Alleged disclosure of personal information without consent for secondary marketing purposes by telecommunications company "A"
PIPEDA Case Summary #2003-244
[Principles 4.3, 4.2.3, 4.3.2, 4.3.4 and 4.3.5, Schedule 1]
Complaint
An individual complained that a telecommunications company fails to obtain consent for the collection, use, or disclosure of personal information for secondary marketing purposes.
Specifically, the complainant alleged that the company does not bring to the attention of customers its practice of using and sharing customer data with affiliates for secondary marketing purposes; it fails to provide clear information as to potential secondary uses and sharing of customer data; and it does not provide customers with the opportunity to opt-out of such uses and disclosures.
In brief, the complainant's position may be summarized as follows:
- With respect to secondary marketing purposes, it is always appropriate to ensure customers' knowledge and consent.
- Marketers and the marketed differ on the issue of what form of consent is appropriate.
- Companies should not only state purposes in a policy document, but also "bring to the attention" of the individual customer the practices in question and the option of opting out.
- Companies fall short of meeting this obligation in several ways:
- reliance on a document that has not been provided to the customer, but rather left up to the customer to find on his or her own initiative;
- reliance on fine print that has been buried in a long document;
- failure to use clear, plain language that is understandable to the ordinary customer;
- failure to provide customers with adequately detailed information about the extent and purpose of contemplated uses and sharing of their personal information; and
- failure to provide an easily executable opting-out procedure.
Summary of Investigation
The company's privacy-related materials and the processes it uses to bring its policies and practices regarding personal information to the attention of the customer were examined during the investigation. The investigation revealed the following:
- The company has a privacy code and privacy policy that are readily available on its web site.
- In brief, the documents detail the purposes for collecting, using, or disclosing customers' personal information, including the marketing of other products and services. They explain that customers have the right to refuse or withdraw consent.
- The company does not require its service representatives to inform all new customers of its privacy policy or of its terms of service, during the service application process. Although it distributes a welcome booklet and a user manual, both of which contain information about its privacy practices, these documents do not have a table of contents. A user would have to read both documents thoroughly to discover the information about privacy.
The company believes that its privacy policy and code form a sufficient basis for customers' knowledge and consent with respect to its collection, use and disclosure practices. It believes that a reference to privacy issues by its service representatives would interfere with the streamlined and easy ordering process that customers want.
Findings
Issued November 7, 2003
Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to any federal work, undertaking, or business. The Assistant Privacy Commissioner has jurisdiction in this case because telecommunications companies are federal works, undertakings, or businesses, as defined in the Act.
Application: Principle 4.2.3 states that identified purposes should be specified at or before the time of collection to the individual from whom the personal information is collected. Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate. Principle 4.3.2 stresses that knowledge is required as well as consent and states that organizations must make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. It further stipulates that, for consent to be meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed. Principle 4.3.4 states that the form of the consent sought by the organization may vary, depending upon the circumstances and the type of information. It requires organizations to take into account the sensitivity of the information, in determining the form of consent to use. Principle 4.3.5 states that, in obtaining consent, the reasonable expectations of the individual are relevant.
The Assistant Commissioner found the complainant's expectations as outlined in the complaint to be reasonable and in keeping with the Act.
The Assistant Commissioner determined that the company does not make reasonable efforts to advise its customers of the purposes for which the information it collects will be used. Although its user manual and welcome booklet contain information about its privacy practices, the documents are not indexed. A new subscriber might or might not stumble across the information about privacy. The company's sales and service representatives do not draw the attention of new customers to the company's privacy practices at the time they subscribe to the service. The Assistant Commissioner determined that the company does not disclose sensitive personal information for the secondary purpose of marketing, and its decision to use opt-out consent is therefore appropriate.
The company's policy and practices are posted on its web site, and the Assistant Commissioner determined that these documents clearly spell out the company's practices. Although they are also available in a slightly modified format in the welcome booklet and the user manual that are distributed to all new customers, they are not drawn to the attention of the customer. In fact, as the documents are not indexed, the information about privacy is difficult to find.
The Assistant Commissioner determined, therefore, that the company's privacy practices do not meet the reasonable expectations of its customers, as per Principle 4.3.5 of Schedule 1 of the Act. Having failed to comply with Principles 4.2.3, 4.3.2, and 4.3.5, she also determined that the company was in contravention of Principle 4.3.
The Assistant Commissioner determined that the complaint against the company was well-founded.
Further Considerations
The Assistant Commissioner recommended that the company draw the customer's attention to its policy statement of the purposes for which personal information is collected, and of the customer's options, at the time of collecting personal information during a subscription or purchasing process.
- Date modified: