Is your data safe with Canada Post? What we know about privacy law violations

By Naomi Barghiel  | Global News

Canada Post broke privacy laws by using personal information from the outside of delivered envelopes for a marketing program, the federal privacy watchdog has found.

The office of Privacy Commissioner Philippe Dufresne said in a report this week that the data collected by Canada Post for this program includes information about where individuals live and what kind of online shopping they do.

The data is used to create mail marketing lists rented to businesses, Dufresne’s report said.

Canada Post had not obtained individuals’ consent to indirectly collect information from envelopes for the purpose of enabling its marketing program, the federal privacy watchdog says in a report on the investigation.

Therefore, the postal operator was found to have violated section five of the Privacy Act — a finding Canada Post disputes. Dufresne’s report added Canada Post has “refused to implement our recommendation that it cease its current practice of using and disclosing personal information leveraged from its operational data for mail marketing activities without seeking authorization from individuals for the indirect collection of their personal information.”

Canada Post says it believes its program does comply with privacy laws.

Here’s what we know from the information laid out in the report.

How did it start?

The report says the privacy investigation began when an individual received marketing material from a local restaurant in Toronto, addressed to him, with his name and full apartment address on the envelope.

He filed a complaint to the commissioner saying he had not provided the restaurant with his personal details. The restaurant revealed that the individual’s information was included in a mail marketing list they had gotten from Canada Post.

The individual then contacted Canada Post and learned that his information had been used as part of their Smartmail Marketing (SMM) program, which the restaurant paid to access.

According to the complainant, he was told by Canada Post that “the program combines information about individuals that CPC has in its possession with publicly available information obtained from the phone directory and sells this to businesses interested in marketing to individuals,” the commissioner’s report writes.

The report notes that Canada Post does not directly provide businesses with the information.

Rather, for a fee, the personal data is disclosed to a third-party mail service provider that has a contract with Canada Post and disperses the mail on behalf of the businesses.

Ann Cavoukian is the executive director of the Global Policy and Security by Design Centre, and former Ontario privacy commissioner. She says Canada Post’s handling of personal information is “absolutely outrageous.”

She says all control over individuals’ data was lost once it was handed over to the third party.

“That’s the problem. You don’t know what it might be used for,” Cavoukian told Global News.

“You give Canada Post (your) information for one purpose: to get your envelope to the intended party. Full stop. They don’t have authorization for any secondary uses,” she said.

Mail service providers are contractually obliged to safeguard the personal information and dispose of mailing lists once a mail campaign is fulfilled, the report says.

The postal operator explained to the complainant that he could get off of the mailing list by opting out of having his name and contact information included in the Canada Post Name and Address Database.

The report says the complainant was still dissatisfied that his information had been used for marketing purposes without his authorization in the first place.

How has Canada Post responded to the findings?

The commissioner recommended that Canada Post stop using and disclosing personal information obtained from its own operational data for mail marketing purposes until it obtains Canadians’ consent.

However, the postal service “refused” to take the recommended action, the report said.

The watchdog’s report says Canada Post disagreed with Dufresne’s conclusion that they had broken privacy law, explaining that it has had to continuously find new ways to diversify its revenue stream to make up for a declining volume of letters over many years.

Canada Post is quoted in the report saying they do not view their “engagement in these activities as being in any way contrary to the public good,” and say their research indicates that consumers enjoy receiving marketing offers by mail.

Dufresne’s office did not agree with the claim, saying it’s unlikely that all Canadians would see the monetization of their entrusted information for marketing purposes in a positive light.

Section 5 of the Privacy Act “requires institutions to collect personal information directly from individuals and notify them of the purposes of collection, unless limited exceptions apply,” the report says.

The terms of “authorization” are not defined in the Act, but the commissioner’s view is that individuals must be aware of the practice that their information is being used and have taken an action “that can reasonably be inferred as giving permission for the practice,” the report says.

Canada Post has argued that Canadians have “implicitly authorized” it to collect their information and that to request re-permission to deliver their mail “would be absurd,” the postal service is quoted in the report.

They add that if individuals do not opt out of Canada Post’s marketing mailing list on their website, then people automatically authorize the use of their information.

Since the commissioner’s ruling, Canada Post has increased transparency on its website about its use of individuals’ personal information for marketing, and increased visibility of the opt-out mechanism. The service also added a related brochure to its retail outlets.

The report says it appreciates Canada’s Post commitment to improve clarity of information, but the actions are not enough to correct the violation of the Privacy Act.

What happens now?

Cavoukian says Canada Post should end their mail marketing list services immediately. If they won’t, then the next course of action should be for the postal service to obtain individuals’ consent.

However, Canada Post has no obligation to follow the federal privacy commissioner’s recommendations.

In order for there to be change, Cavoukian says people will have to voice their disapproval of Canada Post’s actions.

“Everyone can object to this very vocally and strongly and hope that Canada Post will immediately stop this,” she says.

She says the postal service has to come up with other ideas to make up for their revenue losses that don’t involve the use of Canadians’ data.

“That’s not individuals’ problem. The people will end up using (Canada Post) even less,” she said.

If people suspect that their data has been used in Canada Post’s marketing program, Cavoukian says they should file complaints directly with Canada Post or with the federal privacy commissioner.

“Privacy forms the foundation of our freedom. If you want to have free and open societies, you have to have a solid foundation of privacy,” she said.

Read the original version of this article at the publisher’s website here

Leave a Reply