Resources & Library Français | Help | Contact Us

New Personal Information, Protection & Electronic Documents Act poses a life and death challenge to direct mail fundraisers

Canadian FundRaiser: August 16, 2000

According to Merv White, a lawyer with Wardlaw, Mullin, Carter, Thwaites & Ward, the federal government's recently-passed Bill C-6, the Personal Information Protection and Electronic Documents Act "will have a substantial negative impact on the current practices of charities which sell or barter their donor lists. They will also significantly restrain commercial fundraisers in the manner in which they collect and use personal information on donors." In its Privacy Law Bulletin, Fasken Martineau DuMoulin says that the extremely broad application of the Act will "create a significant obstacle to data banking for the purpose of resale or sharing among related organizations." The Business Law Group of McCarthy Tétrault calls it a "new privacy paradigm". Others in the fundraising field would likely prefer the term "ticking time-bomb", if they were not hesitant to discuss it at all for fear of opening the Pandora's box of implications it carries.

Not only will C-6 have far-reaching impact on the private sector, it could well affect every business across the country - including nonprofits of every stripe. Designed to respond to concerns raised by advances in information technology exchange, and an outgrowth of Prime Minister The Hon Jean Chretien's Canadian Electronic Commerce Strategy, its objectives were to establish some rules "to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances."

The European Union forced our hand

It all seems reasonable enough, on the face of it, and the government's hand has certainly been forced by the European Union's Directive on Data Protection, which imposes restrictions on the transmission of data to jurisdictions outside the EU that lack personal data protection laws aimed at the private sector. In moving ahead with C-6, however, Canada not only diverges from American legislators, which have so far resisted calls to adopt private sector privacy legislation (a scary move indeed, considering that the US is our foremost trading partner) but also could - in fact, will - bring about radical change in the charitable direct mail fundraising field in Canada.

According to Renée Graf, manager, government relations, for the Canadian Marketing Association, one of the implications for marketers will be the requirement to obtain specific consent from individuals for the various uses of their personal information. The Act, she points out, applies to any commercial activity that includes identifiable information about an individual, and requires consent before the information is collected, consent before it is used, and consent before it is transferred to a third party.

Consent must be informed and precise

"This means," Graf adds, "that if you obtain consent for one purpose you cannot then use the individual's information for additional purposes that might arise in the future. It follows then, if consent has only been obtained for the purpose of research, you would not then be able to pass the person's information on to a third party without first getting their consent ... which raises yet another point. The purposes for which the information will be used must be transparent."

For example, says Graf, if a parent company operates several different companies under its umbrella, it would have to be clear to the individual that they might receive communications from other company-owned operations. Again, they should be provided with an opportunity to opt out of receiving such communications if they so desire. Consent can be given orally or in writing, and according to McCarthy Tétrault, "it would appear that negative options can be employed and there is probably room for implied consent. " The consent, however, must be both informed and "directed not only to the fact that the information is being collected but also to the uses to which it is to be put."

The CMA Privacy Code includes some examples of negative option clearances that are already widely used:

"From time to time, we make or subscription list available to specific reputable companies and organizations whose products and/or services we believe may be of interest to you. If you do not want your name to be made available, please check here."

"We make our customer list available to a few carefully screened firms. If you prefer not to receive such mailings, please check here."

"By enrolling in the "x" program, you agree to receive a membership kit and regular communications which will include offers from participating sponsors. From time to time, sponsors may make separate communications to you. If you do not wish to receive such sponsor communications, please check this box."

Accurate records will be crucial

As is the case now for CMA members, if you transfer information to a third party, you are responsible for ensuring that everyone on that list has consented to their information being passed on or to receiving information from other parties. Therefore, keeping up-to-date, accurate records will be important.

Can you obtain blanket permissions for the use of personal information? The CMA's guess is that you can, but you have to be very clear about the wording you use when obtaining that consent. Also, you will have to be 100% sure that anyone you exchange your lists with is only contacting your names for the specific purpose for which you obtained the consent. This can likely be covered off by including some legal wording in your contracts stating, for example, that your consent was obtained explicitly for research purposes and, therefore, the names can only be used for that same purpose.

Yet another implication, Graf points out, is that of the use of Public Domain Information. Regulations will have to be drafted outlining the types of PDI that the government will permit marketers to use. The CMA is participating in the drafting of these regulations.

A simple mailing label could get you in trouble

For the time being, the Act applies to the federally-regulated private sector (transportation, telecommunications, and some financial institutions) and to inter-provincial commercial activity. This means that something as basic as a mailing label would be affected, if it were being sent from one province to another, as the label contains identifiable information about an individual. The first step at this point for businesses and charities involved in any way in direct marketing activities is to obtain competent legal advice. You'll have to assign an employee the responsibility to be in charge of and accountable for your personal information handling practices, and to interact with the Office of the Privacy Commissioner if and when necessary. You'll have to be ready to deal properly with requests for access to personal information, and complaints - from both employees and the public. Then you'll need to adopt and comply with a privacy code such as that produced by the CMA or the Canadian Standards Association International, and carry out a simple internal audit to establish some benchmarks.

First step: a database audit

Information you'll need includes the following:

• What personal information do we gather on individuals?
• How do we compile it?
• Where do we keep it, and in what form?
• What security procedures do we have in place to ensure that it can not be used by others for purposes other than those for which it was gathered?
• How do we use it?
• How do we ensure that it is accurate?
• Who has access to it?
• Are we covered by this new legislation? In what way, and to what extent? How are we affected by it?

In fact, this Privacy legislation will come into effect gradually over a three-year period, and some organizations will have much more time to rework their marketing activities than others. For example, if your lists are business lists, you may well be in the clear, for the moment, since the Act's definition of 'personal information' reads " ...information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization." This, however, will be cold comfort to most charities, which rely largely on home addresses.

CMA distributing a compliance guide

Since commercial contracts fall within provincial jurisdiction, this federal legislation will apply only if a province fails to implement its own privacy laws. Within the next three years, the provinces will be coming up with similar legislation, but to date, only Quebec has done so. "Hopefully," Graf commented, "this legislation won't be more restrictive than C-6." The alternative, to have federal privacy laws and then ten different provincial privacy laws, would be devastating for the industry and the Canadian economy. In the meantime, the CMA has been holding privacy seminars for its members, and distributing copies of a detailed compliance guide outlining steps that it recommends be taken to meet the legislative requirements of this new law.

There is much within the new law which is subject to debate. The CMA has its interpretation that it passes on to its members but is aware that others may disagree. The ultimate decision on any controversial provisions of the law will be provided by the Privacy Commissioner of Canada, the agency that will be responsible for the enforcement of the Act, which certainly has teeth. The fines for interfering with the Commissioner in the course of an investigation or audit can be as much as $100,000 (you won't be able to trash troublesome information during an inquiry), and complainants to the Federal Court of Canada can see businesses ordered to change their information practices, publish notices concerning the changes they have made to comply with C-6, and pay damages, including those for any "humiliation" the complainant may have suffered.

A toothless tiger?

In spite of its extensive new powers under C-6 to enter premises, issue subpoenas, audit, hold hearings, investigate and make orders, the Privacy Commissioner is already overloaded with complaints and resulting investigations. Given the current cost-cutting environment, and the reluctance with which the federal government approached the task in the first place, it may be unwilling to provide the resources necessary to mount meaningful governance of this legislation. To rely on this rather than re-visiting your data gathering and management practices, however, would seem to be foolhardy, given the drastic damage that negative publicity under this legislation could create for a nonprofit depending on the good will of the Canadian public.

For more information: Renée Graf, manager, government relations, Canadian Marketing Association, 416-391-2362, fax 416-391-1237, email , web site ; Canadian Standards Association International, web site ; Barbara McIsaac, McCarthy Tétrault, 416-362-1812, fax 416-868-0673, web site ; Merv White, Wardlaw, Mullin, Carter, Thwaites & Ward, 519-941-1760, fax 519-941-3688, email , web ; Jeffrey Kaufman, Fasken Martineau DuMoulin LLP.

About CharityVillage  |  Free Newsletter  |  Media Centre  |  Contact Us    Terms and Conditions of Use  |  Privacy Policy    © CharityVillage Ltd.  All rights reserved.    Email help@charityvillage.com