Canada Post will be conducting a review of its marketing program after the federal privacy watchdog determined it had broken privacy law by using Canadians’ personal information in an unauthorized manner.
The office of Privacy Commissioner Philippe Dufresne said in a report this week that the data collected by Canada Post was used to create mail-marketing lists rented to businesses, in a program called Smartmail Marketing.
The data includes information about where individuals live and what kind of online shopping they do, the report says. However, it adds that Canada Post had not obtained consent from individuals to indirectly collect information from envelopes for the purpose of enabling its marketing program.
Therefore, the postal service was found to have violated section five of the Privacy Act — a finding Canada Post originally disputed.
Canada Post addressed the commissioner’s allegations in a statement Friday.
“We are trusted to handle Canadians’ personal information every day. There is nothing more important to us than maintaining that trust with Canadians. We therefore understand that Canadians may be concerned following the release of the Office of the Privacy Commissioner’s annual report,” Canada Post said.
Canada Post also said Friday that it is committed to the Privacy Act and the protections it places on personal data.
“We are therefore going to conduct a review of our data services program to ensure we live up to the standards that Canadians expect,” it said.
While the program is in review, Canada Post says they will be boosting transparency and awareness of their approach for using personal information. They will also be “streamlining and providing greater visibility” for their opt-out programs, it says.
“Through it all, we will continue to work closely with the Office of the Privacy Commissioner,” the statement says.
Section 5 of the Privacy Act “requires institutions to collect personal information directly from individuals and notify them of the purposes of collection, unless limited exceptions apply,” the commissioner’s report says.
The terms of “authorization” are not defined in the Act, but the commissioner’s view is that individuals must be aware of the practice that their information is being used and have taken an action “that can reasonably be inferred as giving permission for the practice,” the report says.
- Ontario stay-at-home dad overwhelmed by ‘compassionate’ response to financial struggles
- Global Calgary’s Leslie Horton shuts down email body-shamer on live TV
- How to know if you have salmonella as death toll rises from cantaloupe outbreak
- Alberta finance minister says he has not ‘flip-flopped’ on proposed pension change
The commissioner recommended in his report that Canada Post stop using and disclosing personal information obtained from its own operational data for mail marketing purposes until it obtains Canadians’ consent.
However, the postal service had “refused” to take the recommended action, the report said.
The watchdog’s report says Canada Post disagreed with Dufresne’s conclusion that they had broken privacy law, explaining that it has had to continuously find new ways to diversify its revenue stream to make up for a declining volume of letters over many years.
The office of Minister Jean-Yves Duclos, Minister of Public Services and Procurement, says they were concerned to hear about the allegations regarding Canada Post.
Canada Post is quoted in the commissioner’s report saying they do not view their “engagement in these activities as being in any way contrary to the public good.”
The report says the privacy investigation began when an individual received marketing material from a local restaurant in Toronto, addressed to him, with his name and full apartment address on the envelope.
According to the complainant, he was told by Canada Post that “the (marketing) program combines information about individuals that CPC has in its possession with publicly available information obtained from the phone directory and sells this to businesses interested in marketing to individuals,” the commissioner’s report writes.
The report notes that Canada Post does not directly provide businesses with the information.
Rather, for a fee, the personal data is disclosed to a third-party mail service provider that has a contract with Canada Post and disperses the mail on behalf of the businesses.
Ann Cavoukian is the executive director of the Global Policy and Security by Design Centre, and former Ontario privacy commissioner. She says Canada Post’s handling of personal information is “absolutely outrageous.”
She says all control over individuals’ data was lost once it was handed over to the third party.
“That’s the problem. You don’t know what it might be used for,” Cavoukian told Global News.