Customer objects to bank's consent practices
PIPEDA Case Summary #2003-250
[Principles 4.3, 4.3.5, 4.3.6, 4.3.7 of Schedule 1]
Complaint
Upon receiving notification that his bank was amending the language of its credit card agreement, an individual raised three objections with the Commissioner's Office:
- that the bank had been, prior to the amendment, disclosing his personal information to third parties for the secondary purpose of marketing without his knowledge and consent;
- that the form of consent, known as "opt-out" consent, that the bank is seeking is inappropriate because it puts the onus on customers to decline; and
- that it takes eight weeks for an opt-out request to take effect.
Summary of Investigation
This complaint is closely related to an earlier case involving the same bank, in which it was determined that the bank had failed to obtain the meaningful consent of its customers to its practice of using their personal information for the secondary purpose of marketing. The Office recommended that the bank redraft its communication materials for credit applicants to specify what personal information is to be disclosed, to whom it will be disclosed, and how exactly the personal information will be used. The Office also recommended that the bank take steps to meet the reasonable expectations of customers for an immediate, easy and inexpensive means of withdrawing consent to the optional collection, use and disclosure of their personal information.
In response to these recommendations, the bank has undertaken a review, not yet complete, of the language used in its credit card application form. In the meantime, the bank sent out a letter of notice, informing customers of their right to not have their personal information used for secondary marketing purposes and of the existence of a toll-free number that they may use to opt out of the bank's personal information sharing practices. It was this notification that prompted this complaint.
As for the length of time it would take to honour an opt-out request, the bank indicated that, given the different production timelines for various direct mail and telemarketing campaigns, it could take up to 90 days for all such marketing to cease. The maximum time period identified in the notice of amendment, however, was eight weeks.
Findings
Issued December 12, 2003
Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to any federal work, undertaking, or business. The Assistant Privacy Commissioner had jurisdiction in this case because a bank is a federal work, undertaking or business as defined in the Act.
Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.3.5 obliges us to consider the reasonable expectations of the individual in obtaining consent. With respect to the form of consent, Principle 4.3.6 states that the way in which an organization seeks consent may vary, depending on the circumstances and the type of information collected. Principle 4.3.7 allows for the use of opt-out consent.
Regarding the first allegation, the Assistant Commissioner indicated that the Office had previously determined that the bank in question was not obtaining the meaningful consent of its customers for the optional secondary purpose of marketing. The complainant in this case had raised objections about the same issue after the bank had acted in part on the Office's recommendations. Thus, his allegation that the bank was using and disclosing his personal information without his knowledge and consent had already been determined to be contrary to Principle 4.3, and thus well-founded.
The Assistant Commissioner therefore concluded that the first count of the complaint was well-founded.
Regarding the second allegation, the Assistant Commissioner noted that while this Office regards and promotes "opt-in" consent as the most appropriate and respectful form for organizations to use in any circumstances, it also recognizes that opt-out is acceptable in some strictly defined situations. This issue was considered in the earlier complaint, and it was determined that this form of consent would be acceptable as long as meaningful consent was otherwise being obtained and the personal information being used or disclosed was non-sensitive in nature. The investigation in this case established that the personal information being used or disclosed included individuals' names and addresses and would therefore in these circumstances be considered non-sensitive. On the understanding that the language of the consent agreement currently under development would conform to the Office's recommendations and would specify what personal information is being used or disclosed, the Assistant Commissioner was willing to accept the bank's use of opt-out consent in the circumstances, as per Principles 4.3.6 and 4.3.7.
The Assistant Commissioner concluded that the second count of the complaint was not well-founded.
With respect to the third allegation, the Assistant Commissioner was of the view that a customer who is already in the bank's marketing system might reasonably expect it to take a number of weeks for the organization to process an opt-out request. She thus accepted that the period of time specified by the bank met the reasonable expectations of the individual, as provided under Principle 4.3.5.
The Assistant Commissioner therefore concluded that the third count of the complaint was not well-founded.
Further Considerations
Notwithstanding the last finding, the Assistant Commissioner recommended that the language of the bank's account agreement accurately reflect the maximum period of time it takes to ensure that an opt-out request is fully in effect, i.e., 90 days and not eight weeks.
- Date modified: