Customer opts-out of receiving promotional material but bank continues to send it

PIPEDA Case Summary #2003-116

[Principles 4.3.8 and 4.5, Schedule 1]

Complaint

An individual complained that his bank was not allowing him to withdraw consent from receiving unsolicited promotional materials. Specifically, the complainant alleged that he had opted-out of receiving this material from the bank's businesses, affiliates and subsidiaries on a number of occasions but still was receiving it.

Summary of Investigation

In August 2001, the complainant, a long-time customer of the bank, received a notice from the bank that included instructions on how to opt-out of receiving unsolicited promotional materials. The complainant followed the instructions but continued to receive materials. Some months later, he contacted the bank again. He was told that a "do not solicit" tag was placed on his file. A couple of months later, he received solicitation from one of the bank's affiliates. When he contacted the bank, he was told that, although his file did contain a "do not solicit" tag, he would have to send a letter directly to the affiliate, withdrawing his consent. The complainant refused to do so. Based on the wording in the notice he received and on the bank's opt-out policy contained on its web site, he understood that when he withdrew consent, his withdrawal applied to all of the bank's businesses, affiliates and subsidiaries. He was again assured that his file would be marked "do not solicit" and that the affiliate would also make such a notation on its file. However, in spite of this, the complainant continued to receive promotional materials.

The bank's privacy policy governs the bank, its businesses, affiliates and subsidiaries. The policy goes on to state that if a customer does not wish to receive promotional materials, he or she can opt-out by contacting his or her nearest branch or by telephoning a 1-800 line.

The bank recognized the difficulties its customers faced when trying to withdraw consent. As a short-term solution, the bank indicated that the names of all customers who had elected to withdraw consent would be removed from all of the bank's affiliates' marketing lists. To address the issue in the longer term, the bank was in the process of creating a database to capture customer preferences across all legal affiliates of the bank. The system is expected to be operational in the near future.

Commissioner's Findings

Issued January 31, 2003

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act (the Act) applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because a bank is a federal work, undertaking, or business as defined in the Act.

Application: Principle 4.3.8 states that an individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. The organization shall inform the individual of the implications of such withdrawal. Principle 4.5 establishes that personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law.

The Commissioner noted that while the bank had apparently provided its customers with the opportunity to withdraw consent, it had not ensured that such withdrawal was in fact communicated to members of the group or respected at all. In the Commissioner's view, such failure on the bank's part rendered the withdrawal option meaningless, and thus did not respect the withdrawal provision outlined in Principle 4.3.8.

The Commissioner also noted that the bank was using the complainant's personal information, originally collected to administer his banking services, for a new purpose, namely, to market other products and services, and was clearly doing so without his consent. He thus found the bank in contravention of Principle 4.5.

He therefore concluded that the complaint was well-founded.