Verizon: When can a Telco use subscribers’ personal information for marketing purposes?

In the U.S., Verizon has recently been slapped with a $7.4 million fine by the U.S. Federal Communications Commission (FCC) for a privacy violation, the largest fine the FCC has ever imposed for a privacy violation.

What did Verizon do to deserve this fine? It failed to give two million of its customers the choice of opting out of its marketing campaigns. Under the U.S. Communications Act, Telcos are allowed to access or use customers’ personal information only under certain limited circumstances. These can include marketing campaigns, but only if customers have agreed to receive marketing messages through an opt-in/opt-out process. While it is reported that Verizon usually sends an opt-out notice to new customers (either in a welcome letter or in a message on their first bill), it failed to provide such notice to some of its customers for a period ranging from 2006 to 2012, and it also failed to notify the FCC within the prescribed time limit after identifying the issue.

Could a similar situation take place in Canada?

Potentially, except for the “fine” part.

The Canadian federal law, the Personal Information Protection and Electronic Documents Act (PIPEDA), works on an ombudsman model: any complaint regarding compliance with PIPEDA must be filed with the Federal Commissioner of Canada, which may investigate, report and try to reach a satisfactory solution. However, it cannot issue binding orders. A party that is dissatisfied with the report of the Federal Commissioner may apply to the Federal Court, which has the power to issue binding orders and is not bound by the findings of the Federal Commissioner. The federal courts have not awarded any real damages since PIPEDA came into force. Some of the substantially similar private sector provincial data protection laws do provide for penalties. In Quebec, two specific types of penalties may apply for non-compliance with the Quebec law: an organization acting in contravention of this law is liable to a fine ranging from $1,000 to $50,000 and, for subsequent offences, a fine ranging from $10,000 to $100,000. Again, no real fines have been issued.

Can a Telco use subscribers’ personal information for marketing purposes in Canada?

Yes, but this can’t be a condition of the service, as it is not required or necessary for providing the service. Canadian data protection laws provide that an organisation may only collect and store information which is required for the product or service to be provided. More specifically, under PIPEDA, principle 4.3.3 states that an organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes. In Quebec, a similar principle can be found under article 9 of the Act Respecting the Protection of Personal Information in the Private Sector: an organisation may not “refuse to respond to a request for goods or services (…) by reason of the applicant’s refusal to disclose personal information except where collection of that information is necessary for the conclusion or performance of a contract, collection of that information is authorized by law; or there are reasonable grounds to believe that the request is not lawful”. In case of doubt, personal information is deemed to be non-necessary.

It may be acceptable to give subscribers the option to opt out of secondary marketing in certain situations, but the “opt-out” must be used with caution.

For instance, the organization can’t take a long period to process it. In PIPEDA Case Summary #2003-238, the Privacy Commissioner articulated the view that new credit card customers were illegally required to consent to the use of their personal information for secondary marketing purposes, because if the applicant opted out, it would take up to twelve weeks for such a request to take effect. Also, the opt-out process must be simple, and information used for secondary marketing purposes should not be sensitive. Last fall, Bell planned to modify its privacy policy, as it was intending to use account and network usage information to serve up personalized advertising more relevant to subscribers, who could opt out of the tracking. This change received attention from consumer protection groups and triggered several complaints to the Office of the Privacy Commissioner of Canada. Soon after, the OPC announced that it was launching an investigation into the organization’s privacy practices.

The picture may be slightly different if the service provided to subscribers is a free service. In the CIPPIC complaint against Facebook, one of the issues was the fact that since users were not allowed to opt out of Facebook Ads, Facebook was unnecessarily requiring users to agree to such ads as a condition of service, in violation of Principle 4.3.3 of PIPEDA. The finding of the Privacy Commissioner on this issue took into account the fact that the site is free to users and that since advertising is essential to the provision of the service, individuals who wish to use the service must be willing to receive a certain amount of advertising.

In the Verizon file, in addition to paying the fine, Verizon must include opt-out notices on every single invoice sent to customers over the next three years. It must also put monitoring and testing systems in place to ensure that its customers are receiving Verizon privacy notices.

This content has been updated on September 9, 2014 at 7 h 45 min.