A Cautionary Tale Regarding Consent and In-Store Tablets

The Office of the Privacy Commissioner (OPC) recently released a case summary with implications for retailers attempting to obtain consent for privacy-compliance or anti-spam compliance purposes.



Consistent with guidance by the Canadian Radio-television Telecommunications Commission (CRTC) with respect to Canada’s Anti-Spam Legislation, the OPC is taking a harder line with respect to the business records that an organization must retain in order to establish that an individual gave consent. The bottom-line is that the practice of obtaining consent by either having the individual or the salesperson check a box is vulnerable to challenge. Organizations should only use methods of obtaining consent that involve corroborative evidence.

Background
The complaint arose out of a dispute with respect to whether an individual had applied for a co-branded credit card with a retailer. While shopping in a retail store, the complainant was approached to join a loyalty program. The individual provided the salesperson with his driver’s licence as part of the registration.
Later, the individual received a credit card and learned that a credit check had been conducted on him. After obtaining access to the information held by the bank that provided the credit card, the complainant discovered that much of the information on the application was inaccurate and asserted that he had not provided that information to the salesperson. He also argued that he did not check the box on the tablet to permit a credit check.

The OPC concluded that the bank could not establish that it had obtained consent and that the information collected from the complainant was accurate. There was no evidence that the complainant ever saw the tablet screen, provided the information in the application, understood that the information would be used for a credit check or that the individual actually clicked the consent box on the tablet.

No Recognition of Canada Evidence Act
Certainly, the circumstances of this case were suspicious. However, bad facts can make for bad legal interpretations. That seems to be the case here. The OPC appears to believe that organizations must retain independent proof that consent has been obtained. This is similar to guidance form the CRTC’s guidance that oral consent to receive commercial electronic messages must be backed up with an audio recording or third party verification.

This guidance fails to...

Read The Full Article
 

0 Comments Write your comment

    1. Loading...