Online marketplace needs consent from members before contacting them to join advocacy network

PIPEDA findings #2018-007

January 9, 2018

Description

In January 2017, a popular online marketplace sent a mass email to its Canadian members, inviting them to sign a petition addressed to the federal finance minister. The complainant objected to the respondent using her personal information to send her this type of email and raised her concerns with the online marketplace. Unsatisfied with the organization’s response, the complainant reached out to our Office to investigate the organization’s privacy practices as they relate to the retention, consent and challenging compliance principles. Our Office concluded that the retention allegation was not well-founded while the consent and challenging compliance allegations were well-founded and conditionally-resolved.

The organization has since implemented our Office’s recommendations and the matter is now resolved.

Report of findings

Complaint under the Personal Information Protection and Electronic Documents Act (the “Act” or “PIPEDA”)

Personal Information Retention

1. The complainant alleged that an online marketplace (“the respondent”) retained personal information that was no longer required to fulfil an identified purpose for their members in Canada who agreed, via an online form (the “online petition form”), to sign a petition letter (the “petition letter”) that was to be sent to the Canadian government. The link to the online petition form was contained in an email sent by the online retailer to the complainant and other members in Canada.

Challenging Compliance

2. The complainant further alleged that the respondent did not enable her to address her related concerns to the designated individual or individuals accountable for the online marketplace’s compliance with the Act.

Consent

3. The complainant also alleged that in the context of the email sent, the respondent had used her email address, as well as the email addresses of other members in Canada, for a purpose other than those for which the respondent collected those addresses, and without the individuals’ consent (or as required by law).

Summary of Investigation

Background

4. On January 11, 2017, the online marketplace sent an email (the “[de minimis] email”) to email addresses associated with their member accounts for which the members both (a) had Canadian addresses, and (b) had used the respondent’s services within the previous 12 months, but were not regular sellers. The [de minimis] email had a subject line that advocated for ecommerce purchases to have less duties and taxes. The [de minimis] email contained a message from a director of the online marketplace in Canada and a link to the online petition form.
5. The [de minimis] email began by stating that Canada’s customs laws make it difficult for users to buy and sell across borders, and that the [de minimis] threshold (i.e., the import value below which duties need not be paid) of $20 in Canada is out of step internationally when compared with the threshold in other countries. It continued that the Canadian threshold makes shopping more expensive, creates red tape for entrepreneurs, and costs taxpayers money.
6. The [de minimis] email stated that the burden on consumers, entrepreneurs and taxpayers should be reduced by the laws in Canada. It ended with a plea to sign a letter to Canada’s Finance Minister. By clicking on the words “sign our letter” (the respondent’s underlining), the reader was taken to a URL where the online petition form was found. The form was located on the online marketplace’s grassroots action network website. Individuals could “sign” the petition letter by filling out the required information fields (i.e., name, email, address, city, province, postal code), and clicking “Submit”. The respondent explained to our Office that this information was collected and then migrated and amalgamated into one document - a petition to be sent to the Finance Minister and other federal ministers.
7. Since the complainant lives in Canada and is a user enrolled with the online marketplace, she received the [de minimis] email. She was not enrolled in their grassroots action network. Enrolling in this network is separate and distinct from enrolling in the online marketplace (the latter being the commercial transaction platform for buyers and sellers).
8. The complainant objected to receiving the [de minimis] email from the online marketplace. She contended that she had not consented to the respondent’s use of her personal information (i.e., her email address) for the purpose of sending such an email to her.
9. The complainant attempted to raise her concerns with the respondent, first by completing and sending a Web form, and then by corresponding several times with the online marketplace’s Office of the President to whom her complaint was directed.
10. Not satisfied with the first response she received from the Office of the President, and believing that it had not addressed her primary concern, she asked that her complaint be escalated. She then received another email from the Office of the President, which directed her to the online marketplace’s grassroots action network website and its privacy policy in general. The complainant asked again for her complaint to be forwarded to the respondent’s Canadian Chief Privacy Officer and that she be provided with the sections of the privacy policy pursuant to which the respondent inferred her consent to send her the [de minimis] email. She also expressed her concern with respect to how difficult it was for her to raise her privacy concerns and have them adequately addressed.
11. The complainant was not directed to the Chief Privacy Officer. The Office of the President did, however, cite a section of the privacy policy which provides that the respondent may contact the customer to send them alerts regarding their account, resolve any problems, troubleshoot problems, collect fees or amounts owed, use surveys or questionnaires to poll their opinions or to provide the customer with any other necessary customer service.
12. She was ultimately not satisfied with the responses she received and thus filed the current complaint against the respondent with our Office.

Personal Information Retention

13. During our investigation, and with regard to the allegation of personal information retention, the respondent described that it had sent the [de minimis] email, an “administrative email” (described further in paragraph 21 below), to their members with a Canadian address, using email addresses stored in its own database.
14. Further, the respondent clarified to our Office that as the emails had been sent by the online marketplace, and not by their grassroots action network, the personal information of those members in Canada who had received the [de minimis] email had not been shared with or retained by the action network, unless those individuals had: (i) chosen to complete and submit the online petition form (indicating their desire to sign the petition letter), or (ii) formally indicated, via a link found in the online petition form, that they were interested in receiving emails about government relations from the grassroots action group.
15. For those members who did fill out the online petition form (where they provided their name, email address and mailing address), the respondent informed our Office that at the completion of its [de minimis] petitioning program, they retained the personal information that the participants provided only as a copy of the entire petition that the respondent ultimately sent to the Finance Minister and three other federal ministers. On the other hand, for those [de minimis] email recipients who formally indicated to the respondent that they were specifically interested in receiving information about government relations, their personal information was added to a database within the online marketplace’s grassroots action network, the purpose being to send them future emails with government-relations-related information.

Challenging Compliance

16. Concerning the allegation that the respondent mishandled the complainant’s privacy complaint, it is evident from the correspondence between the parties that:
    1. there were numerous and persistent efforts by the complainant to make herself and her issue with the [de minimis] email understood;
    2. before the online marketplace employee with whom the complainant was dealing came to understand the issue she was raising, which related to the alleged use of her email address without her consent for what she referred to as “political activities”, she received several different responses that did not address, or even relate to, the concern she was raising; and
    3. ultimately, she was given inconsistent responses, including how she could withdraw her consent to the receipt of emails like that in question, noting that those responses conflict with the respondent’s explanation to our Office that she could not, in fact, have opted out.
17. In its representations to our Office, the respondent explained that the complainant’s concern was originally submitted via […] the respondent’s privacy centre, which includes a submission form for privacy-related questions and complaints. Her complaint was received by the global privacy office, and then escalated to the online marketplace’s Office of the President, which the respondent claims is the body tasked with dealing with serious customer complaints.
18. The respondent acknowledged to our Office that its Office of the President did not immediately understand the exact nature of the issue being raised by the complainant at the time, although we note that it had been explained quite clearly, more than once, in her correspondence with them.
19. Ultimately, the respondent conceded to our Office that the complaint had been handled sub-optimally and that they would be reviewing the matter so as to identify ways in which it could more efficiently address user privacy complaints.

Consent

20. In its representations to our Office, the respondent reiterated its position that its privacy policy included the purpose(s) for which the complainant’s personal information was used to send her the [de minimis] email. Specifically, the respondent cited their privacy policy which states that the online marketplace may contact the customer via email, telephone, text messages, and postal mail with notifications regarding their account or with information about their services and may send out surveys or questionnaires to poll their opinions. The respondent further explained that “…the email and the linked form letter were sent to notify their members of the facts that impact their use of their account and the services, as well as to poll their opinions.”
21. The respondent also explained to our office that the [de minimis] email was sent out under its administrative email functionality, by which it generally informs users regarding matters related to its services, and in respect of which users could not opt out. The respondent further claimed that it sends just one or two emails like the [de minimis] email each year, to inform recipients about government public policy that affects them and of which they may be otherwise unaware.

Application

22. In making our determinations, we applied Principles 4.1.4(b), 4.1.4(c), 4.3, 4.3.2, 4.3.4, 4.3.5, 4.3.6, 4.5 and 4.10 from Schedule 1 of the Act.
23. Principles 4.1.4(b) and 4.1.4(c) state that organizations shall implement policies and practices to give effect to the principles, including (b) establishing policies and procedures to receive and respond to complaints, and (c) training staff and communicating to staff information about the organization’s policies and practices.
24. Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
25. Principle 4.3.2 requires that all purposes be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.
26. Principle 4.3.4 states, in part, that the form of the consent sought by the organization may vary, depending upon the circumstances and the type of information. In determining the form of consent to use, organizations shall take into account the sensitivity of the information. Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context.
27. Principle 4.3.5 states that in obtaining consent, the reasonable expectations of the individual are also relevant.
28. Principle 4.3.6 states that the way in which an organization seeks consent may vary, depending on the circumstances and the type of information collected. An organization should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive. Consent can also be given by an authorized representative (such as a legal guardian or a person having power of attorney).
29. Principle 4.5 states in part that personal information shall be retained only as long as necessary for the fulfillment of those purposes for which it was collected.
30. Principle 4.10 states that an individual shall be able to address a challenge concerning compliance with the principles of PIPEDA to the designated individual or individuals accountable for the organization’s compliance.

Analysis and Findings

Personal Information Retention

31. We are satisfied that the respondent did not transfer personal information of its users in Canada to their grassroots action network, and that the action network did not retain that information, for purposes of sending the [de minimis] email. We accept that the email addresses used to send the [de minimis] email to the online marketplace’s users in Canada were taken from its own database. We also accept that after the [de minimis] email was sent, the email addresses remained in the respondent’s database and were not transferred or copied to their grassroots action network unless the recipients of the [de minimis] email either: (i) completed the online petition form; and/or (ii) expressly indicated to the online marketplace, via a link on the online petition form, that they wanted to receive future emails about government relations.
32. The respondent kept the information of those individuals who signed the petition letter only in the form of a copy of the letter that was ultimately sent to federal ministers. In our view, this retention is consistent with the purpose for which the information was collected. Further, the respondent has assured that it will dispose of the copy of the petition in a secure manner when there is no further need to retain it and in accordance with the respondent’s data retention and deletion policies.
33. In our view, therefore, the online marketplace (including their grassroots action network) was not retaining personal information that was no longer necessary to fulfill the purpose for which it was collected. This allegation is thus not well-founded.

Challenging Compliance

34. In reviewing the respondent’s correspondence with the complainant, we noted several issues as she attempted to raise her privacy concerns. The employee who responded to her complaint was apparently unable to understand the specific privacy concerns she was attempting to raise, even after she had explained those concerns clearly several times in writing. Furthermore, the employee ultimately provided incorrect information in response to the complainant’s actual concern – i.e., by explaining how she could opt-out of the receipt of emails like the [de minimis] email, even though, as we learned during our investigation, it was not possible to do so.
35. We also noted that the employee did not escalate or direct the complainant to the individual(s) accountable for the respondent’s compliance with Canadian privacy laws, even after she asked him to do so. This represents a contravention of Principle 4.10. In our view, referring the complainant to an individual more familiar with Canadian privacy requirements would have most likely resulted in a more acceptable response to her concerns.
36. The respondent acknowledged that the complainant’s request was handled sub-optimally, and during the course of our investigation, indicated that it would be reviewing ways that it could more efficiently address its customer privacy complaints.

Consent

37. Firstly, we must consider whether the respondent adequately explained the purposes for which it might use complainant’s personal information, such that she would reasonably understand that the respondent might use her email address to send her emails like the [de minimis] email (Principle 4.3.2).
38. The respondent cited the following section of its privacy policy in respect of the relevant purposes for which it might use users’ personal information: Contact may be made with the user to notify them of changes, troubleshoot or resolve problems or to collect any fees or amounts owed regarding their account. Additionally, the respondent states that users may be contacted to poll their opinions through surveys or questionnaires, or to provide users with necessary customer service. The respondent further specified that the purpose of the [de minimis] email was to notify their members of facts that impact their use of their account and the online marketplace’s services, as well as to poll their opinions.
39. We do not accept that the purpose of the [de minimis] email is consistent with the respondent privacy policy’s purpose to poll your opinions through surveys or questionnaires, as the respondent has suggested. We note that neither the content nor format of the email reflected that of a normal survey or questionnaire. For example, we observed that no questions at all were posed to the email’s recipient, as one would normally expect in a survey or questionnaire.
40. The email also went beyond notifying the online marketplace’s members of facts that impact their use of their account and the marketplace’s services. It is our view that the [de minimis] email’s purpose was chiefly to incite recipients to participate in the campaign to lobby the Government of Canada to reduce its customs [de minimis] threshold, an initiative under the particular auspices of the marketplace’s grassroots action network, which the complainant had never joined nor had she expressed formally a desire to receive emails about government relations. As stated earlier in this report, the online marketplace’s grassroots action network describes itself as the marketplace’s government relations team - which is to be distinguished operationally from the respondent’s transactional Internet platform intended for buyers and sellers.
41. Further, in our view, the purpose of the [de minimis] email also goes beyond the purpose “as otherwise necessary to provide customer service”. According to the respondent, the online marketplace is [where] many people go to shop, sell and give. By all accounts, it is essentially a commercial hub that endeavors to facilitate transactions between buyers and sellers via its Internet platform. The [de minimis] email was not “necessary” to the provision of this service to their customers.
42. The respondent has therefore failed to provide a tenable explanation to support its assertion that its privacy policy provided for the purposes for which the [de minimis] email was sent.
43. Secondly, we must consider the appropriate form of consent that the respondent should have obtained for sending a public policy email for petitioning or lobbying purposes.
44. In determining the form of consent, PIPEDA provides that we should consider the reasonable expectations of the individual and the sensitivity of the information (Principles 4.3.4 and 4.3.6). With regard to the former, and as outlined above, the sending of the [de minimis] email goes beyond that necessary to deliver its core services – the [de minimis] email was sent for the secondary purpose of encouraging individuals to sign a petition on a matter of public policy of potential relevance/benefit to both the respondent and the customer. In our view, this type of email would not have been within the reasonable expectations of users (Principle 4.3.5), and users should have had a choice with respect to whether or not they wished to receive such emails.
45. Concerning the issue of sensitivity, we note that the respondent simply used customers’ email addresses to send the [de minimis] email. In our view, the fact that the [de minimis] email asked for customers’ participation in its public policy petition did not render those email addresses sensitive. There is also no evidence to suggest that the respondent used other information to infer the recipients’ views on the [de minimis] issue before it used their email addresses to send them the email in question – we accept that the email was sent, as an administrative email, as outlined in paragraph 4 of this report.
46. Furthermore, no further information was collected from users as a result of this email unless the user chose to provide it. Only users who expressly opted to participate in the petition, by completing and submitting the online petition form, would have revealed to the online marketplace any political or public policy beliefs, and even then, only in relation to a narrow issue. Further, as we have outlined above, we accept that the respondent used the information submitted via the online petition form for no other purpose but to send, and maintain a record of, the petition letter.
47. Thus, while personal information may become more sensitive depending on the context (Principle 4.3.4), we believe that the personal information at issue here (email addresses) is not sensitive in the context of the purpose for which it was used by the respondent.
48. Therefore, given that, in our view, users would not have reasonably expected to receive emails like the [de minimis] email from the respondent without having been given a choice in this respect, and that the information being used by the online marketplace – namely the customers’ email addresses – was not sensitive in the context, the respondent should have provided users with an opportunity, via a prominent, clearly explained and easily accessible mechanism to opt out of receiving such emails.

Our Office's Recommendations

49. We therefore made the following recommendations to the respondent, in respect of the matters relating to challenging compliance and consent, with respect to bringing the organization into compliance with the Act:
    1. complete the development and implementation of measures, including the following, to ensure that customers’ privacy complaints are appropriately escalated within the online marketplace:
       1. policies and associated training to ensure that individuals fielding customer complaints can adequately recognize privacy-related concerns, and
       2. procedures and associated training to ensure that where privacy concerns cannot be resolved, or where the customer requests it, matters will be escalated to the individual or team designated by the respondent to be responsible for the company’s compliance with privacy laws;
       Note: With respect to this recommendation, we also referred the respondent to the guidance our Office issued jointly with the Information & Privacy Commissioners of Alberta and British Columbia - Getting Privacy Right with a Privacy Management Program^{Footnote 1}, which provides guidelines with respect to complying with Accountability requirements under Canadian privacy law.
    2. provide users with an easily accessible opt-out option for the online marketplace’s public policy and petition messages;
    3. amend its privacy policy to:
       1. clearly indicate that it will send users public policy and petition notices,
       2. explain the nature of those notices, and
       3. explain how users can opt out; and
    4. commit that any future public policy and petition messaging will be limited to that relevant to the underlying commercial relationship between the online marketplace and its users.

The Online Marketplace’s Commitments

50. The online marketplace responded by agreeing to implement each of our recommendations, and more specifically:
    1. In coordination with the customer service teams that support Canadian residents’ privacy related inquiries and complaints, the respondent’s privacy team will provide training and guidance to facilitate expedient resolution and appropriate escalation of these matters. The customer service team will be provided instruction/training which will enable them to more readily identify privacy issues and, where necessary, promptly connect users to the privacy team member responsible for privacy compliance.
    2. To enable the opt-out functionality, the respondent will send government relations emails to its Canadian users with an unsubscribe link, easily accessible and embedded in the message.
    3. To accomplish the third recommendation, the respondent will add the following language to its privacy policy:

       “We may use and retain your personal information as follows: To contact you about public policy matters, or other current events, related to your ability to use the multiple marketplace platforms or that affect your buying and selling activities. This may include invitations to participate in a petition, letter writing, or other sort of public policy related campaign.”

    4. As for the fourth recommendation, the respondent will continue to provide only public policy and petition messaging that is relevant to the underlying commercial relationship between the online marketplace and its users, such as users’ ability to use the multiple marketplace platforms or that affect the users’ buying or selling activities.
51. The respondent requested, and our Office agreed, that given the significant organizational and technical measures required, it would provide documentation evidencing that it has fully implemented each of the measures outlined above by no later than February 28, 2018.

Conclusion

52. Taking into account the above, we are of the view that the retention matter is not well-founded, while the challenging compliance and consent matters are well-founded and conditionally resolved.
53. We remain interested in the respondent's compliance with the commitments it has made to our Office, as outlined in this report, and we will continue to follow-up with the respondent to ensure that those changes are adequately implemented within the agreed upon timeframes. At the appropriate time, we will assess whether the respondent has fully complied with our recommendations and, if necessary, address any outstanding concerns in accordance with our authorities under the Act.