Privacy law: what you need to know

This is a pivotal time for marketers, particularly direct marketers. The federal privacy legislation, known formally as the Personal Information Protection and Electronic Documents Act and affectionately as PIPEDA, will soon affect whether, and how, direct marketers can talk to customers and potential customers.

PIPEDA is designed to protect personal information that is collected, used or disclosed by organizations in the course of commercial activities (in essence, the territory of direct marketers). Its fundamental premise is that organizations must first obtain the consent of an individual before personal information is collected, used or disclosed.

The legislation only applies to personal information, which is defined as information about an identifiable individual but does not include the name, title, business address or business telephone number of an employee of an organization (i.e. business card information). Nor do you need to worry about consumer statistics and aggregate data that have been stripped of personal identifiers: once no individual can be identified from the data, it is not personal information and falls outside PIPEDA.

The final stage of PIPEDA’s tiered implementation begins on Jan. 1, although the law initially came into force three years ago, primarily in respect of federal undertakings, such as airlines, telephone and cable companies and banks. As of this coming Jan. 1, it will affect organizations throughout Canada, except for those situated in provinces that have enacted substantially similar legislation. (So far, only Quebec’s legislation has been deemed to meet that threshold, although B.C. and Alberta both have legislation that comes into force on Jan. 1 as well, which adds another level of confusion for marketers in those provinces.)

To better understand the scope of the Act, I will run through the 10 principles incorporated as part of PIPEDA, which explain how the legislation is meant to be interpreted.

1. Accountability. Every organization is responsible for the personal information that it retains and must designate someone who is responsible for compliance with the legislation.

2. Identifying Purposes. At or before the time of collection of personal information, you must clearly set out the purposes for which the information is being collected.

3. Consent. This is the most essential, and least clear, requirement of the legislation. The knowledge and consent of the individual are required for the collection, use and disclosure of their personal information, except where inappropriate.

The consent must be informed; therefore, the person providing the consent must know what uses the organization will make of his/her information. The principles provide that consent can either be express or implied, depending on the nature and sensitivity of the information. The biggest question for marketers is whether implied consent is appropriate or if express consent is required.

The expectations of a reasonable person are supposed to be taken into consideration when assessing what type of consent is required. For instance, if a person has a magazine subscription there is implied consent to allow the magazine publisher to contact the person to solicit a magazine renewal. On the other hand, health-related information will almost always be considered sensitive, requiring express consent.

A major issue for consideration, and debate, is what exactly constitutes express consent? Can the consent be negative consent (opt-out) or does it have to be by way of positive consent (opt-in)? In my view, negative express consent will often be sufficient. But, this advice will quickly change if the nature of the personal information is sensitive (usually more than name and contact information) or if you share the information with third parties.

The Privacy Commissioner’s position appears to be that if a company collects personal information for use in a contest or from individuals who request information from a company, such information – a name, address, telephone number and/or e-mail address – will likely not be considered sensitive information. In those cases, it is likely that negative express consent is sufficient. But, if the information includes financial information, opt-in consent would be required.

The rules seem to change where personal information (even merely contact information) is shared with unrelated third parties. In those cases, the organization must tell the individual, at the point of collection, what information is being shared with third parties and a list of the organizations (or at least the type of organizations) to which the information is disclosed. The Commissioner has even required an organization to set up a toll-free number to provide customers with an easy mechanism to withdraw consent. I worry that this standard might be applied to all companies that share personal information.

Another twist to the consent issue is the age of the consumer. The Canadian Marketing Association has published specific guidelines, available on its Web site, that address how consent can be collected from minors (specifically teenagers) and in what circumstances parental consent is needed. Rumour has it that the Privacy Commissioner has agreed that these CMA guidelines are appropriate.

4. Limiting Collection. You can only collect the amount of personal information that is required for the identified purposes, and the collection must be by fair and lawful means.

5. Limiting Use, Disclosure and Retention. If you wish to use the personal information for purposes other than those identified, you will have to seek additional consent. In addition, you can only retain the personal information as long as is necessary to fulfill the purposes.

6. Accuracy. You must keep the information collected as accurate, complete and current as possible for the identified purposes.

7. Safeguards. You must make sure that protection and security are in place to ensure the safe keeping of the personal information, whether through physical, organizational or technological measures. Security measures must be appropriate to the sensitivity of the information. For example, credit card information must be more rigorously secured than e-mail addresses.

8. Openness. Your policies relating to the management of personal information must be accessible and available. I recommend that each organization have a formal privacy policy available on its Web site.

9. Individual Access. Individuals must be given access to their personal information that your organization holds. In addition, they must be able to correct any inaccuracies in the information (this is particularly important where you hold personal information that can affect an individual’s credit rating).

10. Challenging Compliance. The practices of an organization can be challenged by an individual. Note that while the Office of the Privacy Commissioner of Canada works primarily on the basis of responding to individual complaints, it also has the right to investigate the practices of organizations on its own initiative or conduct an audit.

Unfortunately, the law has no grandfathering provision, which means that even though you have a relationship with a client that existed prior to Jan. 1/04, you cannot continue using or disclosing their personal information without the individuals’ consent. In certain circumstances their consent may be implied. But, to avoid any possible confusion, you should move quickly to ensure that consent exists for any future use and retention of personal information.

This area of law is very situation specific and this column is only meant to provide an overview of the basic expectations that arise under PIPEDA. Please talk to your lawyer to ensure that your processes relating to personal information are in compliance with the law.

For more on how marketers are complying with PIPEDA, see ‘Privacy: Are you ready?’ page 9.

Shelley Samel is an advertising and marketing lawyer at Gowling Lafleur Henderson LLP in Toronto. She can be reached at shelley.samel@gowlings.com.