A promotional technique that is not good privacy practice

PIPEDA Case Summary #2004-261

[Principle 4.3]

Complaint

An individual complained that a bank (1) had collected his personal information without his consent, and (2) issued a credit card in his name, also without consent.

Summary of Investigation

The complainant obtained financing for the purchase of a mattress through an affiliate of the bank in question. The financing agreement that he signed allowed the affiliate to disclose his personal information for a period of two years after he had completely paid for his purchase for the purpose of advertising and offering additional products, services and other solicitations that might be of interest to him.

Approximately two years after he had paid for the mattress, he received a credit card statement from the bank, indicating a zero balance owing. He was not aware that a credit card account had been opened in his name, and requested that it be closed. The bank did so immediately, and advised him in writing that it had removed the record of the account from his credit bureau file.

The bank's records indicate that it had issued a credit card in the complainant's name, and opened up an account, eight months earlier than the date of the credit card statement. The credit card had been returned by mail, and the account was never activated. According to the bank, the practice of issuing an unsolicited credit card is a common promotional technique, and the bank did not view it as problematic, as there was no liability for an inactive account, on the part of either the bank or the complainant. The compliance office of the bank had not realized, however, that inactive accounts were being reported to the credit bureaux. When this was brought to its attention, the bank agreed that it was inappropriate. It took prompt corrective action to ensure that unactivated credit card accounts, including the complainant's, were no longer being reported.

The Office confirmed that the issuance of unsolicited credit cards is a fairly common practice amongst financial services organizations, and is not contrary to a provision of any other Act.

Findings

Issued February 11, 2004

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act (Act) applies to any federal work, undertaking, or business. The Assistant Privacy Commissioner had jurisdiction in this case because the bank is a federal work, undertaking or business as defined in the Act.

Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

With respect to the first complaint, the Assistant Commissioner noted that the bank had collected the personal information of the complainant within the two-year time frame set out in the agreement that he signed with the financing company. She therefore found that the bank had not collected the complainant's personal information without consent.

She therefore concluded that the first complaint was not well-founded.

Regarding the second complaint, the Assistant Commissioner deliberated as follows:

• She noted the bank's assertion that opening up an account and issuing a credit card is a common promotional technique and not problematic as long as there is no associated credit bureau file entry. However, she also noted that while issuing a credit card and opening an account may very well be a common promotional practice, it is clearly not good privacy practice.
• She indicated that such a technique does not simply involve making an individual aware of various products or services by way of flyers or telephone calls, for example.
• Rather, it involves taking the individual's personal information and opening an account for him or her before the person knows about it, let alone decides whether or not he or she even wants it.
• As for the matter of reporting the account to the credit bureaux (which the bank acknowledged was a mistake and discontinued the practice), she noted that when an individual applies for a credit card, such reporting is part of the consent agreement.
• In this instance, the complainant clearly had no idea that the bank had reported his information to the bureaux.
• Thus, the Assistant Commissioner found the bank's use and disclosure of the complainant's personal information in contravention of the consent requirement set out in Principle 4.3.

The Assistant Commissioner concluded that the second complaint was well-founded.

Further Considerations

Although pleased to note that the bank had stopped reporting unactivated accounts to the credit bureaux, the Assistant Commissioner recommended that it cease its practice of creating accounts and issuing unsolicited credit cards. By way of this summary, she wished to notify the financial services sector of her view that promotional techniques, regardless of their merit in attracting new customers, must also reflect the good privacy practices outlined in Schedule 1 of the Act.