Opt-in consent required for a donor list trading program
PIPEDA Findings #2021-009
March 30, 2021
Complaint under the Personal Information Protection and Electronic Documents Act (the “Act”)
Description
A charitable organization relied on opt-out consent to enlist donors in a donor list trading program, by which it shared contact information of donors with other charitable organizations. After applying the factors set out in OPC’s Guidelines for Obtaining Meaningful Consent, we determined that the charity required express consent because such information sharing is outside the reasonable expectations of donors. We also found that the information provided to donors by the charity was not sufficient to support meaningful consent.
Takeaways:
- Organizations must consider the reasonable expectations of the individuals when determining the form of consent required.
- Organizations should consider our Guidelines for Obtaining Meaningful Consent when developing a consent process; in particular they must ensure that key information, such as what information will be shared with whom, is provided up front.
Report of findings
Overview
The Complainant alleged that a charity (“the Respondent”) failed to obtain his consent to participate in a donor list trading program (the “Program”), asserting that an opt-out check box on the mail-in donation form he submitted with his donation was inadequate.
The Complainant was surprised to learn that another charity was soliciting donations from him using the address it had received from the Respondent via the Program. He then examined his most recent donation form to the Respondent and noted that it included an unchecked checkoff box stating: “I prefer to not have my name traded with other organizations.” The Complainant contacted the Respondent, which opted him out of the Program.
While we appreciate the value to the Respondent and other charities of trading donor lists, and that the Respondent made the Program opt-out option available on each donor form, we determined that this did not constitute valid, meaningful donor consent under the Personal Information Protection and Electronic Documents Act (“PIPEDA”).
In the context of this complaint, the information shared by the charity with third parties via the Program was not sensitive and the Program does not create a meaningful residual risk of significant harm. We determined, however, that such information sharing is outside the reasonable expectations of donors, such that the Respondent was required to obtain express opt-in consent for the practice.
We further found that the information provided by the Respondent was not sufficient to support meaningful consent. The donor form was lacking key Program-related information that should have been provided up front, including what personal information would be disclosed to whom, and for what purposes. The insert provided with the donor form, which included a more detailed Program explanation to donors, and the Respondent’s privacy policy, were also both lacking certain information necessary to support meaningful consent, including how donors could withdraw their consent to the Program. Furthermore, the Respondent did not consistently provide the insert to recurring donors, including the Complainant.
We recommended that the Respondent implement the following measures to bring it into compliance with PIPEDA: (i) obtain opt-in consent for the Program; and (ii) provide further information on the donation form, and in the insert and privacy policy, to render that consent meaningful.
Complaint
- The Complainant alleged that the Respondent contravened the Personal Information Protection and Electronic Documents Act (“PIPEDA”) by failing to obtain his consent to participate in a donor list trading program (the “Program”). More specifically, he alleged that the consent the Respondent purported to have obtained, via an opt-out check box on the mail-in donation form he had submitted with his donation, was inadequate.
- The Complainant did not raise concerns related to other methods (e.g. over the phone, Internet) by which the Respondent may obtain consent for the Program. As a result, the scope of this complaint is limited to how the Respondent seeks consent via its mail-in forms - i.e. the donation form and associated insert that explains the Program in detail (the “insert”). These findings should, however, inform the manner in which the Respondent obtains consent for the Program via these other methods.
Background
- The Respondent is a charity that describes itself as [information redacted by the Office of the Privacy Commissioner (the “OPC”)].
- The Complainant is a recurring donor to the Respondent. In 2018, the Complainant became aware of the Program when he received a mail-in form soliciting donations from a different charity. This charity confirmed to the Complainant that it had obtained his name and mailing information from the Respondent. In the Complainant’s view, he had not consented to the Respondent sharing his personal information with third parties, such as this charity. The Complainant examined his most recent donation form to the Respondent and noted that it included a checkoff box stating: “I prefer to not have my name traded with other organizations.” The Complainant explained that while he had received and returned the donation form multiple times, he had not previously noticed this checkoff box.
- The Complainant contacted the Respondent to opt out of the Program and expressed his objection to the Respondent’s use of the opt-out mechanism to share his personal information with third parties. Specifically, he contacted the Respondent’s Chief Development Officer and, after several weeks with no response, contacted the Respondent’s President and CEO and the Chair of the Board of Directors. The Complainant ultimately received a response from the Respondent, approximately three months after his first correspondence. The Respondent apologized for the lack of response, stating that it did not respond to the Complainant’s first two inquiries due to administrative errors.
- Unsatisfied with the response he received from the Respondent, the Complainant filed the subject complaint with our Office.
Analysis
Issue: Whether the Respondent obtained meaningful consent for the Program
The Respondent’s Representations
- The Respondent submitted that it had obtained the Complainant’s consent to share his personal information via the Program, based on his previously submitted donation forms.
- Specifically, the Respondent provided the following information:
  - The Program is an important way that it and similar charities seek new potential donors to obtain the funding necessary to fulfil their objectives.
  - The exchange of donor or fundraising lists, as done in the Program, is a long-standing, widely used practice among not-for-profit organizations.
  - Pursuant to the Program, the Respondent discloses to other participating organizations only donor names, mailing addresses, and the fact that they donated to the Respondent, and it shares this information for the sole purpose of enabling these organizations to contact the individuals by mail only once to solicit donations.
  - Participation in the Program is voluntary, with consent obtained via the donation form.
  - The donation form is a short document that includes five checkoff boxes, including one that states: “Please read about our list trading policy on our enclosed insert. [_] I prefer to not have my name traded with other organizations.”;
  - The Respondent sends an insert with the donation form to new or prospective donors that explains the Program in more detail as follows: “One important way for us to find donors who will support our humanitarian work is to borrow donor lists from other charities. They in turn use our lists to look for supporters of their cause. This is a cost-free and economical way to build awareness for our cause. You may choose to have your name removed for trading purposes simply by checking the appropriate box on the reply coupon. Please, before doing this, consider how important these list trades are for raising funds that allow us to continue our mission.”
  - An individual who mails in the completed donation form but has not checked the opt-out checkoff box related to the Program is assumed to have consented to participate; and
  - Individuals may opt out of the Program at any time, including when submitting the donation form or afterward by contacting the Respondent via phone or email.
- Regarding the Complainant’s request to opt-out of the Program, the Respondent confirmed it had noted the Complainant’s opt-out request in its records, removed the Complainant from its donor information-sharing lists, and modified his profile. The Complainant later submitted to our Office a copy of his personalized mail-in donation form, which reflected his desire not to participate in the Program (i.e., the opt-out was pre-checked – see paragraph 24, Figure 2).
Form of consent
- The OPC’s Guidelines for Obtaining Meaningful Consent (the “Guidelines”) state that organizations must generally obtain express consent when: (i) the information in question is sensitive; (ii) the collection, use or disclosure is outside of the reasonable expectations of the individual; or (iii) it creates a meaningful residual risk of significant harm. Consideration of these factors is also relevant to assessing whether the information that the Respondent used to seek consent was sufficiently clear and prominent to support the form of consent required.
- Ultimately, as outlined below, in our view, while the information being disclosed in this circumstance via the Program is not sensitive and does not create a meaningful risk of residual harm, it falls outside the reasonable expectations of the individual, such that the Respondent should have obtained express consent for the practice.
Use of checkoff boxes to seek consent
- Section 4.3.7 of PIPEDA provides that individuals can give consent in many ways. “For example:…(b) a checkoff box may be used to allow individuals to request that their names and addresses not be given to other organizations. Individuals who do not check the box are assumed to consent to the transfer of this information to third parties;”
- Accordingly, we note that checkoff boxes are a reasonable method of seeking consent under certain circumstances. However, the issue here is whether opt-out consent is appropriate in the circumstances of this case.
Sensitivity
- Section 4.3.6 of PIPEDA provides that the way in which an organization seeks consent may vary, depending on the circumstances and the type of information collected. An organization should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive.
- The sensitivity of personal information is context-specific. Principle 4.3.4 states the form of the consent sought by the organization may vary, depending upon the circumstances and the type of information. In determining the form of consent to use, organizations shall take into account the sensitivity of the information. Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context. For example, the names and addresses of subscribers to a newsmagazine would generally not be considered sensitive information. However, the names and addresses of subscribers to some special-interest magazines might be considered sensitive.
- We therefore considered whether the donor’s name and address was sensitive when combined with the information that they had donated to the respondent. The fact that someone donated to a specific not-for-profit organization may be sensitive where, based on the nature of that organization, one could infer sensitive personal information about the donor.
- In this regard, we note that some charities and not-for-profit organizations may represent specific interests, or specifically support marginalized groups (e.g. charities that support people with specific health conditions, religious beliefs, sexual orientations). In contrast, other charities have broad mandates, and knowing that someone donated to support such a charity is unlikely to enable any inferences that represent sensitive information about a donor.
- The fact that the Complainant had donated to the Respondent does not, in our view, reveal any sensitive information about him. We are therefore of the view that the information disclosed for the purpose of the Program is not sensitive in this context.
- However, given the Respondent’s assertion that the sharing of donor lists is a common practice among charities, we emphasize that the personal information being exchanged may be sensitive, in the specific context of other not-for-profit organizations or causes.
Reasonable Expectations
- Section 4.3.5 of PIPEDA states, in part, that “[i]n obtaining consent, the reasonable expectations of the individual are also relevant. For example, an individual buying a subscription to a magazine should reasonably expect that the organization, in addition to using the individual’s name and address for mailing and billing purposes, would also contact the person to solicit the renewal of the subscription. In this case, the organization can assume that the individual’s request constitutes consent for specific purposes. On the other hand, an individual would not reasonably expect that personal information given to a health-care professional would be given to a company selling health-care products, unless consent were obtained.”
- For the reasons set out below, we determined that the Respondent’s donor list sharing program is outside the reasonable expectations of the individual.
- The Complainant stated that as a donor, he expected the Respondent to use his personal information to process his charitable donations; he did not expect the Respondent to share his personal information with other not-for-profit organizations for those organizations’ own purposes. However, the Complainant’s subjective expectation is not determinative in considering the broader concept of an individual’s reasonable expectations.
- The Guidelines state that “if there is a use or disclosure a user would not reasonably expect to be occurring, such as certain sharing of information with a third party…. express consent would likely be required. In some cases, other contextual factors may come into play. For example, where an organization considers disclosure to a third party, the identity of the third party and their purpose in seeking access to the information may be relevant...”
- The Respondent asserted that the ubiquity of donor list trading in the not-for-profit sector, as well as the limited disclosure and use of donor information and the rules and restrictions regarding frequency of contact, should be taken into account in considering donors’ reasonable expectations and the appropriate form of consent in this case.
- While we accept that trading donor lists may be a common business practice, we do not accept that this dictates the reasonable expectations of donors with respect to how and when an organization may share their personal information with third parties.
- We consider that it would be consistent with the reasonable expectations of an individual for the Respondent to use the personal information submitted via a donation form for the purposes of processing their donation, or sending an associated tax receipt. We note, however, that disclosing an individual’s name and address via the Program was not for this primary purpose, but instead, for the secondary purpose of enabling third parties to solicit donations from that individual. In our view, individuals would not reasonably expect the Respondent to disclose their personal information to third parties for this purpose. In particular, individuals for whom the act of donating to charity is a private matter (e.g. for religious reasons) would not expect that their personal information be disclosed in this manner.
Meaningful residual risk of significant harm
- The Guidelines state that “[u]nderlying the contextual analysis of both sensitivity and reasonable expectations is risk of harm to the individual. Harm should be understood broadly, including material and reputational impacts, restrictions on autonomy, and other factors.”
- We note that in the circumstances of the Program, the potential disclosure of personal information is very limited in nature and context – i.e. only:
  - a donor’s name, mailing address and the fact that they donated to the Respondent (which we have determined to be non-sensitive in this context);
  - with other participating non-profit organizations;
  - for the purpose of enabling these organizations to contact the individuals, one time by mail, to solicit donations.
- We also note that should a Respondent’s donor receive unwanted mail solicitation via the Program, they are able to opt out such that they will cease to receive such mail in future.
- In light of the above, we consider that the disclosure of the Complainant’s personal information for the purposes of the Program did not raise a meaningful risk of significant harm.
- Given the analysis above, while the information in question was not sensitive in this context and there was no meaningful risk of residual harm, since donors would not reasonably expect the disclosure in question, the Respondent could not imply consent and was required to obtain express consent for the Program.
Meaningful consent
- Section 4.3 of PIPEDA states that “The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.”
- Section 4.3.2 of PIPEDA provides that “[o]rganizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.”
- Section 6.1 of PIPEDA further provides that “[f]or the purposes of clause 4.3 of Schedule 1, the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.”
- First, we reviewed the insert, which represented the most detailed communication to donors regarding the Program. While, in our view, the insert provided a reasonable description of the Program, it did not explain that a participating donor’s mailing address, or the fact that they had donated to the Respondent, would be shared with third parties. We consider this information essential to understanding the nature of the Program, such that the description was insufficient in this regard.
- We also note that while the Respondent always sent the insert along with the donation form to new or potential donors, recurring donors may have received the donation form without the insert. In the context of this complaint, the Complainant received only the donation form in his most recent mail-out from the Respondent. In any event, even where a donor had access to the insert, there is no guarantee they would have read that supporting documentation.
- Recognizing the reality that users may not always read all supporting privacy communications, the Guidelines provide that to receive meaningful consent, organizations must allow individuals to quickly review key elements impacting their privacy decisions, right up front as they are considering using the service or product on offer, making the purchase, or downloading the app, etc. For this purpose, organizations must generally put additional emphasis on certain key elements, including: (i) what personal information is being collected; (ii) to whom it will be disclosed; and (iii) for what purposes.
- For illustrative purposes, we include below a redacted copy of two versions of the donation form in question. Figure 1 represents the form submitted by the Complainant with his complaint. Figure 2 reflects amendments the Respondent implemented to the form during the course of our investigation, specifically to increase the font size for the opt-out option:
Figure 1
[Redacted by the OPC]
Figure 2
[Redacted by the OPC]
- While we recognize that the opt-out language is more prominent on the second form, each version failed to provide several key elements of information up front. Specifically, the statement “Please read about our list trading policy on our enclosed insert. [_] I prefer to not have my name traded with other organizations” did not explain that the donor’s name, mailing address and the fact that they had donated to the Respondent would be disclosed: (i) to not-for-profit organizations, (ii) so that those organizations could solicit donations from the donor. In our view, therefore, this was not sufficient to support meaningful consent.
- We note that donors may also look to the Respondent’s privacy policy to inform themselves about the Respondent’s privacy practices, including those related to the Program, particularly if they are looking for this information while they do not have a copy of the donation form or insert in front of them. Upon our review of the Respondent’s privacy policy, we noted that it only briefly describes the Program, in much less detail than the insert.
- Finally, the Guidelines provide that individuals’ privacy choices must be explained clearly and made easily accessible. We understand that it is possible for a Respondent’s donor who has been included in the Program to withdraw their consent at a later time without needing to submit a donation form, which they may not have access to at the relevant time. However, we observed that neither the insert nor the privacy policy provided contact information by which a donor could withdraw their consent.
- For these reasons, in our view, the Respondent did not obtain meaningful consent for its disclosure of donor information to not-for-profit organizations via the Program.
Recommendations
- We made the following recommendations to the Respondent with a view to bringing the organization into compliance with PIPEDA:
  - Implement measures to obtain express opt-in consent for the Program.
  - Amend privacy communications to ensure meaningful consent for the Program:
    - provide key information up front, on the donation form, including that if opt-in consent is given: (i) the donor’s name, mailing address and the fact that they have donated to the Respondent will be disclosed; (ii) the information will be disclosed to not-for-profit organizations; (iii) the disclosure is for the purpose of allowing recipient organizations to solicit donations from the donor; and (iv) donors have the option to withdraw consent at a later time;
    - provide the insert with each donation form, including for recurring donors (which the Respondent already committed to do during the course of the investigation), and include in the insert an explanation that the Respondent will disclose the fact that the donor has donated money to the Respondent, as well as details, including necessary contact information, regarding how to withdraw consent for the Program; and
    - include in the Respondent’s privacy policy a more detailed explanation of the Program and how to withdraw consent.
The Respondent’s response to the recommendations
- The Respondent agreed to implement all of our Office’s recommendations.
- The Respondent explained that implementation of the recommendations would require substantial changes to its fundraising mechanisms, communications, and processes that currently refer to and support the Program. The organization further submitted that [redacted by the OPC], resources are limited across the organization. Ultimately, the Respondent committed, and our Office accepted, that it would implement the recommendations by no later than April 30, 2022.
Conclusion
- Accordingly, our Office concludes the matter to be well-founded and conditionally resolved.
- We expect the Respondent to submit to our Office: (i) by April 30, 2021, a detailed plan, including steps and associated timelines, for implementation of the recommendations; (ii) by July 31 and October 31, 2021 and January 31, 2022, quarterly reports detailing specific progress towards implementing the steps outlined in its plan; and (iii) by April 30, 2022, a final report, with supporting documentation, evidencing that it has fully implemented our recommendations. At that time, we will determine whether and how best to pursue the matter in accordance with our authorities under the Act.
Update
Since we issued our findings in the matter, the organization advised our Office that it has ceased its participation in the donor list trading program.