Customer gets signed up for retailer credit card without his consent
PIPEDA Case Summary #2016-012
March 31, 2016
Lessons Learned
- Organizations are responsible for keeping a record of the consent (e.g., written, verbal, etc.) obtained from an individual for the collection, use or disclosure of the individual’s personal information.
- The collection, use or disclosure of sensitive personal information requires the individual’s express consent.
- Organizations must recognize that employees may not always follow procedures, so it is important that additional checks and balances are in place. Our Privacy Toolkit: A Guide for Businesses includes specific direction to organizations to “retain proof that consent has been obtained.”
- Organizations requiring additional information about consent can review our Office’s PIPEDA interpretation bulletin, Form of Consent.
Complaint
While shopping in a retail store, an individual was approached by a salesperson and asked to join a loyalty program. He agreed to join the loyalty program, and provided the salesperson with his driver’s licence to complete the registration.
The individual was surprised to receive a credit card from the bank associated with the retailer a few weeks later. He claimed that he was never informed that he was applying for a credit card. In fact, when he asked the salesperson directly if the application had anything to do with a credit card, he was told it did not.
He also learned that his file with a major credit reporting agency showed a recent request to review his credit report from the bank (also known as a “hard pull” inquiry) to establish new credit. The individual claimed that he had not provided his consent to either the retailer or the bank to collect this personal information for such an inquiry.
The individual then sent a request for access to his personal information to the bank and received a copy of his in-store application, which turned out to be a credit application. The complainant noted that much of the information on the application—including his phone number, occupation, annual income, and monthly rent—was inaccurate. Only the information obtained from his driver’s licence was confirmed to be accurate. The individual asserted that he had never provided any of the inaccurate information to the salesperson.
When contacted by our Office, the bank claimed that the individual had knowingly provided his personal information for the purpose of obtaining a credit card. While the complainant had indicated that the salesperson had recorded his information with a paper and pen, the bank maintained that the information was entered into an electronic tablet (a pilot project). Additionally, the bank believed that the complainant had provided his express consent for a credit check by checking a box on the tablet used by the salesperson.
Outcome
The Office’s investigation did not establish that the complainant:
- ever saw the tablet screen;
- provided all the information included in the application;
- understood that it would be used to collect his credit information; or
- actually clicked the requisite consent box (and not the salesperson).
In our view, the bank failed to:
(i) demonstrate that it had obtained the complainant's consent; and
(ii) ensure that the information it collected was sufficiently accurate.
Therefore, our investigation concluded that the bank contravened a number of PIPEDA principles, including consent (Principle 4.3) and accuracy (Principle 4.6). The bank also contravened Principle 4.1.4 by failing to put in place adequate procedures to give effect to the principles.
The bank apologized to the complainant, cancelled the credit card and asked the credit reporting agency to remove the account and inquiry from the complainant’s file.
Remedial action by the bank
The bank discontinued its in-store pilot program using the electronic tablet for credit applications. In response to recommendations made by our Office, it further pledged that, should it relaunch such a program in future, it would implement measures to ensure that the bank is able to demonstrate that:
(i) the client is given the opportunity to read the online application form and associated privacy communications; and
(ii) the client has provided the personal information included in the submitted application, as well as consented to the subsequent use and/or disclosure of that information.
Accordingly, we concluded the matter to be well-founded and resolved.