In 2001, more than half of Canadian consumers in loyalty programs had no idea that information about their buying habits, together with other personal information, was being shared and sold, according to the findings of a survey by EKOS Research Associates.1
Had those people consented to their personal information being collected and used that way? If they did not expressly request that the company not share or sell their information, did they effectively consent?
What constitutes – or should constitute – consent to the use of personal information is one of the most important privacy issues facing the marketing industry today.
It matters, of course, because come January 1, 2004, all private sector industries that deal with personal information in the course of commercial activity will have to comply with privacy legislation – either the federal Personal Information Protection and Electronic Documents Act ("PIPEDA") or provincial legislation that is substantially similar to it. (Federally-regulated undertakings, such as banks and the broadcasting and telecommunications industries have been subject to PIPEDA since January 1, 2001.)
The key obligation of a business under PIPEDA is set out in the Act:
An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances and -only with the individual’s consent unless obtaining consent would be inappropriate.
PIPEDA requires an organization to obtain consent for each of the collection, use and disclosure of personal information.
The definition of "personal information" is broad – personal information is "any factual or subjective information, recorded or not, about identifiable individuals". There is an exemption for the name, title or business address or telephone number of an employee of an organization (informally referred to as "business card data").
"Personal information" is not limited to information that can be used directly or indirectly to identify an individual. It includes, for example, a person’s name, home address, personal telephone number, health information, income, ethnic origin, credit records, employment history, education/training history, travel or entertainment information and family information.
It includes, in short, a lot of information that marketers value.
Exemptions from consent
PIPEDA has only limited exemptions when it comes to consent. Consent for collecting personal information is not required where:
- the collection of the personal information is clearly in an individual’s interest and consent cannot be obtained in a timely way;
- having to obtain consent would compromise the availability or accuracy of information gathered during the investigation of a breach of an agreement or a contravention of the law;
- the collection of the personal information is solely for journalistic, artistic or literary purposes; or
- the information is publicly available and specified by regulations.2
PIPEDA does not state whether it applies to personal information collected before the legislation comes into force. The privacy legislation just passed by British Columbia and the legislation being proposed in Alberta both contain "grandfathering" provisions – there will be no requirement to obtain consent for the collection of already-collected personal information. However, that information will be protected by the legislation as far as ensuring the accuracy and security of the information, withdrawal of consent and using the information for new purposes.
In any event, on a going-forward basis, businesses need to understand what establishes consent under privacy legislation.
Forms of consent
Generally there are three different forms of consent:
- implied consent;
- opt-in (or positive consent); and
- opt-out (or negative option).
In some cases, consent to the collection and use of information may be implied. For example, someone who gives their home address for a magazine subscription has implicitly given consent to the publisher to retain that information and to use it to deliver the magazine and to solicit a renewal when the subscription expires.
Opt-in consent requires a consumer to actively consent to the collection, use and disclosure of information. It’s the mandatory standard under PIPEDA when collecting, using or disclosing sensitive information. (While "sensitive information" is not defined in PIPEDA and may depend on the circumstances, information such as medical or income records are always considered sensitive information.)
Opt-out consent requires a consumer to actively ask not to have personal information collected, used and disclosed. Without that action, consent is assumed.
While many privacy advocates feel opt-in consent is an ideal standard for all personal information, marketing industry representatives have argued that it should apply only in the case of sensitive information because otherwise it simply isn’t financially feasible for marketers to do business.
Barbara Robins, Privacy Officer, Vice President and Legal Counsel of the Reader’s Digest Association, stated in an interview:
We believe that the ability for the direct marketing industry to continue to obtain consent (to collect, use and disclose information, other than sensitive information) by way of an opt-out is critical to the viability of the industry. We know that in trying to compile lists, the opt-in for example, can be extremely costly without successful results….[W]ithout the availability of the opt-out, it is hard to imagine the industry continuing to grow and thrive.
Is opting out an option?
It’s not clear that opting-out is an option under PIPEDA. But it’s not clear that it isn’t either. PIPEDA doesn’t address the issue directly.
So far it has been up to the Privacy Commissioners to determine whether opting-out in any given situation constitutes consent. Because they are not bound by earlier "decisions" and because their decisions about complaints can be influenced by their own beliefs about the -nature of privacy and the purpose of privacy legislation, it can be difficult to predict what will be acceptable.
Former Commissioner George Radwanski once called opt-out mechanisms "contrary to basic human decency" and said in his report on his investigation into a complaint about Air Canada that he intended to restrict the opt-out negative option approach to very limited situations.
The complaints concerned Air Canada’s Aeroplan Frequent Flyer Program and centred on Air Canada’s practices of sharing personal information about its members with external organizations. Initially Air Canada did this without consent. When it did decide to obtain consent, it sent brochures to only approximately 1% of its members and asked in such a way that consent was assumed unless the member took the initiative to check off the boxes indicating refusal and returned the brochure. Mr. Radwanski found this unacceptable. In addition, he said that the wording about how the information might be used in the future was so vague that members could not reasonably understand how it would be used or disclosed and therefore could not really give consent.
Recently, however, the Office of the Privacy Commissioner has been more relaxed in its approach to opt-out policies. For instance, a decision by Interim Commissioner Robert Marleau issued on August 6, 2003 allowed a cellular telephone company to continue using the opt-out policy and procedure it had in place, despite two complaints that personal information had been used for secondary marketing purposes without the individuals’ consent.
Mr. Marleau stated in his findings that he considers opt-in consent to be the most appropriate method of obtaining consumers’ consent in any circumstances. However, he acknowledged that opt-out procedures are acceptable in certain circumstances. Most importantly, companies using opt-outs must comply with four conditions:
(i) The personal information must be clearly non-sensitive in nature and context;
(ii) The information-sharing situation must be limited and well-defined as to the nature of the personal information to be used or disclosed and the extent of the intended use or disclosure;
(iii) The organization’s purposes must be limited and well-defined, stated in a reasonably clear and understandable manner, and brought to the individual’s attention at the time the personal information is collected; and
(iv) The organization must establish a convenient procedure for easily, inexpensively, and immediately opting out of, or withdrawing consent to, secondary purposes and must notify the individual of this procedure at the time the personal information is collected.
Since the cellular telephone company had complied with these conditions, the Commissioner concluded that the complaints were not well-founded. In fact, since the company had recently modified its policy to allow for opt-outs at the time of activation, the Commissioner described the policy as "exemplary".
While it appears that the Office of the Privacy Commissioner’s stance has changed somewhat since Mr. Radwanski’s departure, the appointment of a new Privacy Commissioner when Mr. Marleau leaves at the end of his term may – or may not – result in different decisions. The federal government has recently nominated Jennifer Stoddart as the next federal Privacy Commissioner, but given the scandals that plagued the Office near the end of Mr. Radwanski’s tenure, the nomination will likely be carefully reviewed.
Opting for opting out
Assuming for the moment that opt-out consents will be accepted by the new Privacy Commissioner, it is likely that companies will have to comply with the conditions set out by Mr. Marleau including the condition that the purposes of the use and disclosure must be "limited and well-defined". This sounds easy enough, but the devil may be in the details.
Practically speaking, corporations will want to keep their purposes as vague as possible in order to avoid the arduous task of requesting new consents each time a new purpose arises. However, as Air Canada found out, vague purpose disclosure may not withstand the scrutiny of the Privacy Commissioner. Companies will have to walk a fine balance.
Companies should also ensure that their opt-out procedures are easy, inexpensive and implemented quickly. The Canadian Marketing Association is requiring its members to improve opt-out procedures to make it easy for consumers to see the opt-out option, understand what it means and execute it if that is their decision.
It also appears that a consumer’s opt-out decision must include an organization’s subsidiaries and affiliates. In another decision of the Office of the Privacy Commissioner, the complainant had opted out of receiving unsolicited promotional materials from his bank. When he called to complain that he continued to receive materials from the bank’s affiliates, he was told he would have to contact them directly. The Commissioner found that the bank’s failure to include its affiliates in the opt-out process rendered the option meaningless.
The astounding amount of personal information that can be collected online and the ease with which it can be collected, cross-referenced, used and shared means that consent issues become even more significant in online marketing.
Co-registration, in which a consumer’s registration at one web-site (for example to receive a gift or enter a contest) is deemed to constitute agreement to receive marketing materials from partner sites, can result in a consumer receiving offers and promotions from dozens of third parties. Much of that material may be unwanted, yet a consumer may have to scroll down to see the names of all the partners, and may even be required to opt-out of consent to any or all of them. While it may be cost-effective marketing, it’s arguable whether a consumer in this situation actually has a meaningful opportunity to opt out.
Establishing whether an individual consented to the collection of personal information (as opposed to its use and disclosure) is usually less open to interpretation. But marketers have been developing more aggressive and creative ways to collect consumer information, which may raise privacy concerns. The off-line practices of "network marketing", "creating a buzz" or "word-of-mouth marketing" have become – online – "word-of-mouse marketing" or "viral marketing".
The first and best example is the story of hotmail.com. At the bottom of each Hotmail e-mail is a link asking the recipient of the e-mail to sign up for his or her own Hotmail -account. Once people sign up, each e-mail they send out also includes this link. Therefore, the more people who receive e-mails, the more people who will open their own accounts; the more people who open accounts, the more people who will receive e-mails, and so on.
There is nothing wrong with this from a privacy perspective, since each Hotmail subscriber is an "opt-in" customer. Some web-sites are even more passive; they simply ask users to recommend the site to their friends and provide an easy means for the user to do that. But in other cases, companies may be coming close to – or stepping over – the line when it comes to collecting personal information online.
For example, in one variation of an online contest, registrants are told that they will receive more entries, or otherwise increase their chances of winning, if they send in the e-mail addresses of their friends and family members. Although typically these new registrants, if they decide to join the game at all, are allowed to opt out of receiving information from the company and out of having their information given to third parties, the initial collection of the e-mail addresses is not PIPEDA-compliant because these individuals did not consent to it.
Consent is only one of the privacy issues that will continue to attract attention and debate as the private sector learns to live with privacy legislation. But as the Canadian Marketing Association has pointed out, the more privacy horror stories there are, the greater the likelihood that consumers and regulators will call for opt-in consent in all situations. Keeping the opt-out option may require a higher standard of evidence that consumers are actually consenting adults.
1. "Business Usage of Consumer Information for Direct Marketing: What the Public Thinks" (study commissioned by the Public Interest Advocacy Centre, August 2001) in Privacy Payoff: How Successful Businesses Build Customer Trust by Ann Cavoukian and Tyler J. Hamilton.
2. The regulations (SOR/2001-7) define this "public domain" information as:
(a) personal information consisting of the name, address and telephone number of a subscriber that appears in a telephone directory that is available to the public, where the subscriber can refuse to have the personal information appear in the directory;
(b) personal information including the name, title, address and telephone number of an individual that appears in a professional or business directory, listing or notice, that is available to the public, where the collection, use and disclosure of the personal
(c) personal information that appears in a registry collected under a statutory authority and to which a right of public access is authorized by law, where the collection, use and disclosure of the personal information relate directly to the purpose for which the information appears in the registry;
(d) personal information that appears in a record or document of a judicial or quasi-judicial body, that is available to the public, where the collection, use and disclosure of the personal information relate directly to the purpose for which the information appears in the record or document; and
(e) personal information that appears in a publication, including a magazine, book or newspaper, in printed or electronic form, that is available to the public, where the individual has provided the information.
The foregoing provides only an overview. Readers are cautioned against making any decisions based on this material alone. Rather, a qualified lawyer should be consulted.
© Copyright 2003 McMillan Binch LLP