This is the third post in a series dealing with promotional
activities in which a user of a website or mobile app is requested
to provide e-mail addresses of their contacts or allow access to
the user's address book for the purpose of sending an e-mail
invitation to a contact of the user. In the first
post, I discussed the privacy by design principle. In the
post, I discussed the implications of treating the contact
information as the personal information of the user and
As I mentioned in previous posts, this whole area is fraught
with difficulty and will become more so once Canada's Anti-Spam
Legislation is in-force. Legal advice should be sought for these
types of promotion to ensure compliance.
So the invitation has gone out to the non-user. Now what?
Resist the urge to build a profile for the non-user.
The user has not yet agreed to join. Typically, an organization
will want to build privacy protections to avoid building a user
profile for the non-user until the user consents to join. If the
purpose of collection was to send an e-mail invitation, it may be
difficult to justify the collection of the non-user's street
address or telephone number.
There may be more subtle ways of building a profile, such as by
cross-referencing the user's e-mail address against other
users's address books or searching out other available
information on the Internet. If the website or mobile
application's design involves building a profile for the
non-user as part of the promotional activity to invite the user to
join, care should be taken to deploy privacy protections. In
particular, the organization should avoid "using" the
non-user's personal information for purposes other than making
the invitation until the organization has made privacy disclosures
to the non-user.
In a recent decision of the Office of the Privacy
Commissioner of Canada ("OPC"), the OPC considered
Facebook's practices with respect to generating friend
suggestions for non-users in invitations. At the time of the
investigation, Facebook would bundle friend suggestions within the
first invitation to the non-user. The OPC found it significant that
by doing so Facebook had already "used" the
non-users' e-mail address to generate friend suggestions
without providing any information on how the non-user's
personal information was being used and any opt-out mechanism.
During the investigation, Facebook changed its practices to
something more acceptable to the OPC. No additional friend
suggestions were made in the initial invitation. There was a more
prominent opt-out notice and a notice and link to information
regarding the use of the e-mail address for generating friend
suggestions. The non-user's e-mail address was only used to
make additional friend suggestions to the non-user once those
disclosures had been made and the non-user given an opt-out
Destroy the e-mail address once the purpose for the collection
has been fulfilled.
Another issue is what to do with the e-mail addresses of
non-users who do not respond either to join or to opt-out.
Organizations should consider whether the purpose for which the
e-mail address has been collected has been fulfilled. If so, then
privacy legislation in Canada would instruct the organization to
destroy (delete) the non-user's contact information.
There will be instances where the website or mobile app stores
the contact information for another purpose as a service to the
user. However, if the sole purpose of the collection was to make
the invitation, then the organization should consider what would
constitute a reasonable period of time to keep the non-user's
About Fraser Milner Casgrain LLP (FMC)
FMC is one of Canada's leading business and litigation law
firms with more than 500 lawyers in six full-service offices
located in the country's key business centres. We focus on
providing outstanding service and value to our clients, and we
strive to excel as a workplace of choice for our people. Regardless
of where you choose to do business in Canada, our strong team of
professionals possess knowledge and expertise on regional, national
and cross-border matters. FMC's well-earned reputation for
consistently delivering the highest quality legal services and
counsel to our clients is complemented by an ongoing commitment to
diversity and inclusion to broaden our insight and perspective on
our clients' needs. Visit:
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Software license agreements generally require the customer to pay fees for the software license and related services, which fees are usually based upon the duration of the license and the manner in which the customer is allowed to use the software, together with applicable taxes and withholdings.
In less than nine months, on July 1, 2017, persons affected by a contravention of Canada's anti-spam legislation will be able to invoke a private right of action to sue for compensation and potentially substantial statutory damages.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).