PIPEDA Case Summary #297

Unsolicited e-mail for marketing purposes

(Section 2; Principles 4.3; paragraphs 7(1)(d) and 7(2)(c.1); and Principles 4.1 and 4.1.3)

The Office of the Privacy Commissioner recently had occasion to investigate collection and use complaints concerning unsolicited e-mail. In one instance, the complainant's personal information was collected from two publicly available directories, while in the other case, it was collected from a directory available only to a particular association's membership. The following is a summary of each complainant's concerns.

Complaint A

An individual complained that a sports organization had collected and used his personal information, specifically, his business e-mail address, without his consent.

Summary of Investigation

The complainant received an unsolicited e-mail promoting the purchase of tickets at his place of work. When he asked the sales representative how his e-mail address had been obtained, he was told that it had been collected from his employer's web site. The sales representative told the complainant that he would not be marketed further; however, a few weeks later, the complainant received a second e-mail solicitation from the same organization.

The sports organization did not dispute that it had sent the complainant a solicitation on two occasions at his place of work. The two sales representatives in question had obtained the same e-mail address through web site directory searches, and did not cross-reference his request that he be deleted from the marketing lists. One of the agents was responsible for soliciting ticket sales through contacting the employees of educational institutions, while the other generated his contact lists through the web sites of law firms, including the one with which the complainant was associated.
The organization subsequently instituted cross-selling controls to ensure that the name of any individual who did not want to be solicited was deleted from all marketing lists, and removed the complainant's name from its lists. The company also engaged a different ticketing and sales firm that was more knowledgeable about the requirements of PIPEDA.

The complainant's employer took the view that the e-mail addresses of its staff were business information. Although the employer might under very exceptional circumstances allow an employee to suppress his or her e-mail address, the employer requires its employees to agree to publish their business e-mail addresses, consistent with its business model and its expectation that employees be easily accessible. The employer also expects any business or organization to obtain its permission before contacting staff for purposes unrelated to promoting the employer's interests.

Findings

Issued December 1, 2004

Application: Section 2 defines personal information as information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization. Principle 4.3 of Schedule 1 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Two exceptions to consent are set out in paragraph 7(1)(d), which states that an organization may collect personal information without the knowledge or consent of the individual only if the information is publicly available and is specified by the regulations; and paragraph 7(2)(c.1), which stipulates that an organization may, without the knowledge or consent of the individual, use personal information only if it is publicly available and is specified by the regulations.
For the purposes of paragraphs 7(1)(d) and 7(2)(c.1), the regulations specify that publicly available information includes the name, title, address and telephone number of an individual that appears in a professional or business directory, listing or notice, that is available to the public, where the collection, use and disclosure of the personal information relate directly to the purpose for which the information appears in the directory, listing or notice.

In making her determinations, the Assistant Privacy Commissioner deliberated as follows:
The Assistant Commissioner concluded that the collection and use complaints were well-founded.

Complaint B

In the second set of complaints from one individual, the allegations again involved collection and use of personal information, namely a business e-mail address, without knowledge and consent. In this case, complaints were filed against two organizations: a company selling a product (the seller) and a marketing company acting on its behalf.

Summary of Investigation

The complainant received an unsolicited commercial e-mail advertising a product. The e-mail was directed to her business e-mail address and appeared to have been issued from the seller. The e-mail invited recipients to have their name removed from the seller's mailing list, upon request. In fact, the e-mail had been issued by the company providing the marketing services.

The company that provides marketing services also maintains a web site and business e-mail address on behalf of the seller. It only shares with the seller the personal information of potential clients who express an interest in purchasing an advertised product.

Both the complainant and the president of the marketing company were members of a professional association. Access to the membership list of this association is restricted, and its membership directory is not to be used by its members to solicit or market products to other members.

The marketing company acknowledged that it had collected and used the complainant's business e-mail address without the complainant's consent to market the seller's products. At the complainant's request, the marketing company suppressed her personal information from its marketing list, and apologized for the use of her personal information.

The seller for its part denied any knowledge of or responsibility for the privacy practices of the marketing company acting on its behalf, and denied obtaining the complainant's e-mail address without her consent.
Findings

Issued March 31, 2005

Application: Section 2 defines personal information as information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization. Principle 4.3 of Schedule 1 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

In making her determinations, the Assistant Commissioner deliberated as follows:
The Assistant Commissioner thus concluded that the collection and use complaints against the marketing company were well-founded.
The Assistant Commissioner concluded that the collection and use complaints against the seller were not well-founded.

Further Considerations

The Assistant Commissioner advised the seller that in ignoring the privacy practices of a company that acts on its behalf, it has, in her view, exposed itself to a risk that its business reputation will be tarnished.
Date published: 2005-04-28