Bank does not obtain the meaningful consent of customers for disclosure of personal information

PIPEDA Case Summary #2003-192

[Principles 4.3, 4.3.2, 4.3.4 and 4.3.5 of Schedule 1]

Complaint

An individual complained that his bank did not obtain the meaningful consent of its customers with respect to its disclosure practices. He also was of the view that the bank should be seeking the written consent of its customers for the disclosure of personal information to third parties, except for those third parties that provide related administrative services.

Summary of Investigation

The complainant received a notice from his bank that it was amending its personal information consent clause for its credit and deposit agreements. The purpose for the amendment was to notify customers that the bank intended to use their personal information for the secondary purpose of marketing new products and services. The form indicated that customers could withdraw consent by writing to the bank, although it warned that doing so might restrict the bank's ability to effectively provide products and services. It also included a note about who would have access to customers' personal information.

While the bank's original consent clauses did alert customers to the use of their personal information for secondary marketing purposes, at that time, personal information was only disclosed to the bank's affiliates and not to other service providers. "Affiliates" referred to members of the bank's "financial family," while "service providers" referred to external organizations with which the bank had a business relationship. Such organizations could be marketing a product or service or performing functions that help the bank administer customer accounts, such as a printing service. Since the bank was developing a new product with an external organization, or service provider, it decided to amend its consent clause to reflect the possibility of new products and services being co-developed with its affiliates and service providers, and to remind customers of their right to withdraw their consent to such disclosure.

Although the amendment notice was the basis for the complaint, the Commissioner's Office reviewed the language used in the bank's account applications and agreement forms, as well as in its privacy materials, available to clients. The bank acknowledged that the wording of the opt-out process and the use of service providers was vague and agreed to clarify it in future printings of its materials. The new wording will specify that personal information for the secondary purpose of marketing will not affect the bank's ability to provide services. The bank states that it will also distinguish between the companies that provide services and products that support the customer's relationship with the bank (such as cheque printing services) and those that use the customer's personal information to market additional products and services. The new language will provide examples in each instance, and will also specify the type of information disclosed for the secondary purpose of marketing.

The complainant strongly objected to the bank's use of opt-out consent and believed that an individual's personal information should not be divulged unless that person specifically permits it through written consent. The bank defended its use of opt-out consent by stating that it is appropriate where the information is less sensitive. The bank stated that, with respect to the product that prompted the amendment, the bank used its client information to generate a mailing list that it then sent to the service provider. The information on the list included the name, address, telephone number and e-mail address of the client. The bank did not disclose financial or credit information to the service provider, nor does it disclose such information to any of its affiliates for their use in marketing additional products and services. The bank tentatively intends to send an updated mailing list to the service provider twice a year.

The bank accepts client requests to opt out from the use of their personal information for secondary marketing at any time verbally, through its 1-800 number, or in writing, by mail or facsimile. It was noted, however, that the 1-800 number was not specified on the amendment notification or in the bank's privacy materials. The bank indicated that future printings would include this information.

The Commissioner's Office reviewed the bank's practices with respect to recording opt-out requests and found that the bank is able to easily update the client's file to reflect his or her wishes, either the same day that the request is made or the next business day.

Commissioner's Findings

Issued July 23, 2003

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because a bank is a federal work, undertaking or business as defined in the Act.

Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.3.2 elaborates on the need for "knowledge and consent." Organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.

Principle 4.3.4 states that the form of the consent sought by the organization may vary, depending upon the circumstances and the type of information. In determining the form of consent to use, organizations shall take into account the sensitivity of the information; although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context. Finally, Principle 4.3.5 establishes that, in obtaining consent, the reasonable expectations of the individual are also relevant.

The Commissioner began by noting that the problems with the bank's consent clauses were so fundamental that they were not clarified by the amendment notice, however well-intentioned it may have been. He considered the language of the bank's consent clauses to be vague. The purposes for the collection and disclosure of personal information were unclear, and the type of information to be disclosed and to whom it would be disclosed unspecified. He did not think that a customer would be able to reasonably understand how his or her personal information is to be used based on the wording of these clauses and the bank's privacy materials. He therefore found that the bank had not provided the basis for meaningful consent, as per the requirements of Principles 4.3.2 and 4.3.

As for using opt-out consent for secondary marketing purposes, the Commissioner noted that while he recognized that "opt-out" consent is acceptable in some strictly defined situations, he regards and promotes "opt-in" consent as the most appropriate and respectful form for organizations to use in any circumstances. The Commissioner outlined the following conditions that must be met in order for an organization to justify relying on the opt-out form of consent:

1. The personal information must be demonstrably non-sensitive in nature and context.
2. The information-sharing situation must be limited and well defined as to the nature of the personal information to be used or disclosed and the extent of the intended use or disclosure.
3. The organization's purposes must be limited and well-defined, stated in a reasonably clear and understandable manner, and brought to the individual's attention at the time the personal information is collected.
4. The organization must establish a convenient procedure for easily, inexpensively, and immediately opting out of, or withdrawing consent to, secondary purposes and must notify the individual of the procedure at the time the personal information is collected.

While the Commissioner was satisfied that the bank was not disclosing sensitive personal information, he was nevertheless prevented from finding the use of opt-out consent acceptable in the circumstances because the bank had clearly not met the last three conditions. He therefore found the bank in contravention of Principles 4.3.4 and 4.3.5.

The Commissioner therefore concluded that the complaint was well-founded.

Further Considerations

The Commissioner was pleased that the bank had agreed to amend the language of its consent clause to specify what information will be disclosed for marketing purposes, that opting out of such disclosure will not affect the provision of service, the methods of opting out, and the types of third-party services that are used to support the administration of a customer's account.