In its Finding released September 19, 2023, the Office of the Privacy Commissioner of Canada ("OPC") found that a charity incorrectly relied on opt-out consent to enlist donors in a donor list trading program, by which it shared contact information of donors with other charitable organizations.
Takeaways
Not-for-profit organizations that engage in the trading or bartering of donor lists must:
- obtain opt-in consent for any such program;
- provide further information on the donation form itself (or on
inserts to the form) and in a privacy policy, to render that
consent meaningful. This means providing key information up front
(i.e., on the donation form) including that if opt-in consent is
given:
- the donor's name, mailing address and the fact that they have donated to the organization will be disclosed;
- the information will be disclosed to not-for-profit organizations;
- the disclosure is for the purpose of allowing recipient organizations to solicit donations from the donor; and
- donors have the option to withdraw consent at a later time;
- include in the organization's privacy policy a more detailed explanation of the donor list trading program and how to withdraw consent.
The complaint
The complaint was initially made when a donor to one charity learned that another charity was soliciting donations from him using the address it had received from the first charity via its first charity's donor list trading program.
The complainant checked a recent donor form and noted that it included a negative option style of consent: an unchecked box stating: "I prefer to not have my name traded with other organizations."
The Complainant alleged that the charity failed to obtain his consent to participate in a donor list trading program, asserting that an opt-out check box on the mail-in donation form he submitted with his donation was inadequate.
Charities and commercial activities
The OPC did not discuss the issue of jurisdiction. PIPEDA is limited to personal information handled in the course of "commercial activities". However, "commercial activities" is define to mean "any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists." This may come as a surprise to some not-for-profit organizations which believed their non-commercial activities placed them outside PIPEDA. The provincial privacy laws do not contain the "commercial activity" qualifier and thus would apply to provincial not-for-profit organizations (although the Alberta privacy law contains special rules for not-for-profit organizations).
Reasons why opt-out consent was inappropriate
According to the OPC's Meaningful Consent Guidelines ("Guidelines") organizations must generally obtain express consent when:
- The information being collected, used or disclosed is sensitive;
- The collection, use or disclosure is outside of the reasonable expectations of the individual; and/or,
- The collection, use or disclosure creates a meaningful residual risk of significant harm.
1. Sensitivity
In considering the sensitivity of the information, the OPC noted that donor information had the potential to be sensitive, noting that "some charities and not-for-profit organizations may represent specific interests, or specifically support marginalized groups (e.g. charities that support people with specific health conditions, religious beliefs, sexual orientations). In contrast, other charities have broad mandates, and knowing that someone donated to support such a charity is unlikely to enable any inferences that represent sensitive information about a donor."
However, in the context of this particular complaint, the OPC determined that the information shared (name and address) by the charity (which had a broad mandate) was not sensitive.
2. Reasonable Expectations
The OPC found that it would be consistent with the reasonable expectations of an individual for the charity to use the personal information submitted via a donation form for the purposes of processing their donation, or sending an associated tax receipt. However, the OPC found that disclosing an individual's name and address via the trading program was not for this primary purpose, but instead, for the secondary purpose of enabling third parties to solicit donations from that individual. The OPC concluded individuals would not reasonably expect the charity to disclose their personal information to third parties for this purpose.
Because such information sharing is outside the reasonable expectations of donors, express opt-in consent was required for the practice.
3. Harm
The OPC noted that in the circumstances of the trading program, the potential disclosure of personal information was very limited in nature and context, only shared with other participating non-profit organizations for the purpose of enabling these organizations to contact the individuals, one time by mail, to solicit donations, and that recipients of unwanted mail are able to opt out such that they will cease to receive such mail in future, did not raise a meaningful risk of significant harm.
Meaningful consent
The OPC concluded that the consent obtained in this case had not been meaningful.
The OPC emphasized that the Guidelines provide that to receive meaningful consent, organizations must allow individuals to quickly review key elements impacting their privacy decisions, right up front as they are considering using the service or product on offer. For this purpose, the organizations must generally put additional emphasis on certain key elements, including: (i) what personal information is being collected; (ii) to whom it will be disclosed; and (iii) for what purposes.
The OPC found that the charities materials were insufficient to support meaningful consent:
- The donor form was lacking key program-related information that should have been provided up front, including what personal information would be disclosed to whom, and for what purposes.
- The insert provided with the donor form (which included a more detailed explanation of the trading program) and the charity's privacy policy were both lacking certain information necessary to support meaningful consent, including how donors could withdraw their consent to the trading program.
- The charity did not consistently provide the insert to recurring donors.
Outcome
The OPC required the charity to submit, over the course of a year, "a detailed plan, including steps and associated timelines, for implementation of the recommendations", as well as quarterly reports detailing specific progress towards implementing the steps outlined in its plan; and a final report, with supporting documentation, evidencing that it has fully implemented the OPC's recommendations.
Given the resource constraints of not-for-profits, it is not surprising that the charity simply elected to cease participating in the trading program.
Takeaways
Not-for-profit should review their privacy policy, their consent forms and their processes to ensure they comply with the OPC's most recent finding.
About Dentons
Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances. Specific Questions relating to this article should be addressed directly to the author.
