Commissaire a la protection of Canada de la vie privee du Canada
112, rue Kent Ottawa (Ontario) K1A1H3
Tel.:(613) 995-8210 Telec.: (613) 947-6850 1-800-282-1376
Ms Philippa Lawson
Public Interest Advocacy Centre
1 Nicholas Street, Suite 1204
Ottawa, ON K1 N 7B7
Dear Ms Lawson:
This letter constitutes my report of findings with regard to the complaint you filed against Bell ExpressVu under the Personal Information Protection and Electronic
Documents Act (the Act). In your complaint, you made reference to Principle 4.3 (Consent) of Schedule 1 to the Act and alleged that Bell ExpressVu was not obtaining informed consent from individuals for the collection, use, or disclosure of personal information for secondary marketing purposes. Specifically, you alleged that Bell ExpressVu was not bringing to the attention of its customers (a) its policy of sharing customer data with other Bell Canada affiliates for secondary marketing purposes and (b) the corresponding opportunity for customers to opt-out of such sharing.
I have determined, first of all, that the subject matter of your complaint does fall within my jurisdiction under the Act. As of January 1, 2001, the Act applies to any federal work, undertaking, or business. By operation of constitutional law, any telecommunications company, such as Bell ExpressVu, is a federal work, undertaking, or business. On this basis, therefore, I was required under section 12 of the Act to accept and investigate your complaint.
You initially filed a complaint against Bell Canada. Some weeks later, you clarified to my Office that you had intended your complaint to apply to the information practices of Bell Canada’s affiliates as well. You may have assumed that Bell’s affiliates formed part of the Bell corporate entity. Bell’s affiliates are in fact separate corporate entities; moreover, only three of them are federal works, undertakings, or businesses subject to the Act. A separate complaint file has been opened for each of these three Bell affiliates that fall under my jurisdiction. Bell ExpressVu is one of the three.
I have also determined from the facts of the case that the information at issue is personal information for purposes of the Act. Section 2 of the Act defines personal information to be ”…information about an identifiable individual…”. It is clear from the wording of your complaint that your concern is information about Bell ExpressVu’s customers as identifiable individuals.
Before I provide you with my other findings, let me first outline the facts obtained in the course of my Office’s investigation.
You have filed similar complaints against several organizations. For all of these complaints, you have formulated a general position, in support of which you have submitted a market research survey conducted by EKOS Research Associates Inc. I summarize your position as follows:
- It is always appropriate to ensure the individual’s knowledge and consent in respect of secondary marketing purposes.
- There is a clear difference, however, between marketers and the marketed on the issue of what form of consent is appropriate – that is, express consent versus implied consent.
- Companies often appear to take the view that a customer’s consent to secondary marketing can be taken as implied provided that the policy in question is stated in some document that is accessible to the customer. However, companies have an obligation not merely to state purposes in a policy document, but also to bring to the attention of the individual customer the practices in question and the negative option attached.
- Companies commonly fall short of meeting this obligation in several ways:
- reliance on a document not provided to the individual customer, but rather left up to the customer to find on his or her own initiative;
- reliance on fine print buried in a long document;
- failure to use clear, plain language understandable to the ordinary consumer;
- failure to provide customers with adequately detailed information about the extent and purpose of contemplated uses and sharing of their personal information; and
- failure to provide an easily executable opting-out procedure.
- The EKOS marketing survey shows a preference for opt-in versus opt-out consent among a clear majority of respondents. Opt-out consent is considered acceptable only under conditions where the opting-out provision is brought to the customer’s attention, is clearly worded and sufficiently detailed, and is easy to execute.
Bell ExpressVu readily acknowledges that it does disclose customers’ personal information for marketing purposes to Bell Mobility, another Bell Canada affiliate that is subject to the Act. The information in question comprises contact data (i.e., name, mailing address, home and work telephone numbers, e-mail address), as well as indications of services or products purchased, average monthly billing, credit records, and complaint records. Bell ExpressVu’s disclosure of such information to Bell Mobility is limited at present, but is expected to increase in the future.
The Bell Code defines implied consent as “consent that can reasonably be inferred from an individual’s action or inaction.” Clause 3.7 of the Code states as follows:
In general, the use of products and services by a customer… constitutes implied consent for the Bell companies to collect, use and disclose personal information for all identified purposes.
As far as the exchange with Bell Mobility in particular is concerned, Bell ExpressVu takes clause 3.7 to mean that, if a customer obtains a product or service at Bell ExpressVu, he or she implicitly consents to having personal information disclosed to Bell Mobility.
The Code does identify the “Bell companies” in question and sets out five general purposes for their collection of personal information, including “To develop, enhance, market or provide products and services.” However, the Code does not indicate that this or any other of the purposes applies specifically to disclosures of information between Bell companies and indeed does not specify that the companies disclose customers’ personal information to one another. On being asked to explain this omission, Bell Canada maintained that such disclosure is implicit in the treatment of the Bell companies collectively as a single organization for the purpose of the Code.
The purpose for sharing information among the Bell companies is to help us identify your information, communication and entertainment needs, and provide you with relevant information, advice, and solutions.
It is to be noted, however, that this purpose is not identical with any of the five stated in the Bell Code. It seems closest in meaning to “To develop, enhance, market or provide products and services”, but the verb “market” is conspicuously absent.
On the basis of these facts, I am required to determine whether Bell ExpressVu is in compliance with Principles 4.2.3, 4.3, and 4.3.1 of Schedule 1 to the Act. In this case, where the central issue is consent, I am also obliged to take due account of Principle 4.3.5 in my deliberations.
Principle 4.2.3 states that identified purposes should be specified at or before the time of collection to the individual from whom the personal information is collected. Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.3.1 states, in part, that an organization will typically seek consent for the use or disclosure of the information at the time of collection. Principle 4.3.5 states that, in obtaining consent, the reasonable expectations of the individual are relevant.
I will begin by stating that I consider your expectations regarding consent, as you have expressed them in your submission, to be entirely reasonable and in keeping with the Act. First and foremost, I note that Principles 4.2.3 and 4.3.1 clearly support your expectation that an organization should not merely make policy documents generally available, but should actually bring to the attention of the individual at the time of collection its purposes for collecting, using, and disclosing personal information. When an organization collects personal information during an application, subscription, or purchasing process, it should take reasonable steps during the same process to specify to the individual, and seek the individual’s express consent for, any intended secondary uses or disclosures. It follows that the organization should be prepared to provide the individual, on the spot, with whatever information he or she may require to make a knowledgeable consent decision. In such situations, I consider it entirely reasonable, as you have suggested, for an individual to expect not to have to seek out or otherwise rely upon information that is not immediately at hand.
I also consider it only reasonable for the individual to expect to be informed, likewise during the same process, of the opportunity and a convenient method for withdrawing consent.
Finally, where an organization intends to disclose personal information that the individual is likely to consider sensitive, such as credit records and complaint records, I consider it reasonable for the individual to expect to be consulted directly and positively in the matter of consent. In such a situation, the organization should use positive or “opt-in” consent rather than the negative option.
It is obvious that, in relying wholly upon its parent company’s notion of implied consent, Bell ExpressVu does not meet the reasonable expectations described above and deemed relevant under Principle 4.3.5. At the time of collecting a customer’s personal information during a subscription or purchasing process, Bell ExpressVu does not supply the customer with information about its intention to disclose personal information to its sister affiliate Bell Mobility, to obtain the customer’s consent for such disclosure, or to notify the customer of the opportunity and method of opting-out of such disclosure. It is not reasonable for Bell ExpressVu to rely upon the presumption of the customer’s knowledge and consent on the basis of general policy documents that it has not itself brought directly to the attention of the customer.
I find therefore that Bell ExpressVu has failed to comply with Principles 4.2.3 and 4.3.1 and, having failed to meet the individual’s reasonable expectations regarding consent as deemed relevant under Principle 4.3.5, is also in contravention of Principle 4.3.
Accordingly, I conclude that your complaint is well-founded.
I am recommending that Bell ExpressVu, at the time of collecting personal information from any customer during a subscription or purchasing process, directly inform the individual customer of the purposes for which personal information is collected and seek his or her consent for intended uses and disclosures. In implementing this recommendation, Bell ExpressVu should ensure that:
(1) purposes are stated in such a manner that the customer can reasonably
understand how personal information is to be used or disclosed, in accordance with Principle 4.3.2 of Schedule 1;
(2) intended uses and disclosures are well-defined especially in respect of
- the items or types of information to be used or disclosed;
- the parties to which information is to be disclosed; and
- the purposes for which information is to be disclosed (e.g., direct marketing);
(3) the customer is directly notified of the opportunity to withdraw consent to specific optional purposes (e.g., direct marketing); and
(4) the customer is provided with, and directly notified of, an easy, immediate, and inexpensive means of opting-out (e.g., a check-off box or toll-free telephone number).
I am also recommending that Bell ExpressVu, at the time of collecting personal information during a subscription or purchasing process, provide individual customers with an opt-in consent form relating specifically to disclosures to Bell Mobility and to any other party to which Bell ExpressVu intends to disclose personal information of a potentially sensitive nature, such as credit information.
Now that you have my report, I must inform you that, pursuant to section 14 of the Act, you have the legal right to apply to the Federal Court, Trial Division, for a hearing in respect of any matter that you complained about or that I have dealt with in my report, and that is referred to in clause 4.1.3, 4.2, 4.3.3, 4.4, 4.6, 4.7 or 4.8 of Schedule 1, in clause 4.3, 4.5 or 4.9 of the Schedule as modified or clarified by the Act, in subsection 5(3), or 8(6) or (7) or in section 10.
Should you wish to proceed to the Court, we suggest you contact the Trial Division of the Court office nearest you. It is located at the Supreme Court Building, Kent & Wellington, Ottawa, ON K1A OH9, telephone (613) 992-4238. Normally, an application must be made within 45 days of the date of this letter.
You should also be aware that the Court has discretion to order that the costs of the other party be paid by you where the Court is of the view that this is appropriate. While this does not happen often, it is a possibility of which you should be aware. Conversely, the Court may order that your costs be paid where the Court finds that your application raises an important new principle.
This concludes the investigation of your complaint. If you have any questions or comments about the disposition of the complaint, I would invite you to contact Mr. Gerald Neary, Director General of Investigations, at 1-800-282-1376.
George Radwanski “Privacy Commissioner of Canada