This is the third post in a series dealing with promotional activities in which a user of a website or mobile app is requested to provide e-mail addresses of their contacts or allow access to the user's address book for the purpose of sending an e-mail invitation to a contact of the user. In the first post, I discussed the privacy by design principle. In the second post, I discussed the implications of treating the contact information as the personal information of the user and the non-user.

As I mentioned in previous posts, this whole area is fraught with difficulty and will become more so once Canada's Anti-Spam Legislation is in-force. Legal advice should be sought for these types of promotion to ensure compliance.

So the invitation has gone out to the non-user. Now what?

Resist the urge to build a profile for the non-user.

The user has not yet agreed to join. Typically, an organization will want to build privacy protections to avoid building a user profile for the non-user until the user consents to join. If the purpose of collection was to send an e-mail invitation, it may be difficult to justify the collection of the non-user's street address or telephone number.

There may be more subtle ways of building a profile, such as by cross-referencing the user's e-mail address against other users's address books or searching out other available information on the Internet. If the website or mobile application's design involves building a profile for the non-user as part of the promotional activity to invite the user to join, care should be taken to deploy privacy protections. In particular, the organization should avoid "using" the non-user's personal information for purposes other than making the invitation until the organization has made privacy disclosures to the non-user.

In a recent decision of the Office of the Privacy Commissioner of Canada ("OPC"), the OPC considered Facebook's practices with respect to generating friend suggestions for non-users in invitations. At the time of the investigation, Facebook would bundle friend suggestions within the first invitation to the non-user. The OPC found it significant that by doing so Facebook had already "used" the non-users' e-mail address to generate friend suggestions without providing any information on how the non-user's personal information was being used and any opt-out mechanism.

During the investigation, Facebook changed its practices to something more acceptable to the OPC. No additional friend suggestions were made in the initial invitation. There was a more prominent opt-out notice and a notice and link to information regarding the use of the e-mail address for generating friend suggestions. The non-user's e-mail address was only used to make additional friend suggestions to the non-user once those disclosures had been made and the non-user given an opt-out opportunity.

Destroy the e-mail address once the purpose for the collection has been fulfilled.

Another issue is what to do with the e-mail addresses of non-users who do not respond either to join or to opt-out. Organizations should consider whether the purpose for which the e-mail address has been collected has been fulfilled. If so, then privacy legislation in Canada would instruct the organization to destroy (delete) the non-user's contact information.

There will be instances where the website or mobile app stores the contact information for another purpose as a service to the user. However, if the sole purpose of the collection was to make the invitation, then the organization should consider what would constitute a reasonable period of time to keep the non-user's contact information.

About Fraser Milner Casgrain LLP (FMC)

FMC is one of Canada's leading business and litigation law firms with more than 500 lawyers in six full-service offices located in the country's key business centres. We focus on providing outstanding service and value to our clients, and we strive to excel as a workplace of choice for our people. Regardless of where you choose to do business in Canada, our strong team of professionals possess knowledge and expertise on regional, national and cross-border matters. FMC's well-earned reputation for consistently delivering the highest quality legal services and counsel to our clients is complemented by an ongoing commitment to diversity and inclusion to broaden our insight and perspective on our clients' needs. Visit: www.fmc-law.com

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.