Last week the Privacy Commissioner of Canada provided a measure of relief to Canadians who are tired of rifling through overstuffed envelopes filled with marketing materials while in search of their monthly bank statement. In a controversial finding, the Commissioner ruled that the inclusion of marketing materials constitutes “secondary marketing” and that consumers should be entitled to opt-out of receiving it.
The decision is part of a series of recent findings that send a clear message to Canadian business — a commitment to privacy will occasionally mean that longstanding practices must be changed.
While the Commissioner has faced criticism for lengthy delays in reporting cases and for reluctance to name the targets of well-founded privacy complaints (this finding, known months ago within the marketing community, discouragingly involves an unnamed bank), she deserves kudos for this decision since she was undoubtedly aware that it would spark criticism from the banking and marketing communities, who have grown accustomed to generating revenue by including third-party marketing materials in customer statements.
The case began when a bank refused to acquiesce to a customer’s request to remove the marketing materials from their monthly credit card statement. It claimed that the inclusion was common industry practice and did not constitute the use of personal information since all its customers received identical materials.
The Commissioner’s assessment of the complaint focused on three key issues. First, the Commissioner argued that this practice constituted “secondary marketing”, since the customer had provided their personal information to the bank primarily for banking purposes. The inclusion of marketing materials thus constituted an additional “use” of the customer’s personal information.
Second, Canada’s privacy statute features an important provision that prohibits organizations from mandating the disclosure of any personal information that is not strictly necessary to provide the particular good or service. In other words, businesses can ask for as much personal information as they like, but consumers can only be required to disclose information that is essential to the particular service.
By refusing to allow a customer to opt-out of secondary marketing materials, the bank violated the law by effectively requiring personal information for purposes not strictly necessary to provide the primary banking services.
Third, the Commissioner canvassed practices at several other Canadian banks. That survey revealed that while inclusion of marketing materials was indeed standard practice, refusal to permit an opt-out was not. In fact, two of three banks surveyed allowed their customers to opt-out of the receipt of additional marketing materials.
While both the law and industry practice suggest that this decision is a reasonable interpretation of the law, criticism has centered on two issues. Some fear that consumers will ultimately bear the cost of the decision with higher banking fees, while other experts maintain that scarce privacy resources should be directed toward bigger issues such as identity theft or workplace surveillance.
Those concerned with the compliance cost associated with the decision argue that the inclusion of marketing materials effectively subsidizes the cost of mailing monthly statements. If banks are forced to remove the materials, or even to offer the option of removal, the additional cost will be passed along to customers.
Canadians can certainly identify with ever-increasing bank fees, however, the cost of privacy compliance is not unique to this case. Privacy compliance invariably involves a cost, yet support for private sector privacy legislation demonstrates that it is a price Canadians are prepared to pay. Moreover, given the competitive banking environment and the fact that several banks already permit consumer opt-outs, it seems unlikely that consumers will shoulder a significant new cost.
Critics that argue that Canada faces bigger privacy issues than secondary marketing can certainly make a case that identity theft and workplace surveillance are important issues that should not be ignored.
It does not follow, however, that the Commissioner should avoid also highlighting issues such as secondary marketing. The Commissioner is legally obligated to address all complaints filed with her office and therefore must take on cases both big and small.
Even if an investigation would not have been required, the sum of this case is much bigger than its individual parts. The effect for each individual banking customer is limited, yet there is a significant aggregate impact when spread over millions of Canadians. If the Commissioner were to avoid small privacy issues, invasive practices would be left unchecked with everyone bearing part of the burden.
Furthermore, establishing a privacy culture in Canada may well depend upon how we address these smaller issues. Whether it is merchants requiring additional pieces of identification, the misuse of social insurance numbers, the casual disclosure of personal information without permission, or the use of personal information to deliver unwanted marketing materials, the lack of regard for privacy undermines the broader societal value associated with personal information.
Upon taking office, New York mayor Michael Bloomberg made it his mission to clean up city streets by filling potholes and eliminating other similar annoyances. Bloomberg’s approach was based on the premise that safer and cleaner streets start with taking responsibility for the little issues. So too with our personal privacy — we may not be able to eliminate identity theft or invasive surveillance overnight, but respecting consumer choice about the use of their personal information is surely a part of the solution.
Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can reached at email@example.com or online at www.michaelgeist.ca.