The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Friday, April 11, 2008
I was interviewed some time ago for a feature article in the Toronto Star on privacy issues associated with loyalty cards. These products are very popular in Canada, with Air Miles and Shoppers Drug Mart's Optimum card leading the way. Many of these programs have the potential to collect a vast amount of shopping data, but most of the companies interviewed by Paul Brent didn't really seem to care about collecting the sort of detailed individual data that most assume is being collected.
TheStar.com - Travel - Big Brother is watching, but he doesn't seem to care
If you've ever hesitated when handing over that loyalty card at the liquor store or the pharmacy wondering, "just who is looking at what I'm buying?" you might take some comfort in the answer: Likely nobody.
In theory, marketers have the power to drill down into the digital minefield of a consumer's spending and determine their buying preferences for everything from their favourite wine to their brand of shampoo.
However, the reality is that retailers and service companies are too busy to care what we do, except in large numbers.
"It is not as if you are getting mail from a glasswares manufacturer saying: 'We notice that you drink a lot of beer,'" says Ed Strapagiel, executive vice-president of Kubas Consultants. "For the most part, retailers have not over-exploited this data. The power is there to use, but they haven't really gone after it."
The reluctance of merchants to dig deeper into the consumer treasure trove of information makes some sense, however, he adds. "Many of these retailers that we are talking about – Loblaws, Canadian Tire, Shoppers Drug Mart ... they are not direct marketers. If the whole basis of your business is driving business to your store, you are not going to use direct marketing."
Consumers, for their part, realize they are giving up some of their privacy but appear willing to pay that price for the benefits that come from loyalty programs.
"It's actually never bothered me," says Tracy, waiting outside a Shoppers Drug Mart with her dog while her husband shops inside. She has been a devoted Air Miles collector for a decade and flew her mother from Sault Ste. Marie to Toronto on points.
A buyer for a local theatre company, she regularly uses the Internet for private and work purchases, and says she keeps a "close eye" on her credit cards and bank accounts electronically. Her husband agrees the benefits of collecting reward miles outweigh any privacy fears – "even though they are probably tracking our every move," he jokes.
But consumers should be aware they are entering into an agreement with loyalty companies when they take a membership card. The price for those "free" perks, such as travel rewards or discounts on purchases, is that you agree to allow marketers to take an electronic peek into your shopping basket.
"There are a whole bunch of programs where people choose to give up some privacy for convenience," says David Fraser, a privacy lawyer with the Halifax firm of McInnes Cooper.
"It doesn't bother me," says Zan Harriott, who had just purchased a greeting card and lottery tickets at Shoppers and swiped her Optimum points card.
A member of the loyalty program since it started, she says she regularly collects rewards from the card.
Launched in 2000, the Optimum program has 8.2 million members, making it one of the country's largest.
Fraser has not heard of any Canadian marketers abusing the data they obtain from loyalty programs. "In my experience, the companies that run loyalty programs are really quite diligent about privacy issues."
When it comes to privacy and loyalty programs, many consumers are surprised that information is being collected for marketing purposes, while others expect someone in a nameless data centre is noting every last tube of toothpaste.
The reality is somewhere in the middle.
Fraser notes that Air Miles was the subject of a consumer complaint a few years ago, but the federal Privacy Commissioner found the marketer was not amassing the detailed shopping information "a lot of people would have expected them to be collecting."
That fear of just how much information is being gathered acts as a brake on the expansion of loyalty plans. "If you don't tell customers what is going on, they assume the worst," Fraser says.
As the country's biggest loyalty marketer, reaching two-thirds of Canadian households (there are 9 million "collector" households), Air Miles is sensitive to the issue of privacy.
"Not just for us but across the Canadian marketplace, privacy is a pretty significant public policy issue," says Mitchell Merowitz, vice-president of corporate affairs and chief privacy officer for the Air Miles reward program.
The fact that Air Miles has been the most popular loyalty program in the country since 2001 shows that most Canadians are not too worried about leaving a digital record of their purchasing habits.
Information collected by Air Miles is gathered on a household basis and is not product-specific. A successful swipe of the card tells the company the date, value and store a purchase was made.
"The information that you see on your summary statement is the information that we collect," Merowitz says.
Related stuff: Canadian Privacy Law Blog: Air Miles should be about data mining, not mass appeal, Canadian Privacy Law Blog: Article: Loyalty cards plus legwork can track beef buying, and the finding of the Privacy Commissioner of Canada referred to is on the PIAC website at http://www.piac.ca/privacy/loyalty_management_group_canada_inc/.
Labels: loyalty cards, media-mention, privacy, retail, vanity
Tuesday, January 17, 2006
A recent survey by the NRF Foundation polled US consumers to see how much personal information consumers are willing to give up in exchange for benefits as part of loyalty programs. The results are interesting, since they show what information is considered most personal by consumers:
...While consumers do want to pledge their loyalty, retailers are going to have a tough time figuring out just how to build their allegiance. That's because consumers state they are only willing to share a small portion of the much needed personal information that retailers need to develop traditional loyalty programs. According to the study, the most acceptable information shoppers were willing to give retailers include their name (89.8%), e-mail address (78.1%), street address (60.7%), and past transactions (46.8%). Consumers were least likely to allow retailers to track weight (14.4%), income (12.5%), job title (12.1%), employer (10.9%) and net worth (8.2%).
The more intrusive a company wants to get, the greater value they have to provide. This also suggests that a company that wants a widely-adopted program will have to limit the information collected and provide assurances about how it will be protected and used.
Via CRM Today.
Labels: information breaches, loyalty cards, privacy, retail
Monday, January 09, 2006
The Saginaw News ran an interesting feature-length article in its Sunday edition about privacy in the retail system. It touches on loyalty programs, RFID, advertising and security of personal information. And it is balanced, with good comments from both business and privacy activists. Check it out: A peek into your privacy: Retailers increasingly ask for personal information.
Labels: information breaches, loyalty cards, privacy, retail, rfid
Sunday, October 09, 2005
The President of the Air Miles program in Canada recently spoke in Vancouver, suggesting that retailers are missing out on the true benefit of his loyalty program. It's not being able to say "hey, we give you Air Miles so shop here", but rather to build a more intimate relationship with your customers (via data mining):
Retailers missing the point of loyalty reward programs, Air Miles head says - Yahoo! News
VANCOUVER (CP) - Retailers have lost their way and have become too focused on using loyalty reward programs as a currency to attract customers, says the president of Air Miles.
Bryan Pearson says most retailers are neglecting the wealth of shopper data that is collected by the programs that could be used to better market to their customers, which was one of the purposes the program was created in the first place.
"Points are really viewed as discounts or an alternative way to get something extra and that's not a bad thing, but I'm not sure it's sustainable in the long run," Pearson said in an interview Thursday.
Labels: information breaches, loyalty cards, privacy, retail
Saturday, January 29, 2005
The discussion in Slashdot referred to in my previous post (PIPEDA and Canadian Privacy Law: Loyalty card almost leads to wrongful conviction for arson) led me to the following story:
A magistrate in the UK was investigated for theft of a watch that he "found" in a Tesco store. When he brought it in to be serviced, the jeweller looked up the serial number and found it was reported "lost or stolen". The magistrate said he bought it at a bric-a-brac store, but his loyalty card gave him away: it showed he had been at the Tesco store within two hours of the rightful owner, who lost it there.
Telegraph News: Magistrate fined for keeping lost Rolex: "...Inquiries with Tesco, through its Club Card loyalty scheme records, and receipts of purchases showed Rowlett had been in the shop within two hours of Mrs Scott...."
Labels: information breaches, loyalty cards, privacy
The records of a man's purchases compiled by a supermarket loyalty program almost led to his wrongful conviction on arson charges in Washington state. A veteran firefighter was suspected of the crime and his Safeway Club Card revealed a purchase of the store-brand firestarter. He was arrested in October and what would have appeared to be a slam-dunk prosecution had to be abandoned when someone else came forward and took responsibility.
The personal information collected through loyalty programs and other means is a double-edged sword. On one hand, purchase records can provide an alibi that the suspect, for example, was in a different location. On the other hand, otherwise innocuous purchases that are recorded can be interpreted to incriminate someone, perhaps inappropriately. There is also a big risk that too much weight will be put on this evidence, when there is no confirmation of who actually used the card.
Slashdot | Safeway Club Card Leads to Bogus Arson Arrest: "Posted by michael on Saturday January 29, @06:03AM
from the if-you're-innocent-you-have-nothing-to-fear dept.
Richard M. Smith writes "Tukwila, Washington firefighter, Philip Scott Lyons found out the hard way that supermarket loyalty cards come with a huge price. Lyons was arrested last August and charged with attempted arson. Police alleged at the time that Lyons tried to set fire to his own house while his wife and children were inside. According to KOMO-TV and the Seattle Times, a major piece of evidence used against Lyons in his arrest was the record of his supermarket purchases that he made with his Safeway Club Card. Police investigators had discovered that his Club Card was used to buy fire starters of the same type used in the arson attempt. For Lyons, the story did have a happy ending. All charges were dropped against him in January 2005 because another person stepped forward saying he or she set the fire and not Lyons...."
Labels: information breaches, loyalty cards, privacy
Tuesday, December 28, 2004
A recent survey has confirmed what I've thought for some time: consumers will trade away their privacy at the drop of a hat. The study from Boston University surveyed a range of US consumers on their use of and attitude to loyalty cards. Consumers will consistently trade their anonymity (and thus privacy) in exchange for discounts and other perceived benefits. This is even the case for those who are concerned about privacy (16% of those surveyed think about the personal information they are giving away each time they use their cards).
I'll try to find more information on the study, particularly the questions asked as part of the survey. I'm particularly curious if consumers selectively use their cards out of concern for the information that would be included in their profiles (for example, privacy-conscious consumers may not use their cards when they purchase items that may disclose too much personal information) and whether they really think about all the uses to which the information may be put.
The press release is reproduced in full below:
PRESS RELEASE: Grocery Store Loyalty Card Use is Strong Despite Privacy Concerns: "New research from Boston University finds that 86% of adults carry a grocery store loyalty card and use it, even though cards give stores the right to track consumer purchases.
Boston, MA (PRWEB) December 28, 2004 -- Grocery store loyalty cards are more widespread than the Internet or the home computer: 86% of adults have at least one, most have more than one. Yet nearly half of the people who carry them didn’t know about the sophisticated web of tracking and marketing they were getting stuck in when they signed up. Is this a privacy bomb waiting to go off? No, according to results of a Fall 2004 study by a student research team at Boston University’s College of Communication. In an online survey of 515 adult supermarket shoppers the students found that even though privacy concerns are high, most cardholders agree that the benefits of using a loyalty card outweigh any infringement on personal privacy.
Grocery store loyalty cards are the credit card or keychain-sized cards with a barcode or magnetic stripe offered by most large supermarket chains. Chances are good you have at least one in your wallet or purse. When scanned at the cash register, the card unlocks special discounts offered to “loyal” members. In return for the savings, cardholders agree to allow the grocery store to track their purchases each time they shop. Grocery stores use this information to decide which products to carry, what prices to charge, and in some cases, to target consumers with specific coupons and promotions on behalf of grocery manufacturers.
Actual grocery store uses vary by store – some find the data analysis so time consuming they have chosen to abandon the cards altogether as PW Supermarkets, a small chain in Northern California, recently did. Still others have sophisticated systems for matching publicly available information about consumer households with the data collected at the cash register, a practice that infuriates privacy advocacy groups.
Does this tracking influence the consumer’s choice to use a discount card? A clear majority – 76% – of cardholders report that they use their grocery store loyalty card nearly every time they shop despite the fact that 52% also are concerned about how much of their personal information is collected by companies generally. Why do it, then? Sixty-nine percent of consumers report that the card benefits them in the form of lower prices and access to special promotions. And while seven in ten shoppers now know that grocery stores keep track of what they spend, only 16% think about this fact each time they use it.
“The fact that consumers – even those generally concerned about privacy – are willing to use these cards is testament to the fact that personal information is a commodity people are willing to trade with the right company for the right price,” explains Professor James McQuivey, who supervised the research project. No doubt this will only embolden supermarkets as they try to squeeze ever more dollars from a thin-margin retailing environment. What’s next? McQuivey offers, “Expect radio frequency identification embedded in the loyalty card of the future, an electronic tag that will identify you when you walk through the door, when you’re standing in front of the Pampers, and when you arrive at checkout. All with your permission, of course, and in exchange for a benefit grocery stores have yet to identify.”
About the survey
An online survey of 515 people 18 years of age and older was conducted during the last week of October 2004. As such it can only represent the two-thirds of households with Internet access. Sample was randomly drawn from a representative subgroup of participants in Survey Sampling International’s US online panel. The margin of error for a randomly drawn sample this size is +/-5%.
About the College of Communication at Boston University
The College of Communication at Boston University is home to the Communication Research Center where professors train undergraduate and graduate students in the science of consumer research and analysis. This project was designed by students under the supervision of Professor James McQuivey.
Contact Information:
James McQuivey
Assistant Professor
College of Communication
Boston University
640 Commonwealth Ave
Boston, MA 02215
617.803.6209 p
617.507.7892 f"
Labels: cardsystems, information breaches, loyalty cards, privacy
Sunday, October 24, 2004
Marketplace, the Canadian Broadcasting Corporation's consumer affairs program, has just continued its series of privacy features by investigating two of the country's loyalty programs:
CBC Marketplace: Mining your business: "Our quest: to find out what companies do with your information - the personal stuff you provide on the sign-up sheet when you apply for a card ... and the information gleaned from your purchases when your card is swiped at the store."
Their investigation (with a small sample) confirmed the conclusions of Katherine Albrecht, of CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering), that loyalty programs do not result in real savings ...
"For some background on loyalty card programs, we headed to Harvard University, in Boston, Massachusetts. We met with a student and privacy activist named Katharine [sic] Albrecht. She's doing her doctoral thesis on loyalty cards. In all her research, Albrecht says she's "been unable to find a single consumer benefit from using these cards."
But wait ... We thought these loyalty card programs were about saving consumers a dime. To test Albrecht's thesis, we did a little research of our own. We went shopping."
Among the interesting elements of the report is a view into the information that is collected by loyalty programs. The show's "consumer cadets" opened loyalty program accounts and subsequently requested access to their personal information. The responses from the companies are posted on the show's website.
Those interested may also wish to check out some of the materials released by the Public Interest Advocacy Centre in Ottawa, following their complaint to the Privacy Commissioner about the information collected by various organizations, including a high-profile loyalty program.
Labels: information breaches, loyalty cards, privacy
Wednesday, September 29, 2004
Commissioner's Findings - Privacy Commissioner of Canada
- PIPED Act Case summary #278: Daughter required to produce power of attorney document
An individual complained when a bank that had issued a credit card to her father, over whose affairs she has power of attorney, refused to cancel the account at her request unless she produced a copy of her power of attorney.
- PIPED Act Case summary #277: Mass mailout results in disclosure of contest entrants' e-mail addresses
Eleven members of a loyalty program complained that the company that runs the program failed to safeguard their personal information, and as a result, disclosed it to other members.
- PIPED Act Case summary #276: The privacy implications of pay per view and piracy prevention measures
An individual alleged that a satellite television provider was indiscriminately collecting and using customer personal information that it gathered through a telephone connection.
- PIPED Act Case summary #275: Bank provides inaccurate information to credit agencies
A customer complained that a bank was requesting a payment which had already been paid by cheque. Despite the fact that the bank had cashed the cheque, the customer continued to receive invoices for the amount. The bank proceeded to cancel the person's credit card, and the credit agency reports showed a debt owing for this amount. The person's account therefore indicated “bad debt.”
Labels: information breaches, loyalty cards, privacy
Sunday, January 25, 2004
Hartford Courant: Privacy Traded For Discounts: Apparently the Hartford (Connecticut) Courant has an article on intrusive customer loyalty programs. At least that's what I gleaned from the Google summary (below). I never read the full text because I didn't want to fill out the intrusive Courant registration form:
Privacy Traded For Discounts
Hartford Courant (subscription), CT - 3 hours ago
... Give a company only basic personal information, such as name and address.
Never give out your Social Security or bank account numbers. ...
Labels: google, information breaches, loyalty cards, privacy
Sunday, January 11, 2004
In my previous post below, I made a reference to the Public Interest Advocacy Centre. They have been very active on the privacy front, making well-reasoned submissions on PIPEDA when it was still "Bill C-6" and on the Canadian Standards Association Model Code for the Protection of Personal Information in 2002.
In 2001, the PIAC complained to the Privacy Commissioner about the consent practices of a number of high-profile businesses, including Scotiabank, Bell (and a bunch of its subsidiaries), the Bay and Airmiles (operated by the Loyalty Group). The full text of the Commissioner's findings is on the PIAC site, instead of the abbreviations that are on the Commissioner's site.
When I read the Commissioner's report on the Airmiles Program, it was interesting to read the following comment, made after reviewing the Airmiles privacy commitment:
Nor, curiously, does it mention two points that I suspect many prospective members would be relieved to learn: (1) that Loyalty limits its disclosure of information to the items that I have listed above and does not identify specific purchases; and (2) that Loyalty does not disclose Collectors' transaction information between Sponsors.
Most people I talk to assume that loyalty programs -- and at least this program -- collect detailed "shopping cart" information. With pharmacies as members of the Airmiles program, this would be a huge issue.
Labels: information breaches, loyalty cards, privacy
The Seattle Times: Loyalty cards plus legwork can track beef buying: Loyalty cards raise quite a few privacy issues. Many people worry about what is done with information that is collected through their use and many people assume the worst about the practices of companies that operate the cards. (See CASPIAN - Consumers Against Supermarket Privacy Invasion and Numbering.) Almost all the discussions I've seen revolve around privacy and marketing. This article from this morning's Seattle Times puts a very interesting spin on what can be done with information that may be collected when consumers use their loyalty cards.
"Sunday, January 11, 2004
By Carol M. Ostrom, Seattle Times staff reporter
If you use a supermarket loyalty card, the store knows a lot about what you buy. But can you use that card to find out if you bought recalled meat from the nation's first mad cow?
Not very easily, say supermarket chains that use such cards, which include the Safeway Club Card, QFC Advantage Card and Albertsons Preferred Savings Card."
On the subject of loyalty programs, the Public Interest Advocacy Centre's website contains some materials (see their privacy page at http://www.piac.ca/privacy.htm) related to their complaint about (alleged) inadequate consent against the Air Miles program, among other respondents. Most interestingly, they have published the full text of the findings of the Commissioner, which are usually only released in abbreviated form.
Labels: information breaches, loyalty cards, privacy
The Canadian Privacy Law Blog is licensed under a
Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.