
Inadequate approaches to opt-out consent

Philippa Lawson, Counsel
(613) 562-4002 x.24
plawson@piac.ca

Mr. George Radwanski
Privacy Commissioner of Canada
112 Kent Street
Ottawa, Ontario K1A 1H3

BY EMAIL and MAIL

Dear Commissioner Radwanski:

Complaint re: Inadequate Approaches to Opt-out Consent

Please accept this formal complaint under s.11 of the Personal Information Protection and Electronic Documents Act (“PIPEDA”), regarding business non-compliance with the requirement, under the PIPEDA, for individual knowledge and consent to the collection, use and disclosure of personal consumer information for secondary marketing purposes. Based on recent market research conducted for us by EKOS Research Associates Inc.1, it is clear that many companies are not obtaining informed consent (either implicit or explicit) from individuals to the collection, use, and/or disclosure of personal data for secondary marketing purposes.

The non-compliance we are complaining about is widespread and appears to reflect prevailing business practice in the retail market. For the purpose of investigation, however, we recognize that you need company-specific complaints. We therefore submit the following specific complaints:

  • the failure of Bell Canada to bring to the attention of its residential local telephone customers (a) its policy of sharing customer data with affiliates for secondary marketing purposes, and (b) the corresponding opportunity for customers to opt-out of such sharing;
  • the failure of HBC (Hudson’s Bay Company), in respect of its credit card and rewards program:
    • a) to adequately bring to the attention of customers: i) its practices of using and sharing customer data for secondary marketing purposes, and ii) the opportunity for customers to opt-out of such practices;
    • b) to provide adequately clear information as to potential secondary uses and sharing of customer data, and
    • c) to provide applicants with a method of opting-out of such uses and sharing that can be executed immediately, easily, and at minimal effort and cost.
  • the failure of MBNA Canada Bank, with respect to its Mastercard service:
    • a) to adequately bring to the attention of its customers: i) its practices of using and sharing customer data for secondary marketing purposes, and ii) the opportunity for customers to opt-out of such practices;
    • b) to provide adequately clear information as to potential secondary uses and sharing of customer data, and
    • c) to provide applicants with a method of opting-out of such uses and sharing that can be executed immediately, easily, and at minimal effort and cost.
  • the failure of the Bank of Nova Scotia:
    • a) to adequately bring to the attention of its customers: i) its practices of using customer data, and sharing such data with affiliates, for secondary marketing purposes, and ii) the opportunity for customers to opt-out of such practices;
    • b) to provide full and clear information as to potential secondary uses and sharing of customer data, and
    • c) to provide customers with a method of opting-out of such uses and sharing that can be executed immediately (e.g., from the customer’s residence), easily, and at minimal effort and cost.
  • the failure of AIR MILES reward program:
    • a) to adequately bring to the attention of its customers: i) its practices of using customer data, and sharing such data with affiliates, for secondary marketing purposes, and ii) the opportunity for customers to opt-out of such practices;
    • b) to provide full and clear information as to potential secondary uses and sharing of customer data, and
    • c) to provide customers with a method of opting-out of such uses and sharing that can be executed immediately, easily, and at minimal effort and cost.

These examples2, in our view, involve violation of the basic PIPEDA requirement for “the knowledge and consent of the individual…for the collection, use, or disclosure of personal information, except where inappropriate.” (Principle 3, Schedule 1)

We submit first that, in respect of secondary marketing purposes, it is always appropriate to ensure the individual’s knowledge and consent, such that the exception does not apply. Secondary marketing involves no higher public interest such as law enforcement, health, or security that would override the general duty to obtain consent.

The issue then becomes: when can consent reasonably be inferred (i.e., when can companies rely on “implied consent” to secondary marketing purposes)? This is where there is clearly a difference of view between the marketers and the marketed.

Companies appear to take the view that customer consent to secondary marketing can be deemed to have been given, as long as the policy is stated in some document that is accessible to the customer. They do not consider that they have any obligation to bring to the attention of the individual customer the practices in question or the negative option regarding those practices. As a result, most consumers are not aware of the practices or of the negative option, contrary to the requirements of the PIPEDA. If they are not aware, they clearly are not consenting, implicitly or otherwise.

Failure to bring to the attention of the individual, so as to ensure awareness, was the single most common deficiency in company practices that we came across in our survey. It is manifested most commonly in two forms: (a) reliance on a document which is not provided to the individual customer, and which the customer must find on their own initiative, and (b) reliance on fine print buried in a long document, which most customers do not read in full and which companies do not realistically expect them to read in full.

Other common deficiencies which render the “implied consent” relied upon by companies meaningless include:

  • failure to provide the relevant information in clear, plain language such that the ordinary consumer can easily understand what they are being assumed to have consented to;
  • failure to provide adequately detailed information such that the consumer can fully appreciate the extent and purpose of uses and sharing to which they are consenting, and
  • failure to provide a method of executing the negative option which is easy, does not require the use of computers (which many consumers do not have), involves minimal effort on the part of the consumer (e.g., does not require the consumer to write a letter and mail it to a postal address), and can be executed at minimal cost (e.g., does not require a long distance telephone call).

Our recent survey of Canadians’ expectations and desires regarding business collection, use and disclosure of their personal information for secondary marketing purposes confirms that the common practice of assuming customer consent to such purposes is unjustified. A copy of the survey report, which we sent to you earlier this year, is enclosed.

Attitudes vary widely among Canadians, such that businesses cannot assume anything about consent to secondary marketing. For example, 38% of respondents were not comfortable with companies using their personal information “in order to advise [them] of new products and services that may interest [them]”. A higher proportion of Canadians (48%) are uncomfortable with the sharing of such information among affiliates for the same secondary marketing purposes.

Yet, only a tiny percentage of consumers actually execute the negative options offered to them by companies, in respect of data use and sharing for secondary marketing purposes. For example, Bell Canada reports that only 500 of its customers have exercised an opt-out with respect to affiliate sharing.3 This is a tiny fraction of a percent of Bell’s residential customer base.4 Aliant Telecom reports only 30 instances of customer opt-out – again, a tiny fraction of a percent of their total residential customer base.5 Representatives from Air Miles have stated in the media that only a very small percentage of their customers exercise the negative option.

Clearly, there is an enormous mismatch between the proportion of Canadians who say they would like to exercise the opt-outs, and the proportion of Canadians who actually do. The cause is clear: most people are either inadequately informed, or simply unaware, of the practices in question and of the opportunity to opt-out. Of the minority who are aware, many likely fail to act on their desires because of the effort required to exercise the opt-out.

Our survey shows that over half (54%) of those participating in loyalty programs are unaware of the fact that many of these programs collect, use and disclose information about their purchasing habits in order that companies can target them with new products and services. (53% of all respondents reported being unaware of this fact, suggesting widespread unawareness of common business practices in using and sharing customer data.) Clearly, consumers cannot be consenting to practices of which they are unaware. Yet, companies continue to assume customer consent to practices of which a majority of Canadians say they are unaware. Surely, this cannot be considered compliance with the PIPEDA.

The survey shows that a large majority of Canadians (82%) want to be asked for their permission before a company uses their personal information to build a profile on them for the purpose of marketing new products and services. Deeming consent, or assuming that it has been implicitly given when we know that a sizeable proportion of Canadians don’t consent to these practices, does not constitute “obtaining permission” or “obtaining consent” as required under the PIPEDA.

We should note that a clear majority of respondents to our survey want companies to use opt-in approaches to consent to secondary marketing (as opposed to opt-out): 69% do not consider opt-out approaches, in general, to be acceptable methods of obtaining consent. This preference for opt-in approaches was clearly evident in focus group testing as well, even after participants were made aware of the costs of opt-in approaches both to companies and to themselves as consumers.

Opt-out approaches were considered acceptable only under certain conditions: that the opt-out provision is brought to the customer’s attention, that it is clearly worded and sufficiently detailed, and that it is easy to execute. As noted above, these conditions are not met in practice. (In fact, we have yet to identify an opt-out approach which meets all of these conditions.)

In conclusion, it is clear that the current business practice of deeming consumer consent to the collection, use and disclosure of personal data for secondary marketing purposes does not reflect actual consumer expectations or desires. It surely does not meet the legislative requirement under PIPEDA for the individual’s knowledge and consent to such data use and sharing.

We respectfully request confirmation from you that opt-out approaches to individual consent to the collection, use and/or disclosure of personal data for secondary marketing purposes meet the requirements of the PIPEDA only if they:

  • are brought to the attention of the individual,
  • are clearly worded,
  • provide sufficient detail for the consumer to make an informed choice, and
  • are easy to execute with minimal effort.

All of which is respectfully submitted,

original signed

Philippa Lawson
Counsel

cc:
Bell Canada
Hudson’s Bay Co.
MBNA Canada Bank
Bank of Nova Scotia
AIR MILES

1 Copy attached. A copy of this report was sent to you earlier this year, as well.
2 We would be happy to discuss further with you the particular deficiencies of each company’s information practices.
3 See Bell Canada’s response to ARC et al’s question in the proceeding initiated by CRTC Public Notice 2001-60, regarding customer consent to sharing of customer data with affiliates, in TheCompanies(ARCetal)27Aug01-6.
4 Bell has app. 8.65 million residential network access lines.
5 App. 950,000 NAS.
