Privacy Project
Implementing PIPEDA: A Review of Internet Privacy Statements and Online Practices


Final Report
Tuesday, 24 May 2005

Retail: "An Industry-Specific Approach to Privacy Statements in the Retail Sector"

by Aniz Alani

The purpose of this report is to examine issues concerning the protection of personal information within the retail business sector in Canada and, in particular, the extent to which retail businesses' web site privacy statements address these concerns.

Introduction

As of January 1, 2004, the PIPED Act purports to apply to virtually all organizations engaging in commercial activity, including retail businesses carrying on businesses entirely within a single province. The PIPED Act does not apply, however, in provinces where "substantially similar" legislation has been enacted. British Columbia, Alberta, and Quebec have passed substantially similar privacy statutes. The PIPED Act continues to apply, however, in all cases where personal information is transferred outside of a province.

For the purpose of this report, "retail business" includes any organization which engages in the sale of commodities or goods to an ultimate consumer.

It is noteworthy that the PIPED Act does not distinguish between industry sectors except to the extent that some sectors, such as airlines, banking, and telecommunications, are considered to be federal works and undertakings. The federally regulated industry sectors are clearly within the legislative jurisdiction of the Parliament of Canada under s. 92(10) of the Constitution Act, 1867.[77] The application of the PIPED Act to the retail sector has been particularly controversial because, unlike federal works, businesses and undertakings, retail businesses operating entirely within a province are governed by provincial legislation with respect to "property and civil rights" under s. 92(13) of the Constitution Act, 1867.

The Government of Canada has very clearly expressed its view that the PIPED Act is a valid exercise of Parliament's legislative jurisdiction in areas of trade and commerce under s. 91(2). Former Minister of Industry John Manley made the following remarks in the House of Commons with respect to jurisdiction over the PIPED Act:

The bill is a legitimate exercise of the federal government's authority to legislate in respect of trade and commerce in Canada. The increasing ubiquity of networks and the speed of the technology means more companies are collecting more information, circulating it more widely and combining it more ingeniously than ever before.[78]

In order to ground the PIPED Act as a valid exercise of Parliament's authority over trade and commerce, specifically in areas otherwise falling within provincial jurisdiction, the following five conditions must be satisfied: (1) it is part of a general regulatory scheme; (2) the scheme must be monitored by the continuing oversight of a regulatory agency; (3) the legislation must be concerned with trade as a whole rather than with a particular industry; (4) the legislation should be of a nature that the provinces jointly or severally would be constitutionally incapable of enacting; and (5) the failure to include one or more provinces or localities in a legislative scheme would jeopardize the successful operation of the scheme in other parts of the country.[79]

The constitutional validity of the PIPED Act, specifically whether it represents a valid exercise of Parliament's authority under the general trade and commerce power, has been challenged by the Government of Quebec. A reference question on this issue has been submitted to the Quebec Court of Appeal.

Without addressing the merits of the constitutional arguments in any depth, it is noteworthy that one of the five requirements under the general trade and commerce power under General Motors of Canada Ltd. v. City National Leasing is that the legislation be concerned with trade as a whole rather than with a particular industry. Because the legislation cannot be industry-specific, there is very little opportunity for the PIPED Act to provide for significant exceptions in terms of the organizations to which it applies.

The PIPED Act does not distinguish between small businesses and larger chain operations. Instead, it imposes positive privacy obligations on all organizations conducting commercial activity in Canada. Despite the economic reality which makes it more difficult for an independent retailer than for a large retail chain store to learn its obligations under the PIPED Act, devise a privacy policy, implement suitable privacy practices, and develop an infrastructure for responding to customer access and correction requests or complaints, the PIPED Act appears to impose the same duty on each indiscriminately. Every commercial organization, regardless of its age or size, is required under the PIPED Act to comply with specific positive obligations. Although this study focused on companies with privacy statements posted on their Internet websites - incidentally, a subset of commercial organizations which enjoys relative expertise and sophistication vis-à-vis independent small business owners - there is an apparent vacuum of privacy knowledge and awareness at the level of small business. If the protection of personal information is, as stated, the purpose at which the PIPED Act is aimed, additional steps must be taken to ensure the PIPED Act is enforced broadly across all organizations which purportedly fall under its application. If the PIPED Act were only taken seriously by or in respect of relatively large commercial organizations, the federal government would likely lose its claim to jurisdiction under the general trade and commerce power, since the legislation would no longer concern trade as a whole. Privacy itself is arguably a matter of property and civil rights and thus an issue of provincial jurisdiction. It is only by addressing privacy as a general trade issue that the federal government has been able to assert jurisdiction over privacy protection.

The alternative argument, which is not explored in this paper, is that the protection of personal information is a matter of national concern and thus a valid exercise of Parliament's jurisdiction to legislate for the "peace, order and good government of Canada" under s. 91.

Until the federalism issues have been definitively resolved by the courts, consumers and businesses must be familiar with applicable privacy legislation at both the federal and provincial level. Of possible interest for future research is the manner in which businesses operating in multiple jurisdictions have adapted their privacy statements and practices to comply with issues of overlapping jurisdiction.

Methodology

In order to acquire information about retail organizations' privacy practices, I contacted 19 companies by e-mail, inviting the privacy manager at each company to participate in our privacy study. A comprehensive questionnaire was prepared, which was intended to solicit generally objective indicators of companies' privacy practices. As part of the invitation process, I selected 19 retail organizations with internet websites. I then located the e-mail address listed for each company's privacy manager, and submitted a standard form invitation letter to the address.

Companies Contacted

The following 19 companies were contacted with requests to participate in our study: Future Shop, RadioShack Canada, Staples, Office Depot, Indigo, Hudson's Bay Company, Holt Renfrew, eBay, London Drugs, Black's Photography, CanadaFlowers.com, Pizza Pizza, CanadaHelps.org, The Shopping Channel, Henry's, Starbucks, Tim Horton's, McDonald's Restaurants of Canada, and Subway.

Responses

Of the 19 companies contacted, the following 5 companies responded by e-mail expressly declining to participate in our study: Indigo, London Drugs, RadioShack Canada, Future Shop, and Black's Photography. Only one company, McDonald's Restaurants of Canada, agreed to participate in the study. The 13 remaining companies did not respond to the invitation in any manner.

Role of the Privacy Statement Within Privacy Policy

Although a focus of this privacy study was to examine retail businesses' privacy policies as published on internet websites, it is clear that a website privacy statement forms only a part of a company's overall privacy policy. Essentially, a website privacy statement describes a company's general policy with respect to its use, collection and disclosure of personal information within the course of its commercial activity. As described below, the language of website privacy statements is typically vague, leaving a reader with very little information about a company's privacy policy beyond what is already generally provided under the PIPED Act. Of far greater use to consumers is a company's detailed implementation manual, which typically describes specific examples of when a business practice engages a privacy interest and is affected by the company's obligations under the PIPED Act.

As part of my interview with McDonald's, I had the benefit of reviewing an implementation handbook prepared for internal use by McDonald's Restaurants of Canada Ltd. The handbook contains an itemized explanation of the company's privacy principles (mirroring those recognized in the PIPED Act) and a description of how each privacy principle is reflected in the day-to-day operations. Also included are hypothetical fact patterns describing situations in which privacy obligations may operate and how a store manager or employee might respond to the situation within the spirit of the company's privacy policy.

The level of detail included in the implementation handbook is certainly in contrast to the level of abstraction used generally in published privacy statements. By making this observation I do not intend to discourage the use of broad privacy statements. Indeed, privacy statements serve a useful purpose insofar as they generally inform readers about a company's macro-level commitment to privacy protection and compliance with the PIPED Act. Instead I suggest that companies be encouraged to publish or make available handbooks or implementation guides similar in scope to the operational manuals published by government with respect to administrative procedures for access to information legislation.[80]

The PIPED Act requires that "organizations shall be open about their policies and practices with respect to the management of personal information. Individuals shall be able to acquire information about an organization's policies and practices without unreasonable effort. This information shall be made available in a form that is generally understandable."[81] The Act further provides that the information made available shall include "a copy of any brochures or other information that explain the organization's policies, standards or codes."[82]

Relying on this provision, an individual may request a company to provide a detailed implementation guide setting out the recommended practices or policies with respect to specific examples of personal information use by the particular company. However, companies would be understandably reluctant to provide this information for two main reasons.

First, the preparation of a detailed implementation guide represents a significant investment by the company of its time and resources. Sharing this information with the public may be seen to deprive the company of an acquired competitive advantage over another company which has not made the same investment.

Second, the publication of specific practice recommendations may be seen to expose a company to increased liability arising out of legal obligations created not by the PIPED Act but by the representations in the publication itself. Adopting this rationale, a company would be well advised to limit its publicly available policy statements so as to minimize the creation of any obligations not already imposed by the PIPED Act. While this concern would appreciably explain the typically vague language used in published privacy statements, it does little to assuage individuals' concerns about what specific steps a company is taking to protect individual privacy. If the privacy policy equates to confirming minimal compliance with the PIPED Act, there is arguably less benefit to requiring each company to publish a broadly worded privacy statement since the reader can otherwise assume the company is aware of and intends to comply with its general obligations under the PIPED Act.

Specific Privacy Considerations in the Retail Sector

In this part, the means by which retail businesses typically collect and use personal information will be reviewed. Where these means are used, a company should specifically address them in a publicly available privacy policy. The alternative to specifically referring to each is to leave the consumer uncertain as to whether the company has recognized the information collection as one which engages a privacy interest.

Customer Feedback/Complaint Forms

For some retail organizations in which the exchange of personal information is not necessary to complete a transaction, the collection and use of customer feedback forms may form a significant proportion of a company's personal information inventory. Customer feedback forms typically invite consumers to rate their level of satisfaction with their shopping experience in a number of specific areas. Where the consumer requests that the company respond to the feedback, the consumer is invited to provide his or her contact information. In such cases, the exchange of personal information is clearly voluntary as the consumer's knowledge and consent of the collection and use is apparent when the feedback form is completed. A lingering privacy concern, however, exists with respect to the purposes for which the personal information is subsequently used and disclosed.

While all privacy statements examined during this study contained language restricting the use or disclosure of personal information for purposes other than those for which the information was collected, the typical absence of specific examples mentioned in privacy statements leaves the reader to assume that the company and the reader share identical views on which exchanges of personal information are governed by the privacy policy or applicable privacy legislation.

McDonald's specifically identifies the use of customer feedback forms and addresses the various privacy interests engaged by their use. For example, the McDonald's privacy principles speak to the use, disclosure, accuracy and security of personal information provided on customer feedback forms. Other companies' privacy policies, including those of companies known to use customer feedback forms, do not specifically address how the personal information contained in these forms will be used or disclosed by the collecting company.

To the extent that a company actively invites consumers to provide feedback on the company's performance, the company's privacy policy should specifically address the limited purpose for which the information contained on the customer feedback form will be used by the company, as well as how the information will be stored, disclosed, and disposed of when it is no longer needed.

Returned Merchandise

Retail businesses should review in-store return policies in light of privacy legislation. When a customer attempts to return merchandise to obtain a refund or exchange in accordance with a store's return policy, it is still the case that the customer is asked for identifying personal information as part of the return process. A customer's contact information is reasonably related to the return process since the company may need to contact the customer in case the returned product has suffered undisclosed damage disqualifying the product for a refund under the store's return policy. Personal information would not be necessary for this purpose, however, if the clerk processing the return performs an adequate inspection of the returned merchandise in the presence of the customer.

Where a company routinely requests a customer's contact or other personal information as part of its return policy, what is the effect of a customer's refusal to consent to the exchange of this personal information? Since "an organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfill the explicitly specified, and legitimate purposes",[83] it is doubtful an organization can refuse to provide a refund or exchange where a customer reasonably withholds consent to providing the requested personal information. If the store's purpose is indeed to retain contact information in case there is a latent problem with the returned merchandise, this purpose should be made expressly clear to the customer at the time of the return. Moreover, the retention of the customer's contact information, along with any additional information including the reasons provided by the customer for returning the product, should only be kept by the company for a reasonably brief period of time sufficient to discover any undisclosed problems with due diligence. This recommendation is not intended to create a limitation period for nefarious individuals attempting to obtain a refund for illegitimate purposes, but rather to reflect the reality that retail businesses ordinarily do not collect or retain identifying information about an individual when he or she purchases a product and therefore should not be granted a broad licence to collect such information when an individual returns a product.

Contests and Business Card Draws

A common marketing technique used in retail organizations is to offer customers a contest awarding free products. Customers enter by providing a business card or completing an entry form requesting contact information. The ostensible purpose for collecting the personal information as part of such contests, and accordingly the grounds on which consent may be implied under principle 4.3.7, is to allow the collecting organization to contact the winner to make prize arrangements. Once the information has been collected, however, the collecting organization has obtained contact information from its clientele.

Determining the purposes for which the organization may legitimately use this information, assuming an express statement of purpose was not included on the entry form, depends on what a reasonable person would consider appropriate at the time of collection. If a company intends to subsequently use the collected information for marketing purposes, the company should expressly state such purpose at the time of collection.

In the context of company websites, consumers are often offered opportunities to enter contests which require the collection of personal information. In addition to the entrant's contact information, the entry form may request additional information concerning the entrant's shopping preferences, income and education levels, and other information not necessary to administer the contest itself.

An example of an effective privacy statement with respect to contests and surveys is found in Future Shop's privacy policy:

Participate in a Contest, Promotion, or Survey

From time to time, we may run contests, promotions, or surveys. If you participate, you may be asked for contact information as well as additional optional survey information (for example, product preferences). Information from contest entries will be used to contact you if you win. We may also summarize survey information in a manner that no longer identifies the contest entrants for analysis, but will not share personal information from entries. All contests are subject to rules that will be available with each particular contest.[84]

Rebate Forms

Occasionally, a retail store selling a product which includes a manufacturer's rebate will offer to process and submit the rebate forms necessary to receive the rebate amount. In such cases, the retail store will necessarily collect personal information from the consumer including a mailing address and other details concerning the purchase. In such cases, the retail store is obliged not to use or disclose the collected personal information for any purpose other than for processing the customer's rebate claim. Since the information is no longer necessary for this purpose once the claim has been submitted to the manufacturer offering the rebate, the store's policy should provide for the timely and secure destruction of the rebate information.

An example of a privacy policy statement with respect to rebate programs is found on the Future Shop website:

Rebates

Many of the products you purchase through Future Shop are offered with rebates. To claim your rebate, you will usually be asked to provide your name, address, e-mail address and proof of purchase. You may also be asked by either Future Shop or the vendor to provide your consent to be added to promotional mailings and newsletters. Your consent is not a condition of receiving the rebate.[85]

Warranty Programs

Similar to rebate programs, some retail businesses offer customers a service which facilitates product registration for warranty program purposes. While the standard recommendation with respect to limited retention of personal information by the retail business applies with equal force as it does to a company's handling of rebate information, there is a particular concern where businesses offer a supplementary or extended warranty program beyond that provided by the product manufacturer.

For an additional cost, some retail businesses particularly in the home electronics sub-sector will offer consumers an opportunity to supplement a manufacturer's warranty with a policy that provides technical support and/or damage protection. For example, Future Shop offers a "Product Service Plan" on virtually all products sold through its retail outlets or online store.[86]

Where a retail business administers its own extended warranty program, information regarding coverage is typically connected to the individual purchasing the product. Future Shop requests the name, address and telephone number of the individual registering the warranty coverage. When a customer attends a retail outlet to request warranty service under the Product Service Plan, the customer is asked either for a store receipt or for the individual's phone number to facilitate a computer search of registered warranty information. Prior to the implementation of the PIPED Act within the provincially regulated retail sector on January 1, 2004, Future Shop routinely collected contact information from customers during every purchase. As part of Future Shop's privacy compliance program, customers were thereafter only asked for personal information when purchasing the Product Service Plan extended warranty coverage. The information recorded includes the serial number of the specific product to which the extended warranty coverage applies.

Given the uniqueness of the serial number, which prevents individuals from obtaining extended warranty service for additional products, it is arguably unnecessary to additionally collect the individual's personal information to facilitate the computer search of warranty records. Instead, the company could conduct a search by serial number of the product submitted for warranty coverage, thus enabling the consumer to obtain warranty service while retaining relative anonymity.

Interestingly, the Future Shop privacy policy makes little mention of its use of personal information in connection with its warranty program. As part of its privacy statement in respect of in-store purchases, Future Shop describes the following policy:

In-Store Purchases

When you purchase a Future Shop product or service, you may need to provide us with contact and payment information (such as credit card information) so that we can process your request. Examples where we need contact information include delivery services, product servicing, in-home installations, warranty coverage, and rebate requests. If we collect this information, we will also ask for your consent to use this information to send you promotional information on products and services.[87]

In the privacy statement provided above, Future Shop expressly identifies warranty coverage as a service mandating an exchange of customers' personal information. There is no mention of the personal information being used later to identify and match the product to which the extended warranty applies.

The statement is also unclear with respect to why contact information is necessary to provide warranty coverage. It may be necessary only to inform the individual of future amendments to the warranty agreement, but the lack of specificity as to purpose deprives the individual of the benefit of knowing based on the privacy policy alone whether withholding consent precludes the purchase of extended warranty coverage. The closing sentence, which notifies consumers that personal information necessarily collected for the preceding purposes may later be used with consent to send promotional information, calls into question the extent to which the company has actively minimized its information collection practices.

Conclusion

Privacy statements appear with increasing regularity on websites of companies in the retail sector. As with their counterparts in federally regulated sectors, the privacy statements produced by retail organizations typically describe privacy practices in general, abstract terms. This paper addresses some of the privacy issues specifically relevant to the retail sector and provides recommendations for how retail businesses might expand their privacy statements to reflect industry-specific privacy concerns. Striking the right balance between specificity and flexibility may continue to reflect a tension between openly disclosing a company's detailed privacy practices and maintaining the maneuverability provided by non-specific privacy statements affirming the general principles recognized by the PIPED Act. If the business community can overcome concerns about the competitive advantage lost or the liability increased by publishing detailed privacy manuals, consumers will benefit by having a meaningful basis on which to assess companies' privacy practices, hold them accountable for non-compliance, and ultimately guide their purchasing decisions. Until then, consumers may need to rely on their own interpretations of the PIPED Act, the goodwill of retailers to comply with the spirit of the legislation, and the similarly non-specific finding reports published by the Privacy Commissioner.


[59] Established pursuant to Art. 29 of Directive 95/46/EC. Its tasks are described in Art. 30 of Directive 95/46/EC and Art. 15 of Directive 2002/58/EC. See www.europa.eu.int/comm/privacy

[60] "Opinion 9/2004 of the Working Party on the Protection of Individuals with Regard to the Processing of Personal Data set up by Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995", WP 100 of the Working Party, available at http://europa.eu.int/comm/internal_market/privacy/docs/wpdocs/2004/wp100_en.pdf

[61] Within the meaning of Art. 25(6) of Directive 95/46/EC. Shaffer suggests that collective action on the part of the EU countries has provided significant leverage in influencing U.S. data protection law: see G. Shaffer, "The Power of EU Collective Action: The Impact of EU Data Privacy Regulation on U.S. Business Practice", European Law Journal 5 (4), 419-437 (1999).

[62] PIPED Act, Sch. 1, cl. 4.8.

[63] Opinion 9/2004, supra, at p. 6.

[64] Supra.

[65] Supra at p. 8.

[66] Supra at p. 8.

[67] Supra at p. 9.

[68] Canadian Bankers Association, "Consumer Information - Consumer Protections", available at http://www.cba.ca/en/ViewDocument.asp?fl=3&sl=65&tl=133&docid=294 (2005).

[69] Canadian Bankers Association, "Our Industry - Banks in Canada", retrieved March 21, 2005 from http://www.cba.ca/en/section.asp?fl=2&sl=204&tl=&docid= (2005).

[70] John Lawford, "Consumer Privacy under PIPEDA: How are we doing?", November 2004 (Public Interest Advocacy Centre: Ontario), available at http://www.piac.ca/PIPEDAReviewFinal.pdf.

[71] Bank accused of inappropriately demanding birthdates from account applicants: see http://www.privcom.gc.ca/cf-dc/cf-dc_020426_e.asp

[72] Customer objects to bank using Social Insurance Number to activate credit cards: see http://www.privcom.gc.ca/cf-dc/cf-dc_021219_8_e.asp

[73] For example, the paragraph on SIN usage in CIBC's Privacy Policy seems to suggest that it was added as a result of Case Summary #105 supra.

[74] A discussion of this matter is beyond the scope of this paper and a matter for further research.

[76] CIBC Privacy Policy, available at http://www.cibc.com/ca/legal/privacy-policy.html

[77] Constitution Act, 1867 (U.K.), 30 & 31 Vict., c. 3, reprinted in R.S.C. 1985, App. II, No. 5.

[78] Government of Canada, Debates of the House of Commons (Hansard), No. 9 (22 October 1999) at 1100, online at http://www.parl.gc.ca/36/2/parlbus/chambus/house/debates/

[79] General Motors of Canada Ltd. v. City National Leasing, [1989] 1 S.C.R. 641 at 663.

[80] See, for example, "Guidelines for the Routine Release of Records Information", October 1997, available at http://www.mser.gov.bc.ca/privacyaccess/main/rr_guide.htm

[81] Principle 4.8.1.

[82] Principle 4.8.2(d).

[83] Principle 4.3.3, PIPED Act.

[84] http://www.futureshop.ca/informationcentre/en/privacypolicy.asp
