Media Centre

Privacy in the Marketplace

Remarks for CMA Regulatory Affairs Conference

September 14, 2006
Toronto, Ontario

Address by Jennifer Stoddart
Privacy Commissioner of Canada

(CHECK AGAINST DELIVERY)

Introduction

At the risk of using a rather sensitive term in these post-September 11 days, we could say that the Canadian Marketing Association was in many ways a “co-conspirator” in working toward developing balanced private sector privacy rules in Canada. Your association played a major role in developing the Canadian Standards Association’s Model Code for the Protection of Personal Information, which nowforms the centrepiece of the Personal Information Protection and Electronic Documents Act (PIPEDA). In this sense, PIPEDA is in large part the brainchild of CMA and other groups, and the CMA must certainly be the first marketing association in the world with the foresight to actually call on the government to legislate privacy.

The marketing industry long ago understood that good privacy was good for business. When John Gustavson testified before the House of Commons Standing Committee on Industry in March 1999, he stressed that privacy guidelines and transparent information practices are the foundation of the continued success of the marketing industry. Trust in the products and services of a seller are essential for market success. Ethical and legal data collection and its use are keys to that trust. PIPEDA is about just that. By establishing standards for the protection of privacy, PIPEDA will give consumers greater confidence in their interactions with organizations engaged in commercial activities. According to your numbers, the marketing community in Canada supports over 480,000 jobs and generates more than $51 billion in overall annual sales. It is not a bit player in Canadian society, and how it responds to PIPEDA can have a profound influence on the privacy of Canadians.

PIPEDA is a legislative code that adapts the concept of consent for marketing purposes. Ironically, one of the central criticisms of PIPEDA is that it is a marketing code whose provisions must be twisted, stretched and warped to address other activities in the commercial sphere, such as labour relations and health care.

The key to PIPEDA is balance. Section 3 explicitly recognizes that balance when it speaks of both the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.

PIPEDA, and the powers afforded the Privacy Commissioner under the Act, do not, nor were they ever intended to, sound (event faintly) the death knell for the marketing industry in Canada. That said, my Office, like Brutus in Shakespeare’s Julius Caesar, has not always heaped praise on the industry. However, unlike Brutus, it is not our intention to bury the industry. We have not sought to make life unnecessarily difficult for the marketing industry. For example, we have accepted that magazine publishers may use the opt-out form of consent for secondary uses of subscription lists, provided that the publishers satisfy several other conditions designed to bring the choice to the attention of subscribers. And, perhaps most important, we are willing to talk to you, and listen to your concerns. In turn, we hope that you will continue to listen to the concerns we raise on behalf of Canadians.

I am also pleased to note the same report by the Canadian Internet Policy and Public Interest Clinic which cited statements by industry representatives who noted that you are generally an industry more respectful of privacy than your counterparts in the United States.

Torts, Faults and Damages

In that so much of what we are talking about today involves legislation, I have to put on my lawyer hat for a moment to define a term in common law I will be using now and then. That is “tort.” In law, a “tort” means a civil or legal wrong that can be pursued in court and that may result in financial penalties.

Even if PIPEDA or other legislation were not here, the marketing industry needs to respond to other laws touching on privacy, such as tort laws. Four provinces – B.C., Saskatchewan, Manitoba and Newfoundland – have enacted statutory privacy torts. In essence, they create a right for an individual to take civil action to challenge the actions of someone who, wilfully and without a claim of right, violates their privacy. In Quebec, the Charter of Human Rights and Freedoms provides that “every person has a right to respect for his private life.” This provision is directly enforceable between citizens, which means that they can take legal action against each other.

Ontario has no statutory privacy tort, but there are strong signs that a common law tort of invasion of privacy is emerging here, and that development may in turn influence courts in other provinces to do the same. It is not wholly unreasonable to anticipate the tort of invasion of privacy being used to challenge some emerging marketing practices, such as the use of radio frequency identification technology. I will be returning to that technology shortly. The consequences of torts and faults are damages. Damages for privacy law breaches are an underdeveloped concept in Canadian law.

Surveys

The law clearly shapes industry behaviour, but so must public attitudes. Several surveys over the past two decades (yes, even Privacy Commissioners conduct surveys!) have revealed the disquiet of Canadians about government and private sector intrusions into their privacy. Our last public survey conducted in March of this year revealed that Canadians want the government and businesses to take their responsibility for safeguarding personal information more seriously. And 8 out of 10 Canadians believe we should have strong laws to protect personal information – which bodes well for PIPEDA review and our call to reform the outdated Privacy Act. Though Canadians are reporting a better understanding of privacy rights than in past years, only 50 per cent feel they have enough information to know the privacy implications of new technologies such as RFIDs. I’ll come to that later.

Loyalty Programs

It is no surprise that I am not a fan of loyalty programs – or at least the current incarnations of such programs. Transparency – one of the necessary attributes under PIPEDA of a system for collecting, using and disclosing personal information in the commercial sphere – is often lacking. At best, loyalty programs are not particularly clear and open about why they collect customer information. Individuals often have little or no idea what is being done with the information they are providing under such programs. They often have little or no understanding of one of the key purposes of loyalty programs – which is to collect information about identifiable individuals. That is, to collect information that is directly linked to the source, to individual people, by name and address and many other characteristics.

The marketing industry may describe loyalty programs as the means to better understand their customers. But not all customers want to be better understood, particularly if it means surrendering their privacy to a commercial interest, and ultimately even to government. Some customers just want to be left alone. Even if such loyalty programs are lawful, I must echo the distaste of many Canadians about constantly being squeezed until personal information pops out of them.

Technology, Marketing and Government – A Potentially Dangerous

I have become increasingly uneasy about the potentially dangerous mix of technology, marketing and government. Some privacy intrusions may be what we call “nuisance” intrusions – the telemarketing calls at dinner, for example. As many of you know, I have urged the CRTC to establish the national do-not-call list provided for in recent Telecommunications Act amendments as soon as possible.

Other intrusions have the potential to be far more sinister, particularly when government steps into the picture. Look what has happened in the last decade with technologies to collect and analyze personal information – Radio Frequency Identification (RFID) technology, facial recognition technology, the surge in applications of other biometric technologies, and the growth of a massive surveillance industry designed for national security purposes. Each of these has also generated commercial spinoffs that enhance the ability of the private sector to intrude into our daily lives. Look at the increasingly frequent, and not always voluntary, participation of the private sector in collecting personal information for vaguely defined national security purposes. Intrusive technologies have dug deeper into our souls, and the political and security environments have become ripe for the accumulation of masses of personal information about us all.

Maybe it serves the interests of the marketing industry to downplay the possible impact of their data collection practices on privacy, but it most certainly does not serve the interests of individuals as citizens in a political environment that often promotes fear and presses us to accept ever-increasing surveillance in response. This is surely the legacy of September 11th, with all its global impacts, but also reaching all the way down into our homes and workplaces.

Let me walk you through my disquiet about one technology in particular – Radio Frequency Identification – referred to by the acronym (and what isn’t these days), RFID. In the United States and the UK, and elsewhere, several companies have secretly used these devices to spy on unsuspecting consumers. “Spy” may be a pretty loaded word, but quite frankly, I can’t think of a more accurate one. In Canada, such surreptitious uses of RFID might well violate PIPEDA. And as I said earlier, companies using this technology might face civil suits under statutory and common law privacy torts or PIPEDA.

Clearly, some marketers could get excited at the prospect of acquiring individualized information through RFID tracking. So too, unfortunately, do some governments.

In the aftermath of September 11, 2001, you will remember the Terrorism Information Awareness – TIA – project, which Congress fortunately did not fund. It will almost certainly reappear under a new brand in future. It was to vacuum up personal information contained in public sector and private sector databases and use that information to try to predict so-called “anti-social” behaviour. Just imagine how the terabytes of data that RFID technology could provide to private industry might be used to slake the thirst of government for information about us all. Of course, what is one person’s anti-social behaviour is another person’s distinctive charm. The danger is the potential for this sort of inquiry to identify legitimate activism as anti-social behaviour.

And don’t think that governments are above collecting data that links our public activities with our private proclivities – shall we say. Just look at recent revelations about domestic wiretapping by U.S. intelligence agencies. There are also allegations, which my Office is now investigating, about possible misuse of data held in the SWIFT banking system. SWIFT is a European-based financial cooperative that supplies messaging services and interface software to financial institutions worldwide. In this case, we are investigating to determine whether personal information relating to Canadians’ financial transactions is being improperly disclosed by SWIFT to foreign authorities.

Perhaps you think my concerns extreme. I disagree. Marketers and their clients may want personal information simply to sell more products and services, or to tailor those products and services to individual consumer tastes. But this type of information collection provides a rich feeding ground for inquisitive governments. I am not so naïve as to believe that it will never happen here. Decisions may be difficult to make about what may be a desirable curtailment of privacy as opposed to essential limitations – which society decides are worth the tradeoff for increased security. We have to be careful that we do not unwittingly allow our more benign acquisition of personal information for marketing purposes to become fodder for much more repressive surveillance by governments in future. We should as a society be mindful that under recent amendments to PIPEDA, information given to the private sector or collected by it may be passed on to the government for law enforcement purposes.

Facial Recognition

I was also troubled to learn from a news report last month that the CEO of the Hudson’s Bay Company was musing about employing facial recognition technology to monitor customer preferences. The apparent reason – it could allow employees to identify repeat customers and their potential interests. I must tell you though, that I would have thought it would have been more useful to train employees to identify the exact expression that showed a customer teetering on the brink of a purchase and then training the employee on how to move in for the retail kill – though I think that “closing a deal” is the more appropriate term these days for making a sale.

We must not forget that some people simply want, and deserve, to be allowed to go about their day-to-day activities without being poked and prodded by nosy governments and business interests. And that prodding can be used to have power over our lives that we have not granted. Avoiding those conditions is what privacy is all about.

Getting Under the Skin of Consumers

These few examples highlight the power of technology to provide information about individuals, often without their knowledge. But I suggest that if the use of such techniques becomes public knowledge, companies may suffer. They are going to suffer, not only because of the potential legal consequences, but because these intrusions are going to get under the skin of consumers – and I won’t even go into the plans of one company to inject an RFID chip into consenting humans.

Consumers are becoming ever more sophisticated in matters of privacy. Intrusions like RFIDs will attract the interest of privacy advocates and privacy commissioners and ombudsmen. I don’t think the resulting picture will be pretty, at least judging by consumer reactions to the use of these technologies in other countries. Consumer protests in the U.S., the U.K. and elsewhere have forced powerful global companies such as Benetton, Gillette, Proctor & Gamble and Wal-Mart to back down on their surveillance uses of RFID technology.

PIPEDA Review

Members of this audience may have much to say, gently, I hope, in response to the issues I have raised. I would like to hear from you, and I would like to extend an offer to participate in evaluating Canada’s private sector data protection legislation.

PIPEDA includes provision for a mandatory review by Parliament every five years. A review is scheduled for this year. Accordingly, my Office prepared a discussion paper that identified several issues for consideration in the upcoming review. To date, we have received almost 60 responses to our discussion paper, including a thoughtful submission by the CMA that touched on many issues.
I am particularly interested in your views on the notion of consent. I believe that most Canadians don’t fully understand the potential uses of their information when they consent to its collection. The gap between the understanding of the citizen of the power of information technology, and its day-to-day uses, is widening, unfortunately. People do not understand how their every purchase could possibly be examined, and therefore, I believe, they often do not have the knowledge to make informed decisions about information disclosures. I intend to look more closely at the appropriate parameters for consent. As I do, I will of course take into account the CMA’s comments on this issue.

Some have argued that as long as a consent clause is worded broadly enough, this will technically and legally permit a wide range of future collections, uses and disclosures under the terms of the agreement between the customer and the organization. However, others maintain that truly free and informed consent is more than a one-time, wide-open, blanket signature on a consent form. To them, informed consent is a dynamic process that involves keeping individuals actively aware – on an ongoing basis, using understandable language, and in a transparent manner – of what an organization intends to do with their personal information, and for what purpose.

Consumer education is an enormous challenge, as your association knows very well, and I commend you for your leadership in educating consumers over the years about telemarketing scams, about protecting children, and all the other issues you have tackled. My Office is trying to address public education on information technology, and I invite you to join us and help us with this important task. It is time Canadians understood the Information Age.

Conclusion

Marketing is a legitimate, useful and, in this competitive global climate, an essential activity for linking the seller and buyer – whether of a product of service. It can serve the interests of both business and consumers. It is an important industry that employs countless Canadians. When well done, it helps the public make choices, and the public recognizes its value. Poorly done, it can be irritating, intrusive and, in some situations, very damaging to this important right we call privacy. Marketing practices must take into account, and respect, individuals’ rights, their expectations and their emerging consciousness about privacy. The consequences of a loss of privacy are becoming more serious. The privacy climate is changing, and industry – all industry, not just the marketing industry – must change with it. I would hope that this change is in the direction of increasing regard for the privacy of individuals, though the industry may have to develop innovative means of meeting its needs for information, while respecting that privacy. But for an industry that is known for innovation and imagination – one that has embraced the coming privacy challenges under the leadership of John Gustavson – surely this can be achieved.