Avoid the compliance pitfalls of PIPEDA with a new publication from the Privacy Commissioner


The Personal Information Protection and Electronic Documents Act (PIPEDA) was passed 7 years ago and its interpretation has evolved with the investigation and resolution of over 2600 individual complaints.  The Office of the Privacy Commissioner recently released ‘Leading by Example’, meant to share the insights gained from many precedent-setting findings and provide guidance to businesses in developing and applying privacy practices.  Many of these findings will be of interest to direct marketers, in particular those involving ‘secondary marketing’ and outsourcing customer lists.

The collection of individual personal information for a primary purpose which is then used for ‘secondary marketing’ purposes, either directly or passing on to third parties, should be done with PIPEDA compliance in mind.  There are several potential issues with secondary marketing under PIPEDA rules.

These issues were illustrated in a case involving a bank.  A customer of the bank requested that ‘statement stuffers’ not be included with his monthly credit card mailing, claiming he had not provided permission for anything other than the card statement to be sent to him.  The bank agreed to cease telemarketing and direct marketing to the customer, but refused to let the customer opt out of receiving the statement stuffers, stating that the bank would have to manually intercept the complainant’s bill from the production run.  The bank claimed this was unreasonable and that because all statements had stuffers, they were not using personal information in this case.

The Assistant Commissioner of the Privacy Commission ruled against the bank, finding that the bank was using personal information when it inserted advertising into the credit card statement envelope. This use was secondary to the purpose for which consent was given, namely to receive a credit card. The commission also concluded that individuals must always have the right to opt out of secondary marketing.

The Commissioner held that the bank was in violation of virtually every aspect of consent. In regard to opting-out, the bank’s failure to provide a “convenient, immediate, and easy means of withdrawing consent” to secondary marketing purposes did not meet the reasonable expectations of the individual.

Firms must inform customers of potential secondary uses and provide a form of consent compliant with PIPEDA. Opt-out consent may be appropriate for secondary marketing purposes subject to the following conditions:

The Privacy Commissioner cites an exemplary use of opt out consent in a case involving a telecommunications company.  The company included in the customer monthly bill an insert that fully described their privacy policies for secondary marketing and provided their customers three convenient ways to opt out: through a toll-free number, e-mail, or on the organization’s website. The telecommunications company also provided individuals with the ability to opt-out at the time that they activated their phone.

Another important PIPEDA principle is that an organization remains responsible for personal information in its possession that is transferred to a third party for processing. The organization must use contractual means to ensure a comparable level of protection while the information is being processed by the third party. PIPEDA also requires organizations to be open about their policies and practices relating to the management of personal information.

These principles were at issue in a case in which a bank sent a notice to its credit card customers to inform them that it used a service provider located in the United States to process and store payment transactions and that customers’ personal information may be accessible to U.S. authorities. The bank’s outsourcing arrangement had been approved by the Office of the Superintendent of Financial Institutions. The bank had in place a contract with its service provider that included, among other things, terms regarding confidentiality, security, monitoring, oversight, audit, custody and control.

In such situations where an organization outsources personal information for processing by a third-party service provider located in a foreign country, the organization remains accountable for the personal information. The Office of the Privacy Commissioner concluded that the bank had met its obligation to provide a comparable level of protection through appropriate contractual means. The risk that personal information could be disclosed to U.S. authorities was comparable to the risk of mandatory disclosure to Canadian authorities under lawful authority here if the service provider was located in Canada.

This bank case also demonstrated that an organization must inform its customers about its policies and practices for handling personal information, and that it must notify customers if their data may become available to a foreign government under lawful order.

‘Leading by Example’ provides many precedents that address PIPEDA compliance issues and can be downloaded off the website of the Office of the Privacy Commissioner: http://www.privcom.gc.ca