Not infrequently, customers may resort to consumer affairs columnists and other third parties, such as consumer advocacy groups, in order to resolve issues that they are having. In these circumstances, is there implied consent for the vendor of the goods or services to disclose personal information to the third party advocate?
This was the issue in an October 31, 2014 Report of Findings by the Office of the Privacy Commissioner of Canada (OPC) regarding an investigation into the allegations that an Internet Service Provider (ISP) improperly disclosed personal information to a newspaper columnist. The OPC agreed with the ISP that there was reason to believe implied consent existed, and that the ISP’s response was appropriate, in the circumstances.
Background on the case
After failing to resolve a longstanding internet service dispute with his ISP, a consumer e-mailed a newspaper columnist with instructions to resolve the dispute with the ISP. The newspaper columnist is known by the consumer and public as a consumer advocate who intervenes and tries to resolve problems consumers face with organizations.
The columnist forwarded the consumer’s e-mail to the CEO of the ISP seeking a response to the complaint. The ISP responded to the columnist, who then forwarded the response to the consumer. The consumer objected to the ISP sharing his personal information to the columnist without his consent. The ISP argued they believed they had the consumer’s implied consent, the information they disclosed to the columnist was not sensitive and it was relevant to defending itself against the consumer’s allegations. The OPC agreed with the ISP.
Key points for organizations
1. Does an organization require express or implied consent?
Two types of consent exist under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) – express and implied. In general, express consent should be sought, especially when the personal information is considered sensitive. When information is not sensitive, implied consent is generally considered appropriate.
In this case, the OPC found the ISP disclosed non-sensitive information about the history of the consumer’s dispute with the ISP.
2. In some circumstances, organizations can reasonably assume implied consent from the
individual’s actions or inactions.
An organization should consider the reasonable expectations of the individual when obtaining consent. Consider whether the individual has certain knowledge or understanding of the information and context to assist in determining their expectations, and subsequently consent.Implied consent is appropriate in situations where the intended use or disclosure of personal information is clear from the context.
Given that the consumer sought assistance in resolving his dispute with the ISP when he contacted the newspaper columnist, it was a reasonable expectation that his information would be disclosed in order to address the very information he put into question.
3. An organization should limit its disclosure when it relies on implied consent.
An organization does not have carte blanche under implied consent and the OPC scrutinizes the information being collected or disclosed. The ISP limited its disclosure to information only related to the consumer’s allegations, in order to properly defend itself against said allegations, and to properly respond to the columnist’s inquiries during a dispute resolution situation.
The information that was disclosed was entirely related to the issue that the consumer initiated.
In this case, the OPC found the ISP had a reasonable belief to rely on implied consent, and that the ISP properly limited the disclosure to personal information that was relevant to the complaint against them.
Organizations should continue to be mindful of the before, during and after around implied consent; the sensitivity of the information, the individuals reasonable expectations and actions/inactions, and limiting the collection or disclosure of information to the particular context.