Telecommunications company agrees to stop conducting credit checks for marketing purposes

PIPEDA Report of Findings #2015-018

October 20, 2015

Complaint

An individual complained that a telecommunications company (Telco) collected and used his personal information without consent. The personal information at issue related to a credit check performed by the Telco after the individual made inquiries about telecommunications services. The individual also complained that the Telco performed ongoing credit checks without his consent after signing up for services.

Summary of Investigation

Initial Credit Check

The complainant received promotional materials from the Telco advertising a special offer for a particular service and he contacted the Telco to learn more about the offer. While he declined the offer at that time, the complainant later contacted the Telco to order the service and arrange for installation.

Later, after reviewing his credit report, the complainant discovered the Telco had conducted a credit check on the date of his first contact with the Telco. The complainant said that the customer service representative did not confirm that a credit check would be performed, nor did he authorize a credit check.

The Telco explained that it conducts an initial credit check to determine a customer’s credit-worthiness and whether they can obtain services without paying a security deposit. It further explained that it requires its customer service representatives to get express consent before completing an initial credit check on an individual. In this case, the Telco was unable to provide evidence that the complainant’s consent had been obtained.

Ongoing Credit Checks

After reviewing subsequent credit reports, the complainant noticed that the Telco had begun performing credit checks about every two months, starting from the time he subsequently signed up for services. The complainant believed these ongoing credit checks were an unwarranted collection and use of personal information.

The Telco explained that it collected the complainant’s credit information to assess their eligibility for a promotional campaign and that the practice was described in the company’s Service Agreement, which the complainant had accepted. The Telco also pointed to its Privacy Policy, which listed additional purposes for which personal information could be collected.

Outcome

Initial Credit Checks

A prior case has established that it was appropriate in the circumstances for a telecommunications company to collect personal information from an individual to facilitate a credit check. However, individuals must consent to that collection in order for it to be in compliance with PIPEDA. In the present case, the Telco failed to obtain the complainant’s meaningful consent when it completed an initial credit check, contravening Principle 4.3 of Schedule 1 of PIPEDA.

The Telco has since implemented a combination of training solutions and communications to staff to ensure that a customer’s meaningful consent is obtained prior to accessing any credit information.

Ongoing credit checks

Subsection 5(3) of PIPEDA states that an organization may collect, use or disclose information only for purposes that a reasonable person would consider appropriate in the circumstances. Our Office’s investigation into the Bell Relevant Ads Program made clear that information about credit-worthiness should only be used for purposes that are directly related to decisions with important financial implications.

As part of this investigation, by conducting credit checks of the complainant in support of the marketing program, the Telco was collecting personal information for a purpose which a reasonable person would not consider appropriate in the circumstances. Therefore, the Telco’s collection of credit information for marketing purposes contravened subsection 5(3) of PIPEDA.

As a result of the investigation, the Telco stopped the practice of ongoing collection of individual’s credit information for marketing purposes.

After reviewing the actions taken by the Telco to address the matters raised in this investigation, our Office concluded that the complaint was well-founded and resolved.

While our investigation dealt with the collection and use of the complainant’s credit information and not with the issue of consent, our Office still noted that it is unlikely that the Telco’s customers would have meaningfully understood, via the terms in its Agreement and Privacy Policy, that their credit information would be used to deliver tailored promotions.

Report of Findings

Complaint under the Personal Information Protection and Electronic Documents Act (the “Act”)

Complaint

1. The complainant alleged that a telecommunications company (“Telco”), the respondent, collected and used his personal information without his knowledge and consent. More specifically, the complainant alleged that the Telco performed a check on his credit file without his authorization.
2. He further alleged that the Telco continued to collect and use his personal information without his knowledge and consent. Specifically, he claimed that the Telco performed ongoing checks of his credit file after he had registered for service with the company.

Summary of Investigation

3. The facts as stated below are based on representations and supporting documentation provided to our Office by the complainant and the Telco, respectively.

Initial Credit Check

4. The complainant received promotional materials from the Telco advertising a special offer for a particular service. He subsequently contacted the Telco to learn more about the offer. He submitted that while he declined the offer at that time, he called the Telco back the following month to order the service and arrange for installation.
5. Later, after reviewing his credit report, the complainant discovered that the Telco had conducted a credit check on his credit file on the date of his first ‘inquiry call’. He represented that the customer service representative with whom he had spoken did not inform him that a credit check would be performed, and that he did not authorize a credit check.
6. In its representations to our Office, the Telco indicated that it conducts a ‘hard check’ on a customer’s credit file to determine an individual’s credit-worthiness. The results of that initial credit check are used to determine whether the customer can obtain the Telco’s equipment and services without a security deposit.
7. The Telco further submitted a customer service form showing an order by the complainant for Internet service, as evidence that the customer did, in fact, order services during his first ‘inquiry call’. The Telco acknowledged, however, that it could not confirm that its customer service representative had obtained consent for the credit check associated with the order, as the voice recordings from the subject call were no longer available.
8. The Telco noted that it is mandatory for all of its representatives to obtain an individual’s consent before accessing his or her credit file, and emphasized that its web-based system, which the Telco’s sales representatives use to create new installation orders, automatically prompts representatives to ensure that they have obtained a customer’s consent prior to performing an external credit check.
9. Prior to our Office’s intervention, the Telco also modified other internal materials to emphasize this step. Scripting for the Telco’s flowchart tool that guides the representatives through different customer-facing activities, was updated to remind representatives about the need to obtain consent.
10. The Telco further stated that coaching had been conducted with the customer service representative who had spoken with the complainant, and reminders were issued to all the Telco’s customer service representatives on two separate occasions to stress the importance of requesting consent from the customer before proceeding with a credit check. These reminders, which our Office has reviewed, clearly alerted representatives to the seriousness of its requirement that they obtain such consent, and included details of the respondent’s related procedures as well as a link to the Telco’s training materials.

Ongoing Credit Checks

11. The complainant noticed, from additional credit reports he obtained, that the Telco began performing bi-monthly (approximately) checks on his credit file after he became a customer. He provided evidence to our Office of subsequent checks the Telco had performed on three separate occasions.
12. He considered the Telco’s continuing checks an unwarranted collection and use of his personal information given that: (i) they were conducted after his service had been established; and (ii) his account was not in arrears.
13. The Telco submitted that it did not conduct ongoing hard checks on the complainant’s credit file, but rather that it requested periodic ‘soft checks’ for the purpose of determining the complainant’s eligibility for promotions. It explained that soft checks remain on the individual’s credit report for a limited time, and are generally replaced on the report when the same organization requests another soft check. Soft checks do not impact an individual’s credit score. More specifically, in this case, the Telco was requesting, from the credit reporting agency, answers to a set of nine “Yes/No” questions for certain customers, including the complainant. The information the Telco collected was linked to a unique identifier, which was in turn associated with individual customers. The Telco used the credit information, which included information regarding the nature and amount of new or potential credit, to identify individuals who were more likely than the general population to consider moving residences, and to design marketing campaigns to appeal to these customers.
14. The Telco maintained that its ability to collect credit information on a periodic basis was described in the company’s service agreement (the “Agreement”) in place at the time of the incidents alleged in the subject complaint.
15. The Telco noted that, as per its standard process, a hard copy of the Agreement had been mailed to the complainant along with his equipment. The Agreement was also made available online, in store and could be requested by mail. The Telco further explained that customers were required to expressly accept the terms of the Agreement before their service would be activated. During the online service activation process, customers were prompted to click an “Agree” button, which became active only once they had scrolled to the bottom of the Agreement. The Telco provided our Office with a page from the complainant’s account file which showed that the organization had received confirmation of the complainant’s acceptance of the Agreement, via his clicking of the “Agree” button.
16. The Telco further noted that its Privacy Policy, a link to which was made available within the Agreement, listed additional purposes for which personal information could be collected by the organization.
17. Subsequent to our intervention, the Telco informed our Office that it had ceased the collection of individual credit information for the purpose of the marketing program in question. It is now employing a third-party service which provides geographically aggregated credit information to support its promotional activities.

Application

18. In making our determinations, our Office applied subsections 2(1) and 5(3) of Part 1 of the Act, and Principles 4.3 and 4.3.2 of Schedule 1 of the Act.
19. Subsection 2(1) defines personal information as information about an identifiable individual.
20. Subsection 5(3) stipulates that an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate.
21. Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.3.2 further provides that organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used; and to make such consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.

Analysis

Initial Credit Check

22. In our Office’s view, the Telco failed to demonstrate that it obtained adequate consent for its initial collection and use of the complainant’s credit information.
23. Our investigation confirmed that the Telco performed an initial hard credit check on the complainant’s credit file. We accept the Telco’s assertion that it conducted its initial credit check for the purpose of verifying the complainant’s credit-worthiness before extending credit in the form of loaned equipment and ongoing services without a security deposit. In our view, as we have found in the past (PIPEDA Case Summary #2002-94), a telecommunications service provider like the Telco can, with consent, collect credit information for such purposes.
24. However, based on the complainant’s version of events and the fact that the Telco was unable to provide evidence to the contrary, we accept that the Telco failed to obtain the complainant’s consent prior to collecting his credit information in this case.
25. We therefore find that, with respect to the initial collection of the complainant’s credit information, the Telco contravened Principle 4.3 of Schedule 1 of the Act.
26. We acknowledge, however, that with a view to ensuring that customer consent is obtained prior to proceeding with a credit check, the Telco: (i) implemented a change to its relevant internal tools; (ii) provided retraining for the subject customer service representative; and (iii) issued a reminder email to all customer service representatives highlighting the importance of obtaining consent and the potential consequences for failing to do so.

Ongoing Credit Checks

27. In our view, by conducting credit checks on the complainant and others in support of the marketing program in question, the Telco was collecting personal information for a purpose which a reasonable person would not consider appropriate in the circumstances.
28. As a preliminary matter, it is our view that the information collected for use in this marketing program was the complainant’s personal information. That is, the information the Telco collected was linked to a unique identifier, which was in turn associated with the complainant.
29. In a recent investigation into Bell’s Relevant Ads Program, the Commissioner noted that:

    “We see such provincial [credit reporting] legislation as reflecting the recognition that measures of credit worthiness, such as credit scores, are only to be used for certain limited purposes directly related to decisions with important financial implications for the consumer and the organization concerned. Bell’s use of credit score information to design targeted ads clearly extends beyond these recognized purposes.”

30. Similarly, our Office finds in this case that the Telco’s collection of individual credit information for marketing purposes represents a contravention of subsection 5(3) of Part 1 of the Act.
31. However, we also recognize that the Telco has, subsequent to our intervention, ceased using individual credit information for the purpose of the marketing program in question in this investigation.

Conclusion

32. Accordingly, we conclude that the matters are well-founded and resolved.

Other

33. Our investigation dealt with the collection and use of the complainant’s credit information for the purposes of a specific marketing campaign. However, in our Office’s view, more broadly, use of individual credit information obtained from a credit reporting agency, for secondary marketing purposes, would generally be considered inappropriate under the Act.
34. Given that our Office has determined that the Telco’s collection and use of credit information for marketing purposes to be inappropriate in this case, we have not issued a finding with respect to the issue of consent for such purposes. That said, in our view, it is unlikely that the Telco’s customers would have meaningfully understood, via the terms in its Agreement and Privacy Policy, that their credit information would be used to deliver tailored promotions. With that in mind, our Office strongly encourages the Telco to provide a clear explanation to its customers of all the appropriate purposes for which it is seeking consent to use customers’ credit information.