Alleged disclosure of personal information without consent for secondary marketing purposes by telecommunications company "B"

PIPEDA Case Summary #2003-243

[Principles 4.3, 4.2.3, 4.3.2, 4.3.4 and 4.3.5, Schedule 1]

Complaint

An individual complained that a telecommunications company fails to obtain consent for the collection, use, or disclosure of personal information for secondary marketing purposes.

Specifically, the complainant alleged that the company does not bring to the attention of its customers its practice of using and sharing customer data with affiliates for secondary marketing purposes; it fails to provide clear information as to potential secondary uses and sharing of customer data; and it does not provide them with the opportunity to opt out of such uses and disclosures.

In brief, the complainant's position may be summarized as follows:

  • With respect to secondary marketing purposes, it is always appropriate to ensure customers' knowledge and consent.
  • Marketers and the marketed differ on the issue of what form of consent is appropriate.
  • Companies should not only state purposes in a policy document, but also "bring to the attention" of the individual customer the practices in question and the option of opting out.
  • Companies fall short of meeting this obligation in several ways:
    1. reliance on a document that has not been provided to the customer, but rather left up to the customer to find on his or her own initiative;
    2. reliance on fine print that has been buried in a long document;
    3. failure to use clear, plain language that is understandable to the ordinary customer;
    4. failure to provide customers with adequately detailed information about the extent and purpose of contemplated uses and sharing of their personal information; and
    5. failure to provide an easily executable opting-out procedure.

Summary of Investigation

The company's privacy-related materials and the processes it uses to bring its policies and practices regarding personal information to the attention of the customer were examined during the investigation. The investigation revealed the following:

  • The telecommunications company has a privacy code and privacy policy that are readily available on the website, or accessible through a 1-800 number.
  • In brief, the documents detail the purposes for collecting, using, or disclosing customers' personal information, including the marketing of other products and services. They explain that customers have the right to refuse or withdraw consent.
  • The telecommunications company also has a process whereby the representatives who activate phone service draw the customer's attention to the terms of service. These include a confidentiality section and a consent clause that alerts a customer to the company's marketing practices, and to a customer's options, including the right to opt out of such practices.
  • The company is subject to a restrictive covenant, imposed by the CRTC, which prevents it from disclosing the personal information of its customers (other than their name and address) without their express consent.

The telecommunications company's position is that its privacy policy and code, and the activation process it uses, form a sufficient basis for customers' knowledge and consent with respect to its collection and use practices. Furthermore, the company cannot and does not disclose customer information, other than name and address, without express consent, as per CRTC requirements.

Findings

Issued November 7, 2003

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to any federal work, undertaking, or business. The Assistant Privacy Commissioner has jurisdiction in this case because the telecommunications company is a federal work, undertaking, or business, as defined in the Act.

Application: Principle 4.2.3 states that identified purposes should be specified at or before the time of collection to the individual from whom the personal information is collected. Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate. Principle 4.3.2 stresses that knowledge is required as well as consent and states that organizations must make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. It further stipulates that, for consent to be meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed. Principle 4.3.4 states that the form of the consent sought by the organization may vary, depending upon the circumstances and the type of information. It requires organizations to take into account the sensitivity of the information, in determining the form of consent to use. Principle 4.3.5 states that, in obtaining consent, the reasonable expectations of the individual are relevant.

The Assistant Commissioner found the complainant's expectations as outlined in the complaint to be reasonable and in keeping with the Act.

The Assistant Commissioner determined that the company complies with the restrictive covenant of the CRTC, and does not disclose the personal information of its customers to affiliates, other than name and address, for the secondary purpose of marketing their products and services. The company uses some of the customer information it collects to develop and market products, including the products of affiliates, to its customer base. It does not use sensitive information, such as a customer's SIN number, driver's licence, passport, or record of complaints, in developing marketing campaigns.

The Assistant Commissioner determined that the telecommunications company's privacy documents and activation process do constitute a reasonable effort to ensure that the individual is advised of the secondary purposes for which personal information will be collected or used. She was also satisfied that a customer may refuse or withdraw consent in a reasonable manner. In all, the Assistant Commissioner was satisfied that the materials and processes serve as a valid basis for knowledge and consent.

The Assistant Commissioner found therefore that the company was in compliance with the Act.

The Assistant Commissioner concluded that the complaint was not well-founded.
