Privacy Commissioner of Canada
112 Kent Street
Tel.: (613) 995-8210
Fax: (613) 947-6850
Ms Philippa Lawson
Public Interest Advocacy Centre
One Nicholas Street, Suite 1204
Ottawa, ON K1N 7B7
Dear Ms Lawson:
This letter constitutes my report of findings with regard to the complaint you filed against the Bank of Nova Scotia (Scotiabank) under the Personal Information Protection and Electronic Documents Act (the Act). In your complaint received in my Office on October 18, 2001, you made reference to Principle 4.3 (Consent) of Schedule 1 to the Act and alleged that Scotiabank was not obtaining informed consent from individuals for the collection, use, or disclosure of personal information for secondary marketing purposes.
Specifically, you made three allegations of failure on Scotiabank’s part: (1) failure to adequately bring to the attention of its customers its practices of using and sharing customer data for secondary marketing purposes and the opportunity for customers to opt out of such practices; (2) failure to provide full and clear information as to potential secondary uses and sharing of customer data; and (3) failure to provide customers with an opting-out method that can be executed immediately, easily, and at minimal effort and cost.
I have determined, first of all, that the subject matter of your complaint does fall within my jurisdiction under the Act. As of January 1, 2001, the Act applies to any federal work, undertaking, or business. By operation of constitutional law, any bank, such as Scotiabank, is a federal work, undertaking, or business. On this basis, therefore, I was required under section 12 of the Act to accept and investigate your complaint.
I have also determined from the facts of the case that the information at issue is personal information for purposes of the Act. Section 2 of the Act defines personal information to be “…information about an identifiable individual…”. It is clear from the wording of your complaint that your concern is information about Scotiabank’s customers as identifiable individuals.
Before I provide you with my other findings, let me first outline the facts obtained in the course of my Office’s investigation.
You have filed similar complaints against several organizations, one of which is Scotiabank. For all of these complaints, you have formulated a general position, in support of which you have submitted a market research survey conducted by EKOS Research Associates Inc. I summarize your position as follows:
- It is always appropriate to ensure the individual’s knowledge and consent in respect of secondary marketing purposes.
- There is a clear difference, however, between marketers and the marketed on the issue of what form of consent is appropriate – that is, express consent versus implied consent.
- Companies often appear to take the view that a customer’s consent to secondary marketing can be taken as implied provided that the policy in question is stated in some document that is accessible to the customer. However, companies have an obligation not merely to state purposes in a policy document, but also to bring to the attention of the individual customer the practices in question and the negative option attached.
- Companies commonly fall short of meeting this obligation in several ways:
- reliance on a document not provided to the individual customer, but rather left up to the customer to find on his or her own initiative;
- reliance on fine print buried in a long document;
- failure to use clear, plain language understandable to the ordinary consumer;
- failure to provide customers with adequately detailed information about the extent and purpose of contemplated uses and sharing of their personal information; and
- failure to provide an easily executable opting-out procedure.
- The EKOS marketing survey shows a preference for opt-in versus opt-out consent among a clear majority of respondents. Opt-out consent is considered acceptable only under conditions where the opting-out provision is brought to the customer’s attention, is clearly worded and sufficiently detailed, and is easy to execute.
In your complaint against Scotiabank, you have expressed the view that the bank’s privacy brochure entitled “The Scotiabank Group & You: A Question of Privacy” is particularly inadequate for purposes of the Act. In the above-mentioned EKOS survey, this document had been the subject of specific consumer testing.
Scotiabank currently has 12 Canadian subsidiaries, which together with the parent company compose what is known corporately as the “Scotiabank Group”. Although Scotiabank does not refer to these subsidiaries as affiliates, it does readily acknowledge that it discloses to them, for marketing purposes, the personal information of customers. The bank affirms that it requires all members of this group to comply with the Act, as well as the Scotiabank Group Privacy Code.
This 21-page Privacy Code is one of three privacy-related information products that Scotiabank makes available to its customers both at its branches and on its website. Another is the above-mentioned brochure, which is essentially a condensed nine-page version of the Privacy Code. The third is a three-page text entitled “Scotiabank Group Privacy Agreement”, which is included in the companion booklets for each of the products and services offered by Scotiabank.
On inquiry by my Office, Scotiabank has explained its policy in respect of obtaining customers’ consent to the disclosure of their personal information to other members of the Scotiabank Group. Our investigation has confirmed that, for customers who approach the bank in person to apply for a product or service, the bank instructs its front-line sales representatives as follows.
First, the representative is to give the customer a copy of both the privacy brochure and the appropriate companion booklet for the product or service in question. Then, the representative is required to explain the product or service and, in doing so, to draw attention to, and explain the uses of, the Privacy Agreement contained in the booklet. Specifically, the representative is to explain that the Agreement is used to identify why and how the bank collects, uses, and discloses customers’ personal information; to obtain customers’ consent in that regard; to inform customers of their right, subject to legal and contractual requirements, to withhold or withdraw consent and of the consequences of their doing so; and to provide customers with further information about privacy policies via a cross-reference to the privacy brochure.
Next, by reference to a coded record, the representative is to determine, and document in the bank’s Customer Information System, the customer’s preferences with regard to the disclosure of information to other Scotiabank Group members. In other words, the representative is expected to inquire and note by code whether the customer consents to all marketing efforts (code Y) or whether he or she prefers to opt out of specific efforts – for example, direct mail marketing (code 3), telephone solicitation (code 4), or solicitation by subsidiaries (code 7).
The customer is ultimately to be asked to sign the appropriate application form, which includes an acknowledgement of receipt of the companion booklet and an agreement to be bound by the terms and conditions of the Privacy Agreement it contains. On signing the application form, if the customer has not indicated preferences otherwise, he or she is assumed to concur with the Privacy Agreement. It should be noted, however, that Scotiabank’s application forms do not themselves display any explicit terms or conditions related to the collection, use, or disclosure of personal information. Nor do customers themselves receive any record of having considered or indicated preferences during the application process.
In order to open an account, a new Scotiabank customer must visit a branch in person, but an existing customer may open a new account electronically. In the latter event, on-line application forms provide the customer with links to companion materials as well as to all of the bank’s privacy-related information products, including the 21-page Privacy Code. These electronic forms have a “Terms and Conditions” section, which reads in part, “By clicking ‘I agree’, you agree to the terms and conditions of the … Account Agreement, as well as the Terms and Conditions of the Scotiabank Group Privacy Agreement…”. At this point, another link to the Privacy Agreement is provided. The customer indicates consent by clicking on the “I agree” icon.
As to the contents of the relevant privacy-related materials, the privacy brochure informs the reader that, with consent and where the law allows, a Scotiabank Group Member may share personal information, other than health information, with other Scotiabank Group Members so that they may tell customers directly about their services. The brochure does not indicate what organizations or types of organizations belong to the Scotiabank Group. On the subject of personal information collected, the brochure states:
“To the best of our ability [emphasis added], we will seek your prior consent to verify and supplement it with external sources such as credit or other bureaus or employers.” On the subject of opting out, the brochure does explain with reasonable clarity the circumstances in which customers may exercise the right to refuse or withdraw consent. However, the only reference to a procedure for opting out consists in a suggestion that customers should make the necessary arrangements with the appropriate branch or office. The brochure also warns that, if a customer refuses or withdraws consent to the collection, use, or disclosure of information, the bank may not be able to provide some products, services, or information of value to the customer, although it clarifies that products or services will not be unreasonably withheld.
The Privacy Agreement is more specific than the brochure about the purposes for which personal information is collected and about the situations and manner in which it may be used and disclosed within the Scotiabank Group. The Agreement does not list specific organizations belonging to the group, but does list the types of organizations involved in terms of the services they provide – for example, companies engaged in deposits, loans and other personal financial services, in trust and custodial services, in insurance services, et cetera. The Agreement also contains a footnote to the effect that the Scotiabank Group means collectively Scotiabank and its Canadian subsidiaries and that a current list of domestic subsidiaries may be obtained from any group member’s branch or office. Moreover, Scotiabank affirms that it instructs front-line staff to provide a copy of this list on request to any customer who wants to know to what specific companies the bank may disclose information for marketing purposes.
In a three-paragraph section headed “Refusing or Withdrawing Consent”, the Privacy Agreement spells out even more clearly than the brochure the customer’s right to opt out of the bank’s collection, use, and disclosure of personal information. Notably, this section specifies as follows: “You can tell us any time to stop using information about you to market our products and services or to stop sharing information with other Scotiabank Group members.” However, the Agreement suggests only that the customer should “contact” a branch or office in order to refuse or withdraw consent. It also uses identical wording to that of the brochure to warn that the bank may not be able to provide some products, services, or information of value if a customer refuses or withdraws consent.
As I have mentioned, Scotiabank’s privacy brochure and Privacy Agreement, as a matter of policy, are issued directly to new or established customers who apply in person for products or services. These information products, along with the Privacy Code, are also made easily available by means of electronic linkage to established customers who apply for new products and services on line.
But the question arises, what about long-established customers who have not opened a new account in some time and therefore would not have had the current privacy brochure and Privacy Agreement personally issued to them? How would such customers be deemed to have consented to such information disclosures as are set out in these documents?
In response to this question, Scotiabank has pointed out that, although its current Privacy Agreement dates from the introduction of the Act on January 1, 2001, there was an earlier version that came into effect in May 1997 and was issued to customers on opening new accounts. Before then, and as far back as October 1992, the bank relied upon consent clauses incorporated in application forms. Our investigation has revealed that these prior consent clauses and the earlier version of the Privacy Agreement were much more broadly stated than the bank’s current information products and did not give any indication that customers could refuse or withdraw consent to disclosures of personal information for secondary purposes.
Scotiabank has pointed out that the number of longstanding customers who have never obtained a new product or service and received a Privacy Agreement in the process would be very small. The bank has also stressed the wide availability of its current privacy-related information products and suggested that any such customer who was interested in the bank’s privacy policies could have easily obtained any of these products from a local branch or from the website.
In your complaint, you suggested that Scotiabank should provide a 1-800 number as an easy, low-cost means for customers to withdraw consent instead of requiring them to “contact” a branch. In response, the bank has noted that it does not actually require the customer to visit the branch, but rather has always meant “contact” to include the option of phoning in or e-mailing. It has also noted that it does in fact already provide a 1-800 number for customer use. Nevertheless, the bank has acknowledged that the brochure and Privacy Agreement do not make explicit reference to telephone or e-mail, and do not advertise the existing 1-800 number, as specific means of withdrawing consent. The bank has found your suggestion to be reasonable, and has agreed to clarify in the next reprint of its privacy materials that customers may withdraw consent by using the 1-800 number, by telephoning a branch, or by e-mail.
Scotiabank has also acknowledged that customers may find its use of the phrase “to the best of our ability” confusing in the context of seeking consent. The bank has agreed to clarify this point, too, in future reprints of privacy materials.
Despite these concessions, however, Scotiabank has taken the position that its privacy communications materials, notably the brochure and the Privacy Agreement, collectively represent a reasonable effort, in accordance with Principle 4.3.2 of Schedule 1 to the Act, to bring to customers’ attention both the bank’s intended disclosures of personal information for secondary marketing purposes and the individual customer’s right to refuse or withdraw consent to such purposes. On this basis, the bank contends that it does obtain valid informed consent from its customers.
On the basis of these facts, I am required to determine whether Scotiabank is in compliance with Principles 4.3 and 4.3.2 of Schedule 1 to the Act. In this case, where the central issue is that of consent, I am also obliged to take due account of Principle 4.3.5 in my deliberations.
Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.3.2 stresses that knowledge is required as well as consent and states that organizations must make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used; it further stipulates that, for consent to be meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed. Principle 4.3.5 states that, in obtaining consent, the reasonable expectations of the individual are relevant.
Allow me to say firstly that I consider your expectations regarding consent, as you have expressed them in your submission, to be entirely reasonable and in keeping with the Act. Notably, Principle 4.3.2 clearly supports the expectation that consent be based on purposes stated in clear, plain language understandable to the ordinary consumer and in adequate detail for the consumer to appreciate the nature and extent of the collections, uses, and disclosures contemplated. Furthermore, where consent regarding personal information is being sought, I consider it reasonable for the individual to expect not to have to read fine print or search for information in a document that is not immediately at hand. Finally, where consent to optional secondary purposes is presented as a condition for supply of the primary product or service, I consider it only reasonable for the individual to expect to be provided with a convenient opting-out procedure that can be executed easily, immediately, and inexpensively.
The question is, does Scotiabank meet these reasonable expectations? On review of the communications materials in question and the bank’s official process for obtaining consent, I am on the whole satisfied that Scotiabank does meet these reasonable expectations.
In the first place, notwithstanding a certain ambiguity of expression (which the bank has readily agreed to clarify) and the absence of a 1-800 number assigned explicitly to the purpose of withdrawing consent (an omission which the bank has readily agreed to redress), I am satisfied that Scotiabank does in fact provide customers with an easy, immediate, and inexpensive opting-out procedure in the form of telephone or e-mail access to local branches.
Secondly, it is clear that the bank does not rely upon fine print or documents not immediately at hand.
Thirdly, all things considered, I am of the view that the language of the bank’s communications materials, especially that of the Privacy Agreement itself, does convey to individuals in a reasonably understandable manner how their personal information will be used or disclosed. Although in your complaint you raised some valid concerns about Scotiabank’s privacy brochure in particular, in my view these concerns, when considered in the context of the bank’s communications materials collectively and its policy on matters of consent generally, do not amount to a contravention of Principle 4.3.2.
For example, you have quite correctly pointed out that the brochure does not identify the members of the Scotiabank Group. However, I accept that in cases where membership is changeable it is sometimes impractical to provide an exhaustive listing of current members in a standing privacy document. I am mindful, too, that the document of primary interest in this case is not the brochure, but rather the Privacy Agreement, which does at least make the effort to inform customers of the types of organizations involved in the Scotiabank Group. Scotiabank is quite prepared to provide a list of its group’s current membership to any customer curious enough to ask for one.
All in all, I have found the process of consent to be as important a consideration in this case as the consent-related documentation at issue. In particular, I am favourably impressed with Scotiabank’s policy of personally bringing optional secondary purposes to the attention of customers, presenting these purposes in terms of preferences for consideration, and in effect guiding them through an opt-out procedure on the spot. Provided that this policy was confirmed to be consistently applied and was extended somehow to the realm of on-line applications for products or services, I would be very much inclined to recommend it as an exemplary method of obtaining consent, very much akin to the “opt-in” form of consent that you favour.
In sum, I have determined that the communications materials and the process in question do constitute a reasonable effort on Scotiabank’s part to ensure that the individual is advised of the secondary purposes for which personal information will be used or disclosed, and do thus serve as a valid basis for knowledge and consent. I find therefore that the bank is in compliance with Principles 4.3.5, 4.3.2 and 4.3 of Schedule 1 to the Act.
Accordingly, I conclude that your complaint against Scotiabank is not well-founded.
Nevertheless, since our investigation has confirmed that the bank’s consent procedures could be improved in certain ways, I make the following recommendations as best practices:
- Scotiabank should take steps to implement the proposed modifications to its procedure for withdrawing consent and to all references to that procedure in its privacy communications materials.
- Scotiabank should take steps to implement the proposed clarification of the phrase, “To the best of our ability,” at every instance in its privacy communications materials.
- In all instances of the warning to the effect that withdrawal of consent may result in withholding of products, services, or information, Scotiabank should clarify its meaning, with particular emphasis on identifying the products, services, or information in question.
- Scotiabank should modify its hard-copy and on-line application forms for products and services so as to directly indicate conditions relating to the collection, use, or disclosure of personal information and to include a record, copiable to the customer, of indicated preferences in respect of secondary marketing purposes.
- As occasion arises to have business contact with any customer of long standing to whom the current privacy brochure and Privacy Agreement have never been directly issued, Scotiabank should take such occasion to provide these documents to the customer.
Now that you have my report, I must inform you that, pursuant to section 14 of the Act, you have the legal right to apply to the Federal Court, Trial Division, for a hearing in respect of any matter that you complained about or that I have dealt with in my report, and that is referred to in clause 4.1.3, 4.2, 4.3.3, 4.4, 4.6, 4.7 or 4.8 of Schedule 1, in clause 4.3, 4.5 or 4.9 of the Schedule as modified or clarified by the Act, in subsection 5(3), or 8(6) or (7) or in section 10.
Should you wish to proceed to the Court, we suggest you contact the Trial Division of the Court office nearest you. It is located at the Supreme Court Building, Kent & Wellington, Ottawa, Ontario, K1A 0H9, telephone (613) 992-4238. Normally, an application must be made within 45 days of the date of this letter.
You should also be aware that the Court has discretion to order that the costs of the other party be paid by you where the Court is of the view that this is appropriate. While this does not happen often, it is a possibility of which you should be aware. Conversely, the Court may order that your costs be paid where the Court finds that your application raises an important new principle.
This concludes the investigation of your complaint. If you have any questions or comments about the disposition of the complaint, I would invite you to contact Mr. Gerald Neary, Director General of Investigations, at 1-800-282-1376.