Privacy Commissioner of Canada / Commissaire à la protection de la vie privée du Canada
112, rue Kent
Ottawa (Ontario)
K1A 1H3
Tel.: (613) 995-8210
Telec.: (613) 947-6850
1-800-282-1376
www.privcom.gc.ca
File: 6100-0083
Ms Philippa Lawson
Public Interest Advocacy Centre
1 Nicholas Street, Suite 1204
Ottawa, ON K1N 7B7
Dear Ms Lawson:
This letter constitutes my report of findings with regard to the complaint you filed against MBNA Canada Bank (MBNA) under the Personal Information Protection and Electronic Documents Act (the Act). In your complaint received in my Office on October 18, 2001, you made reference to Principle 4.3 (Consent) of Schedule 1 to the Act and alleged that MBNA was not obtaining informed consent from individuals for the collection, use, or disclosure of personal information for secondary marketing purposes.
Specifically, you made three allegations of failure on MBNA’s part with respect to its Mastercard service: (1) failure to adequately bring to the attention of its customers its practices of using and sharing customer data for secondary marketing purposes and the opportunity for customers to opt out of such practices; (2) failure to provide full and clear information as to potential secondary uses and sharing of customer data; and (3) failure to provide customers with an opting-out method that can be executed immediately, easily, and at minimal effort and cost.
I have determined, first of all, that the subject matter of your complaint does fall within my jurisdiction under the Act. As of January 1, 2001, the Act applies to any federal work, undertaking, or business. By operation of constitutional law, any bank, such as MBNA, is a federal work, undertaking, or business. On this basis, therefore, I was required under section 12 of the Act to accept and investigate your complaint.
I have also determined from the facts of the case that the information at issue is personal information for purposes of the Act. Section 2 of the Act defines personal information to be “…information about an identifiable individual…”. It is clear from the wording of your complaint that your concern is information about MBNA’s Mastercard customers as identifiable individuals.
Before I provide you with my other findings, let me first outline the facts obtained in the course of my Office’s investigation.
You have filed similar complaints against several organizations, one of which is MBNA. For all of these complaints, you have formulated a general position, in support of which you have submitted a market research survey conducted by EKOS Research Associates Inc. I summarize your position as follows:
- It is always appropriate to ensure the individual’s knowledge and consent in respect of secondary marketing purposes.
- There is a clear difference, however, between marketers and the marketed on the issue of what form of consent is appropriate – that is, express consent versus implied consent.
- Companies often appear to take the view that a customer’s consent to secondary marketing can be taken as implied provided that the policy in question is stated in some document that is accessible to the customer. However, companies have an obligation not merely to state purposes in a policy document, but also to bring to the attention of the individual customer the practices in question and the negative option attached.
- Companies commonly fall short of meeting this obligation in several ways:
  - reliance on a document not provided to the individual customer, but rather left up to the customer to find on his or her own initiative;
  - reliance on fine print buried in a long document;
  - failure to use clear, plain language understandable to the ordinary consumer;
  - failure to provide customers with adequately detailed information about the extent and purpose of contemplated uses and sharing of their personal information; and
  - failure to provide an easily executable opting-out procedure.
- The EKOS marketing survey shows a preference for opt-in versus opt-out consent among a clear majority of respondents. Opt-out consent is considered acceptable only under conditions where the opting-out provision is brought to the customer’s attention, is clearly worded and sufficiently detailed, and is easy to execute.
In your complaint against MBNA, you have expressed the view that the bank’s Cardholder/Credit Card Agreement and its Privacy Policy Statement are particularly inadequate for purposes of the Act.
MBNA disagrees with your allegations. The bank denies, first of all, that it uses and discloses information for secondary marketing purposes or has any plans to do so. By MBNA’s own interpretation, which I presume is common among marketers, using or disclosing a customer’s personal information for “secondary marketing” would mean the outright sale (or exchange of other consideration between the parties) of the information without the customer’s knowledge and consent to a third party that was not part of MBNA’s corporate family.
MBNA maintains that, on the contrary, the products and services offered to its customers are offered either by MBNA itself or by subcontractors acting on its behalf, under its strict supervision, and with due regard for confidentiality. MBNA also insists that for any product or service, such as credit insurance, that is ultimately fulfilled through a third party, the customer’s personal information is not actually disclosed to that party until the customer has indicated that he or she wishes to purchase the product or service in question – that is, has consented to become a customer of the third party.
My Office’s investigation has confirmed that MBNA does not disclose a customer’s personal information to any such third-party supplier until the customer has made the decision to purchase the product or service in question. However, our investigation has also revealed that when MBNA, through a subcontracted telemarketer, offers its customers a product or service (e.g., credit insurance) that is ultimately to be supplied by a third party, the customer is told only that the product is being offered on behalf of MBNA. No specific third-party supplier is mentioned, nor is the customer asked at that time for specific consent to having personal information disclosed to a third party in the event of accepting the offer in question. The customer does not learn who will be the actual supplier of the product or service until he or she eventually receives an information package from that party in the mail.
MBNA readily acknowledges that it does variously collect, use, or disclose Mastercard customers’ personal information in the course of its business dealings with four groups: (1) credit reporting agencies; (2) its three current affiliates; (3) some 380 “Affinity” partners (i.e., organizations that arrange with MBNA to issue Mastercards in their names); and (4) a number of non-affiliated subcontracting companies. However, MBNA maintains that it fulfils its obligations under the Act in this regard by virtue of the statements it makes about its information-sharing practices both on its credit card application form and in its Cardholder/Credit Card Agreement.
Under the heading “Uses of Information”, MBNA’s Cardholder/Credit Card Agreement states as follows:
From time to time, we may obtain updated credit or personal information about you. We may use and share information about you with credit reporting agencies and others, including merchants and companies whether affiliated with us or not. You hereby consent to any disclosure by us from time to time of any and all information we may have about you and your affairs to any other party that, in our sole opinion, may have legitimate need or use for that information, and to our using and sharing personal and other information about you to our affiliates and others for commercial prospection or marketing purposes.
Pursuant to applicable federal law, upon written request, you are entitled to be informed of the existence, use, and disclosure of your personal information. In addition, you may withdraw your consent to our use of your personal information. If your consent is withdrawn at any time to our using, collecting, or disclosing information, you do so on the understanding that we may no longer be able to extend credit to you. We will continue to report the status of your account to credit reporting agencies until your account has been finally settled. To request a copy of our Privacy Statement, please write …..
On inquiry by my Office, MBNA has admitted that the “merchants and companies” mentioned in the first paragraph above, though meant primarily to cover such entities as processing agents and Affinity partners, might conceivably mean anyone. MBNA explained that the companies in question are always changing and that the wording therefore needs to be broad in order to accommodate this constant change and avoid the necessity of continually amending a list of specified companies.
MBNA’s credit card application form, on the front side above the signature line, states as follows:
My signature means that I agree to the Conditions on the reverse side of this form, and consent to, and accept this written notice of, your obtaining a credit report or other information about me from any person. I also agree to the ongoing collection, use and disclosure of information relating to me as set out in the conditions and in the credit card agreement relating to my Account.
On the reverse side of the credit card application, in tiny lettering, the above-mentioned conditions appear, in part, as follows:
I consent to, and accept this as written notice of your obtaining, disclosing or exchanging any credit, personal or other information about me (including information contained in my personal information file) at any time, from, to or with any credit bureau, personal information agent, credit grantor or insurer, my employer or other person in connection with any relationships between us or those which you or I may wish to establish. You, your affiliates and service providers may use any of the information relating to me or my Account to maintain and administer my Account, to offer services and enhancements, and for any purpose not prohibited by law. I also consent to the use and disclosure at any time of all such personal and other information: (i) for purposes of offering me any other product of yours or anyone else (including your affiliates), that you believe may be of interest to me; (ii) to determine which Account benefits, services or enhancements, and/or which other product or service offers may be of interest to me; and (iii) for such other purposes as are not prohibited by law ….
My consent to use of my personal information and other information as provided in (i) through (iii) is optional. If I wish to discontinue such use or to not receive any further marketing materials or future credit card offers from MBNA, or if I wish to receive a copy of MBNA’s Canada’s Privacy Statement, I may write to you at the following address…
The credit card application also makes reference to the Cardholder/Credit Card Agreement and continues as follows: “… I have requested and received the card, Account, and Agreement, and … I understand and agree with you to everything written there and here”.
MBNA also makes a credit card application form available on its website. This online form provides links to terms, pricing and conditions, to the same legal disclosures as appear on the reverse side of the hard copy application form, and to the bank’s Privacy Policy Statement. However, the online form does not provide a link to the Cardholder/Credit Card Agreement and makes no specific reference itself to disclosure of information. Its only consent statement reads as follows:
I have read the terms and pricing disclosures for this account and by electronically transmitting this application, I indicate my agreement with each of the terms and conditions. I understand that I will be bound by each of the terms of the Credit Card Agreement without limitation.
MBNA also provides its telemarketers with a brief script for obtaining prospective customers’ consent to submitting a credit application over the telephone. This script reads in part as follows:
… The terms and conditions will be provided to you, if approved. You agree that by submitting this credit request you have consented to MBNA Canada obtaining, disclosing or exchanging any credit, personal or other information about you at anytime, to, from or with any credit bureau or other person.
As mentioned above, MBNA also publishes a Privacy Policy Statement, which provides a fuller account of the bank’s rationale and practices in respect of the collection, use, and disclosure of customers’ personal information. However, this is a document that is not issued to customers as a matter of course. Rather, individuals who wish to read it must take the initiative either to request a copy in writing or gain access to it via the MBNA website.
In contending that it fulfils its obligations under Principle 4.3 (Consent) of Schedule 1 to the Act, MBNA makes three main points.
First, it argues that the statements it makes on taking a prospective customer’s credit card application are sufficient in themselves for the individual to make an informed decision about consent. MBNA believes that the signing of the application form, or the verbal agreement over the telephone after the script is read, constitutes the customer’s explicit consent to the bank’s intentions regarding personal information. The bank correctly points out that Principle 4.3.7(a) specifically recognizes application forms as an acceptable means of obtaining consent.
Second, MBNA argues that it subsequently provides the individual with yet another opportunity to consider the matter of consent in reviewing the Cardholder/Credit Card Agreement. The bank regards this document as affording sufficient information for the customer to reassess the earlier decision to give consent. As the bank sees it, by agreeing to be bound by its terms and conditions, and by signing and using the credit card enclosed, the customer is also reaffirming consent to the bank’s intentions regarding personal information.
Third, MBNA points out that the two documents in question state that, even after giving it, the customer may withdraw consent to the collection, use, and disclosure of his or her personal information.
In sum, the bank submits that, by providing each customer with two separate disclosures requiring consent and a further indication that consent may be withdrawn once given, it has complied with the requirements of the Act.
On the basis of these facts, I am required to determine whether MBNA has indeed complied with the requirements of the Act, specifically Principles 4.3, 4.3.2, and 4.3.3 of Schedule 1 and section 5(3) of the Act. In this case, where the central issue is that of consent, I am also obliged to take due account of Principle 4.3.5 in my deliberations.
Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.3.2 stresses that knowledge is required as well as consent and states that organizations must make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used; it further stipulates that, for consent to be meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed. Principle 4.3.3 states that an organization must not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified and legitimate purposes. Principle 4.3.5 states that, in obtaining consent, the reasonable expectations of the individual are relevant.
Finally, section 5(3) states that an organization may collect, use, or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances.
Permit me firstly to try to clarify a point of semantics. MBNA has apparently – and, I suggest, incorrectly – taken your reference to “secondary marketing purposes” as meaning purposes of secondary marketing, the term “secondary marketing” ostensibly having a distinct technical meaning among organizations that engage in marketing. What you actually meant, however, was secondary purposes of marketing. MBNA may well take umbrage at an accusation of secondary marketing, according to a definition common in the industry, but there is no such accusation in this case. What you have alleged in effect is that MBNA uses and discloses customers’ personal information for secondary purposes without valid informed consent. The marketing itself may not be secondary in a marketer’s technical sense, but to the individual customer there can be no doubt that MBNA’s marketing purposes are secondary to those for which he or she initially provided personal information to MBNA – that is, purposes of determining credit-worthiness, issuing a credit card, and administering an account.
In any case, regardless of the relative standing of the purposes at issue, the central question here is whether MBNA obtains valid consent in respect of those purposes. On this question, moreover, I am of the view that your expectations regarding consent, as you have expressed them in your submission, are reasonable and in keeping with the Act. Notably, Principle 4.3.2 clearly supports the expectation that consent be based on purposes stated in clear, plain language understandable to the ordinary consumer and in adequate detail for the consumer to appreciate the nature and extent of the collections, uses, and disclosures contemplated. Furthermore, where consent regarding personal information is being sought, I consider it entirely reasonable for the individual to expect not to have to read fine print or search for information in a document that is not immediately at hand. Finally, where consent to optional secondary purposes is presented as a condition for supply of the primary product or service, I consider it only reasonable for the individual to expect to be provided with a convenient opting-out procedure that can be executed easily, immediately, and inexpensively.
The question is, does MBNA meet these reasonable expectations? In answer to this question, I believe that the above-quoted passages from the bank’s communications materials speak for themselves.
On review of those materials, I have determined firstly that MBNA’s credit card application (both the hard copy and the online versions) and Cardholder/Credit Card Agreement do not represent a reasonable effort on MBNA’s part to ensure that the individual customer is advised of the purposes for which personal information will be used or disclosed. Neither document is written in a manner conducive to the individual’s understanding of how his or her personal information will actually be used or disclosed. Indeed, the wording is so broad in each case as to virtually preclude understanding, unless the individual is to understand that MBNA intends to use personal information however it may see fit and disclose it to whomever it may see fit. This, I should add, would hardly be a purpose that any reasonable person would expect or consider appropriate in any circumstances.
Furthermore, the credit card application itself is written not only in legalese, but also in very tiny lettering – two conditions that operate not only against one’s understanding, but even against one’s reading, of a document. As for MBNA’s Privacy Policy Statement, this document is itself too broadly written (albeit significantly more clear and informative than the others) and in any case would not be a sufficient basis for inferring consent in that it is not supplied to individuals and is thus not immediately available as a reference in making the decision regarding consent. Lastly, the script used by telemarketers in taking credit applications over the telephone is the broadest, least informative, and least adequate of all.
I have also determined that MBNA does not adequately inform customers that some products and services offered on its behalf will ultimately be provided by third parties to which the bank will disclose customers’ personal information.
In sum, having determined the inadequacy of the materials and means used in obtaining consent from customers, I find that MBNA is in contravention of Principle 4.3.2 of Schedule 1 to the Act. It follows that these materials and means do not suffice as a basis for consent. It also follows that, in using the application form and the agreement in question, MBNA is in effect requiring individuals to consent, as a condition of the supply of a product or service, to the collection, use, and disclosure of information beyond that required to fulfil explicitly specified purposes. Nor would a reasonable person consider the collection, use, or disclosure of personal information for the secondary purposes as contemplated in these materials to be appropriate in any circumstances without the knowledge and consent of the individual. I find therefore that MBNA is also in contravention of Principles 4.3 and 4.3.3 of Schedule 1 and section 5(3) of the Act.
I also find that MBNA is omitting to provide a convenient, immediate, and easy means of withdrawing consent to optional practices and, therefore, MBNA does not meet the reasonable expectations of the individual as deemed relevant in Principle 4.3.5.
Accordingly, I conclude that your complaint against MBNA is well-founded.
I am recommending that MBNA redraft its communications materials for credit applicants and new customers with a view to facilitating knowledge of purposes as required under Principles 4.3 and 4.3.2 of Schedule 1. In doing so, MBNA should address the customer’s reasonable expectation to be provided with satisfactory answers to the following questions:
- What personal information of mine is to be disclosed? The customer should be informed what specific items or types of information, from among those collected, the organization intends to disclose. No reasonable person would consider it appropriate for an organization to leave open-ended or vague the nature of any personal information to be given to others. Also, no reasonable person would consider “opt-out” consent appropriate if the information in question is of a potentially sensitive nature, such as financial information. When relying upon opt-out consent, therefore, the organization should make it clear that the information to be disclosed is of a non-sensitive nature compatible with that form of consent.
- To whom will my personal information be disclosed? The organization should indicate as specifically as possible the parties to which personal information is to be given. Where a comprehensive listing would be impractical, the organization should define intended recipients at least by type or category and where applicable should clarify its business relationship with the recipients (e.g., affiliates, subsidiaries, partners). The organization should not make allowance for unspecified future “others”, but rather should limit recipients to concrete entities or categories currently envisioned. No reasonable person would consider opt-out consent appropriate in circumstances where personal information might eventually be disclosed to parties as yet undetermined or to be added at the organization’s future discretion.
- How exactly will my personal information be used? Secondary purposes should be limited and clearly indicated. If direct marketing is the purpose of disclosing personal information to other parties, the organization should say so. No reasonable person would consider it appropriate for an organization to leave purposes vague or open-ended or to convey the impression that it will use personal information in any way it may see fit in future.
I am also recommending that MBNA, at the time of offering any customer a product or service that will ultimately be supplied by a third party, identify the third-party supplier in question. In the event that the customer agrees to receive the product or service, MBNA should then obtain the customer’s express consent to the disclosure of specified personal information to the third-party supplier.
Finally, I am recommending that MBNA take steps to meet the reasonable expectation of Mastercard customers for an immediate, easy, and inexpensive means of withdrawing consent to the optional collection, use, and disclosure of their personal information. Specifically, I recommend that MBNA provide either a check-off box on the credit card application form and Cardholder/Credit Card Agreement or a 1-800 number for the convenience of customers who wish to withdraw consent.
Now that you have my report, I must inform you that, pursuant to section 14 of the Act, you have the legal right to apply to the Federal Court, Trial Division, for a hearing in respect of any matter that you complained about or that I have dealt with in my report, and that is referred to in clause 4.1.3, 4.2, 4.3.3, 4.4, 4.6, 4.7 or 4.8 of Schedule 1, in clause 4.3, 4.5 or 4.9 of the Schedule as modified or clarified by the Act, in subsection 5(3), or 8(6) or (7) or in section 10.
Should you wish to proceed to the Court, we suggest you contact the Trial Division of the Court office nearest you. It is located at the Supreme Court Building, Kent & Wellington, Ottawa, ON K1A 0H9, telephone (613) 992-4238. Normally, an application must be made within 45 days of the date of this letter.
You should also be aware that the Court has discretion to order that the costs of the other party be paid by you where the Court is of the view that this is appropriate. While this does not happen often, it is a possibility of which you should be aware. Conversely, the Court may order that your costs be paid where the Court finds that your application raises an important new principle.
This concludes the investigation of your complaint. If you have any questions or comments about the disposition of the complaint, I would invite you to contact Mr. Gerald Neary, Director General of Investigations, at 1-800-282-1376.
Yours sincerely,