Canada Post’s collection and use of personal information for marketing purposes not compliant with the Act
Complaint under the Privacy Act
May 12, 2023
Description
An individual complained to our Office about Canada Post’s practice of using the personal information that it gathers from the outside of delivered envelopes and parcels to create mail marketing lists that it rents to the private sector. The information collected by Canada Post for this program includes information about where individuals live and what type of online shopping they do (based on who they receive packages from). We found that Canada Post has not obtained individuals’ authorization to indirectly collect personal information from the outside of envelopes that it delivers for the purpose of enabling its marketing program, and is therefore in contravention of section 5 of the Privacy Act.
Our Office recommended that Canada Post cease its current practice of using and disclosing personal information leveraged from its operational data for mail marketing activities until it could seek and obtain Canadians’ authorization. Canada Post has not agreed to take this corrective action, and we urge it to re-consider this position.
Takeaways
- Section 5 of the Privacy Act requires government institutions to obtain authorization from individuals to collect information about them indirectly if they intend to use the information for an administrative purpose (unless certain limited conditions apply).
- Canada Post's use of personal information for its mail marketing program is an “administrative purpose”. The decision to include an individual in a mailing list that it rents out to third parties directly affects the individual by causing them to receive unsolicited marketing mail.
- For an individual to “authorize” an indirect collection, they must: (i) be aware of the practice or reasonably expect the practice; and (ii) take an action that can reasonably be inferred as giving permission for the practice - either expressly, such as through a signed authorization, or at a minimum via their conduct.
- For any Canadians wanting to opt-out of having their personal information in the Canada Post “Name and Address Database” that they use to create mail marketing lists, they can go to Canada Post’s Name and Address Database page and complete the form.
Report of findings
Overview
The complainant received unsolicited marketing mail addressed to him, including his not-publicly-available suite number. Canada Post Corporation (“CPC”) confirmed this was due to his name being included in a marketing list CPC provided to a third-party for a fee. The complainant filed a complaint with our office to determine whether CPC’s practice of using operational information for marketing purposes is compliant with the Privacy Act (the “Act”).
After careful consideration of CPC’s submissions, we accept that, given the broad language of the Canada Post Corporation Act (the “CPC Act”), CPC’s practice of collecting information from parcels and envelopes that it delivers, for the purpose of offering mail marketing list services, is directly related to an operating program or activity of CPC and therefore compliant with the collection provisions of section 4 of the Act. We also accept that CPC’s use and disclosure of personal information [to Mail Service Providers (“MSPs”) who generate and send mail campaigns on behalf of advertisers] is for the purpose of delivering the ‘Smartmail Marketing Program’ (“SMM Program”), and therefore in line with the use and disclosure provisions of sections 7 and 8 of the Act.
However, we found that CPC’s collection practices under the SMM Program contravene the requirements of section 5 of the Act - which requires institutions to, wherever possible, collect personal information that may be used for an administrative purpose directly from individuals unless they authorize otherwise, except under limited circumstances that do not apply to this matter. We do not accept CPC’s argument that it is not using the personal information in question for an administrative purpose. We also do not accept its alternative arguments that the mere availability of an opt-out mechanism, and/or the fact that individuals accept mail delivery by CPC generally, constitutes authorization by individuals for CPC to indirectly collect and use personal information about them from the outside of envelopes for the purpose of offering mail marketing list services to businesses.Footnote 1
During the course of our investigation, CPC began work to improve the clarity and transparency of information on its website and at its retail outlets (via a planned brochure) about its use of individuals’ personal information for mail marketing list services.
However, CPC disagreed with our findings that it contravened section 5 of the Act and refused to implement our recommendation that it cease its current practice of using and disclosing personal information leveraged from its operational data for mail marketing activities without seeking authorization from individuals for the indirect collection of their personal information.
Background
The Complaint
- The complainant reported that he received marketing material from a local restaurant in Toronto, addressed to him, with his name and full apartment address on the envelope, including the suite number. The complainant submitted that he had not provided the restaurant with his contact details and his suite number is not listed in the phone directory. After making inquiries, the complainant learned from the restaurant that the mail was sent to him as his name was included in a mail marketing list obtained from CPC.
- The complainant then contacted CPC for additional details and, in so doing, learned that his address had been used as part of a mail marketing campaign (paid by the restaurant), under CPC’s SMM Program. According to the complainant, he was told by CPC that “the program combines information about individuals that CPC has in its possession with publicly available information obtained from the phone directory (Canada411) and sells this to businesses interested in marketing to individuals.” CPC represented to our office that the business interested in marketing does not directly receive the personal information. Rather, for a fee, the personal information, which CPC indicates remain the ‘property’ of CPC, is disclosed to a third-party mail service provider which has entered into a contract with CPC and manages the mail out on behalf of the business.
- CPC explained to the complainant that he could opt out of having his name and contact information included in the Canada Post Name and Address Database in order to stop his information from being included in mailing lists provided to MSPs for marketing purposes.Footnote 2 Notwithstanding CPC’s explanation, the complainant remained dissatisfied that CPC had disclosed his information for marketing purposes in the first place.
CPC’s Marketing Mail List Services
- Under CPC’s SMM Program, CPC offers a number of for-fee marketing services to businesses. This includes “cleansing” customer lists (by updating, adding to, and correcting contact information), and preparing marketing mail lists to enable an advertiser to better target businesses or residential households via direct mail.Footnote 3
- To offer marketing mail list services, CPC contractually engages mail service providers (chosen by the advertiser) pursuant to a Third-Party Service Provider Licence Agreement. The mail service provider prepares and sends the direct mailout for customers based on the criteria of a given marketing campaign. CPC’s marketing information points out there is a greater chance that recipients will open ‘addressed mail’Footnote 4 versus unaddressed mail (which they also offer). Mail service providers are subject to security and confidentiality obligations, which prohibits the disclosure of mailing lists (or other data) to advertisers, and they are contractually obliged to safeguard the information and dispose of mailing lists once a mail campaign is fulfilled. Advertisers must pay CPC again if they wish to reuse mail marketing lists.
- One of CPC’s competitive advantages in this field, compared with private sector companies offering similar services, is that CPC has an extensive and accurate database of mailing addresses in Canada (CPC’s “Proprietary List”),Footnote 5 as well as other ‘proprietary information such as accurate information on where individuals live and their online shopping habits.Footnote 6 To offer the SMM Program, CPC uses data in its SMM Database which includes records compiled from various sources, including:
- CPC’s Proprietary List of addresses across Canada;
- for certain types of parcels, information about the categories of retailer that the individuals at a particular address receive parcels from – used by CPC to derive insights on online shopping habits aggregated at the postal code level;
- names and address information that CPC collects from the outside of mail it delivers – used by CPC to correct, update or supplement address information about individuals obtained from third party sources below;Footnote 7
- publicly available telephone directory information sourced from third-party consolidated data (e.g., address, contact names and telephone numbers);
- data that CPC collects from third parties who have obtained individuals’ consent to share information about them for marketing purposes, such as purchased mobile phone geolocation data (e.g., time spent at different types of retail outlets in the past month), self-reported survey data and purchased mailing lists, as well as census and other aggregated data to help businesses target the right customers with greater precision.Footnote 8
- In the case of the complainant, the telephone directory where CPC collected the complainant’s name and address did not include his suite number, which was needed to deliver addressed mail to him. CPC explained that in the context of its SMM Program, it ensures that addresses are correct by adding, for example, missing suite or unit numbers, to enable delivery of the marketing mail. With respect to the complainant, CPC confirmed that it added the suite number, which it got from its operational data (i.e., collected from the address data on posted packages/envelopesFootnote 9) to update the complainant’s mailing address for the purposes of the marketing campaign in this instance.
- CPC noted that it only includes individuals in mailing lists it compiles from SMM Program data if it was able to find the individual in either the public phone directory, or from purchased “consent-based” consumer surveys – where the company indicates individuals consented to their information to be shared with “partner companies for marketing and research purposes.”
- ‘Targeting attributes’ for mail marketing lists can be selected by advertisers at the neighborhood level, postal code level or household level. On its website, CPC indicates that it can prepare marketing lists based on 1,200 available targeting attributes in categories such as Demographics (e.g., marital status, ethnicity), Interest and Behaviors (e.g., golf enthusiasts, loyalty card holders) and Life Stage and Lifestyle (e.g., families with children, outdoor adventurists).Footnote 10
Issues
- In light of the allegations made by the complainant, this report examines whether CPC’s collection and subsequent use and disclosure practices, that resulted in the unsolicited addressed mail received by the complainant, are compliant with: (i) the requirement for collections to be related directly to an institution’s operating programs or activities under section 4 of the Act; (ii) the requirements to collect personal information directly and with proper notice under section 5 of the Act; and (iii) the requirement to obtain consent from individuals for the use and disclosure of personal information, except where certain conditions apply, under sections 7 and 8 of the Act.
Analysis
Issue 1: Are CPC’s marketing mail list services compliant with the collection requirements of section 4 of the Act?
- Section 4 of the Act states that no personal information shall be collected by a government institution unless it relates directly to an operating program or activity of the institution. After careful review, detailed below, we accept that CPC’s mail marketing list services are operating programs of CPC that are enabled by the CPC Act. Therefore, we accept that personal information may be collected by CPC for the express purpose of operating these for-fee services under section 4 of the Act.
- Specifically, CPC cited subsection 5(1) of the CPC Act as its lawful authority to operate the SMM Program. Subsection 5(1) of that Act mandates CPC to, “establish and operate a postal service for the […] delivery of messages, information, funds and goods”, including the provision of any services that “are, in the opinion of the Corporation, necessary or incidental to the postal service provided by the Corporation” and “are capable of being conveniently provided in the course of carrying out the other objects of the Corporation.”
- CPC also cited that paragraph 5(2)(b) of the CPC Act requires it to, “have regard to the need to conduct its operations on a self-sustaining financial basis.” CPC did not expressly define what it considers “incidental services” to be; however, it did note in its representations to our Office that: “The provision of direct marketing mailing lists to its commercial customers is a service that is incidental to the postal service provided by CPC and one that is capable of being conveniently provided in the course of carrying out its other objects, as per section 5 of the Canada Post Corporation Act. Importantly, the provision of this incidental service is instrumental in ensuring CPC continues to maintain its financial independence and viability…”
- In other words, CPC considers its SMM Program and other services such as customer list cleaningFootnote 11, to be “incidental services” directly linked to its mandate to operate a postal service on a self-sustaining financial basis.
- Based on the above, we accept that the collection of personal information described in paragraph 6 above, for the purpose of offering its SMM Program, relates directly to CPC’s operating programs as enabled by section 5(1) of the CPC Act. The collections are therefore compliant with section 4 of the Act and we find this aspect not well-founded. However, as described further in the Issue 3 section of this report, we found that CPC is not compliant with the requirements of section 5 of the Act.
- While we accept CPC’s arguments above with respect to its compliance with section 4 of the Act, the broad discretion for collection under this provision represents an important trust, which, in our view, Canadians rightly expect to be for carefully circumscribed government purposes. In this context, for completeness, we include and address certain ancillary arguments advanced by CPC.
- First, CPC argued that its power to create operating programs or activities like the SMM Program is further grounded in subsection 16(1) of the CPC Act, which provides that, “In carrying out its objects and duties under this Act, the Corporation has the capacity, and subject to this Act, the rights, powers and privileges of a natural person.” CPC submitted that this grant of powers distinguishes CPC from most other government institutions and requires a different approach when assessing what CPC is authorized to do.
- While we accept that this grant of powers distinguishes CPC from other government institutions, the jurisprudence on section 16 of the CPC Act tends to describe that provision as providing CPC with the authority to engage in discrete transactions such as entering into contracts, increasing rates, or granting licenses.Footnote 12 Moreover, CPC’s powers under section 16 of the CPC Act are circumscribed by its statutory mandate. This is plain from the opening words of the provision, “In carrying out its objects and duties under [the CPC Act]…”. As such, and contrary to CPC’s submissions, section 16 of the CPC Act is not a freestanding authority to collect personal information. Interpreting section 16 of the CPC Act otherwise would result in section 4 of the Act having limited application to CPC. We therefore reject the argument that section 16 of the CPC Act provides CPC with broad-based authority to collect personal information.
- Second, CPC noted the trend of ‘declining volumes of letters for many years’ and that to help make up for the resulting revenue shortfall while ensuring that it continues to fulfill its nationwide mandate, CPC must continually innovate and introduce new ways to diversify its revenue streams. It stated that it did not view “CPC’s engagement in these activities as being in any way contrary to the public good. In fact, research indicates that consumers enjoy receiving relevant marketing offers by mail.” We do not agree that all Canadians would see the monetization of their personal information entrusted to CPC to enable targeted marketing in such positive terms.
- Third, CPC suggested that the preparation of commercial mailing lists is a standard business practice for national postal administrations around the globe, including those operating within strong privacy protection regimes. It mentioned as examples the UK, Australia, Germany, France, Sweden, Finland, Spain and the United States. However, when we examined publicly available materials of these other postal services, we did not find indications that these postal services are monetizing personal information for mailing lists without consent as CPC does. In fact, we noted that the United States Postal Service specifically indicates in its Privacy Policy that they do not sell or rent personal information.Footnote 13
Issue 2: Are CPC’s marketing mail list services compliant with the requirements of sections 7 and 8 of the Act?
- Section 7 of the Act states that personal information under the control of a government institution shall not, without the consent of the individual to whom it relates, be used by the institution except: (a) for the purpose for which the information was obtained or compiled by the institution or for a use consistent with that purpose; or (b) for a purpose for which the information may be disclosed to the institution under subsection 8(2).
- Section 8 of the Act states that personal information can only be disclosed with an individual's consent – subsection 8(1) – or in accordance with one of the paragraphs of subsection 8(2), one of which, 8(2)(a), is: “for the purpose for which the information was obtained or compiled by the institution or for a use consistent with that purpose.” [emphasis added] The test for whether a disclosure is for a ‘consistent use’ is whether there is a sufficiently direct connection between the purpose and the proposed use, such that an individual would reasonably expect that his or her information could be used in the manner proposed.Footnote 14
- As described in paragraph 6 above, CPC uses a range of personal information that it collects from different sources, including from the outside of envelopes and parcels it delivers, to generate accurate and targeted mail marketing lists for commercial customers under its SMM Program. In the process, it also discloses names and addresses of individuals to mail service providers to [stuff the envelopes] on behalf of advertisers under contractual terms set by CPC.
- As detailed below, we do not accept CPC’s first position that its use and disclosure of personal information in the course of mail marketing list services offered to commercial clients are for the purpose of “delivering the mail” or for a consistent use with that purpose [second enabling condition of 8(2)(a)]. However, we accept that this use and disclosure of personal information nonetheless meets the requirements of subsection 7(a) and paragraph 8(2)(a), as we accept CPC’s second position that offering the SMM Program is one of their original purposes for collecting the personal information on mail they deliver, in addition to actually delivering the mail. To be clear, we do not believe that most Canadians are aware that the SMM program constitutes an original purpose. We address this gap below in Issue 3 containing our analysis on section 5.
- With respect to CPC’s first position, it submitted that its use of names and addresses from envelopes to correct, complete and update individuals’ addresses on commercial clients’ own mailing lists, and those CPC offers to commercial clients via mail service providers, contributes to accurate and timely sortation and delivery of mail. It argued that the use of personal information under the SMM Program was therefore for the purpose of delivering the mail or a consistent use with that purpose.
- We do not accept that the use of either address information or online shopping habits to provide mail marketing list services to commercial clients is for the purpose of delivering the mail, or is sufficiently directly connected to the purpose of delivering the mail, such that an individual would reasonably expect that his or her information could be used in the manner proposed.
- With respect to CPC’s second position, CPC also contended that enabling the SMM Program was one of the original purposes of collection for all the personal information described in paragraph 10 – including operational information it collects from the outside of envelopes and packages that it delivers. CPC noted that this position is supported by its published Personal Information Bank (“PIB”) description entitled “Address Accuracy and Delivery of Mail” (PPU 001) which states that this bank contains “name and address information captured from envelopes to facilitate sortation and validation for delivery of the mail; and, to create, validate and correct mail marketing lists.” [emphasis added] The published PIB description also states that the purpose for the collection of the information in the bank is: “Purpose: the records are used to support the provision of postal services, including signature mail services and mail marketing lists.”Footnote 15 [emphasis added]
- In light of the above, and CPC’s broad discretion to determine its operating programs as described in the Issue 1 section of this report, we accept that CPC’s use and disclosure of personal information for the purposes of offering its direct marketing services is for an original purpose of collection, and therefore complies with subsection 7(a) and paragraph 8(2)(a) of the Act.
Issue 3: Are CPC’s marketing mail list services compliant with the collection requirements of section 5 of the Act?
- While we found that sections 4, 7 and 8 of the Act permits the collection and subsequent use and disclosure of personal information for the purpose of offering the SMM Program, we determined that these collections are not compliant with section 5 of the Act which requires institutions to collect personal information directly from individuals and notify them of the purposes of collection, unless limited exceptions apply.
- Specifically, subsection 5(1) states that “a government institution shall, wherever possible, collect personal information that is intended to be used for an administrative purpose directly from the individual to whom it relates except where the individual authorizes otherwise or where personal information may be disclosed to the institution under subsection 8(2).” Subsection 5(2) states that “a government institution shall inform any individual from whom the institution collects personal information about the individual of the purpose for which the information is being collected.” And finally, subsection 5(3) states that subsections (1) and (2) do not apply where compliance therewith might (a) result in the collection of inaccurate information; or (b) defeat the purpose or prejudice the use for which information is collected.
The collections are for an administrative purpose
- CPC argued that using and disclosing individuals’ personal information for the purpose of offering mail marketing list services is not an ‘administrative purpose’ as contemplated by the Act. As a first step, we therefore considered whether section 5 applies, including whether the use of an individual’s information to provide mail marketing services constitutes a use for an “administrative purpose” as defined in section 3 of the Act: “the use of that information in a decision-making process that directly affects that individual”.
- There is limited jurisprudence interpreting the definition of “administrative purpose” in the Act. However, in elaborating on the definition of administrative purpose above, the Treasury Board Secretariat (“TBS”) Policy on Privacy ProtectionFootnote 16 specifies that: “This includes all uses of personal information for confirming identity (in other words, authentication and verification purposes) and for determining eligibility of individuals for government programs”. Furthermore, the Policy describes the binary concept of a “non-administrative purpose” as: “the use of personal information for a purpose that is not related to any decision-making process that directly affects the individual. This includes the use of personal information for research, statistical, audit and evaluation purposes”.Footnote 17
- This aligns with a decision of British Columbia’s Information and Privacy Commissioner, which suggests that the Act (as well as its counterpart in British Columbia’s privacy legislation) creates a “functional separation” between purely research or statistical uses (which will not qualify as administrative purposes) on the one hand, and ‘administrative’ decisions on the other. Further, in speaking about the term “administrative purpose” when debating Bill C-25 to introduce the Act in 1977, the then Minister of Justice also framed administrative purposes in direct opposition to statistical purposes.Footnote 18
- We disagree with CPC’s argument that the personal information contained in the SMM Program database is not used for the kind of “administrative purpose” contemplated by the Act. CPC submitted that the direct marketing services it offers do not affect an individual’s rights and that therefore, the underlying personal information is not used for an administrative purpose. It argued that the SMM Program does not serve a public function typically associated with administrative bodies in that this program does not: (i) allocate public resources, (ii) adjudicate issues involving individual interests, or (iii) concern the relationship between individuals and public institutions. It contended that, in the course of operating this purely commercial program, no decisions are made about, or directly affect, an individual that would constitute an administrative purpose under the Act. The effect of CPC’s argument is to restrict the ambit of “administrative purposes”, defined in section 3 of the Act as “the use of that information in a decision-making process that directly affects that individual” to more classic government decision-making processes (for example, a licensing decision made by a department). We disagree with this interpretation.
- In our view, CPC’s interpretation of the scope of “administrative purpose” is overly restrictive. Decisions are made about individuals in the context of the SMM Program, specifically, the decision to include an individual’s name in a mailing list that is subsequently used for marketing purposes. Individuals are directly affected by this decision because they are then essentially targeted for marketing and receive unsolicited addressed mail that they would not otherwise receive.
- Had Parliament intended for the definition of “administrative purpose” to be triggered only for certain types of decision-making actions affecting individuals, it would have included explicit language to this effect in the Act, and it did not. In our view, the fact that CPC is not engaged in a ‘classic’ government administrative decision-making (for example, whether to issue a licence or permit, accept an application, etc.) does not mean that it is outside the scope of section 5 of the Act. Thus, in our view, section 5 does apply to personal information collected for the purposes of CPC’s mail marketing services.
The indirect collections are not authorized by individuals
- CPC further argued that even if the personal information used for its direct marketing mail services is characterized as being used for an administrative purpose, nothing in the design of the SMM Program violates section 5 of the Act. Specifically, CPC argued that individuals have implicitly authorized CPC to collect the information indirectly as per subsection 5(1) of the Act. CPC’s position is that this implicit authorization for personal information it collects from third parties (such as survey information) is derived from the consent that individuals provide to those third parties to share their information “for research and marketing purposes”. CPC’s position is that its implicit authorization to use personal information on the outside of mail that it delivers is derived from the fact that individuals accept mail delivery by CPC generally, and/or the fact that individuals can opt-out of CPC’s SMM Program database as described in CPC’s online Privacy PolicyFootnote 19, its “Privacy at Canada Post Booklet” available at retail outlets, and its Personal Information Bank (“PIB”) entitled “Address Accuracy and Delivery of Mail” (PPU 001).Footnote 20
- “Authorization” is not defined in the Act, however, for an individual to be considered to have “authorized” a practice, in our view they must: (i) be aware of the practice or reasonably expect the practice and (ii) have taken an action that can reasonably be inferred as giving permission for the practice – either expressly, such as through a signed authorization, or at a minimum, implicitly via their conduct.
- With respect to information collected from third parties who sought (valid) consent to share the information with CPC for marketing purposes, we accept that this could theoretically constitute authorization for indirect collection. In our view, to meet this condition, CPC would need to conduct due diligence to confirm that the third party(ies) did in fact obtain valid consent for the disclosure of the personal information to CPC for marketing purposes. Given that there were no indications that CPC collected any of the complainant’s personal information in this manner we did not examine CPC’s due diligence in this context.Footnote 21
- With respect to CPC’s argument that individuals implicitly authorize the indirect collection of their personal information for the SMM Program by accepting mail delivery from CPC in general, and/or by not using the opt-out available on CPC’s website, we disagree. CPC suggested that the term “mail” includes transactional and advertising mail, and that therefore in receiving mail generally, individuals implicitly authorize CPC to collect and use their personal information to enable advertising mail. It argued that it has the permission of Canadian households to deliver mail to their address, and to request “re-permission to deliver their mail would be absurd.” It further suggested that as individuals can opt-out of the SMM Program on CPC’s website, in not using this opt-out, individuals implicitly authorize the use of their personal information for the SMM Program.
- In our view, neither individuals’ use of the postal service generally, nor the availability of an opt-out mechanism in CPC’s privacy policy, constitute authorization from individuals for CPC’s indirect collection of personal information on mail that they receive for the purposes of the SMM Program. Specifically, we do not believe: (i) that most individuals would be aware of the practice or reasonably expect it; nor (ii) that individuals have, either expressly, or via their conduct, given permission for the practice. The practice of using address or behavioural information taken from a posted envelope(s) for the purpose of marketing insights into online shopping habits, and validating or correcting a commercial mailing list does not seem sufficiently related to traditional mail delivery such that authorization can be implied from the act of addressing the envelope, or more generally, an individual availing themselves of mail delivery services in Canada. As we found in a previous investigation of CPC,Footnote 22 informed consent is the fundamental issue in this case.
- Further, we did not receive any submissions from CPC that would suggest that an exception under subsection 5(3) would apply in this case, nor do they appear applicable based on the facts. Therefore, we have no indication that an exception to the direct collection requirement applies in this context.
- We note that in its representations, CPC stated that it shares certain similarities with private sector entities as a crown corporation, and that the Personal Information Protection and Electronic Documents Act (“PIPEDA”)Footnote 23 permits commercial use and disclosure without consent of publicly available personal information, as specified in the related PIPEDA regulations.Footnote 24 As CPC is an institution subject to the Privacy Act, not PIPEDA, we have not assessed the SMM Program against the requirements set out in PIPEDA. However, we note that much of the personal information that CPC collects for use in the SMM Program is not publicly available. Indeed, as CPC notes in its promotional materials, it is the use of this non-public “proprietary operational data” (for which it does not obtain consent) that makes CPC’s mail marketing list services particularly valuable.Footnote 25
- Further, CPC argued that requiring it to modify its practices to obtain authorization from individuals would subject it to a more stringent privacy standard than applies to other Canadian organizations operating similar business activities given its view that the personal information at issue is not sensitive in nature and the risk of harm to individuals is extremely low. However, regardless of the sensitivity of personal information, consent for collection, use and disclosure of personal information is a cornerstone of both PIPEDA and provincial private sector legislation in all but carefully prescribed circumstances (such as the exception for publicly available information noted above). Similar to our analysis above as to what constitutes “authorization”, in joint guidelines issued by our Office and the Offices of the Information and Privacy Commissioner of Alberta (“OIPC-AB”) and British Columbia (“OIPC-BC”) on obtaining meaningful consent, it is indicated that where an individual would not reasonably expect their personal information to be collected, used or disclosed in a particular way, express consent is generally required.Footnote 26
- For all the reasons described above, we found that CPC does not have individuals’ authorization for its indirect collection of personal information from mail that it delivers, for the purpose of enabling its SMM Program, and is therefore in contravention of section 5 of the Act.
Recommendation
- In light of this contravention of section 5 of the Act, we recommended that CPC cease its current practice of using and disclosing personal information leveraged from its operational data for mail marketing activities without seeking authorization from individuals for the indirect collection of their personal information.
- CPC disagreed with our finding and did not agree to implement this recommendation. Instead, it commenced work to: (i) improve the clarity of information on its website about its use of individuals’ personal information for mail marketing list services, and increase visibility of the related opt-out mechanisms, (ii) add a related brochure to its retail outlets, and (iii) educate its commercial clients on how to respond to questions from individuals about advertising mail that they receive as a result of the SMM Program.
- We appreciate CPC’s commitment to enhance transparency, as information about CPC’s use of personal information in the SMM Program and the related opt-out mechanism for individuals is currently difficult to find and incomplete. However, in our view these measures do not constitute obtaining authorization from individuals as required by section 5, and therefore do not correct the contravention of the Act. Specifically, the measures CPC is working on neither: (i) ensure that all individuals whose personal information is being collected for the SMM Program are aware of it, nor (ii) ensure that all affected individuals have, either expressly or via their conduct, given permission for the practice.
- Practically speaking, individuals are not made aware of CPC’s practices or presented with a choice (to authorize indirect collection for the SMM Program or not) when they use CPC’s services for traditional mail delivery (such as by posting an envelope). The measures proposed by CPC only target those individuals who proactively engage with CPC through its digital properties or at retail outlets, and only if those individuals seek out the relevant information.
- We invited CPC to consider potential options to obtain authorization, such as by contacting individuals by mail (using the contact information for them that it has) through a mail-out process. CPC contended that it considered sending a ‘mail-out’ about the SMM Program but felt that this would target households and not individuals, thereby not achieving the intended goal of offering meaningful, individual choice. It did not propose other alternatives beyond the transparency measures described above. Notwithstanding CPC’s views on limitations associated with sending a one-time mailout, versus the status quo, this type of action would be a significantly more effective and impactful way to reach Canadians, particularly those who choose not to interact with CPC through its digital properties, including the majority of Canadians who would be unlikely to seek out privacy communications.
- In fact, we are of the view that our recommendation could indeed by satisfied by a properly structured mail-out process to households that informs resident individuals of the collection of their personal information under the SMM Program and provides an easily accessible way for individuals to opt out of the collection for this purpose.
- Therefore, we maintain our recommendation that CPC cease its current practice of using and disclosing personal information leveraged from its operational data for mail marketing activities without seeking authorization from individuals for the indirect collection of their personal information.
Conclusion
- We found that CPC’s SMM Program complies with the requirements of sections 4, 7 and 8 of the Act but contravenes section 5 of the Act. As CPC did not agree to take corrective action to bring the SMM Program into compliance with the Act, we therefore find the complaint well-founded and not resolved.
- We would expect that CPC would take the steps we recommended to bring its activities into compliance with the Act. We further urge CPC to re-consider remedial options such as an acceptable mail-out process as referenced in paragraph 51 above.
- Date modified: