It was a marketer’s worst nightmare, splashed across the pages of a big daily newspaper last September: the personal financial information of hundreds of Bank of Montreal customers, contained on branch computers, was potentially up for grabs on eBay for six hours.
BMO conducted an internal review, but the faux pas sent the federal privacy watchdog sniffing around the bank and left consumers and companies more aware of the sensitivity of personal information.
Financial institutions such as BMO have been subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) since January 2001 to help avoid such situations. And while privacy horror stories are rare, come January 1, 2004, all businesses that engage in commercial activities will be subject to the legislation to protect personal information that is collected, used or disclosed by organizations.
Believe it or not, there are still a number of businesses that are not currently compliant with the act’s stipulations (see ‘Privacy law: what you need to know,’ page 11). According to a survey of 36 companies conducted in October by the Retail Council of Canada, though most respondents are aware of the legislation (89%), only 61% had begun implementing privacy policies.
Still, some marketers have taken the high road by beginning work to comply with PIPEDA months, and even years, ahead of the 2004 cut-off date. In the process, they have created customer communications initiatives around their privacy policies, and instituted intensive staff training to raise awareness for privacy and build consumer trust. These are strategies that marketers who haven’t complied may want to take note of.
‘Our members have been aware of [the legislation] for some time,’ says John Gustavson, president of the Canadian Marketing Association, which helped negotiate the legislation. ‘But there are tens of thousands of companies out there we don’t think are paying any attention to this. Sometimes, marketers are saying: ‘It’s not really my responsibility…the legal department or the privacy officer [can deal with it].’ But no marketer wants to be on the front page because they haven’t been protecting their customers’ information properly.’
Increasing customer confidence has been the goal of Edmonton-based Intuit Canada in addressing privacy issues. Mitchel Gray, privacy officer at the financial products company, which owns brands such as financial management software Quicken, says it has been on top of the legislation since early 2001.
‘We’ve always been concerned about privacy,’ says Gray. ‘[We approached the privacy issue] by starting with the customer and not with the legislation. If it [were to come out that we lost information], it would have an impact on how customers view us.’
Gray says the process ultimately began with an analysis of the legislation to see what needed to be done and then a comparison with the company’s existing policies on privacy. The last step was writing up a new privacy policy, which Gray says is the linchpin from which everything radiates. ‘It is a lot more comprehensive and addresses all of the questions the legislation poses. For example, I don’t know if [before] we were telling customers what we were doing with encryption,’ says Gray. ‘The policy explicitly laid it out.’
The end of the process encompassed staff training to ensure that all employees are on the same page, should customers contact them seeking information on privacy practices. A training manual for staff was developed to address related issues. All in all, it took about a year for Intuit to become compliant with the law.
Intuit’s privacy policy is now listed on its Web site (intuit.com/canada), and whenever a customer gives out personal information on the site, a synopsis of the policy is attached that summarizes why the company is seeking information. As well, a phone number and e-mail are included in case customers have more questions.
Similarly, Toronto-based online job resource Workopolis, under the direction of chief privacy officer and director of product management Laird Farquharson, became compliant with the act in January 2001.
Farquharson says action was necessary due to the nature of the job search business. ‘We deal with folks’ resumés, and the resumé is a sensitive document with a ton of information about an individual,’ he says. ‘We also handle resumés on behalf of other customers [such as banks, telcos, etc.]. Because we house personal information on behalf of them, the act did cover us.’
Workopolis sought legal guidance from Toronto-based McCarthy Tétrault LLP, conducted a review of its policies and procedures to identify sensitive areas, and then drafted a policy accordingly. As a result, there is now a footer on all of Workopolis’s Web pages informing consumers of what type of data is collected on them and how it is protected and accessed by third parties.
A special policy is included on the accessibility of resumé information, and both policies are presented to users before they register on the site. Customers are asked whether they would like to receive additional information from Workopolis, with the query: ‘Can we send you news and updates about workopolis.com?’ They must opt in by checking a box, rather than opt out.
‘We would use this flag to send newsletters to our job seekers. A job seeker can [also] set up a CareerAlert via e-mail, and that is very explicit, because they are asking for the e-mail,’ says Farquharson. ‘I want to give them choice and control.’
Farquharson says the underlying benefit of the opt-in method is the trust it builds with consumers. More importantly, he says, ‘when you ask people to become part of a community, it’s much more valuable because you’re certain that everyone wants to be there.’ Workopolis sends out 300,000 e-mails daily – mostly CareerAlerts.
Cost hasn’t been much of an issue in implementing the policies and procedures, says Farquharson, since Workopolis didn’t have a lot of changes to institute. From a marketing standpoint, too, he says there haven’t been any significant changes. ‘The biggest impact is with awareness through education and training.’
BMW Group Canada has also been proactive with regard to privacy; the company began the process over a year ago, according to Kelly Lam, manager of CRM/relationship marketing for the Whitby, Ont.-based firm. An internal committee was set up and legal counsel Ian Sideco was appointed privacy officer. Meanwhile, privacy training was instituted for all of the local BMW dealers, and each has their own privacy officer.
‘We’ve also met with every department that deals with customer information to review their current practices and ensure that everything is compliant with the legislation,’ says Lam, who adds that the company also sought out organizations such as the CMA to get additional tips.
Communication of the company’s privacy practices has also been key for BMW. P-O-S materials that include BMW’s privacy policy – in the form of brochures for both the MINI and BMW brands – will be available at dealers by year end, and Lam says that any future direct-mail pieces will also include the policy.
Elizabeth McHaughton, a partner with Blake Cassels & Graydon LLP in Toronto, says it’s best for businesses to think of privacy as a continuum and to work on becoming compliant as quickly as possible. ‘The important thing is to focus on the 10 privacy principles and make sound judgments on how they apply to your organization. [And on an ongoing basis], remember to always assess any new program or marketing process plan from a privacy perspective and to build it in from the beginning.’