Wednesday, June 18, 2008

Ask the privacy lawyer: Use of contact information for marketing purposes

I've been overwhelmed by the number of questions I've received in response to "Ask the privacy lawyer". Some of them are too specific and would cross over the line between legal advice and educational. But I got this question, which is relatively generic and probably is something that many people have to deal with:

HI - In September 2007 I subscribed to a well known Canadian magazine. I did not check a box on the form saying I wanted to receive 'mail' from them. However in December 2007 I and my neighbour (whose subscription to the same magazine had just ended) started receiving unsolicited requests for magazine subscripts at a rate of about 1 a week. I knew where the subscription was coming from since they mispelled my name on all the subscriptions in the same way.

I've emailed the magazine and the company responsible for these bulk mailings and have been told they 'occasionally send mailings we think our customs will enjoy' although that's only if you check the box requesting that 'service'.

They tell me the mailings will stop soon - but they haven't and now the mailing have my correctly spelled name.

I know there is a lot of work being done with SPAM laws and no phone anti-telemarketer laws - but is there any way I can legally stop this magazine for falsely advertising that they would to share my name and information with anyone else?

They don't seem to be taking my angry emails very seriously.

This situation sounds like a classic SNAFU, which might only take some more gentle persuasion to fix. But if one wants to take the legal route ....

The first question one has to ask is what privacy law applies. The questioner wasn't specific, so one should consider the options. This is a private sector matter, since we are not dealing with a government institution. Magazines are engaged in commercial activity, so one of the Canadian private sector laws would apply. The default would be PIPEDA, which applies to the collection, use and disclosure of personal information in the course of commercial activities except where there exists an applicable provincial law that has been declared to be "substantially similar" to PIPEDA. The substantially similar laws are the Personal Information Protection Act (Alberta), the Personal Information Protection Act (British Columbia) and An Act Respecting the Protection of Personal Information in the Private Sector (Quebec). The PIPAs of Alberta and BC are very similar to PIPEDA and are built on the same foundation.

For the purposes of considering this question, I'll assume that PIPEDA applies. PIPEDA requires the knowledge and consent of all individuals for all collection, use and disclosure of personal information. Importantly, an organization cannot require an individual to consent to uses that are not necessary.

4.3.3 - An organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes.

Privacy lawyers often refer to marketing as "secondary purposes" as they are secondary to the original purpose for the collection, use and disclosure of personal information (which, in this case, would be sending a subscriber the magazine and for billing purposes). There is some debate as to whether "opt in" or "opt out" is sufficient for these secondary purposes.

In any event, consent ,if previously granted, may be withdrawn:

4.3.8 - An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. The organization shall inform the individual of the implications of such withdrawal.

Even if an individual had previously consented to the use of personal information for marketing purposes, this consent can be withdrawn "subject to legal or contractual restrictions and reasonable notice". Assuming there is no such impediment, a subscriber should be able to tell a magazine publisher that he or she no longer wishes to receive marketing materials or to have personal information disclosed to other publishers. This is consistent with the Commissioner's finding in Summary #308:

Commissioner's Findings - PIPEDA Case Summary #308: Opting-out of marketing inserts in account statements - April 7, 2005

"The Assistant Commissioner therefore determined that by not providing a means of withdrawing consent to secondary marketing, the bank was requiring the complainant to consent to a use of his personal information beyond that required to fulfil the purpose of servicing his credit card account, in contravention of Principles 4.3.3 and 4.3.8 of Schedule 1."

So what recourse does an indvidual have? He or she can complain to the Office of the Privacy Commissioner, who will investigate and hopefully persuade the publisher to change their practices. If they do not comply, the individual or the Commissioner can take the matter to the Federal Court.

1 comment:

Anonymous said...

Thanks for the detail