This is the second in a series of posts on privacy and anti-spam implications of organizations engaging in promotional activities in which the user of a website or mobile app is asked to supply e-mail addresses of contacts in order to invite those contacts to the website or to download the mobile app.
In the last post, I wrote about building privacy into the design of the website or mobile app. This post deals with a few considerations regarding consent. Upcoming posts will deal with anti-spam and other issues.
Treat the contact information as the personal information of the user (owner of the address book).
Most organizations understand that it is necessary to obtain the consent of the owner of the address book to use contact information for the purposes of soliciting those contacts. Obtaining consent from the user is generally straightforward. In most contexts, there will be a transparent way for the organization to ask for permission to use the user’s contacts. If privacy considerations have been built into the promotional program, asking for permission to use contact information or asking the user to input the contact information for the purpose of “inviting a friend” to the site can be accompanied by disclosure of how the information is going to be used. If the user is going to be provided with the opportunity to customize the message to the recipient, the use will be transparent.
What might not be obvious is any ongoing use that the organization may intend to make of the information that is supplied. Consideration should be given to providing, at the point of request, relevant information about any ongoing uses of the requested information, together with a direction to the organization’s more detailed data use policy governing the life-cycle of that information.
Treat the contact information as the personal information of the contact (the owner of the email address).
The personal information being collected through “Suggest to a Friend” promotions is also personal information of the non-user. This is frequently overlooked in the design of these marketing initiatives.
The Office of the Privacy Commissioner of Canada has previously stated that organizations that actively solicit non-users’ e-mail addresses from users with the intention of using them for their own purposes must take some responsibility for obtaining consent of the non-users.
The requirement to obtain the recipient’s consent may not be obvious to an organization. The e-mail is, after all, being sent as an invitation from the user. However, in a “suggest a friend” promotion, the substance of the communication is commercial. The organization is processing the e-mail address for a promotional purpose: to invite the recipient to sign up for or join the organization’s site. This use of the e-mail address is likely to be governed by Canadian privacy legislation.
How to Obtain Consent from the Recipient
An e-mail address, on its own, is generally not considered to be sensitive personal information. If the e-mail address will only be used for the purpose of sending an invitation by a user to a non-user whom the user knows, the use of the e-mail address by the organization will not be considered to be sensitive. Leaving aside anti-spam legislation, which will be discussed in upcoming posts, the organization soliciting the e-mail addresses may rely on the users to obtain the express or implied consent of the non-users.
However, the organization must demonstrate reasonable due diligence to ensure that the non-users’ consent has been obtained. Reasonable due diligence varies with the circumstances. In most contexts it will consist (at a minimum) of making sure that users are aware that they must not disclose a non-user’s e-mail address unless the user knows the non-user personally and the non-user would want to receive the e-mail.
If more than one e-mail will be generated (for example, reminder e-mails), that information must be disclosed to the user so that the user can consider whether that use of their contact’s e-mail address would be appropriate. This information should also be disclosed to the recipient.
Due diligence also requires that the organization confirm whether the recipient has in fact expressly or impliedly consented to the use of his or her e-mail address in this manner. This is not an impossible task. For example, when the e-mail is sent to the non-user, the organization could explain why the e-mail is being sent, what use will be made of the e-mail address (reminders, permanent links to the user who sent the message, etc.).
If the recipient objects to this use of the e-mail address (in effect, withdrawing the implied consent), the recipient non-user should be given a way of opting out of further communications. In other words, consideration should be given to allowing the recipient to put himself or herself on a “do not contact” list. In addition, or in the alternative, consideration might be given to permitting the recipient to request deletion from the organization’s system.
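The following is an added illustration of how the points above translate into the invitation system itself; it is not code from the original post and reflects no particular organization’s implementation. It assumes an in-memory store, a fixed and disclosed reminder limit (set to one here as an assumed value), and a placeholder data-use policy URL. The invite message carries the disclosure to the recipient (why it was sent, what further use will be made of the address, and an opt-out link), reminders never exceed the disclosed number, an opt-out places the address on a do-not-contact list that blocks future invitations from any user, and a deletion request removes the stored record while keeping only a one-way hash so the recipient is not re-invited.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Number of follow-up e-mails disclosed to both the user and the recipient.
# Assumed value for this example; what matters is that it is fixed and stated up front.
DISCLOSED_REMINDER_LIMIT = 1


def normalize(address: str) -> str:
    """Canonical form for matching, so 'Bob@Example.com ' and 'bob@example.com' match."""
    return address.strip().lower()


def address_hash(address: str) -> str:
    """One-way hash retained after deletion so a deleted recipient is not re-invited."""
    return hashlib.sha256(normalize(address).encode()).hexdigest()


@dataclass
class InviteRecord:
    recipient: str                      # normalized e-mail address of the non-user
    invited_by: str                     # the user who supplied the address
    created_at: datetime
    reminders_sent: int = 0
    opt_out_token: str = field(default_factory=lambda: secrets.token_urlsafe(16))
    active: bool = True                 # False once the recipient opts out


class InviteService:
    def __init__(self, policy_url: str):
        self.policy_url = policy_url            # placeholder link to the data-use policy
        self.records: dict = {}                 # normalized address -> InviteRecord
        self.do_not_contact: set = set()        # hashes of suppressed addresses
        self.tokens: dict = {}                  # opt-out token -> normalized address
        self.outbox: list = []                  # constructed in-memory "sent" messages

    def _suppressed(self, address: str) -> bool:
        return address_hash(address) in self.do_not_contact

    def _compose(self, rec: InviteRecord, user_message: str, reminder: bool) -> dict:
        """Build the message with the disclosure the recipient needs to decide about consent."""
        kind = "reminder" if reminder else "invitation"
        opt_out_url = f"{self.policy_url}/opt-out?token={rec.opt_out_token}"
        body = (
            f"{rec.invited_by} asked us to send you this {kind}: {user_message}\n"
            f"Why you received this: {rec.invited_by} supplied your address to invite you.\n"
            f"How we use your address: to send this message and up to "
            f"{DISCLOSED_REMINDER_LIMIT} reminder(s), linked to {rec.invited_by}'s account.\n"
            f"Full data-use policy: {self.policy_url}\n"
            f"Do not contact me again: {opt_out_url}\n"
        )
        return {"to": rec.recipient, "from_user": rec.invited_by, "body": body, "opt_out_url": opt_out_url}

    def send_invite(self, user: str, recipient: str, user_message: str) -> Optional[dict]:
        key = normalize(recipient)
        if self._suppressed(key) or key in self.records:
            return None  # honour the do-not-contact list and refuse duplicate invitations
        rec = InviteRecord(recipient=key, invited_by=user, created_at=datetime.now(timezone.utc))
        self.records[key] = rec
        self.tokens[rec.opt_out_token] = key
        msg = self._compose(rec, user_message, reminder=False)
        self.outbox.append(msg)
        return msg

    def send_reminders(self) -> int:
        """Send at most the disclosed number of reminders; returns how many were sent."""
        sent = 0
        for rec in self.records.values():
            if not rec.active or self._suppressed(rec.recipient):
                continue
            if rec.reminders_sent >= DISCLOSED_REMINDER_LIMIT:
                continue
            self.outbox.append(self._compose(rec, "(reminder)", reminder=True))
            rec.reminders_sent += 1
            sent += 1
        return sent

    def opt_out(self, token: str) -> bool:
        """Recipient withdraws consent: suppress the address and stop any further mail."""
        key = self.tokens.pop(token, None)
        if key is None:
            return False
        self.do_not_contact.add(address_hash(key))
        self.records[key].active = False
        return True

    def delete_recipient(self, address: str) -> bool:
        """Recipient asks for deletion: drop the record, keep only the suppression hash."""
        key = normalize(address)
        rec = self.records.pop(key, None)
        if rec is None:
            return False
        self.tokens.pop(rec.opt_out_token, None)
        self.do_not_contact.add(address_hash(key))
        return True
```

Keeping a hash on the do-not-contact list after deletion is a design choice, not a legal requirement stated in the post: it lets the organization honour the recipient’s wish not to be contacted again without retaining the address itself. The single opt-out token doubles as evidence of which invitation the objection relates to.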
Issues relating to non-user consent can be tricky. The organization should consider all uses of the e-mail address and the life-cycle of that use and consult a lawyer to ensure the promotion is compliant.