Several recent privacy decisions in Canada illustrate good and bad aspects of operating under a comprehensive privacy law. If you do business with Canadians, pay attention.
The first decision came from the Alberta information and privacy commissioner in August. The case involved a tire store that required a customer returning a purchase to let the store record the customer’s driver’s license number. The complainant did not object to providing a name, address or telephone number, so the controversy focused solely on the license number.
Alberta law provides that an organization may collect personal information only for reasonable purposes and only to the extent that the collection is reasonable for meeting the purposes of collection. It also provides that an organization may not, as a condition of supplying a product or service, require an individual to consent to the collection, use or disclosure of personal information beyond what is necessary to provide the product or service.
The law establishes a standard regulating the collection of personal information that permits routine commerce without allowing merchants to force individuals to disclose personal information unnecessarily. This simple standard probably would wipe out entire industries in the United States devoted to coercing as much personal information about individuals as possible.
The tire store argued that it needed information to prevent fraudulent returns. In the end, however, the store agreed that simply authenticating and confirming the identity of the individual returning goods would be sufficient. This made the commissioner’s decision easy. He concluded that it is reasonable in some cases to ask for photo identification to confirm identity but not to collect and retain the license number of an individual returning merchandise.
A similar decision from British Columbia’s information and privacy commissioner reached the same result about name, address and telephone number. The British Columbia case also concluded that an organization may not require individuals to provide personal information for the purpose of customer satisfaction follow-up.
I want to compare these two decisions with one that came from Canada’s privacy commissioner in April. In the federal case, an individual complained when his bank refused to let him opt out of receiving marketing materials included in a credit card bill. Statement stuffers advertised products and services offered by the bank in conjunction with other organizations.
The federal law is similar to the Alberta law described above. It prevents an organization from conditioning the supply of a product or service on the collection, use or disclosure of information beyond that required to fulfill the “explicitly specified” and “legitimate purposes” of the activity.
The bank defended its activity with several arguments. The most interesting was that providing a generic, non-personalized, identical message to every customer with a bill should not be considered a use of the customer’s personal information. For comparable activities in the United States, companies sometimes select bill inserts based on personal characteristics. That would make the “generic message” argument impossible.
The privacy commissioner rejected the argument anyhow, concluding that the company still used the customer’s personal information. The purpose of inserts is marketing, and that purpose is secondary to the reasons for which the complainant initially gave personal information – namely, to receive a credit card.
The bank was told that it should implement a means by which customers might withdraw consent to secondary marketing inserts in bank statements. However, no customer could withdraw consent for any information that the bank was mandated by law to send. The decision indicated that the bank decided to offer an opt out for marketing.
What do I think of these decisions? I like that there is a way for consumers to complain about possible violations of privacy law. The main U.S. agency that handles consumer complaints – the Federal Trade Commission – mostly ignores consumers. No U.S. consumer likely would get any response to a privacy complaint sent to the FTC, let alone a favorable ruling.
Substantively, I think that the first decision preventing the collection of unnecessary personal information is good. Consumers are bombarded with commercial demands for personal information unnecessary for transactions. What some companies cannot collect directly, they try to obtain surreptitiously through cookies, spyware and other devices. Consumers need stronger protection against voracious, unreasonable and unnecessary data collection activities.
I take a much dimmer view, however, of the marketing insert decision. The Canadian privacy commissioner’s office is certainly entitled to its view of its law. But I find that the result trivializes privacy. An insert in an envelope being sent anyway is perhaps the most minimal of privacy intrusions, especially when the insert is not based on personal characteristics. I can’t help but wonder whether the same result would have occurred if the insert were a public service announcement.
A separate mailing or an e-mail message from the bank would justify the office’s decision. People find mail and spam sufficiently offensive to be noteworthy. However, I have never heard anyone complain about an insert. My guess is that few people will use the opt out.
I am all for reasonable privacy rules, but there need to be limits. There are enough real privacy intrusions that we don’t need to worry about incidental, non-personally based activities.