged disclosure of personal information without consent for secondary marketing purposes by a bank

PIPEDA Case Summary #2002-82

[Principles 4.3, 4.3.2 and 4.3.5, Schedule 1]

Complaint

An individual complained that a bank fails to obtain consent for the collection, use, or disclosure of personal information for secondary marketing purposes.

Specifically, the complainant alleged that the bank does not bring to the attention of its customers its practice of using and sharing customer data with affiliates for secondary marketing purposes; it fails to provide clear information as to potential secondary uses and sharing of customer data; and it does not provide them with the opportunity to opt-out of such uses and disclosures.

This is one of several similar complaints filed by the individual against a number of organizations. In brief, the complainant's position may be summarized as follows:

• With respect to secondary marketing purposes, it is always appropriate to ensure customers' knowledge and consent.
• Marketers and the marketed differ on the issue of what form of consent is appropriate.
• Companies should not only state purposes in a policy document, but also "bring to the attention" of the individual customer the practices in question and the option of withdrawing consent.
• Companies fall short of meeting this obligation in several ways:

  (a) reliance on a document that has not been provided to the customer, but rather left up to the customer to find on his or her own initiative;

  (b) reliance on fine print that has been buried in a long document;

  (c) failure to use clear, plain language that is understandable to the ordinary customer;

  (d) failure to provide customers with adequately detailed information about the extent and purpose of contemplated uses and sharing of their personal information; and

  (e) failure to provide an easily executable opting-out procedure.

Summary of Investigation

The bank's privacy-related materials and the processes it uses to bring the bank's policies and practices regarding personal information to the attention of the customer were examined during the investigation. The investigation revealed the following:

• The bank provides two privacy-related documents to the customer and has a detailed privacy code available either on-line or in paper format.
• In brief, the documents detail the purposes for collecting, using, or disclosing customers' personal information among subsidiaries, and explain that customers have the right to refuse or withdraw consent.
• The bank also has a process whereby its representative draws the customer's attention to the bank's privacy policies, and requests and records the customer's preferences with regard to the disclosure of personal information to the bank's affiliates.

In sum, the bank's position is that these materials and processes form a sufficient basis for customers' knowledge and consent. The bank has undertaken to further clarify some of the wording regarding withdrawal of consent and to make more explicit the procedure for withdrawing consent.

Commissioner's Findings

Issued October 16, 2002

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to any federal work, undertaking, or business. The Commissioner has jurisdiction in this case because the bank is a federal work, undertaking, or business, as defined in the Act.

Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate. Principle 4.3.2 stresses that knowledge is required as well as consent and states that organizations must make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. It further stipulates that, for consent to be meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed. Principle 4.3.5 states that, in obtaining consent, the reasonable expectations of the individual are relevant.

The Commissioner found the complainant's expectations as outlined in the complaint to be reasonable and in keeping with the Act.

The Commissioner determined that the bank's privacy-related materials and processes do constitute a reasonable effort on the bank's part to ensure that the individual is advised of the secondary purposes for which personal information will be used or disclosed and that he or she may refuse or withdraw consent in a reasonable manner.

For example, the bank does not rely upon fine print or documents not immediately at hand. Although the privacy-related documents do not list the affiliates to which the bank may disclose personal information, it does inform customers of the types of organizations involved. The bank also provides a list of its current affiliates to any customer upon request.

In all, the Commissioner was satisfied that the materials and processes serve as a valid basis for knowledge and consent.

The Commissioner found therefore that the bank was in compliance with Principles 4.3.5, 4.3.2 and 4.3 of Schedule 1 of the Act.

The Commissioner concluded that the complaint was not well-founded.

Further Considerations

The Commissioner indicated that he was favourably impressed with the bank's policy of personally bringing optional secondary purposes to the attention of customers, presenting these purposes in terms of preferences for consideration, and in effect guiding them through an opt-out procedure on the spot. He said that, providing the bank's policy were consistently applied and extended to its on-line privacy communications materials, he would be very much inclined to recommend it as a highly exemplary method of obtaining consent and very much akin to the opt-in form of consent favoured by the complainant.