Comments to CRTC on Affiliate Data Sharing

Comments of Action Réseau Consommateur, the Consumers’ Association of Canada, and Fédération des Associations Coopératifs d’économie familiale (“ARC et al”)
Canadian Radio-Television and Telecommunications Commission
Ottawa, Ontario
K1A 0N2
Attention: Ms. Ursula Menke
Secretary General
Dear Ms. Menke:
Re: Public Notice CRTC 2001-60: Confidentiality Provisions of Canadian Carriers (Sharing of customer data with affiliates)
1. The following are ARC et al’s comments in the above-mentioned proceeding, filed pursuant to the procedures set out in Public Notice 2001-60.

The Request

2. This proceeding was initiated by a Part VII application filed on behalf of Bell Canada, Aliant, MTS, Northern, Northwestel, SaskTel, and Telebec (“the Companies”, and was supported by TELUS. Other telecom service providers, primarily wireless carriers, have since expressed their general support for the application or for a similar relaxation of the rule in question.
3. The application is a request to remove the requirement under Article 11 of the ILEC Terms of Service that customer consent to information disclosure beyond that expressly permitted by Article 11 be provided in written form. This is a provision to which other telecom service providers, including wireless providers, have also been made subject by CRTC Order.
4. In brief, the Companies are requesting that they continue to be required to obtain customer consent to such disclosures, but that the consent need not be in writing when the disclosure is to an affiliated organization.

Implications of the Request

5. The Companies are making this request not so that they can rely upon oral or other non-written forms of consent. Rather, they want to be permitted to continue their apparent current practice of relying upon implicit as opposed to explicit consent of customers to the sharing of customer data with their affiliates. As the Companies state:

  • While having the flexibility to collect oral consent is marginally preferable to the status quo, ARC et al’s proposal [that explicit consent be required except where the disclosure is necessary to provide the service requested by the customer] stops far short of what the Companies are seeking….

6. In other words, the issue before the Commission is not whether consent to this data sharing should be obtained in written versus oral or electronic form. Rather, it is whether, or to what extent, consent to this data sharing should be obtained in a manner that ensures that the consent is conscious and informed.
7. The Companies’ proposal is, in essence, to permit them and other service providers to deem customer consent where such consent does not exist and where there are good reasons to suspect that such consent does not exist.

The need for greater clarity

8. Industry players point out that the federal Personal Information Protection and Electronic Documents Act, “PIPEDA”, which applies to them in respect of this issue, does not specifically require that consent to the disclosures in question be obtained in an explicit manner, nor does it set out specific criteria for when implicit consent can be relied upon. In other words, the Companies’ proposal not to specify the type or manner of consent required is entirely consistent with the PIPEDA. ARC et al do not dispute this point.
9. What the Companies fail to point out is that the PIPEDA leaves this very controversial issue open to interpretation, and hence, to abuse. It is precisely because the PIPEDA is so unclear on this issue that greater clarity is needed at the regulatory level, both in terms of when explicit consent is required, and what criteria must be met in order for implicit consent to be valid. It is unfair both to service providers and to customers to leave this highly controversial issue open to interpretation and abuse.
10. In fact, ARC et al submit that the policies and practices disclosed through this proceeding provide sufficient evidence of the likelihood of abuse, should the request be granted. In responses to interrogatories from ARC et al, it became clear that companies want to be able to deem customer consent on the basis of the most minimal notice and opt-out requirements.
11. When pressed for examples of when they would assume customer consent to data sharing with affiliates, companies tellingly avoided examples that go to the heart of the issue before the Commission, and instead provided non-controversial examples, for which consent can reasonably be assumed (e.g., data sharing where necessary to provide the service requested by the individual). No company provided an example of the kind of data sharing that is in issue here: sharing with an affiliate company with whom the customer has no relationship and has expressed no interest in having a relationship. Yet this is exactly the kind of data sharing that the Companies and others wish to engage in without customer consent.
12. While admitting that the determination of whether consent to data sharing with affiliates can be implied must be based, among other things, upon the “reasonable expectations of the individual”, industry players take the view that such individual expectations can be measured by the expectations of the majority of customers, even where a significant minority do not hold the same expectations. Clearly, where customer expectations vary, assumptions about individual expectations cannot be made with any reliability.
13. Moreover, industry intervenors confuse expectations with desires. Just because a customer has come to expect certain behaviour by a company or an industry does not mean that he approves of it or wants to be subjected to it. Customer expectations are therefore relevant, but not determinative.
14. Even if majority expectations were determinative of the “reasonable expectations of the individual”, however, no industry player in this proceeding has provided clear evidence to support its assertions about customer expectations.

Company assertions about customer expectations are unsupported and indeed contradicted by recent market research

15. ARC et al agree with industry players that an important issue in this proceeding is the extent to which customers want them to share customer data with affiliates. It was precisely because of the importance of this issue that PIAC commissioned a national survey of consumers, along with focus groups, last summer. The results of that market research are clear:

  • Businesses cannot assume anything about consumer consent to secondary marketing. This is because attitudes vary widely, with 48% of respondents objecting to the sharing of their personal data with affiliates (only 29% were comfortable with such sharing). It is also because many, if not most, customers are unaware of the extent to which their data is being shared.
  • A large majority (82%) of Canadians want businesses to obtain their permission before using their data for further marketing purposes.
  • A clear majority of Canadians do not want businesses to assume their consent to further marketing. Opt-in approaches to consent are clearly favoured over opt-out approaches (69% do not consider opt-out approaches to be acceptable).
  • Opt-out approaches to consent for marketing purposes are considered acceptable only if the opt-out provision is brought to the customer’s attention, is clearly worded, provides sufficient detail, and is easy to execute.

1. Specific questions about telephone companies were asked, generating the following results:

  • 79% of respondents considered it “highly important” that their telephone company obtain their consent before using their personal information to promote new services and products directly to them.
  • 84% considered it highly important that their telephone company obtain their consent before sharing their data with an affiliate.
  • 66% of respondents considered it unacceptable for their telephone company to use an opt-out approach as a way of obtaining consent to use customer data for purposes such as marketing new products or services.

1. As the survey report points out, these results were confirmed in focus groups, where the importance of obtaining consent was stressed, especially with respect to sharing among affiliates. As the report states:
“When it came to sharing information within a corporate family, most participants [in the focus groups] felt that it was unacceptable to assume consent, although a small number felt it was acceptable.’
2. Repeated assertions by companies in this proceeding that consumers expect and desire them to share customer data with their affiliates for marketing purposes are unsupported by empirical evidence. It is telling that not only did no company offer any empirical evidence to back up its assertions regarding customer desires, all remained unable to do so in response to interrogatories from ARC et al. The only evidence offered to support these sweeping generalizations about customer desires was unspecified “observations” and “feedback from the front lines”, and a brief reference to results of “research over the years” regarding customer expectations (not desires). In no case was any supporting data provided. In the case of the apparently dated research referred to by TELUS, no methodology, dates, or other relevant details necessary to assess the reliability of the research were provided.
3. Clearly, such unsupported assertions cannot be relied upon. Accordingly, the Commission should give no weight to them.
4. If companies could provide data supporting their assertions as to customer desires, they could have and would have done so. Like ARC et al, they had ample time during the course of this proceeding to survey customers and provide data for the benefit of the Commission and other intervenors. That they chose not to do so speaks volumes about their ability to do so.
5. The only reliable evidence as to customer desires provided in this proceeding was that provided by ARC et al, not coincidentally an intervenor representing consumers themselves. That empirical evidence directly contradicts the unsupported assertions of companies in this proceeding that customers want them to share customer data with their affiliates, without obtaining clear consent to such sharing beforehand.

Data sharing among affiliates is of greater concern to consumers than is internal use

6. The Companies take the view that “it is generally appropriate that implicit consent be used for internal company use and sharing of information with communications affiliates under common control and branding”, while “express consent would be required for disclosure to unaffiliated third parties”, with some exceptions. In other words, they make a distinction between affiliates and unaffiliated third parties, but not between internal use and affiliate use, when it comes to customer consent.
7. As noted above, the EKOS survey and focus groups show that consumers are significantly more concerned about companies sharing their data with affiliates than they are about companies using that data internally for secondary marketing purposes. Accordingly, while consumers want companies to obtain their clear permission for even internal profiling and marketing, their desire for companies to do so is even more pronounced in respect of sharing with affiliates.
8. Although willing to apply a higher standard of consent to sharing with unaffiliated third parties (in keeping with customer expectations and desires as reflected in the EKOS study), the Companies and most of their industry colleagues seem to want to ignore the important distinction that consumers draw between internal use and sharing with affiliates. This is not surprising, given the tremendous value to them of customer data. However, it runs contrary to clearly expressed consumer wishes.
9. ARC et al note that, while proposing a rule which does not distinguish between different types of affiliates, the Companies do in the quote above confine their definition of the appropriate bodies regarding whom customer consent to data sharing can be implied, to “communications affiliates under common control and branding”. There are two significant qualifications here: first, that the affiliates in question provide communications services, and that second, that the affiliates be marketed under the same brand. While such a narrowing of the scope of “deemed consent” may go some distance toward assuaging consumer concerns (as suggested by Call-Net in its proposal), it does not negate the need for informed consumer consent to any data sharing, as well as to internal use, for purposes beyond those reasonably expected by the customer.

Customers want telecommunications companies to use opt-in approaches to consent

10. As pointed out above, recent market research indicates that consumers want companies to obtain their consent to data collection, use, and disclosure for marketing purposes through explicit, opt-in approaches, under which consent is never assumed. This result was obtained in respect of questions specifically about telecommunications companies, and specifically about data sharing with affiliates.
11. ARC et al note that their position is supported by the Ontario Privacy Commissioner, who states that:
”….as a general rule, opt-out consent would not be an appropriate mechanism for obtaining consent for the sharing of confidential subscriber information among affiliated companies. Instead, subscribers should be provided with an opportunity to opt-in by checking off a box on the billing insert sent to inform them of the change in the Terms of Service. In addition, subscribers could be provided with an opportunity to opt-in through any mechanism by which the subscriber normally communicates with the company (e.g., telephone, fax, e-mail, or in-person).”
12. For these reasons, ARC et al urge the Commission to adopt a rule that consent to customer data sharing with any third party, affiliated or unaffiliated, must be explicit.
If permitted, negative option approaches to consent should be subject to strict criteria to ensure their effectiveness
13. When asked by ARC et al about the important elements of negative option approaches to consent, companies agreed that the negative option should:

  1. be brought to the individual’s attention;
  2. provide full information as to the uses and/or disclosures in question;
  3. be clearly worded and easy to understand; and
  4. be easy to execute.

14. The only suggestion of ARC et al’s that they disagreed with in this respect was that the negative option be “costless” to execute. On that issue, industry players nevertheless noted that exercising the negative option may entail minor costs, but should generally be available at no or minimal cost.
15. Yet, in stark contrast to their agreement in principle, the Companies’ and TELUS’s current and proposed practices fail to adequately bring the opt-out to the attention of individual customers, are not always adequately informative, and are not always easy to execute.
16. The Companies point out that they communicate their data sharing policies to subscribers via bill inserts, point of sale documents, the introductory pages of the telephone directory, and their websites. TELUS provides its privacy brochure to all new customers, and posts it on its website.
17. Examining these practices more closely via an interrogatory, however, ARC et al discovered that:

  • With respect to bill inserts:
    • In the case of Bell, Aliant, and MTS, the opportunity for subscribers to opt-out of data sharing was either not mentioned or not obvious;
    • Where mentioned, the opt-out required unnecessary effort on the part of the customer (i.e., no toll free number provided on the brochure); and
    • Inserts on point have been sent out no more than once so far by each companies to its subscribers, and there is no indications that further notifications will be sent out via bill insert annually or otherwise.
  • With respect to Directory information:
    • That provided by Bell Canada includes only a condensed version of its stated purposes, contrary to the suggestion in para.49 of The Companies’ Nov. application, and is not very informative;
    • In the case of Bell, Island Tel, MT&T, and NBTel, no opt-out provision is provided at all;
    • In the case of NewTel, the only opt-out provision is re: telemarketing lists;
    • In the case of TELUS, the examples provided under each purpose do not mention sharing with affiliates; and
    • In the case of all the companies, the information is not particularly conspicuous; a subscriber would have to be reading carefully in order to notice and appreciate the assumption that is being made about their consent.
  • With respect to “point of sale” documents,
    • In fact, contrary to the suggestion made by the Companies in para.49 of their original submission, neither Bell, Aliant, MTS, Telebec nor Northern use this avenue to inform customers of their data sharing policies and of the opportunity to opt out; and
    • Only Bell and TELUS appear to inform new customers of their privacy policies via a mail out.
  • With respect to verbal notice to customers,
    • No company other than MTS uses the opportunity of verbal communication with new customers to inform them of the privacy policy (and then, it is not clear what exact information is provided to customers);
    • Only Microcell suggests that it uses or would be willing to use an oral message via SMS to advise customers of a change in the Terms of Service, for example.

18. With respect to website notices, it is obvious that only those customers who use the Internet have any chance of being notified in this manner, and in any case, few Internet-capable subscribers are likely, in ARC et al’s submission, to visit the telephone companies’ website to find out about their privacy policies.
19. ARC et al submit that the ILECs’ current and proposed methods of informing customers of any negative option regarding use and sharing of their data for marketing purposes fail the test of reasonableness. They are inadequate insofar as they fail to engage the attention of customers, are not clearly worded, provide insufficient detail, and are not as easy to execute as they could be.
20. In respect of notifying customers of a change in the Terms of Service as a result of this proceeding, however, some companies proposed more effective means of communication. For example, Microcell stated that notification via “direct contact” with customers would be most appropriate, and that such direct contact could be accomplished via an SMS message (orally), the monthly invoice, or a separate mailed notice.
21. ARC et al submit that these are examples of other means of notification that can and should be used by companies to bring to the attention of customers any negative options regarding data sharing. E-mail messages, telephone messages, and pop-up windows on websites are other possible means of communication. The companies in question are experts in marketing, and hence, in bringing their products and services to the attention of customers. Surely they can make greater efforts to being their privacy policies to the attention of their customers.

Telco data on customer opt-outs proves the point

22. In response to an ARC et al interrogatory, the Companies admit (a) that they have no data on the proportion of customers who are aware of their data sharing policies and opt-out opportunity, and (b) that only a fraction of a percent of customers, if any, have actually exercised the opt-out.
23. It is instructive to compare the 0.006% of Bell’s residential NAS, 0.003% of Aliant’s residential NAS, the 0% of other Companies’ customers who have exercised an opt-out with respect to affiliate sharing, and the “very few” of RWI’s customers who have asked that information not be shared with affiliates, with the 48% of respondents to the EKOS survey who indicated that they do not want companies sharing information about them within corporate families in order to advise them of new products and services that might interest them.
24. There are only two possible explanations for such a vast disparity: customers are simply unaware of the data sharing policy, and/or find it too onerous to execute the opt-out. ARC et al submit that the market research conducted by EKOS supports the inference to be drawn here that most consumers are simply unaware of the data sharing. Under such circumstances, reliance on implicit consent is clearly inappropriate; consent cannot be provided by unaware individuals.

An explicit consent requirement for data sharing with affiliates is entirely consistent with PIPEDA

25. The Companies and others argue that a Commission requirement for explicit consent to customer data sharing with affiliates would be more restrictive than, and would improperly “override” the federal legislation, PIPEDA. ARC et al respectfully disagree.
26. The PIPEDA leaves open the question of when explicit consent is required, suggesting only that the circumstances surrounding the information sharing, the reasonable expectations of the individual, and the sensitivity of the information in question are relevant. Being less than a year old, the legislation has yet to be authoritatively interpreted in context.
27. For the CRTC to require express consent to customer data sharing with affiliates would be entirely consistent with the requirements of PIPEDA. It may constitute a more restrictive approach than the Companies desire, but this does not make it in any way inappropriate or inconsistent with federal legislation.

Competitive equity can be achieved by applying the same rule to all communications companies

28. Any concerns about competitive equity can be addressed simply by applying the same rule to all companies under the CRTC’s jurisdiction. There is no reason why the same rule should not apply to all telecom and broadcasting service providers.
The practices of companies subject to the existing “written consent” rule should be investigated and non-compliance punished
29. It is not clear from the responses to interrogatories provided by companies in this proceeding, whether they are complying with the current rule requiring written consent. On one hand, the Companies assert that “written consent is always obtained for sharing confidential customer information with affiliates, unless one of the exceptions to Article 11 applies”. Yet, in response to another interrogatory, they state:
Since 1997 Aliant Telecom Inc. and its predecessor companies ….have not requested from subscribers written consent for the disclosure of information to affiliates.
30. In the same interrogatory response, Bell Canada and MTS admit to obtaining written consent to such sharing only in certain narrow circumstances. TELUS states that only 2.5% of its customers have given written consent to data sharing with affiliates for directory purposes, while even fewer have provided written consent to data sharing with other TELUS affiliates in the context of loyalty programs.
31. It is unclear to ARC et al how the first interrogatory response reconciles with the second, or with company policies of deeming customer consent to such data sharing.
32. ARC et al urge the Commission to investigate what appears to it to be blatant non-compliance with clear CRTC regulations, and to take appropriate measures regarding any findings of non-compliance.

Conclusion

33. For all the reasons set out above, ARC et al submit that the Commission should require explicit consent of customers prior to any disclosure of confidential customer data to affiliates, except where the disclosure is necessary for the service requested by the customer and where such sharing would be reasonably expected in the circumstances.
34. Should the Commission nevertheless decide not to require explicit consent, it should at a minimum require that any negative option regarding data use or sharing:

  1. be brought to the individual’s attention;
  2. provide full information as to the uses and/or disclosures in question;
  3. be clearly worded and easy to understand; and
  4. be easy to execute at minimal effort and cost.

All of which is respectfully submitted,
Original signed
Philippa Lawson
Counsel for ARC et al
Cc: Interested Parties, PN 2001-60