Payday Lending – Fringe Lending and “Alternative Banking”?
First Report on Fringe Lending and Alternative Banking, The Consumer Experience [pdf file: 0.76mb]
Utility Reconnection Services
Utility Reconnection Services: A New Threat to Vulnerable Consumers?
Public Interest Advocacy Centre
1204-ONE Nicholas St.
Ottawa, Ontario
K1N 7B7
With Funding from Industry Canada
Copyright 2002 PIAC. Contents may not be commercially reproduced, but any other reproduction with acknowledgments is encouraged.
The Public Interest Advocacy Centre (PIAC)
ONE Nicholas Street
Ottawa, ON
K1N 7B7
Canadian Cataloguing and Publication Data
Lott, Susan
Utility Reconnection Services: A New Threat to Vulnerable Consumers? ISBN 1-895060-56-7
Executive Summary
This report examines the current status of utility deregulation or restructuring in the energy and telecommunications sectors in Canada and the U.S. and its impact upon low-income consumers. It focuses on three major utility sectors that have the greatest impact on residential, low-income consumers: electricity, natural gas and telephone services. Specifically, the report examines to what extent reconnection services, or services targeted specifically to consumers who have lost service or have been unable to maintain utility service as a result of deregulation or restructuring, have emerged in Canada and the U.S.
The key characteristic of restructuring or deregulation is that investment and pricing decision-making are increasingly guided by market forces and competition. To enable this to occur, the core functions of the utility – the generation, transmission and distribution functions – are separated or unbundled, and a portion of these functions is subject to competition. The obvious and most significant impact upon the residential consumer is that their source of supply may change. It is no longer just the incumbent utility providing the service. The result has been the entry of reconnection companies into utility markets.
Utility restructuring in Canada has varied in its development and impact between utility sectors. Deregulation in the natural gas industry has been under way since the 1980s. There is some evidence that market segmentation has occurred as a result of restructuring in the gas industry. Market segmentation means that there is a differing impact of prices of natural gas upon different sectors of consumers, with higher prices for residential consumers than for other consumers, such as commercial or industrial consumers.
Deregulation in the electricity sector in Canada has been a very recent development. It has mainly taken place in Alberta and Ontario. In those provinces, there is already some limited evidence of price increases for residential customers. In the telephone industry, the federal government has jurisdiction and has set out the framework for deregulation through its amendments to federal legislation, which took place in 1993. The major effect of deregulation of the telephone industry has been reductions in long distance rates but increases in local phone service. There is also some limited evidence of telephone reconnection services being offered in Canada.
A significant part of the report examines utility restructuring and its effects in some specific jurisdictions in the U.S. This emphasis comes because utility deregulation in certain U.S. jurisdictions has been significant in its scope and depth. As a result, there is more evidence of market segmentation and growth of reconnection services targeting vulnerable consumers. The report examines some of the regulatory responses to telephone reconnection services and the impact of market segmentation in the energy sector creating the phenomenon of Providers of Last Resort Services.
With this background, the report offers some initial assessment of the overall impact of utility restructuring on vulnerable consumers in Canada and the U.S. Utility price increases have a greater impact on vulnerable consumers because a greater proportion of their income is spent on utilities.
The report assesses how the U.S. experience of deregulation may be relevant for Canada. It suggests that there may be a significant impact of Canada’s increasing exports into U.S. energy markets. There may be strong pressure on Canada to conform to the U.S. deregulatory environment. The examination of the effect of utility deregulation in the U.S. also points up very clearly the information deficit in this area in Canada. We have very few government and non-governmental resources dedicated to tracking deregulation and its impact in Canada.
Finally, the report focuses on Canada’s existing legal/legislative framework to protect vulnerable consumers. It looks briefly at the federal regulatory role in telecommunications and in energy and the provincial role, using Ontario as an example. It also looks at consumer protection legislation in Ontario and its applicability and the status of the common law notion of ‘duty to serve’ under deregulation. The report makes some specific recommendations concerning measures to assess the status of restructuring, to address effects of restructuring on vulnerable consumers, and recommendations concerning utility reconnection services in the telephone and energy sectors.
This report is available in PDF format. [pdf file: 0.2mb]
PIAC comments on CSA Privacy Code
CSA Model Code for the Protection of Personal Information, CAN/CSA-Q830-96
2002-2003 Review Comments of Philippa Lawson, Public Interest Advocacy Centre
Introduction
It has now been six years since the introduction of the CSA Model Code for Data Protection. A number of organizations have modeled their own privacy codes and policies on this standard, and businesses across the country have been attempting to understand their obligations under the Code, now part of the federal Protection of Personal Information and Electronic Documents Act (“PIPEDA”). Similarly, individual consumers have been trying to understand their rights under this new Code and legislation.
It has become clear that some important aspects of the Code are subject to widely differing interpretation. The vagueness of some provisions leaves both businesses and consumers uncertain as to their proper meaning and application, and encourages each interested party to interpret the provision to their advantage. The result is marketplace confusion, increased business expense, reduced utility of the Code, and loss of confidence by consumers in the protections that the Code was meant to afford.
Some of these issues of interpretation have been taken to the Privacy Commissioner by way of complaint under the PIPEDA. A body of authoritative findings is thus gradually clarifying some of the many grey areas of the Code. However, these findings are not legally binding, and are not subject to appeal by respondents. Hence, businesses can decide not to respect a determination by the Privacy Commissioner, and the matter may never be finally resolved.
Moreover, it will take many years for all of the uncertainties inherent in the Code to be addressed by the Privacy Commissioner. Businesses and consumers need certainty earlier rather than later. Businesses want to be able to design their data systems in accordance with the intended meaning of the Code, rather than having to go back and re-design the system, after finding out that their interpretation of a grey area in the Code was wrong.
Finally, it is far preferable for the Code to be clear on its face, than for parties to have to consult jurisprudence in order to understand what the Code means in practice. The latter merely increases business cost and makes it more difficult for organizations to comply.
For all these reasons, the Code should be revised at least so as to clarify certain vaguely worded provisions, and to create greater certainty for businesses and consumers alike.
In addition to uncertainties surrounding key provisions of the Code, it has come to light that some provisions are inappropriately worded, insofar as they fail to provide the level of data protection intended by the Code. These provisions should also be revisited in the review process.
Finally, the Code is deficient insofar as it fails to address some key components of informational privacy.
We note that the PIPEDA will be subject to Parliamentary review in 2005. Given that the PIPEDA is based on the CSA Code, it is important that any updates to the Code be made in advance of this review. The Parliamentary review will then, no doubt, involve a review of the updates to the Code.
Provisions Needing Greater Clarity
3. Consent
At the core of the Code is the concept of individual knowledge and consent. Yet, this critical concept is unclear in the Code and subject to widely differing interpretations in the marketplace. It is essential that the Code address this fundamental issue by distinguishing between the various types of consent and specifying clearly the circumstances under which each is acceptable.
Sub-principles 3.4, 3.5, and 3.6 address this issue, but do so incompletely and confusingly. They need to be revised so as to clarify that there are at least three different types of consent:
- express,
- implied, and
- deemed (e.g., via negative option).
Confusion has resulted from the use of the term “implied consent” to cover not only situations in which consent is actually provided (i.e., where the person would have consented if asked, and where the facts clearly suggest that consent was provided), but also situations in which consent is merely deemed (i.e., where it cannot reasonably be determined that the person would have consented if asked).
There is an important difference between “implied consent” and “deemed consent”. In the former, the individual has actually consented; whether consent can be implied is a matter of fact, not of law. In the latter, it does not matter whether the individual has actually consented; the law (or Code) permits organizations to act as if the individual has consented.
This difference is important insofar as it leads to differing standards of notice in each case. Notice is of less importance in the situation where consent can be implied. This is because consent can only be implied where it is reasonable to assume that the individual is fully aware of the collection, use, or disclosure and agrees to it. On the other hand, notice is of critical importance in those situations where consent is deemed, since the onus is then on the individual to “opt out” if they desire (or, in cases where no opt-out is offered, the individual needs at least to be aware of the uses to which their information will be put).
Negative option consent, the most prevalent form of consent for use of personal data in the marketplace, is a form of “deemed consent”, since it deems consent regardless of whether the individual is actually aware of the use, let alone consents to it. Other forms of deemed consent may also exist.
The Code needs to be revised so as to clearly distinguish between these different forms of consent, applying different standards of notice as appropriate.
The Ontario government has provided an excellent model for a definition of “implied consent” in its Draft Consultation Act. A version of this model is as follows:
“The consent of an individual to the collection, use or disclosure of personal information about the individual by an organization may be implied only if,
- in all the circumstances, the purpose of the collection, use or disclosure as the case may be, is or will become reasonably obvious to the individual;
- it is reasonable to expect that the individual would consent to the collection, use or disclosure; and
- the organization uses or discloses the information for no purpose other than the purpose for which it was collected.
Obvious purpose
As part of making the purpose of the collection, use or disclosure of personal information about an individual by an organization obvious to the individual, the organization may post or provide a notice describing the purpose where it is likely to come to the individual’s attention.”
Negative option consent also needs to be defined and made subject to criteria for validity. As recently determined by the federal Privacy Commissioner, negative option consent is valid only under the following conditions:
- the personal information in question is not sensitive;
- the individual in question would reasonably expect that their consent could be deemed in this circumstance unless they clearly express otherwise;
- the purposes and negative option are brought to the attention of the individual, not merely posted on a website or hidden in contractual fine print where the individual may not notice it;
- the notice is clearly worded, in plain language, so that the ordinary consumer can understand how their information may be used;
- the notice is sufficiently detailed, so that the individual can understand to whom their information may be disclosed;
- the negative option is appropriately dis-aggregated, so as to allow individuals to opt-out of non-essential uses without also opting-out of essential uses; and
- the negative option is convenient, easy-to-use, and inexpensive to execute.
The following is a possible approach to negative option consent in the Code:
“Except where express consent is required, an organization may attempt to obtain the consent of an individual to the collection, use or disclosure of personal information by providing a notice to the individual that meets the following requirements:
- The organization provides the notice to the individual in a manner in which it is likely to come to the individual’s attention.
- The notice is clear and understandable to a reasonable person.
- The notice is accurate and would not mislead a reasonable person.
- The notice clearly states the purpose or purposes of the collection, use or disclosure.
- The notice describes the personal information that is to be collected, used or disclosed.
- The notice clearly explains that the individual has the right to opt out, that the individual may opt out at any time and that, if the individual opts out, the opt-out is not limited in duration.
- The notice explains the consequences of the individual’s opting out.
- The notice provides a means by which the individual can opt out that involves minimal effort by the individual and no cost to the individual, which may include using,
  i. a toll-free telephone number,
  ii. electronic means, if the organization is communicating with the individual by electronic means,
  iii. a form with mailing information and pre-paid postage, or
  iv. any other reasonable approach.”
The Code could also provide clearer guidance to organizations on the question of when express consent, as opposed to negative option consent, is required. Such guidance could state as follows:
“An organization shall not use an opt-out notice to obtain a consent of an individual to the collection, use or disclosure of personal information if a reasonable person would not consider it appropriate in the circumstances, having regard to,
(a) the sensitivity of the information;
(b) whether the information is personal health information or financial information;
(c) the expectations of a reasonable individual;
(d) the context in which the collection, use or disclosure is to occur;
(e) the purpose or purposes for which the information is to be collected, used or disclosed;
(f) the clarity of whatever statements the organization gives to the individual about the purpose or purposes for which the information is to be collected, used or disclosed;
(g) the degree to which the purpose or purposes of the collection, use or disclosure are congruent with the statements mentioned in clause (f);
(h) whether the organization is seeking to disclose the information to a party unrelated to the organization;
(i) whether the organization is in a business or other relationship with the individual; and
(j) the length of time since the organization first obtained the individual’s consent to the collection, use or disclosure of the information.”
2.3; 3.2 Notice
The issue of notice to individuals is addressed in two principles: under “Identifying Purposes” in 2.3, and again under “Consent”, s.3.2. Given the extent to which organizations rely upon notice as opposed to actual consent, it is strange – indeed troublesome – that the Code does not highlight the issue of notice. Consideration should be given to creating a separate principle under the heading “Notice”, in order to clarify the issue and to remove repetition from the Code.
Section 2.3 addresses timing of the notice, stating:
“The identified purposes should be specified at or before the time of collection to the individual from whom the personal information is being collected.”
Section 3.2 states:
“Organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used.”
As noted above under “Consent”, the standard for notice will differ according to whether consent can be implied, is being obtained expressly, or is being deemed under a negative option. The importance of notice in the case of negative option consent, at least, is such that it warrants greater attention and stronger obligations than currently exist in the Code.
Specification of purposes to the individual at or before the time of collection, use or disclosure should be mandatory, and any allowable exceptions thereto should be specified. This is more appropriate than the current approach under which timely notice is not required, even in situations where it should be provided.
The Code should also provide clearer guidance to businesses as to what constitutes “a reasonable effort to ensure that the individual is advised”. Is posting on a website sufficient? Is notice via company brochures, available at the company premises, sufficient? Is including the notice as part of a lengthy contract sufficient?
3.0, 5.0 Retention
The Code covers retention of personal information both implicitly, through collection and use, and explicitly, in ss.5.0, 5.2 and 5.3. It has become clear, however, that parties differ as to whether retention for a particular purpose constitutes a “use” under the Code, requiring consent. The Code should clarify this through appropriately worded sub-principles under 3.0 and 5.0.
Provisions in need of Strengthening
3. Refusal to Deal
Section 3.3 states:
“An organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes.”
This section, as currently worded, provides little value to the Code. Meaningful data protection requires that organizations do not, as a condition of the supply of a product or service, require an individual to consent to the collection, use or disclosure of information beyond that required for the transaction or provision of services in question.
The section as currently worded permits organizations to refuse to deal with individuals even where the personal information is requested for a purpose that is neither necessary for the dealing, nor related to it. All that is required is that the purpose be “explicitly specified and legitimate”.
Again, the Ontario government’s consultation draft improved significantly upon the wording of the CSA Code, by addressing the issue of “Tied Selling” as follows:
“An organization shall not, as a condition of dealing with an individual, require the individual to consent to the collection, use or disclosure of personal information beyond that required to fulfill the purpose of the dealing.”
5. Explaining Purposes upon Request
The Code currently states, in s.2.5:
“Persons collecting information should be able to explain to individuals the purposes for which the information is being collected.”
The widespread failure of customer service representatives to be able to explain the purposes of their personal information collection to consumers upon request is an ongoing problem in the marketplace. Consumers are unable to exercise their rights under the Code because they cannot, without unreasonable effort, find out why the business is seeking the information. Instead, they are faced with a Hobson’s choice of handing over their personal information for unknown future purposes, or cancelling the transaction (after having spent time and effort selecting the good or service to be purchased). This reality effectively strips the Code of effectiveness for the ordinary consumer in the context of ordinary marketplace transactions.
In order for businesses to “get with it” and be able to explain to individuals, at the time that the information is requested, the purposes for which the information is being requested, the Code must make this requirement mandatory.
1. Openness – Disclosing the Source of the Information
This sub-principle merely “encourages” organizations to indicate the source of personal information upon request by the individual. It is unclear why organizations should not be required to do so, where they can determine the source of the information without unreasonable effort.
The scheme set up by this Code is one that relies upon consumer complaints in order to uncover problems. If consumers are unable to determine the source of their personal information obtained by an organization due to the organization’s refusal to indicate the source, they may be unable to formulate a legitimate complaint, and a disgraceful practice may never be uncovered. The Code should require such disclosure to individuals where possible.
New Provisions Needed
Limiting Collection – Other Information
The “Limiting Collection” principle implicitly requires that non-personal information be used wherever it suffices. However, in keeping with the structure of the Code, and given the importance of this point, it would be helpful to make this implicit requirement explicit in an additional sub-principle. Again, the Ontario Consultation Draft provides a useful model:
“An organization shall not collect, use or disclose personal information if other information will serve the purpose of the collection, use or disclosure.”
Limiting Collection – Direct Collection
The Code should include a requirement that personal information be collected directly from the individual to whom it pertains, subject to certain exceptions. Such exceptions could include:
- if the individual consents to having the organization collect the information from the person who has custody or control of it;
- if the individual consents to having the organization that has custody or control of the information disclose it;
- if the person with custody or control of the information is authorized at law to act on behalf of the individual and consents to the disclosure of the information to the organization; or
- if the organization is authorized by law to collect the information in a manner other than directly from the individual.
Collection of Personal Information From or About Children
Many have noted that the Code does not address the specific issue of children’s informational privacy. Consideration should be given to developing a principle addressing this issue.
Commissioner’s Findings – MBNA Canada Bank
Privacy Commissioner of Canada
Commissaire à la protection de la vie privée du Canada
112, rue Kent
Ottawa (Ontario)
K1A 1H3
Tel.: (613) 995-8210
Telec.: (613) 947-6850
1-800-282-1376
www.privcom.gc.ca
File: 6100-0083
Ms Philippa Lawson
Public Interest Advocacy Centre
1 Nicholas Street, Suite 1204
Ottawa, ON K1N 7B7
Dear Ms Lawson:
This letter constitutes my report of findings with regard to the complaint you filed against MBNA Canada Bank (MBNA) under the Personal Information Protection and Electronic Documents Act (the Act). In your complaint received in my Office on October 18, 2001, you made reference to Principle 4.3 (Consent) of Schedule 1 to the Act and alleged that MBNA was not obtaining informed consent from individuals for the collection, use, or disclosure of personal information for secondary marketing purposes.
Specifically, you made three allegations of failure on MBNA’s part with respect to its Mastercard service: (1) failure to adequately bring to the attention of its customers its practices of using and sharing customer data for secondary marketing purposes and the opportunity for customers to opt out of such practices; (2) failure to provide full and clear information as to potential secondary uses and sharing of customer data; and (3) failure to provide customers with an opting-out method that can be executed immediately, easily, and at minimal effort and cost.
I have determined, first of all, that the subject matter of your complaint does fall within my jurisdiction under the Act. As of January 1, 2001, the Act applies to any federal work, undertaking, or business. By operation of constitutional law, any bank, such as MBNA, is a federal work, undertaking, or business. On this basis, therefore, I was required under section 12 of the Act to accept and investigate your complaint.
I have also determined from the facts of the case that the information at issue is personal information for purposes of the Act. Section 2 of the Act defines personal information to be “…information about an identifiable individual…”. It is clear from the wording of your complaint that your concern is information about MBNA’s Mastercard customers as identifiable individuals.
Before I provide you with my other findings, let me first outline the facts obtained in the course of my Office’s investigation.
You have filed similar complaints against several organizations, one of which is MBNA. For all of these complaints, you have formulated a general position, in support of which you have submitted a market research survey conducted by EKOS Research Associates Inc. I summarize your position as follows:
- It is always appropriate to ensure the individual’s knowledge and consent in respect of secondary marketing purposes.
- There is a clear difference, however, between marketers and the marketed on the issue of what form of consent is appropriate – that is, express consent versus implied consent.
- Companies often appear to take the view that a customer’s consent to secondary marketing can be taken as implied provided that the policy in question is stated in some document that is accessible to the customer. However, companies have an obligation not merely to state purposes in a policy document, but also to bring to the attention of the individual customer the practices in question and the negative option attached.
- Companies commonly fall short of meeting this obligation in several ways:
  - reliance on a document not provided to the individual customer, but rather left up to the customer to find on his or her own initiative;
  - reliance on fine print buried in a long document;
  - failure to use clear, plain language understandable to the ordinary consumer;
  - failure to provide customers with adequately detailed information about the extent and purpose of contemplated uses and sharing of their personal information; and
  - failure to provide an easily executable opting-out procedure.
- The EKOS marketing survey shows a preference for opt-in versus opt-out consent among a clear majority of respondents. Opt-out consent is considered acceptable only under conditions where the opting-out provision is brought to the customer’s attention, is clearly worded and sufficiently detailed, and is easy to execute.
In your complaint against MBNA, you have expressed the view that the bank’s Cardholder/Credit Card Agreement and its Privacy Policy Statement are particularly inadequate for purposes of the Act.
MBNA disagrees with your allegations. The bank denies, first of all, that it uses and discloses information for secondary marketing purposes or has any plans to do so. By MBNA’s own interpretation, which I presume is common among marketers, using or disclosing a customer’s personal information for “secondary marketing” would mean the outright sale (or exchange of other consideration between the parties) of the information without the customer’s knowledge and consent to a third party that was not part of MBNA’s corporate family.
MBNA maintains that, on the contrary, the products and services offered to its customers are offered either by MBNA itself or by subcontractors acting on its behalf, under its strict supervision, and with due regard for confidentiality. MBNA also insists that for any product or service, such as credit insurance, that is ultimately fulfilled through a third party, the customer’s personal information is not actually disclosed to that party until the customer has indicated that he or she wishes to purchase the product or service in question – that is, has consented to become a customer of the third party.
My Office’s investigation has confirmed that MBNA does not disclose a customer’s personal information to any such third-party supplier until the customer has made the decision to purchase the product or service in question. However, our investigation has also revealed that when MBNA, through a subcontracted telemarketer, offers its customers a product or service (e.g., credit insurance) that is ultimately to be supplied by a third party, the customer is told only that the product is being offered on behalf of MBNA. No specific third-party supplier is mentioned, nor is the customer asked at that time for specific consent to having personal information disclosed to a third party in the event of accepting the offer in question. The customer does not learn who will be the actual supplier of the product or service until he or she eventually receives an information package from that party in the mail.
MBNA readily acknowledges that it does variously collect, use, or disclose Mastercard customers’ personal information in the course of its business dealings with four groups: (1) credit reporting agencies; (2) its three current affiliates; (3) some 380 “Affinity” partners (i.e., organizations that arrange with MBNA to issue Mastercards in their names); and (4) a number of non-affiliated subcontracting companies. However, MBNA maintains that it fulfils its obligations under the Act in this regard by virtue of the statements it makes about its information-sharing practices both on its credit card application form and in its Cardholder/Credit Card Agreement.
Under the heading “Uses of Information”, MBNA’s Cardholder/Credit Card Agreement states as follows:
From time to time, we may obtain updated credit or personal information about you. We may use and share information about you with credit reporting agencies and others, including merchants and companies whether affiliated with us or not. You hereby consent to any disclosure by us from time to time of any and all information we may have about you and your affairs to any other party that, in our sole opinion, may have legitimate need or use for that information, and to our using and sharing personal and other information about you to our affiliates and others for commercial prospection or marketing purposes.
Pursuant to applicable federal law, upon written request, you are entitled to be informed of the existence, use, and disclosure of your personal information. In addition, you may withdraw your consent to our use of your personal information. If your consent is withdrawn at any time to our using, collecting, or disclosing information, you do so on the understanding that we may no longer be able to extend credit to you. We will continue to report the status of your account to credit reporting agencies until your account has been finally settled. To request a copy of our Privacy Statement, please write …..
On inquiry by my Office, MBNA has admitted that the “merchants and companies” mentioned in the first paragraph above, though meant primarily to cover such entities as processing agents and Affinity partners, might conceivably mean anyone. MBNA explained that the companies in question are always changing and that the wording therefore needs to be broad in order to accommodate this constant change and avoid the necessity of continually amending a list of specified companies.
MBNA’s credit card application form, on the front side above the signature line, states as follows:
My signature means that I agree to the Conditions on the reverse side of this form, and consent to, and accept this written notice of, your obtaining a credit report or other information about me from any person. I also agree to the ongoing collection, use and disclosure of information relating to me as set out in the conditions and in the credit card agreement relating to my Account.
On the reverse side of the credit card application, in tiny lettering, the above-mentioned conditions appear, in part, as follows:
I consent to, and accept this as written notice of your obtaining, disclosing or exchanging any credit, personal or other information about me (including information contained in my personal information file) at any time, from, to or with any credit bureau, personal information agent, credit grantor or insurer, my employer or other person in connection with any relationships between us or those which you or I may wish to establish. You, your affiliates and service providers may use any of the information relating to me or my Account to maintain and administer my Account, to offer services and enhancements, and for any purpose not prohibited by law. I also consent to the use and disclosure at any time of all such personal and other information: (i) for purposes of offering me any other product of yours or anyone else (including your affiliates), that you believe may be of interest to me; (ii) to determine which Account benefits, services or enhancements, and/or which other product or service offers may be of interest to me; and (iii) for such other purposes as are not prohibited by law ….
My consent to use of my personal information and other information as provided in (i) through (iii) is optional. If I wish to discontinue such use or to not receive any further marketing materials or future credit card offers from MBNA, or if I wish to receive a copy of MBNA’s Canada’s Privacy Statement, I may write to you at the following address…
The credit card application also makes reference to the Cardholder/Credit Card Agreement and continues as follows: “… I have requested and received the card, Account, and Agreement, and … I understand and agree with you to everything written there and here”.
MBNA also makes a credit card application form available on its website. This online form provides links to terms, pricing and conditions, to the same legal disclosures as appear on the reverse side of the hard copy application form, and to the bank’s Privacy Policy Statement. However, the online form does not provide a link to the Cardholder/Credit Card Agreement and makes no specific reference itself to disclosure of information. Its only consent statement reads as follows:
I have read the terms and pricing disclosures for this account and by electronically transmitting this application, I indicate my agreement with each of the terms and conditions. I understand that I will be bound by each of the terms of the Credit Card Agreement without limitation.
MBNA also provides its telemarketers with a brief script for obtaining prospective customers’ consent to submitting a credit application over the telephone. This script reads in part as follows:
… The terms and conditions will be provided to you, if approved. You agree that by submitting this credit request you have consented to MBNA Canada obtaining, disclosing or exchanging any credit, personal or other information about you at anytime, to, from or with any credit bureau or other person.
As mentioned above, MBNA also publishes a Privacy Policy Statement, which provides a fuller account of the bank’s rationale and practices in respect of the collection, use, and disclosure of customers’ personal information. However, this is a document that is not issued to customers as a matter of course. Rather, individuals who wish to read it must take the initiative either to request a copy in writing or gain access to it via the MBNA website.
In contending that it fulfils its obligations under Principle 4.3 (Consent) of Schedule 1 to the Act, MBNA makes three main points.
First, it argues that the statements it makes on taking a prospective customer’s credit card application are sufficient in themselves for the individual to make an informed decision about consent. MBNA believes that the signing of the application form, or the verbal agreement over the telephone after the script is read, constitutes the customer’s explicit consent to the bank’s intentions regarding personal information. The bank correctly points out that Principle 4.3.7(a) specifically recognizes application forms as an acceptable means of obtaining consent.
Second, MBNA argues that it subsequently provides the individual with yet another opportunity to consider the matter of consent in reviewing the Cardholder/Credit Card Agreement. The bank regards this document as affording sufficient information for the customer to reassess the earlier decision to give consent. As the bank sees it, by agreeing to be bound by its terms and conditions, and by signing and using the credit card enclosed, the customer is also reaffirming consent to the bank’s intentions regarding personal information.
Third, MBNA points out that the two documents in question state that, even after giving it, the customer may withdraw consent to the collection, use, and disclosure of his or her personal information.
In sum, the bank submits that, by providing each customer with two separate disclosures requiring consent and a further indication that consent may be withdrawn once given, it has complied with the requirements of the Act.
On the basis of these facts, I am required to determine whether MBNA has indeed complied with the requirements of the Act, specifically Principles 4.3, 4.3.2, and 4.3.3 of Schedule 1 and section 5(3) of the Act. In this case, where the central issue is that of consent, I am also obliged to take due account of Principle 4.3.5 in my deliberations.
Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.3.2 stresses that knowledge is required as well as consent and states that organizations must make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used; it further stipulates that, for consent to be meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed. Principle 4.3.3 states that an organization must not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified and legitimate purposes. Principle 4.3.5 states that, in obtaining consent, the reasonable expectations of the individual are relevant.
Finally, section 5(3) states that an organization may collect, use, or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances.
Permit me firstly to try to clarify a point of semantics. MBNA has apparently – and, I suggest, incorrectly – taken your reference to “secondary marketing purposes” as meaning purposes of secondary marketing, the term “secondary marketing” ostensibly having a distinct technical meaning among organizations that engage in marketing. What you actually meant, however, was secondary purposes of marketing. MBNA may well take umbrage at an accusation of secondary marketing, according to a definition common in the industry, but there is no such accusation in this case. What you have alleged in effect is that MBNA uses and discloses customers’ personal information for secondary purposes without valid informed consent. The marketing itself may not be secondary in a marketer’s technical sense, but to the individual customer there can be no doubt that MBNA’s marketing purposes are secondary to those for which he or she initially provided personal information to MBNA – that is, purposes of determining credit-worthiness, issuing a credit card, and administering an account.
In any case, regardless of the relative standing of the purposes at issue, the central question here is whether MBNA obtains valid consent in respect of those purposes. On this question, moreover, I am of the view that your expectations regarding consent, as you have expressed them in your submission, are reasonable and in keeping with the Act. Notably, Principle 4.3.2 clearly supports the expectation that consent be based on purposes stated in clear, plain language understandable to the ordinary consumer and in adequate detail for the consumer to appreciate the nature and extent of the collections, uses, and disclosures contemplated. Furthermore, where consent regarding personal information is being sought, I consider it entirely reasonable for the individual to expect not to have to read fine print or search for information in a document that is not immediately at hand. Finally, where consent to optional secondary purposes is presented as a condition for supply of the primary product or service, I consider it only reasonable for the individual to expect to be provided with a convenient opting-out procedure that can be executed easily, immediately, and inexpensively.
The question is, does MBNA meet these reasonable expectations? In answer to this question, I believe that the above-quoted passages from the bank’s communications materials speak for themselves.
On review of those materials, I have determined firstly that MBNA’s credit card application (both the hard copy and the online versions) and Cardholder/Credit Card Agreement do not represent a reasonable effort on MBNA’s part to ensure that the individual customer is advised of the purposes for which personal information will be used or disclosed. Neither document is written in a manner conducive to the individual’s understanding of how his or her personal information will actually be used or disclosed. Indeed, the wording is so broad in each case as to virtually preclude understanding, unless the individual is to understand that MBNA intends to use personal information however it may see fit and disclose it to whomever it may see fit. This, I should add, would hardly be a purpose that any reasonable person would expect or consider appropriate in any circumstances.
Furthermore, the credit card application itself is written not only in legalese, but also in very tiny lettering – two conditions that operate not only against one’s understanding, but even against one’s reading, of a document. As for MBNA’s Privacy Policy Statement, this document is itself too broadly written (albeit significantly more clear and informative than the others) and in any case would not be a sufficient basis for inferring consent in that it is not supplied to individuals and is thus not immediately available as a reference in making the decision regarding consent. Lastly, the script used by telemarketers in taking credit applications over the telephone is the broadest, least informative, and least adequate of all.
I have also determined that MBNA does not adequately inform customers that some products and services offered on its behalf will ultimately be provided by third parties to which the bank will disclose customers’ personal information.
In sum, having determined the inadequacy of the materials and means used in obtaining consent from customers, I find that MBNA is in contravention of Principle 4.3.2 of Schedule 1 to the Act. It follows that these materials and means do not suffice as a basis for consent. It also follows that, in using the application form and the agreement in question, MBNA is in effect requiring individuals to consent, as a condition of the supply of a product or service, to the collection, use, and disclosure of information beyond that required to fulfil explicitly specified purposes. Nor would a reasonable person consider the collection, use, or disclosure of personal information for the secondary purposes as contemplated in these materials to be appropriate in any circumstances without the knowledge and consent of the individual. I find therefore that MBNA is also in contravention of Principles 4.3 and 4.3.3 of Schedule 1 and section 5(3) of the Act.
I also find that MBNA is omitting to provide a convenient, immediate, and easy means of withdrawing consent to optional practices and, therefore, MBNA does not meet the reasonable expectations of the individual as deemed relevant in Principle 4.3.5.
Accordingly, I conclude that your complaint against MBNA is well-founded.
I am recommending that MBNA redraft its communications materials for credit applicants and new customers with a view to facilitating knowledge of purposes as required under Principles 4.3 and 4.3.2 of Schedule 1. In doing so, MBNA should address the customer’s reasonable expectation to be provided with satisfactory answers to the following questions:
- What personal information of mine is to be disclosed? The customer should be informed what specific items or types of information, from among those collected, the organization intends to disclose. No reasonable person would consider it appropriate for an organization to leave open-ended or vague the nature of any personal information to be given to others. Also, no reasonable person would consider “opt-out” consent appropriate if the information in question is of a potentially sensitive nature, such as financial information. When relying upon opt-out consent, therefore, the organization should make it clear that the information to be disclosed is of a non-sensitive nature compatible with that form of consent.
- To whom will my personal information be disclosed? The organization should indicate as specifically as possible the parties to which personal information is to be given. Where a comprehensive listing would be impractical, the organization should define intended recipients at least by type or category and where applicable should clarify its business relationship with the recipients (e.g., affiliates, subsidiaries, partners). The organization should not make allowance for unspecified future “others”, but rather should limit recipients to concrete entities or categories currently envisioned. No reasonable person would consider opt-out consent appropriate in circumstances where personal information might eventually be disclosed to parties as yet undetermined or to be added at the organization’s future discretion.
- How exactly will my personal information be used? Secondary purposes should be limited and clearly indicated. If direct marketing is the purpose of disclosing personal information to other parties, the organization should say so. No reasonable person would consider it appropriate for an organization to leave purposes vague or open-ended or to convey the impression that it will use personal information in any way it may see fit in future.
I am also recommending that MBNA, at the time of offering any customer a product or service that will ultimately be supplied by a third party, identify the third-party supplier in question. In the event that the customer agrees to receive the product or service, MBNA should then obtain the customer’s express consent to the disclosure of specified personal information to the third-party supplier.
Finally, I am recommending that MBNA take steps to meet the reasonable expectation of Mastercard customers for an immediate, easy, and inexpensive means of withdrawing consent to the optional collection, use, and disclosure of their personal information. Specifically, I recommend that MBNA provide either a check-off box on the credit card application form and Cardholder/Credit Card Agreement or a 1-800 number for the convenience of customers who wish to withdraw consent.
Now that you have my report, I must inform you that, pursuant to section 14 of the Act, you have the legal right to apply to the Federal Court, Trial Division, for a hearing in respect of any matter that you complained about or that I have dealt with in my report, and that is referred to in clause 4.1.3, 4.2, 4.3.3, 4.4, 4.6, 4.7 or 4.8 of Schedule 1, in clause 4.3, 4.5 or 4.9 of the Schedule as modified or clarified by the Act, in subsection 5(3), or 8(6) or (7) or in section 10.
Should you wish to proceed to the Court, we suggest you contact the Trial Division of the Court office nearest you. It is located at the Supreme Court Building, Kent & Wellington, Ottawa, ON K1A 0H9, telephone (613) 992-4238. Normally, an application must be made within 45 days of the date of this letter.
You should also be aware that the Court has discretion to order that the costs of the other party be paid by you where the Court is of the view that this is appropriate. While this does not happen often, it is a possibility of which you should be aware. Conversely, the Court may order that your costs be paid where the Court finds that your application raises an important new principle.
This concludes the investigation of your complaint. If you have any questions or comments about the disposition of the complaint, I would invite you to contact Mr. Gerald Neary, Director General of Investigations, at 1-800-282-1376.
Yours sincerely,
Commissioner’s Findings – Loyalty Management Group Canada Inc
Privacy Commissioner of Canada
Commissaire à la protection de la vie privée du Canada
112, rue Kent Ottawa (Ontario) K1A 1H3
Tel.: (613) 995-8210 Fax: (613) 947-6850 1-800-282-1376
www.privcom.gc.ca
Oct. 16 2002
File: 6100-0084
Ms Philippa Lawson
Public Interest Advocacy Centre
1 Nicholas Street, Suite 1204
Ottawa, ON K1N 7B7
Dear Ms Lawson:
This letter constitutes my report of findings with regard to the complaint you filed against the Loyalty Management Group Canada Inc. (Loyalty) under the Personal Information Protection and Electronic Documents Act (the Act). In your complaint received in my Office on October 18, 2001, you made reference to Principle 4.3 (Consent) of Schedule 1 to the Act and alleged that Loyalty, in conducting its AIR MILES Reward Program (AMRP), was not obtaining informed consent from individuals for the collection, use, or disclosure of personal information for secondary marketing purposes.
Specifically, you made three allegations of failure on Loyalty’s part: (1) failure to adequately bring to the attention of its AMRP members its practices of using and sharing members’ data with affiliates for secondary marketing purposes and the opportunity for members to opt out of such practices; (2) failure to provide full and clear information as to potential secondary uses and sharing of members’ data; and (3) failure to provide members with an opting-out method that can be executed immediately, easily, and at minimal effort and cost.
I have determined, first of all, that the subject matter of your complaint does fall within my jurisdiction under the Act. As of January 1, 2001, the Act applies not only to any federal work, undertaking, or business, but also to any company that discloses personal information across borders for consideration. Upon making the determination that Loyalty is a company of the latter type, I was required under section 12 of the Act to accept and investigate your complaint.
I have also determined from the facts of the case that the information at issue is personal information for purposes of the Act. Section 2 of the Act defines personal information to be “…information about an identifiable individual…”. It is clear from the wording of your complaint that your concern is information about Loyalty’s AMRP members as identifiable individuals.
Before I provide you with my other findings, let me first outline the facts obtained in the course of my Office’s investigation.
You have filed similar complaints against several organizations, one of which is Loyalty. For all of these complaints, you have formulated a general position, in support of which you have submitted a market research survey conducted by EKOS Research Associates Inc. I summarize your position as follows:
- It is always appropriate to ensure the individual’s knowledge and consent in respect of secondary marketing purposes.
- There is a clear difference, however, between marketers and the marketed on the issue of what form of consent is appropriate – that is, express consent versus implied consent.
- Companies often appear to take the view that a customer’s consent to secondary marketing can be taken as implied provided that the policy in question is stated in some document that is accessible to the customer. However, companies have an obligation not merely to state purposes in a policy document, but also to bring to the attention of the individual customer the practices in question and the negative option attached.
- Companies commonly fall short of meeting this obligation in several ways:
  - reliance on a document not provided to the individual customer, but rather left up to the customer to find on his or her own initiative;
  - reliance on fine print buried in a long document;
  - failure to use clear, plain language understandable to the ordinary consumer;
  - failure to provide customers with adequately detailed information about the extent and purpose of contemplated uses and sharing of their personal information; and
  - failure to provide an easily executable opting-out procedure.
- The EKOS marketing survey shows a preference for opt-in versus opt-out consent among a clear majority of respondents. Opt-out consent is considered acceptable only under conditions where the opting-out provision is brought to the customer’s attention, is clearly worded and sufficiently detailed, and is easy to execute.
Loyalty, a wholly owned subsidiary of Alliance Data Systems Corporation of Dallas, Texas, itself comprises a number of divisions or affiliates, which are not separate corporate legal entities and which the company calls its “business units”. The AMRP is one of these business units. It is a frequent-buyer program that rewards members (“Collectors”) for loyal shopping by giving them “air miles” for their purchases from more than 100 participating companies (“Sponsors”) at more than 12,000 retail locations across Canada. Through the AMRP, Loyalty aims at creating value for these Sponsors by enhancing loyalty among their existing customer relationships or by developing new customer relationships.
When a Collector shops at a Sponsor location and presents an AIR MILES card, the Sponsor records the following information:
- card number;
- basic transaction data, comprising date of transaction, name and address of store, dollar value of purchase, the number of reward miles earned;
- on occasion, the product category (e.g., gasoline) or the type of Collector by the type of card carried (95 percent of Collectors hold a blue card; 5 percent hold a gold card, signifying “best customers” who receive bonus opportunities and privileges).
The Sponsor transmits this basic contact information to Loyalty so that it can credit earned reward miles to the Collector’s account. Loyalty sends the Collector a summary of the account every quarter and invoices the Sponsor for the number of air miles credited to the Collector’s account.
Loyalty readily acknowledges that, in addition to these administrative exchanges of basic information, it uses (among its business units) and discloses (to Sponsors) information about its AMRP Collectors for marketing purposes. As far as disclosure of information to Sponsors is concerned, Loyalty maintains, and my Office’s investigation has confirmed, that the only personal information ever disclosed about any individual Collector consists solely of the following items: name, residential address, e-mail address (if applicable), card number, telephone number (if requested by the Sponsor), and collector type (i.e., according to whether the collector carries a regular blue card or a gold card signifying “best customer” status).
Loyalty provides this basic personal information in response to requests from Sponsors who wish to make offers to Collectors of a certain profile, according to broad search parameters. For example, a Sponsor may ask Loyalty to identify very active Collectors in Western Canada who have earned air miles from five or more different Sponsors over a specific period of time. Most of the time, Loyalty sends the information not directly to the requesting Sponsor, but rather in confidence to a production or mailing house that is under contract to either Loyalty or the Sponsor in question. By the terms of the contract, after preparing personalized direct-mailing packages and compiling a mailing list, the contractor then destroys the data files.
Loyalty’s disclosure of personal information to Sponsors is done under strict usage guidelines and agreements that have been in effect since the AMRP began in 1992. Sponsors are legally bound to treat as confidential the information disclosed to them. The agreements state that the list of Collectors is supplied for a one-time, direct mailing for a specified purpose, cannot be used for any follow-up telephone calls, further mailings, or other communications, and must be returned to the AMRP or destroyed by the Sponsor as agreed. Sponsors are not permitted to copy the information or otherwise retain records of it.
Loyalty does disclose other information about Collectors to Sponsors, but our investigation has confirmed that this is aggregate information that does not identify individuals. We have also confirmed that Loyalty’s AMRP database is not publicly accessible or directly accessible to Sponsors, that Loyalty neither collects from nor discloses to Sponsors information identifying specific items purchased, and that personal information pertaining to Collectors’ transactions with one Sponsor is never disclosed to any other Sponsor.
When an individual chooses to enrol in the AMRP, he or she gives consent to terms and conditions by signing an enrolment form, by word if speaking with a service centre representative or, if enrolment is online, by checking the appropriate box before submitting the form electronically.
Under the heading “Enrollment Terms and Conditions”, the forms display the following text:
I agree to be bound by the Terms and Conditions of the AIR MILES Reward Program, and consent to the use of my personal information in accordance with the Privacy Pledge below.
This privacy pledge, which appears in relatively small print under the title, “Committed to Protecting your Privacy”, is a summary of Loyalty’s Privacy Commitment. Loyalty also publishes the pledge as a separate document, available as a handout or on the company website. I present the pledge in its entirety as follows:
The Loyalty Group, as creator and manager of the AIR MILES Reward Program in Canada, is committed to protecting the privacy of Personal Information obtained from Collectors and Sponsors. The Loyalty Group collects Personal Information for the following purposes:
- to administer the AIR MILES Reward Program, the AIR MILES For Business Program and AIR MILES INCENTIVES, including the management of Collector accounts, to accurately record and update reward mile balances;
- to process Collector redemptions, including the issuance of reward tickets and vouchers;
- to invoice Collector and Sponsor accounts, as appropriate;
- to communicate information and offers to Collectors, Sponsors, and Suppliers;
- to understand and analyze Collectors’ responses, needs and preferences;
- to develop, enhance, market and/or provide products and services to meet those needs; and
- to enable Collectors to participate in promotions and contests.
The Loyalty Group will use this information from time to time to promote additional products, services, Rewards, and special offers from the AIR MILES Reward Program and/or its Sponsors. Collector information is processed and stored in secure and confidential databases in Toronto, Ontario and Dallas, Texas. The Loyalty Group does not give, rent or sell Collector lists from the AIR MILES Reward Program to any organization or individual other than business units of the Loyalty Group, Sponsors and companies contracted to process and manage Collector transactions, redemption requests and communications. The Loyalty Group protects the privacy of Collectors when promoting products and services. If you do not wish to receive marketing or promotional communications other than AIR MILES Summaries, simply inform us in writing to: AIR MILES Customer Service, P.O. Box 602, Station A, Scarborough, Ontario M1K 5K7, or by e-mail to privacyoffice@airmiles.ca. Your ability to collect or redeem AIR MILES reward miles will not be affected. For complete details see our Privacy Commitment at www.airmiles.ca.
It should be noted here that the pledge does not name or otherwise define “business units of the Loyalty Group”. Nor, curiously, does it mention two points that I suspect many prospective members would be relieved to learn: (1) that Loyalty limits its disclosure of information to the items that I have listed above and does not identify specific purchases; and (2) that Loyalty does not disclose Collectors’ transaction information between Sponsors.
Although the pledge clearly indicates that the Collector may withdraw consent to receiving marketing or promotional communications, it only provides for doing so in writing or by e-mail. It does not provide for an immediate, easy, and inexpensive means of opting-out, such as a 1-800 number, for Collectors without internet access. Loyalty has offered the explanation that, for any change Collectors may wish to make to their accounts, the company prefers to have indisputable proof in writing. Loyalty also points out that, in cases where any Collector refuses to provide a written request, the company will accept the request verbally via a toll-free call to its service centre, although this option is not promoted or advertised.
The wording of the privacy pledge on hard-copy forms is identical to that on online forms. However, the script that Loyalty provides to its sales representatives who take applications verbally, usually over the telephone, is different. Although this script does instruct the representatives to state purposes for information collection more or less as they are stated on the application forms, it contains none of the other privacy-related information that appears on the forms. For example, it does not make clear that Loyalty gives Collector information only to its own business units, Sponsors, and contractors. Most significantly, it makes no reference to any possibility of withdrawing consent to any of the stated purposes. The wording suggests that the applicant has no option in that regard:
Without this [personal] information and permission to use it for the purposes stated, I will be unable to process the enrollment. Thank-you for calling AIR MILES.
As previously mentioned, Loyalty also has a Privacy Commitment, available both in brochure form and on the website. This 13-page document, which reflects the 10 principles of fair information practices, is the longest and most detailed expression of Loyalty’s privacy policy and practices. For example, unlike the privacy pledge, it does name Loyalty’s business units.
Loyalty has pointed out, moreover, that it makes a concerted effort to communicate its Privacy Commitment, in whole or part, in one form or another, through numerous mailouts to Collectors, as well as through documents on its website. The company affirms that, since the Act came into force, it has distributed to Collectors some 37.5 million pieces of information drawing attention to aspects of its privacy policy and practices, notably the purposes for which it collects personal information and the opportunity for Collectors to opt out of information sharing. On this basis, Loyalty maintains that it does obtain valid informed consent to marketing purposes from its AMRP members.
On the basis of these facts, I am required to determine whether Loyalty is in compliance with Principles 4.3 and 4.3.2 of Schedule 1 to the Act. In this case, where the central issue is consent, I am also obliged to take due account of Principle 4.3.5 in my deliberations.
Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.3.2 stresses that knowledge is required as well as consent and states that organizations must make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used; it further stipulates that, for consent to be meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed. Principle 4.3.5 states that, in obtaining consent, the reasonable expectations of the individual are relevant.
Though not specifically at issue in your complaint against Loyalty, two other provisions of the Act have guided me in my deliberations regarding the general position that you have expressed. These are Principle 4.2.3, which states in part that the identified purposes should be specified at or before the time of collection to the individual from whom the personal information is collected, and Principle 4.3.1, which states in part that an organization will typically seek consent for the use or disclosure of the information at the time of collection.
I will begin by stating that I consider your expectations regarding consent, as you have expressed them in your submission, to be entirely reasonable and in keeping with the Act. First and foremost, I note that Principles 4.2.3 and 4.3.1 clearly support your expectation that an organization should not merely make policy documents generally available, but should actually bring to the attention of the individual at the time of collection its purposes in respect of collecting, using, and disclosing personal information. Since personal information is most often collected during an application or subscription process, it follows that organizations should take reasonable steps to inform individuals directly of purposes, either in writing or by word of mouth, at the time the individual applies or subscribes for a product, service, or program. Furthermore, Principle 4.3.2 clearly supports the expectation that consent be based on purposes stated in clear, plain language understandable to the ordinary consumer and in adequate detail for the consumer to appreciate the nature and extent of the collections, uses, and disclosures contemplated.
I am also in agreement that, where consent regarding personal information is to be sought, it is entirely reasonable for the individual to expect not to have to read fine print or search for information in a document that is not immediately at hand. Finally, where consent to optional secondary purposes is presented as a condition for supply of the primary product or service, I consider it only reasonable for the individual to expect to be provided with a convenient and well-advertised opting-out procedure that can be executed easily, immediately, and inexpensively.
The question now is, does Loyalty meet these reasonable expectations?
As I have suggested above, in considering this question my focus of concern has to be the information that Loyalty actually provides to individual subscribers at the time they subscribe to the AMRP. I am favourably impressed with Loyalty’s privacy-related communications effort in general and have only minor quibbles with its “Privacy Commitment” document in particular. The fact remains that the only means whereby Loyalty endeavours to inform individuals of purposes during the actual subscription process are the privacy pledge that appears in both the hard-copy and the online application forms and the script that Loyalty representatives use in taking applications by telephone. It is to the pledge and only to the pledge that Loyalty makes explicit reference in obtaining consent to terms and conditions via its application forms.
Let me say, first of all, that, as far as the purpose statements themselves are concerned, Loyalty has in my view done a very reasonable job. These statements, which are included in the telephone script as well as in the pledge that appears on application forms, strike me as being quite clear and understandable. I note in particular that one of the stated purposes reads as follows: “To communicate information and offers to Collectors, Sponsors, and Suppliers.” It is my view that an ordinary consumer, provided that he or she takes the trouble to read this statement before signing on the dotted line, will have little trouble understanding it and thus will hardly be surprised in due course to receive communications in the line of direct marketing.
I am also pleased to note that Loyalty does go on to advertise with reasonable clarity, on its written application forms, the opportunity for individuals to opt-out of receiving marketing communications. Provided only that the advertised means of opting-out be extended to include a toll-free number or a check-off box on application forms, I am inclined to give high marks to Loyalty for meeting the reasonable expectations of individuals in this regard.
As for the written privacy pledge itself, in my presentation of the facts I have already suggested certain areas in which it could be improved towards better meeting the expectations of the individual – in general by clarifying the limited nature of the personal information collected, used, and disclosed and by better defining the limits of intended disclosures. As a consumer myself, I would also expect to see larger print in such a text to be used in making an important decision about one’s personal information. Still, despite these shortcomings, the pledge, too, warrants a passing grade.
I have found that Loyalty has on the whole made a reasonable effort at informing customers of the secondary purposes of marketing in accordance with Principle 4.3.2. However, I do have one concern in this regard. Despite the merits of the pledge and Loyalty’s communications efforts in general, individuals who apply for membership in the AMRP by telephone do not receive the same information as those who apply in writing or electronically. The script used by Loyalty’s representatives is not as clear or informative as Loyalty’s application forms. The script does not indicate that marketing purposes are optional and that consent to such purposes may be withdrawn. The script leaves one with the impression that the individual must either put up with marketing or not be a part of the program.
In sum, with the exception of telephone applications, I am satisfied that the communications materials as well as the process of obtaining consent, constitute a reasonable effort to ensure that the individual is advised of the secondary purposes for which personal information will be disclosed. This serves as a valid basis for knowledge and consent. However, I have determined that the problematic telephone script and the lack of a toll-free number to withdraw consent, do not satisfy the requirements of Principles 4.3, 4.3.2 and 4.3.5 of Schedule 1 to the Act.
Accordingly, I conclude that your complaint against Loyalty is well-founded.
I am recommending that Loyalty include on AMRP application forms a check-off box for those who wish to withdraw consent to marketing or Loyalty should provide a toll-free number for the same purpose.
I am recommending that Loyalty revise its communications materials, notably the texts used in obtaining consent during the AMRP application process and including the telephone script, where necessary to ensure clarity and consistency in the following respects:
- specifying the items or types of personal information it collects, uses and discloses for marketing purposes;
- defining its disclosure activities (e.g., that personal information is not disclosed between Sponsors and that specific purchases are not disclosed); and
- advertising the opportunity for program members to withdraw consent to marketing purposes and the method of doing so.
Now that you have my report, I must inform you that, pursuant to section 14 of the Act, you have the legal right to apply to the Federal Court, Trial Division, for a hearing in respect of any matter that you complained about or that I have dealt with in my report, and that is referred to in clause 4.1.3, 4.2, 4.3.3, 4.4, 4.6, 4.7 or 4.8 of Schedule 1, in clause 4.3, 4.5 or 4.9 of the Schedule as modified or clarified by the Act, in subsection 5(3), or 8(6) or (7) or in section 10.
Should you wish to proceed to the Court, we suggest you contact the Trial Division of the Court office nearest you. It is located at the Supreme Court Building, Kent & Wellington, Ottawa, ON K1A OH9, telephone (613) 992-4238. Normally, an application must be made within 45 days of the date of this letter.
You should also be aware that the Court has discretion to order that the costs of the other party be paid by you where the Court is of the view that this is appropriate. While this does not happen often, it is a possibility of which you should be aware. Conversely, the Court may order that your costs be paid where the Court finds that your application raises an important new principle.
This concludes the investigation of your complaint. If you have any questions or comments about the disposition of the complaint, I would invite you to contact Mr. Gerald Neary, Director General of Investigations, at 1-800-282-1376.
George Radwanski Privacy Commissioner of Canada
Commissioner’s Findings – Hudson’s Bay Company
Privacy Commissioner of Canada
112 Kent Street
Ottawa, Ontario
K1A 1H3
Tel.: (613) 995-8210
Fax: (613) 947-6850
1-800-282-1376
www.privcom.gc.ca
File: 6100-0082
Ms Philippa Lawson
Public Interest Advocacy Centre
1 Nicholas Street, Suite 1204
Ottawa, ON K1N 7B7
Dear Ms Lawson:
This letter constitutes my report of findings with regard to the complaint you filed against the Hudson’s Bay Company (HBC) under the Personal Information Protection and Electronic Documents Act (the Act). In your complaint received in my Office on October 18, 2001, you made reference to Principle 4.3 (Consent) of Schedule 1 to the Act and alleged that HBC was not obtaining informed consent from individuals for the collection, use, or disclosure of personal information for secondary marketing purposes.
Specifically, you made three allegations of failure on HBC’s part with respect to its credit card and rewards program: (1) failure to adequately bring to the attention of its customers its practices of using and sharing customer data for secondary marketing purposes and the opportunity for customers to opt out of such practices; (2) failure to provide adequate information as to potential secondary uses and sharing of customer data; and (3) failure to provide customers with an opting-out method that can be executed immediately, easily, and at minimal effort and cost.
I have determined, first of all, that the subject matter of your complaint does fall within my current jurisdiction under the Act, but only as far as HBC’s operations in northern Canada are concerned.
As of January 1, 2001, the Act applies to any federal work, undertaking, or business or to any organization that discloses personal information across borders for consideration. I have determined that HBC does not disclose personal information across borders for consideration. However, by operation of constitutional law, any business venture in the Yukon, Nunavut, or the Northwest Territories is a federal work, undertaking, or business. HBC has five divisions, one of which, its Fields Stores Division, operates one store in the Yukon and two in the Northwest Territories. On this limited basis, therefore, I was required under section 12 of the Act to accept and investigate your complaint.
I have also determined from the facts of the case that the information at issue is personal information for purposes of the Act. Section 2 of the Act defines personal information to be “…information about an identifiable individual…”. It is clear from the wording of your complaint that your concern is information about HBC’s customers as identifiable individuals.
Before I provide you with my other findings, let me first outline the facts obtained in the course of my Office’s investigation.
You have filed similar complaints against several organizations, one of which is HBC. For all of these complaints, you have formulated a general position, in support of which you have submitted a market research survey conducted by EKOS Research Associates Inc. I summarize your position as follows:
- It is always appropriate to ensure the individual’s knowledge and consent in respect of secondary marketing purposes.
- There is a clear difference, however, between marketers and the marketed on the issue of what form of consent is appropriate – that is, express consent versus implied consent.
- Companies often appear to take the view that a customer’s consent to secondary marketing can be taken as implied provided that the policy in question is stated in some document that is accessible to the customer. However, companies have an obligation not merely to state purposes in a policy document, but also to bring to the attention of the individual customer the practices in question and the negative option attached.
- Companies commonly fall short of meeting this obligation in several ways:
  - reliance on a document not provided to the individual customer, but rather left up to the customer to find on his or her own initiative;
  - reliance on fine print buried in a long document;
  - failure to use clear, plain language understandable to the ordinary consumer;
  - failure to provide customers with adequately detailed information about the extent and purpose of contemplated uses and sharing of their personal information; and
  - failure to provide an easily executable opting-out procedure.
- The EKOS marketing survey shows a preference for opt-in versus opt-out consent among a clear majority of respondents. Opt-out consent is considered acceptable only under conditions where the opting-out provision is brought to the customer’s attention, is clearly worded and sufficiently detailed, and is easy to execute.
In your complaint against HBC, you identified that company’s credit card agreement as being particularly inadequate for purposes of the Act.
My Office’s investigation has revealed that HBC’s three Fields stores that fall under my jurisdiction do not participate in the HBC Rewards Program and do not themselves currently collect, use, or disclose personal information in connection with the HBC credit card. Formerly, these stores did in theory take credit card applications, but their involvement in the credit card program would have been limited to forwarding the applications to HBC’s head office in Toronto. The stores in question would not have retained copies and would not themselves otherwise perform any administrative function in respect of credit cards. Moreover, the three stores no longer participate in HBC’s credit card program in any way.
On the basis of these facts, I am required to determine whether HBC is in compliance with Principle 4.3 of Schedule 1 to the Act as far as its operations under my current jurisdiction are concerned. Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
In the absence of evidence to the contrary I must conclude that HBC’s three Fields stores in northern Canada do not collect, use, or disclose their customers’ personal information in connection with HBC’s credit card or rewards program. Having no jurisdiction at present for further investigation, I therefore have no basis for finding that HBC is not in compliance with Principle 4.3.
Accordingly, I conclude that your complaint against HBC is not well-founded.
Nevertheless, I would be remiss if I did not take this opportunity to remind HBC that its operations in the rest of Canada will become subject either to the Act or to substantially similar provincial legislation as of January 1, 2004. I also wish to notify HBC that, in your similar complaints against other organizations, I have found your expectations regarding consent, as you expressed them in your general submission, to be reasonable and in keeping with the Act. I would strongly recommend that, in preparing to undertake its more extensive obligations, HBC take due account of the substance of your complaints and of my related findings.
Now that you have my report, I must inform you that, pursuant to section 14 of the Act, you have the legal right to apply to the Federal Court, Trial Division, for a hearing in respect of any matter that you complained about or that I have dealt with in my report, and that is referred to in clause 4.1.3, 4.2, 4.3.3, 4.4, 4.6, 4.7 or 4.8 of Schedule 1, in clause 4.3, 4.5 or 4.9 of the Schedule as modified or clarified by the Act, in subsection 5(3), or 8(6) or (7) or in section 10.
Should you wish to proceed to the Court, we suggest you contact the Trial Division of the Court office nearest you. It is located at the Supreme Court Building, Kent & Wellington, Ottawa, ON K1A OH9, telephone (613) 992-4238. Normally, an application must be made within 45 days of the date of this letter.
You should also be aware that the Court has discretion to order that the costs of the other party be paid by you where the Court is of the view that this is appropriate. While this does not happen often, it is a possibility of which you should be aware. Conversely, the Court may order that your costs be paid where the Court finds that your application raises an important new principle.
This concludes the investigation of your complaint. If you have any questions or comments about the disposition of the complaint, I would invite you to contact Mr. Gerald Neary, Director General of Investigations, at 1-800-282-1376.
Yours sincerely,
George Radwanski Privacy Commissioner of Canada
Commissioner’s Findings – Bell Nexxia
Privacy Commissioner of Canada
Commissaire à la protection de la vie privée du Canada
112, rue Kent
Ottawa (Ontario)
K1A 1H3
Tel.: (613) 995-8210
Fax: (613) 947-6850
1-800-282-1376
www.privcom.gc.ca
File: 6100-0218
Ms Philippa Lawson
Public Interest Advocacy Centre
One Nicholas Street, Suite 1204
Ottawa, ON K1N 7B7
Dear Ms Lawson:
This letter constitutes my report of findings with regard to the complaint you filed against Bell Nexxia under the Personal Information Protection and Electronic Documents Act (the Act). In your complaint, you made reference to Principle 4.3 (Consent) of Schedule 1 to the Act and alleged that Bell Nexxia was not obtaining informed consent from individuals for the collection, use or disclosure of personal information for secondary marketing purposes. Specifically, you complained that Bell Nexxia was not bringing to the attention of its customers (a) its policy of sharing customer information with Bell Canada affiliates for secondary marketing purposes and (b) the corresponding opportunity for customers to opt-out of such sharing.
I have determined, first of all, that the subject matter of your complaint does fall within my jurisdiction under the Act. As of January 1, 2001, the Act applies to any federal work, undertaking or business. By operation of constitutional law, any telecommunications company, such as Bell Nexxia, is a federal work, undertaking or business. On this basis, therefore, I was required under Section 12 of the Act to accept and investigate your complaint.
Before I provide you with my other findings, let me first outline the facts obtained in the course of my Office’s investigation.
You have filed similar complaints against several organizations, one of which is Bell Nexxia. For all these complaints, you have formulated a general position, in support of which you have submitted a market research survey conducted by EKOS Research Associates Inc. I summarize your position as follows:
- It is always appropriate to ensure the individual’s knowledge and consent in respect of secondary marketing purposes.
- There is a clear difference, however, between marketers and the marketed on the issue of what form of consent is appropriate – that is, express consent versus implied consent.
- Companies often appear to take the view that a customer’s consent to secondary marketing can be taken as implied provided that the policy in question is stated in some document that is accessible to the customer. However, companies have an obligation not merely to state purposes in a policy document, but also to bring to the attention of the individual customer the practices in question and the negative option attached.
- Companies commonly fall short of meeting this obligation in several ways:
  - reliance on a document not provided to the individual customer, but rather left up to the customer to find on his or her own initiative;
  - reliance on fine print buried in a long document;
  - failure to use clear, plain language understandable to the ordinary consumer;
  - failure to provide customers with adequately detailed information about the extent and purpose of contemplated uses and sharing of their personal information; and
  - failure to provide an easily executable opting-out procedure.
- The EKOS marketing survey shows a preference for opt-in versus opt-out consent among a clear majority of respondents. Opt-out consent is considered acceptable only under conditions where the opting-out provision is brought to the customer’s attention, is clearly worded and sufficiently detailed, and is easy to execute.
Bell Nexxia’s customer base comprises the largest 300 private and public sector customers served by Bell Canada and its affiliates. It assists these businesses to develop their communications infrastructure, including information technology functions and provides them with e-business computerized solutions. Bell Nexxia does not provide services to individual consumers.
On the basis of these facts, I am required to determine firstly whether the information at issue is personal information for the purposes of the Act, and if so, whether Bell Nexxia is in compliance with Principle 4.3 of Schedule 1 to the Act.
Section 2 of the Act defines personal information to be “…information about an identifiable individual…”. Principle 4.3 of Schedule 1 to the Act states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
The information that Bell Nexxia deals with pertains to corporations – not “identifiable individuals”. I am satisfied that Bell Nexxia does not collect, use or disclose the personal information of individuals. I therefore have no basis for making a determination in respect of Principle 4.3 of Schedule 1 of the Act.
Accordingly, I conclude that your complaint against Bell Nexxia is not well-founded.
Now that you have my report, I must inform you that, pursuant to Section 14 of the Act, you have the legal right to apply to the Federal Court, Trial Division, for a hearing in respect of any matter that you complained about or that I have dealt with in my report, and that is referred to in clause 4.1.3, 4.2, 4.3.3, 4.4, 4.7 or 4.8 of Schedule 1, in clause 4.3, 4.5 or 4.9 of the Schedule as modified or clarified by the Act, in subsection 5(3), or 8(6) or (7) or in section 10.
Should you wish to proceed to the Court, we suggest you contact the Trial Division of the Court office nearest you. It is located at the Supreme Court Building, Kent & Wellington, Ottawa, ON K1A OH9, telephone (613) 992-4238. Normally, an application must be made within 45 days of the date of this letter.
You should also be aware that the Court has discretion to order that the costs of the other party be paid by you where the Court is of the view that this is appropriate. While this does not happen often, it is a possibility of which you should be aware. Conversely, the Court may order that your costs be paid where the Court finds that your application raises an important new principle.
This concludes the investigation of your complaint. If you have any questions or comments about the disposition of the complaint, I would invite you to contact Mr. Gerald Neary, Director General of Investigations, at 1-800-282-1376.
George Radwanski Privacy Commissioner of Canada
Commissioner’s Findings – Bell ExpressVu
Privacy Commissioner of Canada
Commissaire à la protection de la vie privée du Canada
112, rue Kent
Ottawa (Ontario)
K1A 1H3
Tel.: (613) 995-8210
Fax: (613) 947-6850
1-800-282-1376
www.privcom.gc.ca
File: 6100-0217
Ms Philippa Lawson
Public Interest Advocacy Centre
1 Nicholas Street, Suite 1204
Ottawa, ON K1N 7B7
Dear Ms Lawson:
This letter constitutes my report of findings with regard to the complaint you filed against Bell ExpressVu under the Personal Information Protection and Electronic Documents Act (the Act). In your complaint, you made reference to Principle 4.3 (Consent) of Schedule 1 to the Act and alleged that Bell ExpressVu was not obtaining informed consent from individuals for the collection, use, or disclosure of personal information for secondary marketing purposes. Specifically, you alleged that Bell ExpressVu was not bringing to the attention of its customers (a) its policy of sharing customer data with other Bell Canada affiliates for secondary marketing purposes and (b) the corresponding opportunity for customers to opt-out of such sharing.
I have determined, first of all, that the subject matter of your complaint does fall within my jurisdiction under the Act. As of January 1, 2001, the Act applies to any federal work, undertaking, or business. By operation of constitutional law, any telecommunications company, such as Bell ExpressVu, is a federal work, undertaking, or business. On this basis, therefore, I was required under section 12 of the Act to accept and investigate your complaint.
You initially filed a complaint against Bell Canada. Some weeks later, you clarified to my Office that you had intended your complaint to apply to the information practices of Bell Canada’s affiliates as well. You may have assumed that Bell’s affiliates formed part of the Bell corporate entity. Bell’s affiliates are in fact separate corporate entities; moreover, only three of them are federal works, undertakings, or businesses subject to the Act. A separate complaint file has been opened for each of these three Bell affiliates that fall under my jurisdiction. Bell ExpressVu is one of the three.
I have also determined from the facts of the case that the information at issue is personal information for purposes of the Act. Section 2 of the Act defines personal information to be “…information about an identifiable individual…”. It is clear from the wording of your complaint that your concern is information about Bell ExpressVu’s customers as identifiable individuals.
Before I provide you with my other findings, let me first outline the facts obtained in the course of my Office’s investigation.
You have filed similar complaints against several organizations. For all of these complaints, you have formulated a general position, in support of which you have submitted a market research survey conducted by EKOS Research Associates Inc. I summarize your position as follows:
- It is always appropriate to ensure the individual’s knowledge and consent in respect of secondary marketing purposes.
- There is a clear difference, however, between marketers and the marketed on the issue of what form of consent is appropriate – that is, express consent versus implied consent.
- Companies often appear to take the view that a customer’s consent to secondary marketing can be taken as implied provided that the policy in question is stated in some document that is accessible to the customer. However, companies have an obligation not merely to state purposes in a policy document, but also to bring to the attention of the individual customer the practices in question and the negative option attached.
- Companies commonly fall short of meeting this obligation in several ways:
  - reliance on a document not provided to the individual customer, but rather left up to the customer to find on his or her own initiative;
  - reliance on fine print buried in a long document;
  - failure to use clear, plain language understandable to the ordinary consumer;
  - failure to provide customers with adequately detailed information about the extent and purpose of contemplated uses and sharing of their personal information; and
  - failure to provide an easily executable opting-out procedure.
- The EKOS marketing survey shows a preference for opt-in versus opt-out consent among a clear majority of respondents. Opt-out consent is considered acceptable only under conditions where the opting-out provision is brought to the customer’s attention, is clearly worded and sufficiently detailed, and is easy to execute.
Bell ExpressVu readily acknowledges that it does disclose customers’ personal information for marketing purposes to Bell Mobility, another Bell Canada affiliate that is subject to the Act. The information in question comprises contact data (i.e., name, mailing address, home and work telephone numbers, e-mail address), as well as indications of services or products purchased, average monthly billing, credit records, and complaint records. Bell ExpressVu’s disclosure of such information to Bell Mobility is limited at present, but is expected to increase in the future.
Bell ExpressVu also acknowledges that it does not itself actively seek, at the time an individual customer purchases a product or subscribes to a service, consent to disclosure of the customer’s personal information to Bell Mobility. Rather, like other Bell Canada affiliates, Bell ExpressVu relies upon the notion of “implied consent” as explained in Bell Canada’s privacy code, the “Bell Code of Fair Information Practices”. Bell ExpressVu and its sister affiliates have adopted as their own the parent company’s privacy policy and practices, as set out mainly in two documents – the 17-page Bell Code and the 9-page “Bell Customer Privacy Policy”.
The Bell Code defines implied consent as “consent that can reasonably be inferred from an individual’s action or inaction.” Clause 3.7 of the Code states as follows:
In general, the use of products and services by a customer… constitutes implied consent for the Bell companies to collect, use and disclose personal information for all identified purposes.
As far as the exchange with Bell Mobility in particular is concerned, Bell ExpressVu takes clause 3.7 to mean that, if a customer obtains a product or service at Bell ExpressVu, he or she implicitly consents to having personal information disclosed to Bell Mobility.
The Code does identify the “Bell companies” in question and sets out five general purposes for their collection of personal information, including “To develop, enhance, market or provide products and services.” However, the Code does not indicate that this or any other of the purposes applies specifically to disclosures of information between Bell companies and indeed does not specify that the companies disclose customers’ personal information to one another. On being asked to explain this omission, Bell Canada maintained that such disclosure is implicit in the treatment of the Bell companies collectively as a single organization for the purpose of the Code.
Bell Canada’s Privacy Policy does assign a purpose specifically to disclosures of personal information between Bell Companies, as follows:
The purpose for sharing information among the Bell companies is to help us identify your information, communication and entertainment needs, and provide you with relevant information, advice, and solutions.
It is to be noted, however, that this purpose is not identical with any of the five stated in the Bell Code. It seems closest in meaning to “To develop, enhance, market or provide products and services”, but the verb “market” is conspicuously absent.
Bell Canada communicates its privacy policy and practices to customers through mail-outs (e.g., inserts in telephone bills), the white pages of the telephone directory, websites, and literature made available at Bell World stores. In the year 2000, a brochure entitled “The Bell Privacy Policy and You” was mailed out as a bill insert to all Bell customers.
That brochure included a notification to the effect that customers who did not wish to have their personal information disclosed among Bell companies (listed in the brochure) could withdraw consent by calling Bell Canada at the number shown on bills or electronically via Bell’s various websites. The brochure also stated that customers could view or obtain copies of the Bell Code and Privacy Policy by the same means.
Bell Canada’s white-pages telephone directory likewise informs customers that, if they wish to view or obtain a copy of the Bell Code or Privacy Policy, or if they have concerns about their privacy, they may contact one of the Bell websites or call the number on their telephone bill. However, the directory does not indicate any method or possibility of opting-out of information disclosures among the Bell companies.
The Bell Canada website contains the Bell Code and Privacy Policy as well as other privacy-related information, including instructions on opting-out of information disclosure among the Bell companies and an electronic opt-out form to be used for that purpose. Bell ExpressVu’s website links back to the Bell Canada site and is thus also linked indirectly to the privacy-related information and the electronic opt-out form. However, although Bell ExpressVu accepts opt-outs from its customers via this electronic form as well as by telephone or in writing, its own website makes no direct reference to an opportunity or method of opting-out or even to the practice of sharing information with other Bell affiliates. Nor does Bell ExpressVu, in any other situation or manner, make a point of advertising these optional considerations to its customers.
Nevertheless, on the basis of the information provided in Bell Canada’s privacy-related communications materials, notably the Bell Code and Privacy Policy, Bell ExpressVu has taken the position that its own customers are duly informed, in accordance with Principle 4.3.2 of Schedule 1 to the Act, both of the purposes for which personal information will be used and disclosed, and of the opportunity for easily opting-out of the specific practice of information disclosure among affiliates. Furthermore, Bell ExpressVu contends that the disclosure of personal information among common-branded companies providing a range of related communications services is consistent with the reasonable expectations of its customers as contemplated under Principle 4.3.5.
On the basis of these facts, I am required to determine whether Bell ExpressVu is in compliance with Principles 4.2.3, 4.3, and 4.3.1 of Schedule 1 to the Act. In this case, where the central issue is consent, I am also obliged to take due account of Principle 4.3.5 in my deliberations.
Principle 4.2.3 states that identified purposes should be specified at or before the time of collection to the individual from whom the personal information is collected. Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.3.1 states, in part, that an organization will typically seek consent for the use or disclosure of the information at the time of collection. Principle 4.3.5 states that, in obtaining consent, the reasonable expectations of the individual are relevant.
I will begin by stating that I consider your expectations regarding consent, as you have expressed them in your submission, to be entirely reasonable and in keeping with the Act. First and foremost, I note that Principles 4.2.3 and 4.3.1 clearly support your expectation that an organization should not merely make policy documents generally available, but should actually bring to the attention of the individual at the time of collection its purposes for collecting, using, and disclosing personal information. When an organization collects personal information during an application, subscription, or purchasing process, it should take reasonable steps during the same process to specify to the individual, and seek the individual’s express consent for, any intended secondary uses or disclosures. It follows that the organization should be prepared to provide the individual, on the spot, with whatever information he or she may require to make a knowledgeable consent decision. In such situations, I consider it entirely reasonable, as you have suggested, for an individual to expect not to have to seek out or otherwise rely upon information that is not immediately at hand.
I also consider it only reasonable for the individual to expect to be informed, likewise during the same process, of the opportunity and a convenient method for withdrawing consent.
Finally, where an organization intends to disclose personal information that the individual is likely to consider sensitive, such as credit records and complaint records, I consider it reasonable for the individual to expect to be consulted directly and positively in the matter of consent. In such a situation, the organization should use positive or “opt-in” consent rather than the negative option.
It is obvious that, in relying wholly upon its parent company’s notion of implied consent, Bell ExpressVu does not meet the reasonable expectations described above and deemed relevant under Principle 4.3.5. At the time of collecting a customer’s personal information during a subscription or purchasing process, Bell ExpressVu does not supply the customer with information about its intention to disclose personal information to its sister affiliate Bell Mobility, to obtain the customer’s consent for such disclosure, or to notify the customer of the opportunity and method of opting-out of such disclosure. It is not reasonable for Bell ExpressVu to rely upon the presumption of the customer’s knowledge and consent on the basis of general policy documents that it has not itself brought directly to the attention of the customer.
I find therefore that Bell ExpressVu has failed to comply with Principles 4.2.3 and 4.3.1 and, having failed to meet the individual’s reasonable expectations regarding consent as deemed relevant under Principle 4.3.5, is also in contravention of Principle 4.3.
Accordingly, I conclude that your complaint is well-founded.
I am recommending that Bell ExpressVu, at the time of collecting personal information from any customer during a subscription or purchasing process, directly inform the individual customer of the purposes for which personal information is collected and seek his or her consent for intended uses and disclosures. In implementing this recommendation, Bell ExpressVu should ensure that:
(1) purposes are stated in such a manner that the customer can reasonably understand how personal information is to be used or disclosed, in accordance with Principle 4.3.2 of Schedule 1;
(2) intended uses and disclosures are well-defined especially in respect of
  - the items or types of information to be used or disclosed;
  - the parties to which information is to be disclosed; and
  - the purposes for which information is to be disclosed (e.g., direct marketing);
(3) the customer is directly notified of the opportunity to withdraw consent to specific optional purposes (e.g., direct marketing); and
(4) the customer is provided with, and directly notified of, an easy, immediate, and inexpensive means of opting-out (e.g., a check-off box or toll-free telephone number).
I am also recommending that Bell ExpressVu, at the time of collecting personal information during a subscription or purchasing process, provide individual customers with an opt-in consent form relating specifically to disclosures to Bell Mobility and to any other party to which Bell ExpressVu intends to disclose personal information of a potentially sensitive nature, such as credit information.
Now that you have my report, I must inform you that, pursuant to section 14 of the Act, you have the legal right to apply to the Federal Court, Trial Division, for a hearing in respect of any matter that you complained about or that I have dealt with in my report, and that is referred to in clause 4.1.3, 4.2, 4.3.3, 4.4, 4.6, 4.7 or 4.8 of Schedule 1, in clause 4.3, 4.5 or 4.9 of the Schedule as modified or clarified by the Act, in subsection 5(3), or 8(6) or (7) or in section 10.
Should you wish to proceed to the Court, we suggest you contact the Trial Division of the Court office nearest you. It is located at the Supreme Court Building, Kent & Wellington, Ottawa, ON K1A 0H9, telephone (613) 992-4238. Normally, an application must be made within 45 days of the date of this letter.
You should also be aware that the Court has discretion to order that the costs of the other party be paid by you where the Court is of the view that this is appropriate. While this does not happen often, it is a possibility of which you should be aware. Conversely, the Court may order that your costs be paid where the Court finds that your application raises an important new principle.
This concludes the investigation of your complaint. If you have any questions or comments about the disposition of the complaint, I would invite you to contact Mr. Gerald Neary, Director General of Investigations, at 1-800-282-1376.
Yours sincerely,
George Radwanski
Privacy Commissioner of Canada
Commissioner’s Findings – Bell Canada
Privacy Commissioner of Canada
Commissaire à la protection de la vie privée du Canada
112, rue Kent
Ottawa (Ontario)
K1A 1H3
Tel.: (613) 995-8210
Fax: (613) 947-6850
1-800-282-1376
www.privcom.gc.ca
File: 6100-0081
Ms Philippa Lawson
Public Interest Advocacy Centre
One Nicholas Street, Suite 1204
Ottawa, ON K1N 7B7
Dear Ms Lawson:
This letter constitutes my report of findings with regard to the complaint you filed against Bell Canada (Bell) under the Personal Information Protection and Electronic Documents Act (the Act). In your complaint received in my Office on October 18, 2001, you made reference to Principle 4.3 (Consent) of Schedule 1 to the Act and alleged that Bell was not obtaining informed consent from individuals for the collection, use, or disclosure of personal information for secondary marketing purposes.
Specifically, you alleged that Bell was not bringing to the attention of its residential local telephone customers (a) its policy of sharing customer data with affiliates for secondary marketing purposes and (b) the corresponding opportunity for customers to opt-out of such sharing.
I have determined, first of all, that the subject matter of your complaint does fall within my jurisdiction under the Act. As of January 1, 2001, the Act applies to any federal work, undertaking, or business. By operation of constitutional law, any telecommunications company, such as Bell, is a federal work, undertaking, or business. On this basis, therefore, I was required under section 12 of the Act to accept and investigate your complaint.
Some weeks after filing your original complaint, you specified to my Office that you had intended your complaint against Bell to apply to the information practices of the affiliates as well. You may have assumed that Bell’s affiliates formed part of the Bell corporate entity. Bell’s affiliates are in fact separate corporate entities; moreover, only three of them are federal works, undertakings, or businesses subject to the Act. A separate complaint file has been opened for each of these three Bell affiliates that fall under my jurisdiction, and I will issue separate letters of findings for each in due course.
I have also determined from the facts of the case that the information at issue is personal information for purposes of the Act. Section 2 of the Act defines personal information to be “…information about an identifiable individual…”. It is clear from the wording of your complaint that your concern is information about Bell’s customers as identifiable individuals.
Before I provide you with my other findings, let me first outline the facts obtained in the course of my Office’s investigation.
You have filed similar complaints against several organizations, one of which is Bell. For all of these complaints, you have formulated a general position, in support of which you have submitted a market research survey conducted by EKOS Research Associates Inc. I summarize your position as follows:
- It is always appropriate to ensure the individual’s knowledge and consent in respect of secondary marketing purposes.
- There is a clear difference, however, between marketers and the marketed on the issue of what form of consent is appropriate – that is, express consent versus implied consent.
- Companies often appear to take the view that a customer’s consent to secondary marketing can be taken as implied provided that the policy in question is stated in some document that is accessible to the customer. However, companies have an obligation not merely to state purposes in a policy document, but also to bring to the attention of the individual customer the practices in question and the negative option attached.
- Companies commonly fall short of meeting this obligation in several ways:
  - reliance on a document not provided to the individual customer, but rather left up to the customer to find on his or her own initiative;
  - reliance on fine print buried in a long document;
  - failure to use clear, plain language understandable to the ordinary consumer;
  - failure to provide customers with adequately detailed information about the extent and purpose of contemplated uses and sharing of their personal information; and
  - failure to provide an easily executable opting-out procedure.
- The EKOS marketing survey shows a preference for opt-in versus opt-out consent among a clear majority of respondents. Opt-out consent is considered acceptable only under conditions where the opting-out provision is brought to the customer’s attention, is clearly worded and sufficiently detailed, and is easy to execute.
In 1986, the Canadian Radio-television and Telecommunications Commission (CRTC) imposed a restriction on Bell’s disclosure of customers’ personal information. This restriction appears as follows in Article 11 (“Confidentiality of Customer Records”) of the Bell Canada Terms of Service:
11.1 Unless a customer consents in writing or disclosure is pursuant to a legal power, all information kept by Bell Canada regarding the customer, other than the customer’s name, address and LISTED TELEPHONE number, are confidential and may not be disclosed by Bell Canada to anyone other than:
- the customer;
- a person who, in the reasonable judgement of Bell Canada, is seeking the information as an agent of the customer;
- another telephone company, provided the information is required for the efficient and cost-effective provision of telephone service and disclosure is made on a confidential basis with the information to be used only for that purpose;
- a company involved in supplying the customer with telephone or telephone directory related services, provided the information is required for that purpose and disclosure is made on a confidential basis with the information to be used only for that purpose; or
- an agent retained by Bell Canada in the collection of the customer’s account, provided the information is required for and is to be used only for that purpose.
Thus, with the very limited exceptions noted, Bell is prohibited by the CRTC from disclosing customers’ information, other than publicly available information (i.e., names, addresses, and telephone numbers already listed in directories), to anyone, including its affiliates, without the express written consent of the individual customer.
My Office’s investigation has confirmed that Bell does not make a practice of disclosing customer information to its affiliates and does not have express written consent for such disclosure from most of its residential and business customers. Bell has explained that, because the process of obtaining express written consent would be cumbersome, the company some time ago made the decision not to seek such consent from customers, but rather to forego such disclosure of information in general.
One notable exception is a form that customers are asked to fill out in Bell stores, authorizing Bell Canada/Bell Mobility to share, with the store representative, customers’ information relating to the products and services. Another exception was a direct mail-out to approximately 100,000 customers in the year 2000, seeking written consent for disclosure of customer information to all the Bell companies. I note that both of these exceptions comply with Article 11 in that they seek express written consent from the individual customer. Bell affirms, furthermore, that it has never relied upon any consent obtained from the mail-out; in other words, no information has actually been disclosed on the basis of any response from this initiative. Bell has also pointed out that it has never disclosed customer information to companies other than its affiliates, even though Article 11 would permit such third-party disclosures, too, provided that customers’ express written consent was obtained.
Despite having abided by Article 11 since its inception, in November 2000 Bell (along with many other telecommunications companies likewise subject to it) applied to the CRTC to have this restriction modified so as to permit disclosure of confidential customer information to affiliates without having to obtain written consent from the customer. Bell for one believes that Article 11 is unduly more stringent than the Act, which allows for implied consent in some circumstances. You yourself have made a submission to the CRTC, to the effect that Article 11 should remain unchanged. The CRTC has not yet issued a decision in this matter.
On the basis of these facts, I am required to determine whether Bell is in compliance with Principle 4.3 of Schedule 1 to the Act as far as the disclosure of customers’ personal information to its affiliates is concerned. Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
On the evidence, I am satisfied that Bell does not make a practice of disclosing customers’ personal information to its affiliates. I am also satisfied that, in the exceptional circumstances where the company has contemplated such disclosure, it has duly informed the individual customer of its intention and has endeavoured to obtain the individual’s express written consent as required by the CRTC. I therefore have no grounds upon which to find that Bell has contravened Principle 4.3 of Schedule 1 to the Act.
Accordingly, I conclude that your complaint against Bell is not well-founded.
Whatever the outcome of its application regarding Article 11, I trust that Bell will continue to meet all its obligations under the Act, taking due account of the entirely reasonable expectations about consent that you have articulated in your complaint.
Now that you have my report, I must inform you that, pursuant to section 14 of the Act, you have the legal right to apply to the Federal Court, Trial Division, for a hearing in respect of any matter that you complained about or that I have dealt with in my report, and that is referred to in clause 4.1.3, 4.2, 4.3.3, 4.4, 4.6, 4.7 or 4.8 of Schedule 1, in clause 4.3, 4.5 or 4.9 of the Schedule as modified or clarified by the Act, in subsection 5(3), or 8(6) or (7) or in section 10.
Should you wish to proceed to the Court, we suggest you contact the Trial Division of the Court office nearest you. It is located at the Supreme Court Building, Kent & Wellington, Ottawa, ON K1A 0H9, telephone (613) 992-4238. Normally, an application must be made within 45 days of the date of this letter.
You should also be aware that the Court has discretion to order that the costs of the other party be paid by you where the Court is of the view that this is appropriate. While this does not happen often, it is a possibility of which you should be aware. Conversely, the Court may order that your costs be paid where the Court finds that your application raises an important new principle.
This concludes the investigation of your complaint. If you have any questions or comments about the disposition of the complaint, I would invite you to contact Mr. Gerald Neary, Director General of Investigations, at 1-800-282-1376.
George Radwanski
Privacy Commissioner of Canada
Commissioner’s Findings – Bank of Nova Scotia
Privacy Commissioner of Canada
Commissaire à la protection de la vie privée du Canada
112, rue Kent
Ottawa (Ontario)
K1A 1H3
Tel.: (613) 995-8210
Fax: (613) 947-6850
1-800-282-1376
www.privcom.gc.ca
File: 6100-0085
Ms Philippa Lawson
Public Interest Advocacy Centre
One Nicholas Street, Suite 1204
Ottawa, ON K1N 7B7
Dear Ms Lawson:
This letter constitutes my report of findings with regard to the complaint you filed against the Bank of Nova Scotia (Scotiabank) under the Personal Information Protection and Electronic Documents Act (the Act). In your complaint received in my Office on October 18, 2001, you made reference to Principle 4.3 (Consent) of Schedule 1 to the Act and alleged that Scotiabank was not obtaining informed consent from individuals for the collection, use, or disclosure of personal information for secondary marketing purposes.
Specifically, you made three allegations of failure on Scotiabank’s part: (1) failure to adequately bring to the attention of its customers its practices of using and sharing customer data for secondary marketing purposes and the opportunity for customers to opt out of such practices; (2) failure to provide full and clear information as to potential secondary uses and sharing of customer data; and (3) failure to provide customers with an opting-out method that can be executed immediately, easily, and at minimal effort and cost.
I have determined, first of all, that the subject matter of your complaint does fall within my jurisdiction under the Act. As of January 1, 2001, the Act applies to any federal work, undertaking, or business. By operation of constitutional law, any bank, such as Scotiabank, is a federal work, undertaking, or business. On this basis, therefore, I was required under section 12 of the Act to accept and investigate your complaint.
I have also determined from the facts of the case that the information at issue is personal information for purposes of the Act. Section 2 of the Act defines personal information to be “…information about an identifiable individual…”. It is clear from the wording of your complaint that your concern is information about Scotiabank’s customers as identifiable individuals.
Before I provide you with my other findings, let me first outline the facts obtained in the course of my Office’s investigation.
You have filed similar complaints against several organizations, one of which is Scotiabank. For all of these complaints, you have formulated a general position, in support of which you have submitted a market research survey conducted by EKOS Research Associates Inc. I summarize your position as follows:
- It is always appropriate to ensure the individual’s knowledge and consent in respect of secondary marketing purposes.
- There is a clear difference, however, between marketers and the marketed on the issue of what form of consent is appropriate – that is, express consent versus implied consent.
- Companies often appear to take the view that a customer’s consent to secondary marketing can be taken as implied provided that the policy in question is stated in some document that is accessible to the customer. However, companies have an obligation not merely to state purposes in a policy document, but also to bring to the attention of the individual customer the practices in question and the negative option attached.
- Companies commonly fall short of meeting this obligation in several ways:
  - reliance on a document not provided to the individual customer, but rather left up to the customer to find on his or her own initiative;
  - reliance on fine print buried in a long document;
  - failure to use clear, plain language understandable to the ordinary consumer;
  - failure to provide customers with adequately detailed information about the extent and purpose of contemplated uses and sharing of their personal information; and
  - failure to provide an easily executable opting-out procedure.
- The EKOS marketing survey shows a preference for opt-in versus opt-out consent among a clear majority of respondents. Opt-out consent is considered acceptable only under conditions where the opting-out provision is brought to the customer’s attention, is clearly worded and sufficiently detailed, and is easy to execute.
In your complaint against Scotiabank, you have expressed the view that the bank’s privacy brochure entitled “The Scotiabank Group & You: A Question of Privacy” is particularly inadequate for purposes of the Act. In the above-mentioned EKOS survey, this document had been the subject of specific consumer testing.
Scotiabank currently has 12 Canadian subsidiaries, which together with the parent company compose what is known corporately as the “Scotiabank Group”. Although Scotiabank does not refer to these subsidiaries as affiliates, it does readily acknowledge that it discloses to them, for marketing purposes, the personal information of customers. The bank affirms that it requires all members of this group to comply with the Act, as well as the Scotiabank Group Privacy Code.
This 21-page Privacy Code is one of three privacy-related information products that Scotiabank makes available to its customers both at its branches and on its website. Another is the above-mentioned brochure, which is essentially a condensed nine-page version of the Privacy Code. The third is a three-page text entitled “Scotiabank Group Privacy Agreement”, which is included in the companion booklets for each of the products and services offered by Scotiabank.
It should be mentioned here that the Privacy Code, the longest and most detailed of the three with respect to the bank’s privacy policy and practices, is the only one of the three that is not provided directly to individual customers as a matter of policy when they apply in person for Scotiabank’s products or services. Therefore, since it is not immediately on hand for the individual to use as a reference in making the consent decision, it is the least relevant of the three to the central issue of your complaint – that is, whether Scotiabank obtains valid informed consent to secondary purposes of marketing. The focus of concern in this case is the brochure and the Privacy Agreement – especially the latter, since it is the document to which Scotiabank’s various application forms make explicit reference in obtaining customers’ consent to terms and conditions.
On inquiry by my Office, Scotiabank has explained its policy in respect of obtaining customers’ consent to the disclosure of their personal information to other members of the Scotiabank Group. Our investigation has confirmed that, for customers who approach the bank in person to apply for a product or service, the bank instructs its front-line sales representatives as follows.
First, the representative is to give the customer a copy of both the privacy brochure and the appropriate companion booklet for the product or service in question. Then, the representative is required to explain the product or service and, in doing so, to draw attention to, and explain the uses of, the Privacy Agreement contained in the booklet. Specifically, the representative is to explain that the Agreement is used to identify why and how the bank collects, uses, and discloses customers’ personal information; to obtain customers’ consent in that regard; to inform customers of their right, subject to legal and contractual requirements, to withhold or withdraw consent and of the consequences of their doing so; and to provide customers with further information about privacy policies via a cross-reference to the privacy brochure.
Next, by reference to a coded record, the representative is to determine, and document in the bank’s Customer Information System, the customer’s preferences with regard to the disclosure of information with other Scotiabank Group members. In other words, the representative is expected to inquire and note by code whether the customer consents to all marketing efforts (code Y) or whether he or she prefers to opt out of specific efforts – for example, direct mail marketing (code 3) or telephone solicitation (code 4) or solicitation by subsidiaries (code 7).
The customer is ultimately to be asked to sign the appropriate application form, which includes an acknowledgement of receipt of the companion booklet and an agreement to be bound by the terms and conditions of the Privacy Agreement it contains. On signing the application form, if the customer has not indicated preferences otherwise, he or she is assumed to concur with the Privacy Agreement. It should be noted, however, that Scotiabank’s application forms do not themselves display any explicit terms or conditions related to the collection, use, or disclosure of personal information. Nor do customers themselves receive any record of having considered or indicated preferences during the application process.
In order to open an account, a new Scotiabank customer must visit a branch in person, but an existing customer may open a new account electronically. In the latter event, on-line application forms provide the customer with links to companion materials as well as to all of the bank’s privacy-related information products, including the 21-page Privacy Code. These electronic forms have a “Terms and Conditions” section, which reads in part, “By clicking “I agree”, you agree to the terms and conditions of the … Account Agreement, as well as the Terms and Conditions of the Scotiabank Group Privacy Agreement…”. At this point, another link to the Privacy Agreement is provided. The customer indicates consent by clicking on the “I agree” icon.
As to the contents of the relevant privacy-related materials, the privacy brochure informs the reader that, with consent and where the law allows, a Scotiabank Group Member may share personal information, other than health information, with other Scotiabank Group Members so that they may tell customers directly about their services. The brochure does not indicate what organizations or types of organizations belong to the Scotiabank Group. On the subject of personal information collected, the brochure states:
“To the best of our ability [emphasis added], we will seek your prior consent to verify and supplement it with external sources such as credit or other bureaus or employers.”
On the subject of opting-out, the brochure does explain with reasonable clarity the circumstances in which customers may exercise the right to refuse or withdraw consent. However, the only reference to a procedure for opting-out consists in a suggestion that customers should make the necessary arrangements with the appropriate branch or office. The brochure also warns that, if a customer refuses or withdraws consent to the collection, use, or disclosure of information, the bank may not be able to provide some products, services, or information of value to the customer, although it clarifies that products or services will not be unreasonably withheld.
The Privacy Agreement is more specific than the brochure about the purposes for which personal information is collected and about the situations and manner in which it may be used and disclosed within the Scotiabank Group. The Agreement does not list specific organizations belonging to the group, but does list the types of organizations involved in terms of the services they provide – for example, companies engaged in deposits, loans and other personal financial services, in trust and custodial services, in insurance services, et cetera. The Agreement also contains a footnote to the effect that the Scotiabank Group means collectively Scotiabank and its Canadian subsidiaries and that a current list of domestic subsidiaries may be obtained from any group member’s branch or office. Moreover, Scotiabank affirms that it instructs front-line staff to provide a copy of this list on request to any customer who wants to know to what specific companies the bank may disclose information for marketing purposes.
In a three-paragraph section headed “Refusing or Withdrawing Consent”, the Privacy Agreement spells out even more clearly than the brochure the customer’s right to opt out of the bank’s collection, use, and disclosure of personal information. Notably, this section specifies as follows: “You can tell us any time to stop using information about you to market our products and services or to stop sharing information with other Scotiabank Group members.” However, the Agreement suggests only that the customer should “contact” a branch or office in order to refuse or withdraw consent. It also uses identical wording to that of the brochure to warn that the bank may not be able to provide some products, services, or information of value if a customer refuses or withdraws consent.
As I have mentioned, Scotiabank’s privacy brochure and Privacy Agreement, as a matter of policy, are issued directly to new or established customers who apply in person for products or services. These information products, along with the Privacy Code, are also made easily available by means of electronic linkage to established customers who apply for new products and services on line.
But the question arises, what about long-established customers who have not opened a new account in some time and therefore would not have had the current privacy brochure and Privacy Agreement personally issued to them? How would such customers be deemed to have consented to such information disclosures as are set out in these documents?
In response to this question, Scotiabank has pointed out that, although its current Privacy Agreement dates from the introduction of the Act on January 1, 2001, there was an earlier version that came into effect in May 1997 and was issued to customers on opening new accounts. Before then, and as far back as October 1992, the bank relied upon consent clauses incorporated in application forms. Our investigation has revealed that these prior consent clauses and the earlier version of the Privacy Agreement were much more broadly stated than the bank’s current information products and did not give any indication that customers could refuse or withdraw consent to disclosures of personal information for secondary purposes.
Scotiabank has pointed out that the number of longstanding customers who have never obtained a new product or service and received a Privacy Agreement in the process would be very small. The bank has also stressed the wide availability of its current privacy-related information products and suggested that any such customer who was interested in the bank’s privacy policies could have easily obtained any of these products from a local branch or from the website.
In your complaint, you suggested that Scotiabank should provide a 1-800 number as an easy, low-cost means for customers to withdraw consent instead of requiring them to “contact” a branch. In response, the bank has noted that it does not actually require the customer to visit the branch, but rather has always meant “contact” to include the option of phoning-in or e-mailing. It has also noted that it does in fact already provide a 1-800 number for customer use. Nevertheless, the bank has acknowledged that the brochure and Privacy Agreement do not make explicit reference to telephone or e-mail, and do not advertise the existing 1-800 number, as specific means of withdrawing consent. The bank has found your suggestion to be reasonable, and has agreed to clarify in the next reprint of its privacy materials that customers may withdraw consent by using the 1-800 number, by telephoning a branch, or by e-mail.
Scotiabank has also acknowledged that customers may find its use of the phrase “to the best of our ability” confusing in the context of seeking consent. The bank has agreed to clarify this point, too, in future reprints of privacy materials.
Despite these concessions, however, Scotiabank has taken the position that its privacy communications materials, notably the brochure and the Privacy Agreement, collectively represent a reasonable effort, in accordance with Principle 4.3.2 of Schedule 1 to the Act, to bring to customers’ attention both the bank’s intended disclosures of personal information for secondary marketing purposes and the individual customer’s right to refuse or withdraw consent to such purposes. On this basis, the bank contends that it does obtain valid informed consent from its customers.
On the basis of these facts, I am required to determine whether Scotiabank is in compliance with Principles 4.3 and 4.3.2 of Schedule 1 to the Act. In this case, where the central issue is that of consent, I am also obliged to take due account of Principle 4.3.5 in my deliberations.
Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.3.2 stresses that knowledge is required as well as consent and states that organizations must make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used; it further stipulates that, for consent to be meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed. Principle 4.3.5 states that, in obtaining consent, the reasonable expectations of the individual are relevant.
Allow me to say firstly that I consider your expectations regarding consent, as you have expressed them in your submission, to be entirely reasonable and in keeping with the Act. Notably, Principle 4.3.2 clearly supports the expectation that consent be based on purposes stated in clear, plain language understandable to the ordinary consumer and in adequate detail for the consumer to appreciate the nature and extent of the collections, uses, and disclosures contemplated. Furthermore, where consent regarding personal information is being sought, I consider it reasonable for the individual to expect not to have to read fine print or search for information in a document that is not immediately at hand. Finally, where consent to optional secondary purposes is presented as a condition for supply of the primary product or service, I consider it only reasonable for the individual to expect to be provided with a convenient opting-out procedure that can be executed easily, immediately, and inexpensively.
The question is, does Scotiabank meet these reasonable expectations? On review of the communications materials in question and the bank’s official process for obtaining consent, I am on the whole satisfied that Scotiabank does meet these reasonable expectations.
In the first place, notwithstanding a certain ambiguity of expression (which the bank has readily agreed to clarify) and the absence of a 1-800 number assigned explicitly to the purpose of withdrawing consent (an omission which the bank has readily agreed to redress), I am satisfied that Scotiabank does in fact provide customers with an easy, immediate, and inexpensive opting-out procedure in the form of telephone or e-mail access to local branches.
Secondly, it is clear that the bank does not rely upon fine print or documents not immediately at hand.
Thirdly, all things considered, I am of the view that the language of the bank’s communications materials, especially that of the Privacy Agreement itself, does convey to individuals in a reasonably understandable manner how their personal information will be used or disclosed. Although in your complaint you raised some valid concerns about Scotiabank’s privacy brochure in particular, in my view these concerns, when considered in the context of the bank’s communications materials collectively and its policy on matters of consent generally, do not amount to a contravention of Principle 4.3.2.
For example, you have quite correctly pointed out that the brochure does not identify the members of the Scotiabank Group. However, I accept that in cases where membership is changeable it is sometimes impractical to provide an exhaustive listing of current members in a standing privacy document. I am mindful, too, that the document of primary interest in this case is not the brochure, but rather the Privacy Agreement, which does at least make the effort to inform customers of the types of organizations involved in the Scotiabank Group. Scotiabank is quite prepared to provide a list of its group’s current membership to any customer curious enough to ask for one.
All in all, I have found the process of consent to be as important a consideration in this case as the consent-related documentation at issue. In particular, I am favourably impressed with Scotiabank’s policy of personally bringing optional secondary purposes to the attention of customers, presenting these purposes in terms of preferences for consideration, and in effect guiding them through an opt-out procedure on the spot. Provided that this policy was confirmed to be consistently applied and was extended somehow to the realm of on-line applications for products or services, I would be very much inclined to recommend it as an exemplary method of obtaining consent, very much akin to the “opt-in” form of consent that you favour.
In sum, I have determined that the communications materials, as well as the process, in question do constitute a reasonable effort on Scotiabank’s part to ensure that the individual is advised of the secondary purposes for which personal information will be used or disclosed and do thus serve as a valid basis for knowledge and consent. I find therefore that the bank is in compliance with Principles 4.3.5, 4.3.2 and 4.3 of Schedule 1 to the Act.
Accordingly, I conclude that your complaint against Scotiabank is not well-founded.
Nevertheless, since our investigation has confirmed that the bank’s consent procedures could be improved in certain ways, I make the following recommendations as best practices:
- Scotiabank should take steps to implement the proposed modifications to its procedure for withdrawing consent and to all references to that procedure in its privacy communications materials.
- Scotiabank should take steps to implement the proposed clarification of the phrase, “To the best of our ability,” at every instance in its privacy communications materials.
- In all instances of the warning to the effect that withdrawal of consent may result in withholding of products, services, or information, Scotiabank should clarify its meaning, with particular emphasis on identifying the products, services, or information in question.
- Scotiabank should modify its hard-copy and on-line application forms for products and services so as to directly indicate conditions relating to the collection, use, or disclosure of personal information and to include a record, copiable to the customer, of indicated preferences in respect of secondary marketing purposes.
- As occasion arises to have business contact with any customer of long standing to whom the current privacy brochure and Privacy Agreement have never been directly issued, Scotiabank should take such occasion to provide these documents to the customer.
Now that you have my report, I must inform you that, pursuant to section 14 of the Act, you have the legal right to apply to the Federal Court, Trial Division, for a hearing in respect of any matter that you complained about or that I have dealt with in my report, and that is referred to in clause 4.1.3, 4.2, 4.3.3, 4.4, 4.6, 4.7 or 4.8 of Schedule 1, in clause 4.3, 4.5 or 4.9 of the Schedule as modified or clarified by the Act, in subsection 5(3), or 8(6) or (7) or in section 10.
Should you wish to proceed to the Court, we suggest you contact the Trial Division of the Court office nearest you. It is located at the Supreme Court Building, Kent & Wellington, Ottawa, Ontario, K1A 0H9, telephone (613) 992-4238. Normally, an application must be made within 45 days of the date of this letter.
You should also be aware that the Court has discretion to order that the costs of the other party be paid by you where the Court is of the view that this is appropriate. While this does not happen often, it is a possibility of which you should be aware. Conversely, the Court may order that your costs be paid where the Court finds that your application raises an important new principle.
This concludes the investigation of your complaint. If you have any questions or comments about the disposition of the complaint, I would invite you to contact Mr. Gerald Neary, Director General of Investigations, at 1-800-282-1376.
Yours sincerely,
