Canada’s privacy laws made news once again when the Supreme Court refused to hear an appeal of the Alberta Court of Appeal’s decision in Leon’s Furniture Limited v. Alberta. In that case, a customer complained to the Alberta Privacy Commissioner when Leon’s insisted on recording her driver’s license number and license plate before it would let her pick up furniture that had been paid for. The Court struck a narrow balance between an individual’s right to privacy and a business’s need to collect information in order to effectively serve its customers. It’s a fine line, and it can be tricky for businesses to know whether they’ve crossed it or not.
If you’ve ever wondered whether privacy laws apply to your business, they probably do, and as a business owner or operator, you should be aware of your obligations and what you can and can’t do. It can be tempting to err on the side of collecting more customer information than is necessary; the more information you have, the easier it will be to locate someone should the need arise, or perhaps collecting more information will deter would-be fraudsters from targeting your business.
While there are good reasons to collect a customer’s information, Canadian privacy laws have been enacted to protect customers from the over-collection and unauthorized use of information that can be used to personally identify them. Privacy in Ontario (except with respect to healthcare information) is protected by the Personal Information Protection and Electronic Documents Act (“PIPEDA”). Not only does PIPEDA limit the amount of personal information you can collect, it also governs how that information can be collected, and how you are required to deal with the information you do collect.
What information is considered “personal information”?
The language of PIPEDA is purposely broad, and simply states that personal information is “information about an identifiable individual”. Personal information can be someone’s age, name, identification number (including driver’s license, health card or social insurance numbers), employee files, credit or loan records, or anything else that can be traced back to a specific person.
What information am I allowed to collect?
That depends on what you need the information for. Under PIPEDA, you must tell your customers why their information is collected. If you collect your customers’ personal information to prevent fraud, you need to ensure they are aware of that purpose.
Once you have identified your purpose, you can only collect information that is necessary to fulfill that purpose. For example, when a customer is returning merchandise without a receipt, it is reasonable to collect the customer’s name and address in an effort to deter fraud. On the other hand, Winners/Home Sense had a policy of collecting driver’s license numbers when customers returned merchandise without a receipt. These numbers were stored in the company’s system and used to identify individuals who were making excessive returns without receipts. Canada’s and Alberta’s Privacy Commissioners, in a joint investigation, concluded that collecting driver’s license numbers was not necessary for this purpose, especially given how valuable a driver’s license number can be to fraudsters and identity thieves.
Compare the Winners/Home Sense situation with Leon’s Furniture Stores in Alberta. Many of Leon’s customers pay for merchandise and pick it up, or arrange for someone else to pick it up at a later date. In an effort to deter fraud, and to enable them to investigate fraud after it occurs, Leon’s records the driver’s license number and vehicle license plate of individuals when they pick up merchandise. The Alberta Court of Appeal found that collecting this information was reasonable in light of the store’s objective.
When considering what personal information your business should collect, consider whether you really need the information you are requesting, or whether a less invasive form of information might be suitable (e.g. recording a customer's name and address from their driver's license instead of collecting and storing the driver's license number itself).
Two of the key points to remember when collecting personal information are: (1) your customers must be advised as to why you are collecting their information, and (2) you can only collect the information that is necessary to fulfill that purpose.
How do I advise my customers?
Customers can be advised either orally or in writing. It is important that your front-line staff understand the purpose of collecting information so that they can properly inform a customer if they are asked.
It is crucial to remember that a customer must consent to the collection of their personal information and, in order to provide meaningful consent, they must know what is being collected and why. It is also important to know that you cannot withhold products or services because a customer refuses to provide personal information, unless that information is absolutely necessary to provide that product or service.
The bottom line
As businesses increasingly move into the online world, customers are increasingly concerned about how their personal information is collected, used and stored. Even offline, customers want to make sure that their information is secure and won’t be used for any unauthorized purpose.
PIPEDA sets out ten principles for the collection and protection of personal information. The principles discussed in this article merely scratch the surface of privacy protection. If PIPEDA applies to your business (and chances are, it does), you should seek legal advice to ensure that you comply. Not only is it the law, but as privacy becomes a core value for consumers, good privacy protection is a cornerstone of any successful business.
David Reid is a student-at-law with BrazeauSeller.LLP. To contact BrazeauSeller.LLP call 613-237-4000 or e-mail email@example.com.