Privacy Commissioner
Commissaire a la protection of Canada de la vie privee du Canada
112, rue Kent Ottawa (Ontario) K1A1H3
Tel.:(613) 995-8210 Telec.: (613) 947-6850 1-800-282-1376
www.privcom.gc.ca
File: 6100-0217
Ms Philippa Lawson
Public Interest Advocacy Centre
1 Nicholas Street, Suite 1204
Ottawa, ON K1 N 7B7
Dear Ms Lawson:
This letter constitutes my report of findings with regard to the complaint you filed against Bell ExpressVu under the Personal Information Protection and Electronic
Documents Act (the Act). In your complaint, you made reference to Principle 4.3 (Consent) of Schedule 1 to the Act and alleged that Bell ExpressVu was not obtaining informed consent from individuals for the collection, use, or disclosure of personal information for secondary marketing purposes. Specifically, you alleged that Bell ExpressVu was not bringing to the attention of its customers (a) its policy of sharing customer data with other Bell Canada affiliates for secondary marketing purposes and (b) the corresponding opportunity for customers to opt-out of such sharing.
I have determined, first of all, that the subject matter of your complaint does fall within my jurisdiction under the Act. As of January 1, 2001, the Act applies to any federal work, undertaking, or business. By operation of constitutional law, any telecommunications company, such as Bell ExpressVu, is a federal work, undertaking, or business. On this basis, therefore, I was required under section 12 of the Act to accept and investigate your complaint.
You initially filed a complaint against Bell Canada. Some weeks later, you clarified to my Office that you had intended your complaint to apply to the information practices of Bell Canada’s affiliates as well. You may have assumed that Bell’s affiliates formed part of the Bell corporate entity. Bell’s affiliates are in fact separate corporate entities; moreover, only three of them are federal works, undertakings, or businesses subject to the Act. A separate complaint file has been opened for each of these three Bell affiliates that fall under my jurisdiction. Bell ExpressVu is one of the three.
I have also determined from the facts of the case that the information at issue is personal information for purposes of the Act. Section 2 of the Act defines personal information to be ”…information about an identifiable individual…”. It is clear from the wording of your complaint that your concern is information about Bell ExpressVu’s customers as identifiable individuals.
Before I provide you with my other findings, let me first outline the facts obtained in the course of my Office’s investigation.
You have filed similar complaints against several organizations. For all of these complaints, you have formulated a general position, in support of which you have submitted a market research survey conducted by EKOS Research Associates Inc. I summarize your position as follows:

  • It is always appropriate to ensure the individual’s knowledge and consent in respect of secondary marketing purposes.
  • There is a clear difference, however, between marketers and the marketed on the issue of what form of consent is appropriate – that is, express consent versus implied consent.
  • Companies often appear to take the view that a customer’s consent to secondary marketing can be taken as implied provided that the policy in question is stated in some document that is accessible to the customer. However, companies have an obligation not merely to state purposes in a policy document, but also to bring to the attention of the individual customer the practices in question and the negative option attached.
  • Companies commonly fall short of meeting this obligation in several ways:
    • reliance on a document not provided to the individual customer, but rather left up to the customer to find on his or her own initiative;
    • reliance on fine print buried in a long document;
    • failure to use clear, plain language understandable to the ordinary consumer;
    • failure to provide customers with adequately detailed information about the extent and purpose of contemplated uses and sharing of their personal information; and
    • failure to provide an easily executable opting-out procedure.
  • The EKOS marketing survey shows a preference for opt-in versus opt-out consent among a clear majority of respondents. Opt-out consent is considered acceptable only under conditions where the opting-out provision is brought to the customer’s attention, is clearly worded and sufficiently detailed, and is easy to execute.

Bell ExpressVu readily acknowledges that it does disclose customers’ personal information for marketing purposes to Bell Mobility, another Bell Canada affiliate that is subject to the Act. The information in question comprises contact data (i.e., name, mailing address, home and work telephone numbers, e-mail address), as well as indications of services or products purchased, average monthly billing, credit records, and complaint records. Bell ExpressVu’s disclosure of such information to Bell Mobility is limited at present, but is expected to increase in the future.
Bell ExpressVu also acknowledges that it does not itself actively seek, at the time an individual customer purchases a product or subscribes to a service, consent to disclosure of the customer’s personal information to Bell Mobility. Rather, like other Bell Canada affiliates, Bell ExpressVu relies upon the notion of “implied consent” as explained in Bell Canada’s privacy code, the “Bell Code of Fair Information Practices”. Bell ExpressVu and its sister affiliates have adopted as their own the parent company’s privacy policy and practices, as set out mainly in two documents – the 17-page Bell Code and the 9-page “Bell Customer Privacy Policy”.
The Bell Code defines implied consent as “consent that can reasonably be inferred from an individual’s action or inaction.” Clause 3.7 of the Code states as follows:
In general, the use of products and services by a customer… constitutes implied consent for the Bell companies to collect, use and disclose personal information for all identified purposes.
As far as the exchange with Bell Mobility in particular is concerned, Bell ExpressVu takes clause 3.7 to mean that, if a customer obtains a product or service at Bell ExpressVu, he or she implicitly consents to having personal information disclosed to Bell Mobility.
The Code does identify the “Bell companies” in question and sets out five general purposes for their collection of personal information, including “To develop, enhance, market or provide products and services.” However, the Code does not indicate that this or any other of the purposes applies specifically to disclosures of information between Bell companies and indeed does not specify that the companies disclose customers’ personal information to one another. On being asked to explain this omission, Bell Canada maintained that such disclosure is implicit in the treatment of the Bell companies collectively as a single organization for the purpose of the Code.
Bell Canada’s Privacy Policy does assign a purpose specifically to disclosures of personal information between Bell Companies, as follows:
The purpose for sharing information among the Bell companies is to help us identify your information, communication and entertainment needs, and provide you with relevant information, advice, and solutions.
It is to be noted, however, that this purpose is not identical with any of the five stated in the Bell Code. It seems closest in meaning to “To develop, enhance, market or provide products and services”, but the verb “market” is conspicuously absent.
Bell Canada communicates its privacy policy and practices to customers through mail-outs (e.g., inserts in telephone bills), the white pages of the telephone directory, websites, and literature made available at Bell World stores. In the year 2000, a brochure entitled “The Bell Privacy Policy and You” was mailed out as a bill insert to all Bell customers.
That brochure included a notification to the effect that customers who did not wish to have their personal information disclosed among Bell companies (listed in the brochure) could withdraw consent by calling Bell Canada at the number shown on bills or electronically via Bell’s various websites. The brochure also stated that customers could view or obtain copies of the Bell Code and Privacy Policy by the same means.
Bell Canada’s white-pages telephone directory likewise informs customers that, if they wish to view or obtain a copy of the Bell Code or Privacy Policy, or if they have concerns about their privacy, they may contact one of the Bell websites or call the number on their telephone bill. However, the directory does not indicate any method or possibility of opting-out of information disclosures among the Bell companies.
The Bell Canada website contains the Bell Code and Privacy Policy as well as other privacy-related information, including instructions on opting-out of information disclosure among the Bell companies and an electronic opt-out form to be used for that purpose. Bell ExpressVu’s website links back to the Bell Canada site and is thus also linked indirectly to the privacy-related information and the electronic opt-out form. However, although Bell ExpressVu accepts opt-outs from its customers via this electronic form as well as by telephone or in writing, its own website makes no direct reference to an opportunity or method of opting-out or even to the practice of sharing information with other Bell affiliates. Nor does Bell ExpressVu, in any other situation or manner, make a point of advertising these optional considerations to its customers.
Nevertheless, on the basis of the information provided in Bell Canada’s privacy-related communications materials, notably the Bell Code and Privacy Policy, Bell ExpressVu has taken the position that its own customers are duly informed, in accordance with Principle 4.3.2 of Schedule 1 to the Act, both of the purposes for which personal information will be used and disclosed, and of the opportunity for easily opting-out of the specific practice of information disclosure among affiliates. Furthermore, Bell ExpressVu contends that the disclosure of personal information among common-branded companies providing a range of related communications services is consistent with the reasonable expectations of its customers as contemplated under Principle 4.3.5.
On the basis of these facts, I am required to determine whether Bell ExpressVu is in compliance with Principles 4.2.3, 4.3, and 4.3.1 of Schedule 1 to the Act. In this case, where the central issue is consent, I am also obliged to take due account of Principle 4.3.5 in my deliberations.
Principle 4.2.3 states that identified purposes should be specified at or before the time of collection to the individual from whom the personal information is collected. Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.3.1 states, in part, that an organization will typically seek consent for the use or disclosure of the information at the time of collection. Principle 4.3.5 states that, in obtaining consent, the reasonable expectations of the individual are relevant.
I will begin by stating that I consider your expectations regarding consent, as you have expressed them in your submission, to be entirely reasonable and in keeping with the Act. First and foremost, I note that Principles 4.2.3 and 4.3.1 clearly support your expectation that an organization should not merely make policy documents generally available, but should actually bring to the attention of the individual at the time of collection its purposes for collecting, using, and disclosing personal information. When an organization collects personal information during an application, subscription, or purchasing process, it should take reasonable steps during the same process to specify to the individual, and seek the individual’s express consent for, any intended secondary uses or disclosures. It follows that the organization should be prepared to provide the individual, on the spot, with whatever information he or she may require to make a knowledgeable consent decision. In such situations, I consider it entirely reasonable, as you have suggested, for an individual to expect not to have to seek out or otherwise rely upon information that is not immediately at hand.
I also consider it only reasonable for the individual to expect to be informed, likewise during the same process, of the opportunity and a convenient method for withdrawing consent.
Finally, where an organization intends to disclose personal information that the individual is likely to consider sensitive, such as credit records and complaint records, I consider it reasonable for the individual to expect to be consulted directly and positively in the matter of consent. In such a situation, the organization should use positive or “opt-in” consent rather than the negative option.
It is obvious that, in relying wholly upon its parent company’s notion of implied consent, Bell ExpressVu does not meet the reasonable expectations described above and deemed relevant under Principle 4.3.5. At the time of collecting a customer’s personal information during a subscription or purchasing process, Bell ExpressVu does not supply the customer with information about its intention to disclose personal information to its sister affiliate Bell Mobility, to obtain the customer’s consent for such disclosure, or to notify the customer of the opportunity and method of opting-out of such disclosure. It is not reasonable for Bell ExpressVu to rely upon the presumption of the customer’s knowledge and consent on the basis of general policy documents that it has not itself brought directly to the attention of the customer.
I find therefore that Bell ExpressVu has failed to comply with Principles 4.2.3 and 4.3.1 and, having failed to meet the individual’s reasonable expectations regarding consent as deemed relevant under Principle 4.3.5, is also in contravention of Principle 4.3.
Accordingly, I conclude that your complaint is well-founded.
I am recommending that Bell ExpressVu, at the time of collecting personal information from any customer during a subscription or purchasing process, directly inform the individual customer of the purposes for which personal information is collected and seek his or her consent for intended uses and disclosures. In implementing this recommendation, Bell ExpressVu should ensure that:
(1) purposes are stated in such a manner that the customer can reasonably
understand how personal information is to be used or disclosed, in accordance with Principle 4.3.2 of Schedule 1;
(2) intended uses and disclosures are well-defined especially in respect of

  • the items or types of information to be used or disclosed;
  • the parties to which information is to be disclosed; and
  • the purposes for which information is to be disclosed (e.g., direct marketing);

(3) the customer is directly notified of the opportunity to withdraw consent to specific optional purposes (e.g., direct marketing); and
(4) the customer is provided with, and directly notified of, an easy, immediate, and inexpensive means of opting-out (e.g., a check-off box or toll-free telephone number).
I am also recommending that Bell ExpressVu, at the time of collecting personal information during a subscription or purchasing process, provide individual customers with an opt-in consent form relating specifically to disclosures to Bell Mobility and to any other party to which Bell ExpressVu intends to disclose personal information of a potentially sensitive nature, such as credit information.
Now that you have my report, I must inform you that, pursuant to section 14 of the Act, you have the legal right to apply to the Federal Court, Trial Division, for a hearing in respect of any matter that you complained about or that I have dealt with in my report, and that is referred to in clause 4.1.3, 4.2, 4.3.3, 4.4, 4.6, 4.7 or 4.8 of Schedule 1, in clause 4.3, 4.5 or 4.9 of the Schedule as modified or clarified by the Act, in subsection 5(3), or 8(6) or (7) or in section 10.
Should you wish to proceed to the Court, we suggest you contact the Trial Division of the Court office nearest you. It is located at the Supreme Court Building, Kent & Wellington, Ottawa, ON K1A OH9, telephone (613) 992-4238. Normally, an application must be made within 45 days of the date of this letter.
You should also be aware that the Court has discretion to order that the costs of the other party be paid by you where the Court is of the view that this is appropriate. While this does not happen often, it is a possibility of which you should be aware. Conversely, the Court may order that your costs be paid where the Court finds that your application raises an important new principle.
This concludes the investigation of your complaint. If you have any questions or comments about the disposition of the complaint, I would invite you to contact Mr. Gerald Neary, Director General of Investigations, at 1-800-282-1376.
Yours sincerely,
George Radwanski “Privacy Commissioner of Canada