Obtaining Consent to the Use of Credit Scores: OPC Provides Guidance

On December 19, 2012, the Office of the Privacy Commissioner of Canada released Report of Findings #2012-005 (dated April 27, 2012) regarding obtaining meaningful consent to the use of information provided to credit reporting agencies. The complaint arose when an insurer increased the home insurance premiums for a couple based on a credit score.

Obtaining Meaningful Consent

In the OPC’s view, the insurance company made a number of errors in obtaining consent. Among the more interesting issues:

  • “May” can be misleading. Organizations tend to “hedge” in their disclosure regarding their privacy practices with the liberal use of the word “may” in their privacy policies. In this case, the organization stated that it “may use the score as one of the rating factors”. In practice, however, the organization always used the score at the first renewal of all policyholders. The OPC stated:

“In our view, a customer reading the company’s notice could form the general impression that they are exempted from the practice, or that it applies only in a minority of cases (e.g., individuals with a consistently poor credit history). In actual fact, the company applies the practice broadly and consistently.”

  • Transparency involves education. Part of obtaining meaningful consent involves educating the consumer on the use of his or her personal information. The OPC concluded it was unreasonable to expect that an individual would understand that information regarding credit worthiness in a loan or credit context would be used to establish the probability of an individual making an insurance claim. Indeed, the use of the credit scores to determine insurance risk may not be well-understood by Canadian consumers. The OPC cited a November 2010 survey commissioned by the Insurance Brokers Association of Ontario that reported, according to the OPC, that three out of every four consumers do not understand that their credit score is used to determine insurance risk and their premiums for insurance.
  • After-the-fact notice does not equate to meaningful consent. The dissemination of more detailed information regarding the use of the credit score prior to the one-year anniversary of the policy was not adequate to obtain consent to the use of the credit score at renewal. The OPC concluded that the request for consent had occurred at the time of the application and this was the relevant point at which information regarding the purpose and use of the credit score must be provided.
  • If there is an industry code, you should follow it. The organization’s troubles were not assisted by the fact that it did not follow the industry code regarding obtaining consent. The OPC stated as follows:

“Moreover, we note that the company does not appear to be following the guidance provided by its own industry association with respect to consent. The Code provides detailed instructions for obtaining consent to the use of credit information and advocates for obtaining express and informed consent. While we acknowledge that the Code is voluntary, as noted above, our view is that its presence indicates that special considerations are warranted for the use of credit information. Accordingly, we find the Code to be informative with respect to the parameters it sets for obtaining appropriate consent in the context of using credit information in underwriting and rating activities for personal insurance.”

Reasonableness and Public Policy

Subsection 5(3) of the Personal Information Protection and Electronic Documents Act provides that an “organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.”

Although the OPC acknowledged that the Ontario Consumer Reporting Act permitted the use of consumer reporting agency information to assess insurance risk, the OPC was clearly troubled and has left open the possibility that the OPC might conclude that the use for insurance purposes is unreasonable. The OPC stated that “there is no obvious link between credit information and insurance premiums.”

As such, the OPC intends to continue to conduct research and monitor the public policy issues regarding the use of credit information for the purposes of assessing insurance risk. This statement is curious. Could it be that a practice expressly authorized by a Legislature could be found to fail the reasonableness standard in subsection 5(3) of PIPEDA? This would appear to raise significant constitutional issues entirely sidestepped by the OPC, at least for the moment.

Fine Lines: Data Reselling or Consumer Reporting?

Last month’s U.S. Federal Trade Commission’s U.S.$800,000 settlement with Spokeo, Inc. concerns an issue that I have posted about before: When is a data broker a consumer or credit reporting agency?  As discussed below, the quantum of potential exposure for violating Ontario law relating to consumer reporting may be lower than in the U.S.; however, data brokers should seek legal advice to ensure that they are compliant.

In the recent U.S. case involving Spokeo, Inc., the FTC alleged that the organization was a data broker which collected personal information about consumers from on-line and off-line sources and then created data profiles for consumers to which it sold access. The FTC also alleged that the organization failed to ensure that it was complying with the U.S. Fair Credit Reporting Act (FCRA). In particular, the FTC alleged that the organization did not ensure that (a) the information was used for the limited purposes permitted by the FCRA, (b) the information was accurate, and (c) users of the data understood that they were required to notify a consumer if the user of the data took an adverse action against the consumer based on the data in the report.

Ontario (and other jurisdictions in Canada) have legislation that is similar to the FCRA.  The Consumer Reporting Act (Ontario) prohibits any person from conducting or acting as a consumer reporting agency or as a personal information investigator unless registered with the Ontario Registrar of Consumer Reporting Agencies. The potential monetary liability in Ontario may be smaller than in the U.S., but it remains serious.  Violating the Consumer Reporting Act is a provincial offence. Corporations may be subject to fines of up to Cdn. $100,000 and officers and directors of those corporations may be subject to fines of up to Cdn. $25,000 (or in extreme cases, jail terms of up to 1 year or fines and jail terms).

In Ontario, a “consumer reporting agency” is a person or organization who furnishes consumer reports for gain or profit or on a regular co-operative non-profit basis. “Consumer reports” are written, oral or other communication of credit information or personal information which may be used for limited purposes.  Those purposes include:

  • the extension of credit to or the purchase or collection of a debt of the consumer to whom the information pertains;
  • in connection with the entering into or renewal of a tenancy agreement;
  • employment purposes;
  • underwriting of insurance involving the consumer; and
  • a business or credit transaction involving the consumer.

A “personal information investigator” is a person who gathers personal information for consumer reporting agencies.

Consumer reporting agencies are prohibited from providing information from their files unless they have reason to believe it will be used for purposes permitted by the Consumer Reporting Act.  The Consumer Reporting Act also prohibits certain types of data from forming part of the consumer report, including among other things:

  • any credit information based on evidence that is not the best evidence reasonably available;
  • any unfavourable personal information unless it has made reasonable efforts to corroborate the evidence on which the personal information is based, and the lack of corroboration is noted with and accompanies the information;
  • information regarding any criminal charges against the consumer where the charges have been dismissed, set aside or withdrawn; and
  • information as to race, creed, colour, sex, ancestry, ethnic origin, or political affiliation.

Like the FCRA, the Consumer Reporting Act requires disclosure to a consumer if a benefit is denied or a charge to a consumer is increased because of information from a consumer reporting agency.  Consumers have the right to obtain access to their consumer reports.

Depending on its target market, a data broker may cross the line into consumer reporting. Organizations that are in the business of providing identity verification or background checking services or who gather data for those purposes should be particularly careful to seek legal advice to determine whether their business model has crossed the line into consumer reporting.

Background Screening Apps and Consumer Reporting Legislation

On February 7, 2012, the U.S. Federal Trade Commission (FTC) announced that it had warned marketers of six mobile applications that they may be violating the U.S. Fair Credit Reporting Act.  The FTC stated that the mobile applications provide background screening reports on individuals.  Although the FTC reached no conclusion regarding whether there was any violation by the marketers, the FTC requested that the marketers review the application of and their compliance with the Fair Credit Reporting Act.

The U.S. Fair Credit Reporting Act regulates the activities of consumer reporting agencies.  A “consumer reporting agency” is one that regularly assembles or evaluates information about a person’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living and reports that information to third parties for the purpose of establishing the consumer’s eligibility for (1) credit or insurance to be used primarily for personal, family, or household purposes or (2) employment purposes.

The FTC warned the marketers that they must comply with the Fair Credit Reporting Act if they have reason to believe the information provided through the apps is being used for employment, housing, credit or similar purposes. For example, the Fair Credit Reporting Act imposes obligations on credit reporting agencies with respect to ensuring the accuracy of information, providing mechanisms for consumer redress, and, in some circumstances, requiring consumer reporting agencies to notify users of consumer reports of their obligations under the Fair Credit Reporting Act. The FTC stated that a warning by the marketer that the app was not to be used for the purposes regulated by the Fair Credit Reporting Act did not protect the marketers if the marketers had reason to believe the apps were being used in decisions by third parties with respect to employment, housing, credit or similar purposes.

Developers and marketers of similar applications in Canada should be aware that Canadian provinces have similar laws regulating consumer reporting.  For example, in Ontario, the Consumer Reporting Act regulates persons or organizations that provide reports to third parties for use in relation to, among other things, (1) credit granting or debt collection, (2) entering into or a renewal of a tenancy agreement, (3) employment decisions, and (4) underwriting of insurance.

Among other things, consumer reporting agencies in Ontario (1) must be registered, (2) must follow prescribed practices with respect to the information that may be contained in a report, (3) must provide consumers with access to their consumer report, and (4) must have a process for the consumer to contest inaccurate information.

Failure to comply with the Consumer Reporting Act (Ontario) may result in a fine of not more than Cdn. $25,000 or to imprisonment for a term of not more than one year, or to both.  Accordingly, developers and marketers of background checking or screening apps in Canada may wish to obtain legal advice to ensure that they remain compliant with respect to Canadian provincial laws governing consumer reporting.