Individual raises concerns about consent clauses on credit card application form

PIPEDA Case Summary #2003-203

[Principles 4.3, 4.3.4, 4.3.5. 4.4 and 4.4.1 of Schedule 1]

Complaint

An individual complained that three consent clauses on a bank's credit card application form did not clearly define the scope of the bank's collection and use of personal information. His concerns focused on the consent to collect information; the consent to use the applicant's social insurance number (SIN) for tax-related and credit history matching purposes; and the use of opt-out consent for secondary marketing purposes.

Summary of Investigation

With respect to the first clause, the complainant asserted that the wording was vague and the scope of collection well in excess of what a reasonable person would expect. The bank agreed that the language was problematic and agreed to change it to be more specific about the information it proposes to collect.

As for the consent to use the SIN, the complainant was of the view that consent to two very dissimilar purposes (i.e. tax-related and credit history matching) should be kept separate. The bank maintained that the language of the clause clearly described the use of the SIN and pointed out that as a matter of policy the provision of the SIN is optional with respect to credit products.

Lastly, the complainant objected to the bank's use of an opt-out provision to obtain consent for the disclosure of an applicant's personal information to third parties for secondary marketing purposes. The clause indicates that the applicant may always withdraw consent by calling a toll-free number or contacting his or her local branch. The bank's privacy materials specify the type of information, including annual income and credit history, it collects and discloses to its affiliates. The bank indicated that individuals completing a credit card application in person or over the phone may opt out on the spot. Those sending applications in by mail would have to call the toll-free number or contact a local branch. The bank maintains that the applicant would not risk an unwanted disclosure since he or she would have the opportunity to opt out prior to activating the card.

Commissioner's Findings

Issued August 5, 2003

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because a bank is a federal work, undertaking or business as defined in the Act.

Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.3.4 states that the form of the consent sought by the organization may vary, depending upon the circumstances and the type of information. Principle 4.3.5 establishes that in obtaining consent, the reasonable expectations of the individual are also relevant. Principle 4.4 stipulates that the collection of personal information shall be limited to that which is necessary for the purposes identified by the organization, and Principle 4.4.1 states that organizations shall not collect personal information indiscriminately. Both the amount and the type of information collected shall be limited to that which is necessary to fulfil the purposes identified. Organizations shall specify the type of information collected as part of their information-handling policies and practices.

Regarding the consent to the collection of personal information clause, the Commissioner found the wording vague, noting that the type of information and the sources from which it is collected are not clearly identified. He therefore found that the bank was requiring credit applicants to consent to the open-ended collection of their personal information, in contravention of Principles 4.4 and 4.4.1. He was, however, pleased that the bank had agreed to revise its wording in future printings of the application form.

The Commissioner concluded that the first count of the complaint was well-founded.

Regarding consent to the use of the SIN, the Commissioner noted that this particular consent clause was the subject of a recent finding involving the same bank. In that case, the focus was on the fact that the application form did not clearly indicate that providing the SIN for identification, or credit history matching, purposes was optional. It was determined that the bank had not made a reasonable effort to ensure that the customer was adequately informed of this and, as a result, was not obtaining valid, meaningful consent from applicants, as stipulated in Principles 4.3 and 4.3.2. The bank agreed to clarify on future application forms that the provision of the SIN for identification purposes was optional.

In this case, however, the complainant was concerned about the bank asking applicants to consent to two very different uses at the same time. The Commissioner noted that, although this clause did not breach any specific principle, it contravened the spirit of the Act. He stated that using the SIN for income reporting purposes is legitimate; however, the Commissioner was also of the view that such a reference on a credit card application is inappropriate because it is beyond the scope of the reason for collecting the SIN on the form in the first place. In such circumstances, generating income did not come into play. The Commissioner therefore recommended that the bank remove from this clause the reference to using the SIN for tax-related purposes. Such a change would serve to clarify the use of the SIN in the credit granting process.

As for using opt-out consent for secondary marketing purposes, the Commissioner noted that while he recognized that "opt-out" consent is acceptable in some strictly defined situations, he regards and promotes "opt-in" consent as the most appropriate and respectful form for organizations to use in any circumstances. The Commissioner outlined the following conditions that must be met in order for an organization to justify relying on the opt-out form of consent:

1. The personal information must be demonstrably non-sensitive in nature and context.
2. The information-sharing situation must be limited and well defined as to the nature of the personal information to be used or disclosed and the extent of the intended use or disclosure.
3. The organization's purposes must be limited and well-defined, stated in a reasonably clear and understandable manner, and brought to the individual's attention at the time the personal information is collected.
4. The organization must establish a convenient procedure for easily, inexpensively, and immediately opting out of, or withdrawing consent to, secondary purposes and must notify the individual of the procedure at the time the personal information is collected.

Given that, in this instance, the bank is disclosing sensitive financial information to affiliates, the Commissioner found the bank's use of the opt-out form of consent unacceptable in the circumstances and therefore in contravention of Principles 4.3, 4.3.4 and 4.3.5.

The Commissioner concluded that this count of the complaint was well-founded.

Further Considerations

The Commissioner recommended to the bank to develop an opt-in consent procedure for its credit card application form.