Directory company lacked consent to publish complainant's personal information
PIPEDA Case Summary #2019-006
March 28, 2019
Lessons learned:
- Organizations should be careful in assessing whether the information they are collecting is personal information or business contact information as defined by PIPEDA.
- Organizations should be careful when assessing whether they are conducting commercial activity as defined by PIPEDA.
- Organizations collecting and using personal information obtained online should ensure that they have obtained adequate consent from the individuals concerned, taking into account any applicable exceptions to consent, the sensitivity of the information involved and the reasonable expectations of individuals.
- Organizations should review and, where appropriate, revise their privacy policies to ensure that they reflect the organization’s actual privacy practices in a transparent and accurate manner.
Complaint
The complainant alleged that Grey House Publishing Canada (Grey House) collected, used and disclosed his personal information without his knowledge or consent.
He claimed that Grey House indiscriminately collected his contact information from the webpage of a local chapter of a Canadian non-profit education association and included the information within its Associations Canada print directory and a linked database.
He alleged that Grey House then took his information and inserted it into an email distribution list that it sold to Economic and Social Development Canada (ESDC). ESDC used the list to send the complainant and other individuals email “blasts” promoting nominations for the Prime Minister's Volunteer Awards (the awards).
Summary of Investigation
Grey House produces and markets a range of annual print directories in the business, health, statistical and demographic fields. The firm also maintains a series of equivalent electronic databases referred to collectively as Canada's Resource Information Centre (CIRC). Grey House sells the directories and subscription access to the CIRC, and markets “data cards” which enable clients to build lists based upon this information.
Grey House concluded a contract with ESDC to supply an email distribution list of more than 40,000 email addresses, some of which were to be linked to associations and non-profit organizations. This list included the complainant's contact information.
ESDC subsequently sent the complainant an email informing him that the Department was accepting nominations for the awards and that he had been sent information about them because he had “subscribed to a list” owned by Grey House.
The complainant stated that he had never consented for his personal information to be collected and used by the company, nor had he ever subscribed to one of its lists. He also added that he was not an officer, director or employee, or in any position of responsibility regarding the local chapter or the national association.
His local chapter's webpage was linked to the Association's website. The webpage merely listed his contact information and invited local members and the public to contact him: “If you have any questions about our club, please contact [name of complainant] by email [email address of complainant] or phone [telephone number of complainant].”
The complainant stated that the listing did not represent business contact information. Further, it did not constitute his consent for the collection and use of his personal information by third parties, nor did he consider it as being “publicly available” as defined under PIPEDA.
The complainant stated that he had never expressed any interest in the awards and in fact, he had asked ESDC to delete his information from their email distribution list when he received a similar mailing in 2014.
When we raised the complaint with Grey House, it explained that it relies upon both express and implied consent to collect information to populate its print directories and the CIRC.
The company had bought the Associations Canada directory from another publishing company in 2006. Its records indicated that details of a similarly named provincial association had existed for many years and had listed another individual's contact name and information until 2012.
The company confirmed that it had not “scraped” contact information from websites in the past by means of electronic software (also known as “address harvesting”) and provided a sworn affidavit that it was not collecting information through this method. It also pointed to a statement related to Canada’s Anti-Spam Legislation (CASL) on its website to support its case [Footnote 1].
Grey House explained that it used a dedicated editorial team to continuously research, compile and update business contact and other information about organizations for its print directories and the CIRC. It used a variety of methods to do so, including online manual research, online and print questionnaires, telephone calls and fax communications during regular annual “update cycles”. Organizations and individuals also contacted them directly to request amendments to, or removal of, entries.
The company acknowledged that its editorial team collected the complainant's information manually from the national association website in 2012 and used it, without obtaining express consent. It explained that the names and contact information of a senior executive, officer or director of an association is typically collected when compiling entries for the Associations Canada directory. If a club or association is small, Grey House collects and includes the most senior contact provided on the relevant website.
Grey House indicated that the print directory and database went through three “update cycles” between 2012 and 2015. However, the company was unable to provide evidence to show that it had sent out update cycle questionnaires to the complainant.
Grey House considered the complainant to be the primary “business contact” for the provincial association as he had presented himself as a representative since 2012 [Footnote 2]. Anyone inquiring about joining the association or inquiring about its activities was invited to contact the complainant. The company claimed that such “business contact information” was not within the jurisdiction of PIPEDA.
Grey House further claimed that it was not conducting commercial activity under PIPEDA, stating it collected and used the complainant's information for research purposes. The information was included within the Associations Canada directory and the CIRC free of charge. It was then provided to the ESDC within an email distribution list that was used to send organizations email communications promoting nominations for public volunteer awards: a non-commercial purpose.
Grey House confirmed that it provided ESDC with a similar email distribution list in 2014 under an earlier contract. This list also included the complainant's information. However, Grey House stated that it was unaware of the complainant's complaint to the ESDC about his inclusion in the 2014 list, or his wish to have his information deleted from the records at that time.
Grey House confirmed that while the complainant's information was included in the 2015 email distribution list, it was not aware of, and did not support, the ESDC's statement that people who had received the award mailings were “subscribers” to a list owned by their company.
The company immediately removed the complainant's information from its database and stated that the information would not appear in future publications or listings. The complainant confirmed to our Office that he did not receive subsequent awards mailings.
Outcome
Personal information
Grey House asserted that the complainant's name, email address and telephone number were not personal information, but rather, that they represented business contact information.
In reviewing the above, we examined the previous and current definitions of personal information under section 2(1) of PIPEDA. We also considered the definition of business contact information and section 4.01, which states that PIPEDA does not apply to an organization in respect of the business contact information of an individual that an organization collects, uses or discloses solely for the purpose of communicating or facilitating communications with an individual in relation to their employment, business or profession.
While we recognized that the complainant was listed online as a director of the national association for 2012-2013, he was no longer a director when Grey House provided his contact information to the ESDC and the complainant received the 2014 and 2015 award mailings. Rather, he was an individual whose personal information was included on the chapter webpage solely for the purposes of responding to general inquiries from local members and the public.
We therefore found that the complainant's information collected by Grey House constituted his personal information as defined by PIPEDA.
Commercial activity
We examined the definition of commercial activity in section 2(1) of PIPEDA and paragraph 4(1)(a) which states that PIPEDA applies to organizations in respect of personal information that an organization collects, uses and discloses in the course of commercial activities.
The company compiles information about clubs and associations, and the individuals associated with them, for the core purpose of compiling and maintaining its print directories and the associated databases in the CIRC. Grey House markets and sells the directories and access to the CIRC. Furthermore, Grey House entered into a contract with ESDC to provide the 2014 and 2015 email distribution lists for a fee.
We therefore determined that Grey House was conducting commercial activity under PIPEDA.
Consent
Our Office also examined whether Grey House obtained appropriate consent from the complainant to collect and use his personal information.
The complainant claimed that the company indiscriminately collected his personal information from his local chapter's webpage. However, Grey House denied using electronic software to “scrape” contact information from websites in bulk and we found no evidence of such collection.
Grey House admitted that its editorial team manually collected the complainant's information online in 2012, without obtaining his express consent to do so. Instead, it cited its reliance upon the implied consent of the complainant as his personal information was “publicly available” and there was no accompanying statement on the website limiting the use of his information.
We considered paragraphs 7(1)(d), 7(2)(c.1) and 7(3)(h.1) of PIPEDA, which outline certain exceptions to consent. The paragraphs respectively state that an organization may collect, use or disclose personal information without the knowledge and consent of the individual only if the information is publicly available and is specified by the regulations. The PIPEDA Regulations Specifying Publicly Available Information [Footnote 3] state that only certain information and classes of information apply for the purposes of the above paragraphs.
We examined both regulations 1(b) (personal information appearing in a professional or business directory, listing or notice), and 1(e) (personal information that appears in a publication, including a magazine, book or newspaper) and found that neither exception was applicable in the circumstances. Therefore, consent was required.
When determining the form of consent required, the sensitivity of the personal information involved and the reasonable expectations of an individual must be considered.
We noted that the complainant freely chose to release his information to the public and the information could be considered to be of a less sensitive nature.
However, our Office concluded that the complainant could not have reasonably expected that his personal information would be collected by a third party publishing company and then inserted into a national print directory and database listing him erroneously as an official of a provincial association. Nor could the complainant have expected that his information would then be included in a distribution list sold to a federal government department for the purpose of issuing email communications.
We found, therefore, that Grey House could not rely upon a valid exception to consent, or upon implied consent, to justify its collection and use of the complainant's personal information. In the absence of express consent, Grey House did not obtain adequate consent, in contravention of Principle 4.3 of PIPEDA.
As Grey House deleted the complainant's information from its Associations Canada directory and CIRC, and as the complainant received no further volunteer award mailings from ESDC, we concluded that the consent matter was well-founded and resolved.
Openness
During the course of our investigation, we noted that Grey House's Privacy Statement contained only limited information.
Principle 4.8.1 of PIPEDA states, in part, that an organization shall be open about its policies and practices with respect to the management of personal information and that individuals shall be able to acquire information about these policies and practices without unreasonable effort.
As we determined that Grey House collects, uses and discloses personal information, and conducts commercial activity under PIPEDA, the minimal content of the company's Privacy Statement contravened Principle 4.8.1 of PIPEDA.
Grey House agreed to revise its Privacy Statement to better reflect its privacy practices and accordingly, at the time we issued our report of findings, we concluded that the openness matter was well-founded and conditionally resolved.