Submission of the Intervenor British Columbia Civil Liberties Association (the “BCCLA”) in an Inquiry under Part 11 of the Personal Information Protection Act (the “Act”) Complaint against Canadian Tire Store #353 (the “Organization”); OIPC File No. P04-22573
1. This inquiry will determine whether the practice and the published policy of the Organization to collect personal information from customers returning merchandise are in compliance with ss. 7, 11 and 35 of the Act. This submission does not comment on the section 35 issue.
2. “Personal information” means information about an identifiable individual, but does not include “contact information”. “Contact information” means information to enable an individual at a place of business to be contacted and includes the name, position name or title, business telephone number, business address, business email or business fax number of the individual.
3. Section 7 of the Act deals with consent and reads:
7(1) An individual has not given consent under this Act to an organization unless
(a) the organization has provided the individual with the information required under section 10(1), and
(b) the individual’s consent is provided in accordance with this Act.
4. The information that is required under s. 10(1) must be provided on or before collecting personal information and is verbal or written disclosure of (a) the purposes for the collection of the information, and (b) on request by the individual, the position name or title and the contact information for an officer or employee of the organization who is able to answer the individual’s questions about the collection.
5. Section 7(2) reads:
7(2) An organization must not, as a condition of supplying a product or service, require an individual to consent to the collection, use or disclosure or personal information beyond what is necessary to provide the product or service.
6. Section 11 of the Act deals with limitations on collection of personal information and reads:
11 Subject to this Act, an organization may collect personal information only for purposes that a reasonable person would consider appropriate in the circumstances and that
(a) fulfill the purposes that the organization discloses under section 10(1), or
(b) are otherwise permitted under this Act.
Submissions of the Parties
7. The Applicant states that she was told that she was required to provide her telephone number and other personal information (“e.g. my birthdate”) in order to return an item of merchandise to the Organization for a refund. The Organization states that its consistent practice is to ask customers returning merchandise to provide their name, home address and telephone number and sometimes to show photo identification. The Organization does not say that it collects birthdate information. The Organization says that the information it collects is keyed into the Organization’s computer as part of the processing of a return voucher form.
9. The Organization says that there is a posted notice at the store in question and that a customer handout is also available. The Organization says that these forms of notice state that a refund may necessitate the provision of a receipt and photo identification. The rationale provided in the notice is that “[c]ontrolling losses assures the store’s ongoing ability to serve its customers’ needs at competitive prices [and] [h]aving such information will also allow follow up in the event there has been an error in the returns’ processing by the store.”
10. The Applicant submits that she does not understand why and how the practice of collecting and retaining personal information is necessary for the Organization to process a refund. The Organization submits that the provision of personal information acts primarily as a deterrent to fraud because “persons who return stolen merchandise are anxious to provide as little personal information as possible”, and that it also allows the Organization to contact customers in case there has been an error in processing the refund transaction and to contact customers to inquire as to whether they were satisfied with the return transaction. The Organization also submits that the reasons for requiring personal information are “obvious to a reasonable person”.
11. Our submission addresses the issue of consent under section 7 and the question of whether a reasonable person would consider the purpose(s) of collecting the personal information appropriate under section 11. We also make a very brief submission on in camera evidence at inquiries.
Issue One: Did the Organization Obtain Valid Consent?
12. Leaving aside whether the notice that the Organization says is posted was made available to the Applicant, the BCCLA has four points about the issue of consent.
Inadequacy of Notice
13. Our first concern is the inadequacy of the notice. The notice on returning merchandise states that “[t]he same information that is required to complete an individual purchase may also be required for a refund” and that this “may also necessitate a receipt and photo identification”. However, if you purchase an item in cash, there is no information required to complete an individual purchase. The notice does not, in our submission, give an adequate or even accurate description of what the policy is, which is the collection of name, home phone and address and the inputting of this information into a store computer system. The other notices that the Organization point to say even less and speak only of retaining a receipt from the purchase and the possibility that valid photo ID “may be required”.
14. Section 7 of the Act requires the disclosure of the purposes of collecting personal information in order to obtain valid consent. We submit that the disclosure of the purposes for collection of information is not sufficient for compliance with this section if the nature of the collection itself is misrepresented or impermissibly vague.
15. In PIPED Act Case Summary #148, which dealt with personal information required by an airline in order to process a claim of missing baggage,
[t]he Commissioner determined that the airline had identified two purposes for the collection, but had not in either case stated the purpose in a manner reasonably conducive to the complainant’s understanding of how the information would actually be used or disclosed. The airline should have clarified that tracing baggage would involve putting personal information into the tracing system and creating a potential for disclosure to other users of that system. The airline should also have clarified that serving as the basis of a claim meant verifying the claim as well as processing it. In sum, he determined that the vaguely formulated purpose statement on the form had not in itself constituted a reasonable effort on the company’s part to advise the complainant of the purposes for which his personal information was to be used or disclose. (emphasis added)
16. We submit that the notice in this matter also has a “vaguely formulated purpose statement” that does not clarify that personal information is being put into a databank and is therefore too nebulous to be the basis for a proper consent.
Multiple Consents Required for Multiple Purposes
17. Our second concern is that the Organization does not obtain proper consent for each distinct purpose, but merely obtains a single consent to cover all three different purposes. The Organization’s submission discusses three different purposes for the collection of personal information; the first, to control losses, the second to allow for follow up in the event that there has been an error in processing the return, and the third, not provided in any written notice, is to follow up for the purposes of determining customer satisfaction of the return transaction.
18. The “follow up” purpose in the third rationale is clearly a marketing tool for the Organization. The Organization states that it conducts its own surveying of customer satisfaction by contacting customers by automated telephone system. This is not stated as the outcome of consenting to the provision of personal information nor is it obvious that consent will result in being contacted by telephone for the purpose of determining your satisfaction. We submit that it is disingenuous for the Organization to characterize this as having “no marketing purpose” and say that it is inappropriate for “consent” to such activities to be piggy-backed on to a different purpose, such as fraud prevention, which customers may be much less inclined to object to. We submit that a separate consent is required for the purposes of “follow up”.
Information Not Required for the Provision of the Service
19. Thirdly, it is our submission that at least two of the purposes for collection of personal information run afoul of Section 7(2) which states:
An organization must not, as a condition of supplying a product or service, require an individual to consent to the collection, use or disclosure or personal information beyond what is necessary to provide the product or service.
20. We submit that it is clearly not necessary for the Organization to collect personal information for the purpose of allowing follow up in the event of error in the transaction. If such were to be considered “necessary”, then there would effectively be no limit on the collection of personal information as it would be required for every conceivable type of transaction since it is just as likely that a person might receive the wrong change in an initial purchase than in the return of the product for a refund. The potential to correct hypothetical errors is not a requirement for the provision of the service at issue in this inquiry. And we submit that the same rationale applies to the third purpose of follow up for the purposes of determining customer satisfaction: it is clearly unnecessary for the provision of the service and information collected for that purpose is a breach of section
21. We submit, therefore, that only the purpose of fraud prevention is legitimately at issue. And the question under section 7(2) is whether the requirement for personal information for this purpose goes beyond what is necessary to provide the service. It is arguable that the personal information does not go beyond what is necessary to provide the service. We discuss the issue of necessity more fully below.
No Implied Consent
22. Finally, since the issue was raised by the Organization, we submit that the implied consent provisions of Section 8(1) of the Act are not met in this case. We say that it is not obvious to the “reasonable person” that providing their personal information to receive a refund on merchandise is for the purposes of preventing fraud. We say the “reasonable person” would ask themselves why the provision of a receipt is insufficient for proof of purchase and how disclosure of one’s home address provides additional proof of purchase. We note that the Applicant’s submission states that the Applicant “does not understand why and how this practice of collecting personal information and retaining it on a computer is necessary to provide the product and service to customers”
23. We submit that the “reasonable person” is not likely to have devoted time to considering the ways that refund fraud might be perpetrated even with a receipt and that the connection between the prevention of fraud and the provision of personal information is not “obvious”.
Issue Two: Would a reasonable person consider the purpose(s) of collecting the personal information ppropriate in the circumstances?
24. We submit that the appropriate test for a determination under Section 11 of the Act is the test set out by the Federal Privacy Commissioner and adopted by the Federal Court in Eastmond v. Canadian Pacific Railway, 2004 FC 852, June 9, 2004 (Fed. Crt), considering PIPEDA Finding #114. In that case, the Federal Privacy Commissioner was making a determination under section 5(3) of the Personal Information Protection and Electronic Documents Act (PIPEDA), which states that personal information may be collected only for purposes that a reasonable person would consider to be appropriate.
25. The Privacy Commissioner’s “reasonable person” test for appropriateness poses four questions:
- Is the measure demonstrably necessary to meet a specific need?
- Is it likely to be effective in meeting that need?
- Is the loss of privacy proportionate to the benefit gained?
- Is there a less privacy-invasive way of achieving the same end?
26. We say this is the appropriate test for this matter because the test is well-established under the PIPEDA counterpart to Section 11 of the Act, and the entire Act was determined to be “substantially similar” to PIPEDA in September 2004. The Privacy Commissioner of Canada has made determinations under PIPEDA since 2001. We say that the test developed under the “substantially similar” provisions of PIPEDA is the appropriate test in the instant case.
27. Further, while decisions from other jurisdictions that have analogous provisions may provide some assistance in this inquiry, the fact that there does not appear to be a single decision precisely on point means that such cases are of limited assistance to the inquiry. They furnish authority only for arguments based on analogy and/or obiter. We suggest that given the lack of jurisprudential guidance in this precedent-setting matter, it is especially appropriate to examine first principles and follow the well-established four- part test for “reasonableness” developed by the Federal Privacy Commissioner.
28. The first part of the test requires that the impugned policy be demonstrably necessary in order to meet some specific need.
29. The Organization addresses its claim to necessity in submitting that it would almost certainly not continue to provide cash refunds unless it is able to continue to collect personal information. The Applicant submits that her experience in being given a refund without providing her personal information is evidence that the policy is not necessary.
30. Section 5 of Quebec’s Act respecting the protection of personal information in the private sector requires that only personal information that is “necessary” for the object of a file may be collected and recorded. In X. and Allostop, C.A.I. 94158, March 1995 and X. c. Residence L’Oasis Fort-Saint Louis,  C.A.I. 367 (C.A.I. Que.), the Commission d’access a l’information du Quebec found that “necessary” is tantamount to
31. Clearly, the experience of the Applicant in this case demonstrates that the collection and recording of personal information is not an indispensable requirement for providing refunds for returned merchandise. However, it is at least possible that a necessity argument could be made if limiting fraud were required to sustain the refund service over time and over numerous transactions. The evidence going to this point will presumably be in the in camera material.
32. Under the second part of the test, the policy must be demonstrably likely to be effective in achieving its intended purpose.
33. The Organization submits that the collection of personal information for the purposes of limiting fraud is essentially effective by means of deterrence. As stated in the affidavit of Keith Gostlin at paragraph 27: “Asking for photo identification operates as a significant deterrent to refund fraud. In our experience persons who seek to obtain fraudulent refunds generally try to provide as little information as possible, and are invariably reluctant to provide photo identification.”
34. The BCCLA agrees that it is not unreasonable to suppose that those attempting to commit an act of fraud may be reluctant to provide personal information. The troubling part of the analysis is that any law-abiding person who values their privacy acts in precisely the same way.
35. Even aside from our deep concern that consideration for personal privacy marks out a person as “suspicious” in the context of this deterrence model, we also question the effectiveness of this type of deterrence. We submit that there is an inherent inconsistency in the affidavit evidence. On the one hand, the affidavit of Mr. Gostlin states that those seeking to commit fraud are “invariably” reluctant to provide personal information. The Organization’s submission reinforces the point and states that “as the attached affidavits demonstrate, requesting photo identification has clearly been shown to be a deterrent to return of stolen merchandise for cash refund” (p.7). On the other hand, Mr. Gostlin’s affidavit also states that “almost without exception, our customers have accepted and understood the recording of their name, telephone number and address and being required to show photo identification is reasonable and necessary..”(para. 35) and from the Organization’s submission that “it is evident from the affidavits of Mr. Gostlin and Ms. Nilsen that very few customers ever inquire as to why they are asked to provide their name, address and telephone, and sometimes photo identification” (p.7).
36. The evidence as set out above indicates that those committing fraud “invariably” don’t cooperate in providing their personal information and that almost everyone cooperates in providing their personal information. Recalling that the group of non-co- operators or policy-questioners will include those who are not committing fraud but simply value their privacy, these two pieces of evidence put together can be said to demonstrate that the number of people committing fraud is very small indeed. And that is most certainly not the position of the Organization, which claims that product return fraud is a very large problem. So, the inherent contradictions in the evidence available to the intervenors leads us to suggest that this evidence is incapable of supporting the
proposition that this type of “deterrence” is demonstrably likely to be effective.
37. The second way in which the Organization says that the collection of personal information is effective in preventing fraud is in the ability to track customers’ return history in order to identify suspicious patterns. We agree that this type of tracking could be an effective means of assisting in the prevention of certain types of fraud.
38. The third part of the test requires that the loss of privacy be proportionate to the benefit gained.
39. In terms of assessing the detriments to privacy, we note that the type of personal information is not the most sensitive type of personal information. We also note that the policy of collecting and using this information affects a great number of people. By the Organization’s calculation, there are more than 70,000 merchandise refunds a year at the store in question. It isn’t stated how many customers provide their personal information to the store per year, but even taking into account that a customer may seek a refund more than once a year, it is clearly a vast number of people who are affected by the policy.
40. In terms of assessing the benefits, we note that the “deterrence” rationale is unsupported by any evidence that we have seen. We note also that the ability to track customers’ return history is only an effective tool against fraud that is repeated. None of the evidence we have seen indicates to what degree the fraud problem that is cited by the Organization is due to the type of repeated fraud that tracking may flag as opposed to
more isolated incidents that tracking cannot flag.
41. We are thus unable to fully assess the question of proportionality, but we submit that the benefits that are cited in this analysis should not include the nebulous claim that requiring personal information is a deterrent to fraud, but rather be confined narrowly to indicating the type of fraud that may be flagged by tracking product return history. We also submit that the points raised by the Organization regarding how quickly it is able to process refund requests with all the customer’s information already logged on the computer cannot legitimately be cited as a benefit for the purposes of this analysis as it is unrelated to any stated purpose for the collection of the information.
Less Intrusive Alternatives
42. The final part of the test asks whether there is a less privacy-invasive way of achieving the same end.
43. The computer tracking system is not the only means of fraud prevention that the Organization uses. Employees will obviously look to all manner of signs and signals that could indicate a fraudulent transaction and may view tape from surveillance cameras to see if persons returning merchandise entered the store with that merchandise. This is less privacy impairing than keeping a databank of customers’ personal information. There is no evidence available to indicate how effective this means of fraud prevention is, but it would seem likely to be very effective.
44. Tagging the product as opposed to the customer is a less privacy-invasive means of preventing refund fraud. We appreciate this technology is still being developed on the level of individual product identifiers, but RFID tags have been proposed as a means of combating fraudulent returns. There may be a time in the near future that such a system would be a preferred method of refund fraud prevention.
45. We submit that it is possible that the policy meets the “reasonableness test” if the in camera evidence supports the necessity and proportionality of the measure. We are unable to assess this. If there is insufficient evidence to demonstrate necessity and proportionality, we say the policy is not in compliance with section 11.
46. By way of conclusion, even if the policy is in compliance with section 11, we believe the issue of consent is problematic in this case and submit that the policy should be changed to prevent “package deal” consent and “consent” that fails to accurately describe what personal information is being sought and that it will be retained.
47. We believe our ability to argue our position has been impaired by the exclusion of in camera material. We submit that the Organization’s interests would be adequately protected if the intervenors were provided with the in camera material on the condition that they give undertakings not to disclose the material. We suggest the use of this procedure in future inquiries.
All of which is respectfully submitted.
British Columbia Civil Liberties Association
British Columbia Civil Liberties Association
550 – 1188 W. Georgia Street