By Sara Clodman
“Publicly Available Information” isn’t necessarily what you think it is.
We live in a digital and interconnected economy, where consumers want to benefit from increasingly intuitive products and services to match their evolving expectations.
So, when individuals publicly share information about their tastes and preferences on a social platform, can Canadian organizations reach out to them with products and services tailored to their interests?
Under the Personal Information Protection and Electronic Documents Act or PIPEDA, Canada’s private-sector privacy law, the answer is a definite “maybe”.
PIPEDA definition is limited
The Act says that an organization can collect personal information without the knowledge or consent of the individual if the personal information is “publicly available”. Sounds reasonable, don’t you think? After all, the information has been shared openly in the public domain.
But PIPEDA’s definition of publicly available information departs from this reasonable assumption by indicating that it only includes traditional publications like “a magazine, book or newspaper, in printed or electronic form, that is available to the public, where the individual has provided the information.”
What about all the other content that is publicly available on the Internet? Like the information found on social media?
The truth is that the law didn’t reflect how profoundly the world was about to change. When PIPEDA came into effect in 2004, social media platforms were not in common usage. And as individuals, we weren’t conducting ourselves in the way that we are today: consuming our news and shopping online, and publicly engaging in conversations and sharing information about our lives.
By not capturing the digital transformation that was about to take place, the definition excludes this type of publicly available information from collection without consent.
But PIPEDA provides some flexibility
Following PIPEDA guidelines and relying on all forms of valid consent, including implied consent, one could conclude that an organization can use other kinds of publicly available information if it is collected by a third party that can prove it complied with PIPEDA guidelines.
Let’s bring this to life through an example. Suppose social media company X allows all its users’ data to be publicly viewable on its site, except for those users who specifically requested that their information be private.
In company X’s terms of service, it is clear that users’ publicly available data will be used by other parties. These terms ensure company X’s compliance with PIPEDA, including identifying purposes, obtaining consent and more. In this circumstance, company X complies with PIPEDA and can, therefore, sell that publicly available social media data to company Y.
Now, for its part, company Y might be able to collect that data from company X if it also complies with PIPEDA, as long as:
Company X has been clear about what types of companies may use its content;
Company Y has identified purpose for collection, in its customer privacy notice as an example;
Company Y has explained it may collect customer information indirectly from other sources, perhaps listing those sources; or
Company Y gives the customer the opportunity to opt out of such indirect collection.
The only thing company Y can’t do is collect the data from company X without relying on any form of consent.
You can see from this example how important it is for companies on both sides of the arrangement to ensure they are compliant with PIPEDA, and to ensure they evaluate the collection and use of public information on a case-by-case basis.
Reflecting the times
While PIPEDA was written to be technology-neutral and has proved its ability to live up to that vision, even the best-worded regulation begins to age a little after almost two decades of technological transformation. The fact is that “publicly available information” is no longer limited to the phone book. The definition of publicly available information for legitimate business practices needs to be modernized.
It is important to remember the protection offered through adherence to PIPEDA’s 10 principles. All organizations are responsible for being transparent about their uses of personal information, while ensuring adequate protections and adherence to fair information practices, no matter if it is publicly available or otherwise.
We must retain the strengths of PIPEDA while ensuring it remains relevant for our times. The Canadian Marketing Association is actively engaged in consultations initiated by the federal government to reform PIPEDA. How the consultations proceed will depend on the priorities of the incoming government.
When the government does proceed, one of the reforms we expect to see is an updated definition of “publicly available information” to reflect the realities of modern society. In the meantime, we take comfort in the fact that the current framework allows for use of public information with appropriate protection.
Sara Clodman is vice president, public affairs and thought leadership at the Canadian Marketing Association (www.the-cma.org). This article is adapted from a blog prepared by the CMA’s Privacy and Data Committee.