Personal Information Protection and Electronic Documents Act statutory provisions and some relevant abstracts of decision summaries.
4.3 Principle 3 - Consent
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
Note: In certain circumstances personal information can be collected, used, or disclosed without the knowledge and consent of the individual. For example, legal, medical, or security reasons may make it impossible or impractical to seek consent. When information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the individual might defeat the purpose of collecting the information. Seeking consent may be impossible or inappropriate when the individual is a minor, seriously ill, or mentally incapacitated. In addition, organizations that do not have a direct relationship with the individual may not always be able to seek consent. For example, seeking consent may be impractical for a charity or a direct-marketing firm that wishes to acquire a mailing list from another organization. In such cases, the organization providing the list would be expected to obtain consent before disclosing personal information.
Summary: Knowledge and informed consent of the individual are required for collection, use and/or disclosure of personal information except in limited circumstances. The limited exceptions are listed in PIPEDA and additional ones are listed and described in a regulation specifying publicly available information. Organizations sometimes disclose information to family members without consent in violation of PIPEDA.
Consent may be express or implied. Consent may also be assumed when an adequate “opt-out” procedure is provided for information that is not sensitive. When an organization assumes consent, it has an affirmative duty to clearly disclose it is making this assumption. Opt-out procedures will not be valid unless they are processed immediately or in a timely manner, to avoid a period where consent is assumed. When consent is obtained through a consent form, the form must clearly disclose the purposes for which information is being requested and explain how the information will be used and how it will be disclosed. Consent forms must be explicit and detailed. Small print and legalistic language which is hard to understand may invalidate consent. Optional data must be clearly denoted as such. Consent is not required to disclose information when no disclosure is made (e.g., where a management agency supervises employees under an agreement which protects employee information). Consent is not required when the Act is inapplicable because the information is not personal (e.g., business information or the information cannot be linked to an identifiable individual).
When obtaining consent, the organization’s purpose must be clearly disclosed and must not be vague to effect informed consent. PIPEDA only applies to personal information and thus consent is not required to disclose business information.
An individual is deemed to voluntarily give consent even when faced with transfer or termination from employment for failure to consent as long as the individual is not under duress.
PIPEDA’s consent and knowledge requirement is inapplicable in inappropriate situations. These include lawful requests from government agencies, court orders, subpoenas issued by an entity with authority to compel production (but not those issued by an attorney) and when necessitated by national security concerns. Consent and knowledge are not required when an investigation is in progress concerning a breach of an agreement or a criminal investigation. In some circumstances, disclosure may be made without consent of an individual to collect a debt. PIPEDA provides a publicly available information exception which provides that the Act is inapplicable to information which is publicly available such as white pages directory information previously published. Any organization invoking an exception to the Act’s requirements bears the burden of proof to show the exception is valid and proper.
PIPEDA only applies to a federal work, undertaking or business as defined in the Act. Consent and knowledge are not required for collection, use and disclosure where no jurisdiction exists to apply PIPEDA.
A private organization obtained personal information from individuals without their consent when it conducted unauthorized video surveillance of public places. PIPEDA Case summary #1, WF.
An internet service provider (ISP) obtained consent to send unsolicited email notices to its customer in its service agreement and was, therefore, not in contravention of the Act. PIPEDA Case summary #2, NWF.
Individuals give implied consent to publish directory information in white pages when they are offered the option but choose not to have an unlisted number. Telephone companies do not violate the Act by charging fees for the unlisted service in compliance with government regulations. PIPEDA Case summary #8, NWF.
An organization that is not a federal work, undertaking, or business as defined in the Act is not subject to the consent requirements in PIPEDA. PIPEDA Case summary #17, D.
An organization which denied an employee’s access request to her records improperly copied union representatives on its response without the consent of the employee. However, the organization could assume consent when it copied the employee relations coordinator who had been previously involved and who had some of the records requested. PIPEDA Case summary #20, WF.
An internet service provider (ISP) that monitors the email services it provides and responds to delivery failure messages did not violate PIPEDA. PIPEDA Case summary #21, NWF.
An organization may assume consent to print bank account and bank transit numbers on an employee’s pay stub when the employee requested their pay be electronically deposited. PIPEDA Case summary #23, NWF.
An organization attempted to obtain information about a computer user’s NETBIOS without his consent. Since this information could be used to trace an individual’s identity which would reveal significant personal information, this violated Principle 4.3. PIPEDA Case summary #25, WF – R.
A bank violated the Act when it mistakenly sent a married couple’s pay stubs to a third party. PIPEDA Case summary #28, WF.
A bank manager called its customer’s employer to report what the bank manager considered to be rude and inappropriate behavior on the part of the customer. The customer held a personal account at the bank and had engaged bank staff in an argument concerning the account but also transacted business at the bank for his employer. The Commissioner held the bank manager improperly disclosed personal information without the individual’s knowledge or consent in violation of PIPEDA. PIPEDA Case summary #30, WF.
A bank complied with the Act when it provided an individual with written notification at the time she opened her account of its practice of contacting customers to obtain their opinions regarding future products and services. The bank could assume consent if the customer did not opt out since the personal information at issue was not sensitive. PIPEDA Case summary #35, NWF.
A telecommunications company did not violate the Act when it published its customer’s directory information in accordance with the customer’s consent given upon initiation of telephone service. PIPEDA Case summary #38, NWF.
An internet service provider (ISP) did not violate PIPEDA when it reassigned its customer’s email address to another customer by mistake given that a disclosure of personal information did not take place. PIPEDA Case summary #41, NWF.
Air Canada did not obtain consent for a new use of frequent flyer members’ personal information that had previously been collected and was, therefore, in contravention of the Act. PIPEDA Case summary #42, WF.
A bank did not violate the Act when it tape recorded telephone conversations with its customer and subsequently disclosed them in a court proceeding because the customer had signed a consent form agreeing to be bound to an agreement which clearly disclosed the bank’s practices. Moreover, the bank provided the customer with a privacy brochure and verbally informed him of the bank’s practices. PIPEDA Case summary #51, NWF.
An organization does not need consent to disclose an individual’s name, address, and telephone number which appear in a publicly available white pages directory. However, when any personal information beyond name, address and phone number is disclosed, consent is required. PIPEDA Case summary #54, WF.
An organization that discloses information without an individual’s knowledge and consent pursuant to an exception in the Act is responsible for ensuring the exception is valid and proper. PIPEDA Case summary #62, WF.
Where collection of information is reasonable, an employer can take negative actions including transfer and dismissal of employees who refuse to give consent for a security check. PIPEDA Case summary #65, NWF.
An internet service provider (ISP) failed to clearly explain that the ISP would store and deny access to emails pending payment of an account in arrears. Therefore, the customer could not have given meaningful consent to the practice. Thus, the ISP was in contravention of the Act. PIPEDA Case summary #66, WF.
No consent to collect, use, or disclose non-personal information is required. Where a fax does not name an individual or provide the means to identify an individual, it is not protected information. An organization is not required to obtain consent to collect personal information in connection with a criminal investigation. PIPEDA Case summary #68, NWF.
An organization failed to comply with PIPEDA when it inadvertently disclosed third party personal information when responding to a request for a copy of an employee’s personnel file. The organization also failed to obtain consent from its customers to allow quality assurance monitoring of telephone calls. PIPEDA Case summary #72, WF.
An organization does not disclose personal information when one calls oneself and sees one’s own name and unlisted number on a telephone display screen. PIPEDA Case summary #75, NWF.
Where multiple forms of data collection occur, such as through the web, in writing, and by phone, all forms must ensure the individual is provided adequate information to grant informed consent. A method for immediately withdrawing consent, such as a check-off box or toll-free phone number, must be provided. PIPEDA Case summary #78, WF.
An organization that makes reasonable efforts to ensure its customers know the purposes for which information is collected, used, and disclosed and seeks consent for such purposes satisfies PIPEDA. A bank that provides detailed written privacy policies to its customers, draws attention to these documents when new accounts are established and requests and records the customer’s preferences for disclosure is in compliance. PIPEDA Case summary #82, NWF.
An organization is not required to obtain informed consent to collect personal information while conducting an investigation into a breach of an agreement or contravention of law. PIPEDA Case summary #84, NWF.
An organization must obtain informed consent to tape record telephone calls. PIPEDA Case summary #86, WF.
An individual’s complaint that a bank used his identification to determine his birth date and run a credit check without his consent was unfounded. The individual gave consent to the credit check in connection with the account application and there was no evidence the request for identification was used for any purpose other than identification. PIPEDA Case summary #93, NWF.
Monitoring of an individual’s credit card spending practices in accordance with the terms of the card holder agreement was acceptable. The Commissioner found the bank did not collect additional information from the cardholder without his consent. PIPEDA Case summary #95, NWF.
An attorney in Quebec issued a subpoena for financial records and the organization released the records in violation of PIPEDA. The organization was not in conformity with the Act because records may only be released without the knowledge and consent of the affected individual in response to a court order or subpoena – not a subpoena issued by an attorney who does not have authority to compel production. PIPEDA Case summary #96, WF.
A bank collected spousal income information without the spouse’s consent. It also failed to clearly disclose the purposes for data collection such that a reasonable person could understand how the information would be used or disclosed. The bank was, therefore, in violation of the Act. PIPEDA Case summary #97, WF – R.
A telecommunications company disclosed contents of a debtor’s records to a collection agency. The information included the unlisted telephone number of an individual whom the debtor frequently called. The Commissioner concluded the unlisted telephone number was the personal information of both the debtor and the unlisted account holder. Therefore the telecommunications company violated PIPEDA when it disclosed the phone number without the unlisted account holder’s consent. PIPEDA Case summary #99, WF.
A bank employee violated the Act when the employee disclosed private information to a customer’s mother because the employee mistakenly believed they were talking with the customer after having called and asked for the individual by last name only. PIPEDA Case summary #100, WF.
Video recording of trucks entering a railway terminal for the purpose of documenting the condition of goods entering and exiting the facility that also recorded the image of the driver was acceptable without consent. However, disclosure of personal information to the truck driver’s employer, without naming the driver but which enabled the employer to identify the driver, did violate PIPEDA. PIPEDA Case summary #107, WF.
In violation of the Act, a bank employee disclosed balance information to a credit card holder’s husband who was not a joint account holder without her consent. PIPEDA Case summary #108, WF.
Organizations will not be in contravention of the Act when there is insufficient evidence to support the complaint. PIPEDA Case summary #113, NWF; PIPEDA Case summary #81, NWF; PIPEDA Case summary #77, NWF.
A bank violated PIPEDA when it required customers to disclose their SIN without obtaining their consent or informing them of the purpose for collecting the SIN. PIPEDA Case summary #115, WF – R.
An organization’s policy requiring employees on extended sick leave to consent to their physician supplying information about the employee's illness to the organization’s occupational health professionals did not violate PIPEDA. PIPEDA Case summary #118, NWF.
A bank employee used a customer’s personal information without consent to commit fraud; a violation of the Act. PIPEDA Case summary #121, WF.
A telecommunications company did not violate PIPEDA when it accessed its customer’s account information to respond to her phone calls and emails. PIPEDA Case summary #126, NWF.
A telecommunications employee argued his consent to a security check to enable him to work in a restricted area of an airport was involuntary and violated PIPEDA. The Commissioner determined that although he may have lost his job if he failed to consent, he did in fact have a choice. PIPEDA Case summary #127, NWF.
An organization may disclose information without the knowledge and consent of an individual for the purpose of collecting a debt. However, the ability to do so is not unlimited. PIPEDA Case summary #130, NWF.
After an individual provided two forms of identification to a bank employee, the bank made photocopies of the identification and, in the process, acquired more information than was necessary given the circumstances without the customer’s consent. PIPEDA Case summary #132, WF.
A telephone company disclosed unlisted addresses on its web site in error without consent of the addressees and was, therefore, in violation of the Act. PIPEDA Case summary #138, WF.
A bank was in compliance with the Act when it disclosed credit information to a credit bureau in accordance with its cardholder agreement. The cardholder gave consent by using the card. PIPEDA Case summary #140, NWF.
A bank failed to explain that disclosure of the SIN was optional in connection with a credit card application. This failure resulted in an inability for the applicant to give meaningful consent. PIPEDA Case summary #142, WF.
No consent is required when producing documents during the discovery process within the context of legal proceedings. PIPEDA Case summary #143, NWF.
The process of linking old and new credit card accounts for the purpose of honoring pre-existing automatic payments does not violate PIPEDA where no information is disclosed. PIPEDA Case summary #144, NWF.
Where no disclosure is made, consent is not required. A company hired to manage employees on behalf of the employer could have access to employee information without this being considered disclosure where its contractual agreement required compliance with PIPEDA. PIPEDA Case summary #145, NWF.
A credit bureau disclosed information without the individual’s knowledge or consent in violation of PIPEDA. PIPEDA Case summary #150, WF.
Meaningful consent cannot be obtained unless an individual is informed as to the specific uses toward which the information will be applied. PIPEDA Case summary #151, WF; PIPEDA Case summary #148, WF.
The Commissioner determined that telecommunications employees gave implied consent to collect statistical information for individual job performance evaluations because they were informed of the practice and chose to continue their employment. PIPEDA Case summary #153, NWF.
A bank customer called her branch and asked a general question without disclosing her identity. Using its caller identification system, the bank accessed the caller’s account without consent, thereby violating Principle 4.3. PIPEDA Case summary #155, WF.
A bank violated the Act by providing an uncle of a customer with information pertaining to the client’s transaction history. PIPEDA Case summary #158, WF.
A bank complied with PIPEDA because it clearly disclosed that providing SINs on a credit card application was optional and it allowed customers to withdraw consent. PIPEDA Case summary #159, NWF.
A telephone company is not required to obtain consent for a supervisor to listen to calls for the purpose of training telephone operators. The Commissioner noted that none of the caller’s personal information was recorded or preserved. PIPEDA Case summary #160, NWF.
Where information cannot be traced to a specific individual, no consent is required and PIPEDA does not apply. PIPEDA Case summary #161, NWF.
An organization that used “cookies” on its web site to collect and store personal information violated Principle 4.3 by failing to obtain user consent. PIPEDA Case summary #162, WF.
Organizations assuming consent must bring this assumption to the attention of their customers at the time information is collected. PIPEDA Case summary #167, WF.
A bank was held responsible for actions of its third party collection agent for disclosure of protected information to a debtor’s employer without the debtor’s knowledge or consent. PIPEDA Case summary #168, WF.
The Commissioner investigated a complaint by a bank customer who alleged the bank monitored the number of credit inquiries on his credit bureau report without his consent. No evidence was found to indicate any violation of PIPEDA. PIPEDA Case summary #170, NWF.
A telephone subscriber who signed up for a non-published telephone number complained when the subscriber’s name and number were displayed on a caller identification device. Where information was provided to both new and current subscribers but no special efforts were taken to bring information to the attention of current subscribers, the organization could not assume consent. PIPEDA Case summary #172, WF.
A bank was not required to obtain consent to disclose financial information about its customer when disclosure was made to a government agency pursuant to a lawful request for the purpose of law enforcement. PIPEDA Case summary #173, NWF.
No consent is required to disclose information pursuant to a court order (writ of seizure). PIPEDA Case summary #174, NWF.
A bank disclosed private information about its customer’s account to her ex-husband without her knowledge or consent. This was in violation of the Act. PIPEDA Case summary #175, WF.
When an organization informs an individual it is taping a telephone call, it is proposing the individual grant consent and if the individual refuses consent the taping must cease. PIPEDA Case summary #176, WF.
Meaningful consent cannot be obtained unless the organization reasonably enables individuals to understand the intended use for which the information is being collected. PIPEDA Case summary #180, WF; PIPEDA Case summary #61, WF.
Consent is not required to disclose information to an attorney representing the lending organization for the purpose of debt collection. PIPEDA Case summary #181, NWF.
An organization obtained credit files pertaining to one of its former employees without her consent and in violation of its agreement with the credit bureau. Despite these facts, the credit bureau was entitled to reasonably believe consent had been obtained by the requesting organization in accordance with its contractual agreement. PIPEDA Case summary #182, NWF.
To be valid, consent must be meaningful. Consent cannot be deemed meaningful when the language used in the consent form is vague, legalistic, difficult to read and understand, so broad as to preclude understanding of specific intended uses, or when the form fails to identify that providing the requested information is optional. PIPEDA Case summary #184, WF.
A railway company’s notification to truckers of a change in security protocols requiring a collection of identification cards and fingerprints along with a signed consent form met the requirements of PIPEDA. PIPEDA Case summary #185, NWF.
An individual complained that a credit bureau disclosed his/her personal information to a telecommunications company without consent. The Commissioner found the case to be not well-founded even though the individual did not, in fact, grant consent. The telecommunications company should not have requested the information from the credit bureau pursuant to its contractual agreement. The credit bureau, however, was entitled to assume the requesting organization had complied with its agreement. PIPEDA Case summary #186, NWF.
A consumer allegedly requested that a credit check NOT be performed. Nevertheless, the organization proceeded with the credit check. The Commissioner ruled that the organization did not violate PIPEDA because it was not aware of the consumer’s request and that it was reasonable for the organization to rely on the consent that was previously granted through its client business. PIPEDA Case summary #188, NWF.
Once consent has been withdrawn, an organization must honor the request and remove the information in question. PIPEDA Case summary #189, NWF.
Consent is not required if the disclosure of information is required by law. Thus, when an organization disclosed medical information pertaining to an employee, as required under the Workers’ Compensation Act, it was not in contravention of the Act. PIPEDA Case summary #191, NWF.
A written consent form must not be vague; its purpose must be clear and the type of information to be disclosed must be specified. PIPEDA Case summary #192, WF.
An individual denied a telephone company permission to run a credit check on an application for residential long distance telephone services. The telephone company then performed the credit check which was a violation of PIPEDA because consent was not obtained. PIPEDA Case summary #193, WF.
A credit reporting agency can reasonably assume that banks that send it personal information for credit reporting purposes had obtained the consent of the affected individuals because the banks had entered into a confidentiality agreement wherein PIPEDA applies. PIPEDA Case summary #194, NWF.
Private information disclosed subject to an arbitrator’s order did not require consent. PIPEDA Case summary #198, NWF.
When a bank disclosed confidential, financial information to its customer’s fiancée, the fiancée called off the wedding. The Commissioner found that the information was provided without the customer’s consent and thus the bank violated the Act. PIPEDA Case summary #200, WF.
A written consent must not be vague. It must clearly identify elements that are optional to effect meaningful consent. The use of an “opt-out” procedure to effect consent is invalid with respect to credit card applications because the information collected and disclosed is sensitive. PIPEDA Case summary #203, WF.
A telecommunications company employee allegedly disclosed the first name of a customer as well as personal information contained in a personal guarantee. However, because the first name, in and of itself, could not be linked to the customer, the Commissioner ruled that it was not personal information. PIPEDA Case summary #205, NWF.
An organization may assume consent providing that an easy, inexpensive, and immediate “opt-out” procedure is provided under certain circumstances. The private information must not be sensitive, information sharing with third parties must be well defined with respect to disclosure and use, and the organization’s intended use of the information must be brought to the customer’s attention at the time information is collected. PIPEDA Case summary #207, NWF.
A bank employee conducted a credit check on an individual without his consent based upon an application for credit in his name and that of his ex-wife signed solely by her. Had this occurred after PIPEDA had been enacted it would have been a violation. Moreover, there was insufficient evidence of improper disclosure of information to the applicant’s ex-wife. PIPEDA Case summary #208, NWF.
A telephone company contacted its customer’s mother to determine if the customer was moving. The customer had only given consent to contact his mom as a reference during the credit application process and to leave messages. Because the company disclosed information beyond the scope of the customer’s consent, it violated PIPEDA. PIPEDA Case summary #210, WF.
A bank disclosed a client’s personal information to his/her aunt and mother without consent. Although the customer had provided the aunt’s contact information as a reference for the purpose of verifying information, the Commissioner concluded, nevertheless, that the personal information was disclosed without consent. PIPEDA Case summary #213, WF.
In violation of the Act, a bank conducted credit checks on customers without their knowledge or consent in order to prescreen them for overdraft approval. PIPEDA Case summary #214, WF – R.
A bank failed to obtain a customer’s consent for the purposes of recording a phone call related to the activation of a credit card. Moreover, the bank failed to appropriately respond to the customer’s refusal to consent to the recording of the call. The Commissioner found the bank in violation of Principles 4.3 and 4.35. PIPEDA Case summary #215, WF.
A telemarketing firm shared individual sales performance information with its employees to motivate and encourage competition among them. Since sharing such information is a widely known industry practice and there was evidence the organization made its employees aware of the purposes for the practice, it could be inferred that the employees’ willingness to work under these circumstances constituted consent. PIPEDA Case summary #220, NWF.
A collection agent called a debtor’s aunt. The debtor had given consent to use the aunt’s number to convey messages but the Commissioner concluded that a reasonable person would understand such consent to be limited in scope. By revealing that the agent was calling from the company’s credit department, information was disclosed which exceeded the debtor’s consent. PIPEDA Case summary #225, WF.
A telephone company was accused of providing a transcript of a hearing impaired customer’s call to the police without their consent. The Commissioner found no evidence to support the accusation. PIPEDA Case summary #227, NWF.
A transportation company violated the consent requirement by allowing a binder containing sensitive employee performance information to be left in a room accessible to all employees. PIPEDA Case summary #228, WF.
Where an individual provided her unlisted home telephone number to her bank and represented it as business contact information, the Act did not apply and therefore consent for collection, use, or disclosure was not required. PIPEDA Case summary #230, NWF.
A telephone company published a customer’s previously unlisted name and address in a telephone directory without her consent. The company was, therefore, acting in contravention of the Act. PIPEDA Case summary #231, WF.
It is not necessary for a nuclear facility to acquire spousal consent in order to collect information about its employee’s spouse for the purpose of conducting security clearance checks. Principle 4.3 does not require consent where it would be inappropriate to require such consent. PIPEDA Case summary #232, NWF.
A bank was accused of providing personal financial information about a loan applicant to the applicant’s business associates. However, the Commissioner found no evidence of non-compliance. PIPEDA Case summary #234, NWF.
An organization violated the Act when it contacted a hospital and obtained information about its employee’s medical exam without the employee’s consent. PIPEDA Case summary #235, WF.
A credit card offer allowed applicants to opt-out from having their personal information used for a secondary marketing purpose. But the time required to process such requests was eight weeks, effectively requiring all new account holders’ consent for a brief period in violation of PIPEDA. , WF.
A bank that discloses the customer’s name, credit card number, membership number, and points information with loyalty program providers in accordance with its agreement was deemed to have obtained proper consent. PIPEDA Case summary #241, NWF – NWF.
A two-year-old general consent agreement signed with a bank's subsidiary allowing disclosure of information related to a closed account was insufficient to satisfy Principle 4.3. PIPEDA Case summary #246, R.
A bank failed to obtain meaningful informed consent to use information for the secondary purpose of marketing. PIPEDA Case summary #250, WF - NWF – NWF.
Promotional materials which contained a notice stating how requested information would be used and providing instructions to “opt-out” complied with PIPEDA. PIPEDA Case summary #258, R.
A signed written agreement satisfied the requirement for knowledge and consent for the collection, use, and disclosure of private information. PIPEDA Case summary #259, NWF – WF.
Consent is required for the collection of personal information and the subsequent use or disclosure of this information. Typically, an organization will seek consent for the use or disclosure of the information at the time of collection. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected but before use (for example, when an organization wants to use information for a purpose not previously identified).
Summary: An organization must seek consent for the use or disclosure of information at or before the time of collection. If the organization wishes to use previously collected information for a new purpose, it must obtain consent for the expanded scope of use.
When an organization wishes to use personal information previously collected for a new purpose, it must first obtain consent. PIPEDA Case summary #42, WF.
An organization must seek consent for collection, use and disclosure at the time information is requested. PIPEDA Case summary #78, WF.
The principle requires "knowledge and consent". Organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.
Summary: An organization must make a reasonable effort to ensure an individual understands the purpose(s) for which information will be used. Without such knowledge, any consent given is meaningless. Thus the Act requires both knowledge and consent. An organization will be considered to have made reasonable efforts when it clearly discloses its purposes at or before the time of data collection. Such disclosures of purpose must be clear and unambiguous. The organization must disclose all genuine primary and secondary purposes and the disclosure must be specific.
A bank made reasonable efforts to ensure its customer was advised of the purposes for which his private information was collected, used and disclosed. The bank asked him to sign a consent form, provided him a copy of an agreement governing its practices, provided him a privacy brochure and personally explained its practices. PIPEDA Case summary #51, NWF.
A broad statement of purpose is insufficient to enable an individual to provide informed consent and, as such, fails to provide a basis to determine allowable uses. PIPEDA Case summary #61, WF.
An internet service provider (ISP) failed to inform its customers of its secondary purpose for collecting customer emails and was, therefore, in contravention of the Act. PIPEDA Case summary #66, WF.
An organization that clearly identifies the purposes of collecting, using, and disclosing personal information, describes its use of personal information and specifies the restrictions under which it discloses personal information meets the requirements of Principle 4.3.2. PIPEDA Case summary #78, WF.
An organization which provided two privacy related documents to its customers and additional detailed information on-line and in hardcopy at the customer’s request made a reasonable effort to ensure the individual was advised of the secondary purposes for which personal information would be used or disclosed. PIPEDA Case summary #82, NWF.
A bank violated PIPEDA when it required customers to disclose their SIN without obtaining their consent or informing them of the purpose for the SIN. PIPEDA Case summary #115, WF – R; PIPEDA Case summary #105, WF – R.
An organization that had informed the complainant when he was hired that a security check may be required, and that failure to undergo the check or obtain clearance could result in job loss, did not violate Principle 4.3.2. The issue of voluntary vs. involuntary consent must be determined in the context of the reasonable person test in subsection 5(3). PIPEDA Case summary #127, NWF.
A bank failed to explain that disclosure of the SIN was optional in connection with a credit card application. Since the bank failed to make a reasonable effort to ensure the applicant understood the SIN was optional, the applicant could not give meaningful consent. PIPEDA Case summary #142, WF.
An organization failed to inform its customer of the true purposes for which information was requested and was, therefore, in contravention of the Act. PIPEDA Case summary #152, WF.
An organization cannot assume consent unless it provides detailed information to its customers to ensure they have knowledge of the assumption of consent and purposes for which information will be used. PIPEDA Case summary #167, WF.
It is not possible to obtain meaningful consent in accordance with PIPEDA when an organization fails to clearly disclose its exact purpose(s) in detail. PIPEDA Case summary #192, WF; PIPEDA Case summary #184, WF; PIPEDA Case summary #180, WF; PIPEDA Case summary #151, WF; PIPEDA Case summary #97, WF – R; PIPEDA Case summary #83, WF; PIPEDA Case summary #56, WF; PIPEDA Case summary #24, WF.
A bank required individuals to consent to a credit check as a condition of opening a new account. The real purpose for this was to verify the individual's identity and check for previous illegal or fraudulent activity. The Commissioner determined that the bank failed to comply with Principle 4.3.2 when it failed to inform its customers of the specific purposes for requesting consent. PIPEDA Case summary #219, WF.
A telephone company’s practice of drawing the customer’s attention to its privacy policies was a reasonable effort to ensure an individual is advised of the purposes for which personal information was requested. , NWF.
If a signed consent form fails to explain its purpose in a way that a reasonable person would understand, the form will not satisfy the requirement of informed consent. , R; PIPEDA Case summary #148, WF.
An organization did not make a reasonable effort to inform its customer how information would be used when the notice was unclear. The notice was “hidden away” under headings which were not descriptive of the actual content. PIPEDA Case summary #258, R.
An organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes.
Summary: An organization may not require an individual to provide information or consent to its use and disclosure as a condition of providing a product or service unless such consent is legitimate and necessary to satisfy disclosed purposes. Since this principle is fundamentally tied to the organization’s purpose, the organization must disclose its purpose. An organization which fails to disclose its purposes is by default requiring information beyond the specified purpose in violation of PIPEDA.
Organizations often violate this requirement when they require an individual’s SIN for a purpose other than income tax reporting. And even in the case of income tax reporting, a SIN is not required in some cases (e.g., exception for minors opening a bank account). The Commissioner has expressly noted an organization cannot require a SIN to apply for credit or a loan.
Organizations may require two separate forms of identification to extend credit. They may also collect an individual’s personal financial information (including information on income and assets) to extend credit. But they may not require tax returns as part of a credit application because the tax return contains more information than required to determine credit worthiness. An organization may refuse to supply credit to an individual who refuses consent to allow the organization to perform credit reporting to credit bureaus.
Organizations may deny certain services such as financial withdrawals and disconnection or modification of services when a person fails to provide identification (but see , organizations must be able to immediately handle opt-out requests or the organization will be deemed to have collected and used information beyond that required for a legitimate purpose.
An organization may not deny access to its web site unless the individual accessing the site enables “cookies.”
An organization which refused to provide internet service to an applicant unless they provided their SIN violated PIPEDA. PIPEDA Case summary #22, WF – R.
A bank implemented a fraud prevention program in response to identity theft requiring customers to have identification ready upon request. The Commissioner was satisfied that the purpose was specified and legitimate and that established customers would be allowed to withdraw funds even without identification. PIPEDA Case summary #27, NWF.
Where an individual wanted to open a basic bank account with no credit privileges (no overdraft protection, credit card or credit in any form), a bank violated PIPEDA by requiring personal information to perform a credit check. The bank required information beyond that legitimately required. PIPEDA Case summary #40, WF.
An organization which refused to provide a service unless a customer provided a bank account number for electronic debit or a credit card to be charged complied with the Act since it required such information for the legitimate purpose of collecting payment. The organization is not required to provide alternate payment arrangements. PIPEDA Case summary #48, NWF.
A bank’s requirement that a customer consent to it obtaining “financial and other information about you” from “any other source” was so broad it violated the Act’s prohibition of requiring consent to collect information beyond that legitimately required. PIPEDA Case summary #76, WF – R.
When an organization fails to disclose its purposes for requesting information, it is by default requiring consent as a condition of supplying a product or service to the collection, use and disclosure of information beyond that for specified purposes. PIPEDA Case summary #83, WF.
A sole proprietor wished to open a small business banking account but complained when the bank required him to disclose personal information for a credit check. Since no government law requires a bank to accept an application for a business account unconditionally and the bank does assume a credit risk associated with the account, the bank’s requirement was legitimate. PIPEDA Case summary #117, NWF.
Government regulations provide an exception for children from the normal requirement that banks collect the SIN for income reporting. As a result, a bank violated PIPEDA when it refused to open an account for a child without his/her SIN. PIPEDA Case summary #132, WF.
An airline contravened the Act when it refused to process a lost baggage claim request unless the claimant provided their SIN, birth date, occupation, and company name. These items of personal information exceeded that required for legitimate purposes. PIPEDA Case summary #148, WF.
A cellular phone company refused to provide phone service unless an individual provided two pieces of identification for the purpose of conducting a credit check. This practice was determined to be reasonable and legitimate since phone service is a form of unsecured credit when customers pay for the calls after the fact. PIPEDA Case summary #151, NWF; PIPEDA Case summary #104, NWF.
A cable company refused to disconnect cable service if an individual did not provide his date of birth and mother’s maiden name. The Commissioner found the use of these items for identification purposes legitimate. PIPEDA Case summary #152, WF.
An organization violated Principle 4.3.3 when it denied an individual access to its web page unless that individual enabled their web browser to accept “cookies.” PIPEDA Case summary #162, WF – R.
A bank contravened the Act when it required a credit applicant to report a SIN in order to process a loan application. PIPEDA Case summary #166, WF.
A bank required tax returns of self-employed applicants for credit in order to assess their credit worthiness. While the purpose is valid, the Commissioner found that the bank’s requirement that Notices of Assessment (NOAs) be provided by the applicant violated PIPEDA because the NOAs contained information beyond that required by the bank. PIPEDA Case summary #169, WF.
A bank refused to process a credit card application unless the applicant supplied their Social Insurance Number (SIN). This was in contravention of the Act. PIPEDA Case summary #184, WF.
It is not unreasonable for an organization to refuse to extend credit or require a security deposit when an individual refuses to provide documents to establish their identification and/or facilitate a credit check. PIPEDA Case summary #204, NWF; PIPEDA Case summary #202, NWF; PIPEDA Case summary #94, NWF; PIPEDA Case summary #56, NWF; PIPEDA Case summary #24, NWF.
The Commissioner found that a reasonable person would expect a bank to provide continuing updated credit information to credit bureaus in accordance with its contractual obligations. It was therefore permissible for a bank to refuse to extend credit to a customer who refused consent to allowing the updating of his loan accounts to the credit bureau. PIPEDA Case summary #206, NWF.
It is legitimate to require documents for identification purposes when extending credit to an individual or modifying the service(s) they receive from an organization. PIPEDA Case summary #217, NWF.
An organization could withhold a service for failure to consent to a limited background check which was considered a legitimate purpose under the circumstances. Since the organization failed to disclose this purpose, however, it violated PIPEDA. PIPEDA Case summary #219, WF.
It was legitimate for a bank to collect an individual’s personal information regarding the make and model of her car as part of a credit card application so that the bank could determine her credit worthiness. PIPEDA Case summary #223, NWF.
As a result of a delay in processing opt-out requests, a bank was requiring that credit card customers allow the use of their personal information for a nonconsensual purpose in order to become a card holder. The bank was, therefore, in contravention of the Act. , WF.
A bank that shared an individual’s name, credit card number, membership number, and points information on a loyalty credit card with its loyalty program partner was acting for a legitimate purpose. It is illogical to expect benefits from a loyalty credit card program without such disclosures. PIPEDA Case summary #241, NWF – NWF.
A bank complied with Principle 4.3.3 when it required its customer to provide identification that it compared to his signature on file at his normal branch before allowing the customer to withdraw funds. PIPEDA Case summary #245, NWF – NWF.
A bank violated PIPEDA when it refused to issue a bank card after the applicant provided her driver’s license and employee identification card which contained her physical description, address and date of birth. Bank officials later admitted that the driver’s license was sufficient to identify the individual and issue her a bank card. PIPEDA Case summary #257, WF.
The form of the consent sought by the organization may vary, depending upon the circumstances and the type of information. In determining the form of consent to use, organizations shall take into account the sensitivity of the information. Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context. For example, the names and addresses of subscribers to a newsmagazine would generally not be considered sensitive information. However, the names and addresses of subscribers to some special-interest magazines might be considered sensitive.
Summary: An organization may vary the form of consent it seeks by using opt-out or opt-in consent depending upon the circumstances and the sensitivity of the personal information at issue. The sensitivity of personal information depends on the nature of the information and context for use and disclosure. Sensitive information includes but is not limited to medical records (health status), financial records (annual income, credit history, financial status, household income), social insurance number (SIN), driver’s license number, passport number, record of customer complaints, age and marital status. Name and contact information are not considered sensitive. One example of context which requires positive “opt-in” consent is when an organization uses personal information to tailor its marketing message based on an individual’s personal preferences and financial status.
An organization that uses personal information to tailor promotional offers to the individual’s personal preferences and financial status must obtain positive “opt-in” consent. PIPEDA Case summary #42, WF.
Personal information such as one’s age, marital status, financial status, household income and health status are sufficiently sensitive to require affirmative (opt-in) consent for disclosure. PIPEDA Case summary #91, WF.
An organization may not use an “opt-out” form of consent even with non-sensitive information unless certain conditions are met. The organization must: 1) clearly limit and define the personal information to be used or disclosed; 2) define the purposes and bring these purposes to the individual's attention at the time the personal information is collected; and 3) provide an easy, inexpensive, convenient and immediate procedure to opt-out. PIPEDA Case summary #192, WF.
An organization may use an “opt-out” form of consent for information that is non-sensitive in nature and context. An organization must clearly and expressly identify the purpose for information sharing, the exact information to be shared, and the extent of the intended use or disclosure. Sensitive information includes financial information such as annual income and credit history. PIPEDA Case summary #203, WF.
An individual’s name and contact information is not sufficiently sensitive to require positive or “opt-in” consent. PIPEDA Case summary #207, NWF.
In obtaining consent, the reasonable expectations of the individual are also relevant. For example, an individual buying a subscription to a magazine should reasonably expect that the organization, in addition to using the individual's name and address for mailing and billing purposes, would also contact the person to solicit the renewal of the subscription. In this case, the organization can assume that the individual's request constitutes consent for specific purposes. On the other hand, an individual would not reasonably expect that personal information given to a health-care professional would be given to a company selling health-care products, unless consent were obtained. Consent shall not be obtained through deception.
Summary: The reasonable expectations of an individual are relevant when obtaining consent. The Commissioner found the following expectations to be reasonable:
Organizations must disclose their purposes for obtaining information. Without such disclosure, individuals cannot give meaningful consent.
An organization must bring to the attention of its customers its practice of using and sharing customer data for secondary marketing purposes and provide customers with the opportunity to opt out of such uses and disclosures.
Opt-out procedures should be easy, inexpensive and convenient. Opt-out requests should be processed immediately.
Current customers who previously gave consent for disclosure of their personal information should expect an organization to take a few weeks to process an opt-out request.
Individuals must be informed before taping of a telephone conversation begins, and upon request the taping must cease immediately and the recording must be destroyed.
When consent is given to allow a telephone call to be recorded for quality assurance purposes, a supervisor may listen to the call for training purposes. The call may not, however, be used for a company wide training initiative.
An individual who gives consent to share information for secondary marketing purposes would not expect the organization to target offers to them based upon their private personal preferences and financial status.
An individual who had an argument with bank staff concerning his account may reasonably expect disclosure of the argument through normal public discourse and small town gossip. However, a reasonable person would not expect disclosure to be made by the bank manager to one’s employer. PIPEDA Case summary #30, WF.
A reasonable person who gives an organization consent to share information for a secondary marketing purpose would not expect the organization to tailor promotional offers based upon personal preferences and financial status. PIPEDA Case summary #42, WF.
An individual’s expectations that an organization disclose clear information as to potential secondary uses and sharing of customer data and the opportunity to opt-out of such uses and disclosures is reasonable and relevant to consent. PIPEDA Case summary #78, WF.
An individual could reasonably expect to be informed when any portion of a telephone call is recorded and to be asked for consent before recording begins. PIPEDA Case summary #86, WF.
One may reasonably expect an organization to specify the extent to which personal information collected is disclosed for marketing purposes, to make consent arrangements (opt-in versus opt-out) clear, and inform the public of its privacy policies and practices. PIPEDA Case summary #91, WF.
An individual reasonably expects to be informed of any assumption of consent, to have any secondary purposes brought to his attention and explained and be provided with a convenient and immediate opportunity to opt out before any unwanted disclosure occurs. PIPEDA Case summary #167, WF.
It would be reasonable for an organization to allow a supervisor to listen to a tape recording made with consent for quality assurance purposes. It is not reasonable, however, for an organization to use a tape recording made for quality assurance purposes for a company wide training program. PIPEDA Case summary #180, WF.
An individual must have knowledge of an organization’s purposes and actual or intended uses for information in order to give meaningful consent. PIPEDA Case summary #192, WF.
An individual reasonably expects an organization to clearly define the scope of collection and use of personal information. PIPEDA Case summary #203, WF.
An individual reasonably expects to be informed of an organization’s practice of tape recording telephone calls before or commensurate with the taping process. Once an individual objects or refuses consent for tape recording, an individual expects the recording to cease. PIPEDA Case summary #215, WF; PIPEDA Case summary #176, WF (and that an organization would notify an individual of the consequences for failure to consent and delete a tape recording previously made without consent).
It is not reasonable for an individual who willingly participates in a telemarketing environment where personal sales data are posted to expect this information to remain confidential. PIPEDA Case summary #220, NWF.
An individual reasonably expects an opt-out procedure to be easy, convenient and immediate. , WF; PIPEDA Case summary #83, WF.
An individual reasonably expects an organization to bring to the attention of customers its practice of using and sharing customer data for secondary marketing purposes and provide customers with the opportunity to opt-out of such uses and disclosures. , WF; , NWF; PIPEDA Case summary #82, NWF.
A customer who is already in an organization’s marketing system should reasonably expect it to take a number of weeks for the organization to process an opt-out request. PIPEDA Case summary #250, WF - NWF – NWF.
The way in which an organization seeks consent may vary, depending on the circumstances and the type of information collected. An organization should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive. Consent can also be given by an authorized representative (such as a legal guardian or a person having power of attorney).
Summary: An organization may seek consent in different ways depending on the sensitivity of the personal information at issue and the planned use and disclosure.
Express consent must be obtained for collection, use and disclosure of sensitive information. An individual’s purchasing habits and preferences are sufficiently sensitive to require express consent. PIPEDA Case summary #42, WF.
An individual’s name and address is not sensitive information which would require positive (opt-in) consent. PIPEDA Case summary #250, WF - NWF – NWF.
Individuals can give consent in many ways. For example:
(a) an application form may be used to seek consent, collect information, and inform the individual of the use that will be made of the information. By completing and signing the form, the individual is giving consent to the collection and the specified uses;
(b) a checkoff box may be used to allow individuals to request that their names and addresses not be given to other organizations. Individuals who do not check the box are assumed to consent to the transfer of this information to third parties;
(c) consent may be given orally when information is collected over the telephone; or
(d) consent may be given at the time that individuals use a product or service.
Summary: An organization may use “opt-out” consent under certain circumstances.
Where an organization was disclosing non-sensitive personal information limited to names and addresses, the organization could use opt-out consent. PIPEDA Case summary #250, WF - NWF – NWF.
An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. The organization shall inform the individual of the implications of such withdrawal.
Summary: An organization must allow an individual to withdraw consent at any time, with limited exceptions to comply with legal or contractual requirements. Organizations comply with this requirement when they take immediate and comprehensive action to honor the individual’s withdrawal of consent. Organizations that fail to process opt-out requests in a timely manner, or process them in error, violate PIPEDA. One allowable exception is that an individual with an unpaid balance on a loan may not withdraw consent for credit reporting.
An organization which provides a method for its customers to “opt-out” but fails to ensure all of its affiliates discontinue unwanted marketing efforts violates the Act. By failing to communicate its customer’s request to opt-out among its affiliates, it rendered the withdrawal option meaningless. PIPEDA Case summary #116, WF.
An organization that failed to remove an individual’s SIN from its records upon request failed to comply with PIPEDA. PIPEDA Case summary #189, NWF.
An organization complied with the Act when it destroyed a document at the individual’s request. PIPEDA Case summary #205, NWF.
An individual may not withdraw consent from a bank to share personal financial information with other lenders and credit reporting agencies based on legal and contractual requirements. PIPEDA Case summary #211, WF.
A bank processed an opt-out request but the customer continued to receive unwanted solicitations due to an error in its database which contained multiple records for the same individual. The Commissioner considered this a violation of PIPEDA as the bank should have honored the opt-out request by ceasing all unwanted solicitations. PIPEDA Case summary #248, WF.
An organization that assumes consent while providing an option to opt-out must have sufficient resources to handle opt-out requests in a timely manner. PIPEDA Case summary #249, WF.
This page does not constitute legal advice. These abstracts are of only the first 260 case summaries published by the federal privacy commissioner's office. Some have now been updated by that office. Those updates are not yet reflected here. That office has also published in excess of 100 additional summaries which must be read to understand the current PIPEDA application by that office. The statutory sections shown here are unofficial and may now have been amended. In addition, this document does not yet contain abstracts from case summaries applying, nor the text of, the very important principles document originally published with this statute. Although this page may serve as an initial general introduction to the topic, you really should seek legal advice rather than making any decisions based on the content of this page.