In its Finding released September 19, 2023, the Office of the Privacy Commissioner of Canada (“OPC”) found that a charity incorrectly relied on opt-out consent to enlist donors in a donor list trading program, by which it shared contact information of donors with other charitable organizations.
Takeaways
Not-for-profit organizations that engage in the trading or bartering of donor lists must:
- obtain opt-in consent for any such program;
- provide further information on the donation form itself (or on inserts to the form) and in a privacy policy, to render that consent meaningful. This means providing key information up front (i.e., on the donation form) including that if opt-in consent is given:
  - the donor’s name, mailing address and the fact that they have donated to the organization will be disclosed;
  - the information will be disclosed to not-for-profit organizations;
  - the disclosure is for the purpose of allowing recipient organizations to solicit donations from the donor; and
  - donors have the option to withdraw consent at a later time;
- include in the organization’s privacy policy a more detailed explanation of the donor list trading program and how to withdraw consent.
The complaint
The complaint was initially made when a donor to one charity learned that another charity was soliciting donations from him using the address it had received from the first charity via the first charity’s donor list trading program.
The complainant checked a recent donor form and noted that it included a negative option style of consent: an unchecked box stating: “I prefer to not have my name traded with other organizations.”
The complainant alleged that the charity failed to obtain his consent to participate in a donor list trading program, asserting that an opt-out check box on the mail-in donation form he submitted with his donation was inadequate.
Charities and commercial activities
The OPC did not discuss the issue of jurisdiction. PIPEDA is limited to personal information handled in the course of “commercial activities”. However, “commercial activities” is defined to mean “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.” This may come as a surprise to some not-for-profit organizations which believed their non-commercial activities placed them outside PIPEDA. The provincial privacy laws do not contain the “commercial activity” qualifier and thus would apply to provincial not-for-profit organizations (although the Alberta privacy law contains special rules for not-for-profit organizations).
Reasons why opt-out consent was inappropriate
According to the OPC’s Meaningful Consent Guidelines (“Guidelines”), organizations must generally obtain express consent when:
- The information being collected, used or disclosed is sensitive;
- The collection, use or disclosure is outside of the reasonable expectations of the individual; and/or,
- The collection, use or disclosure creates a meaningful residual risk of significant harm.
1. Sensitivity
In considering the sensitivity of the information, the OPC noted that donor information had the potential to be sensitive, noting that “some charities and not-for-profit organizations may represent specific interests, or specifically support marginalized groups (e.g. charities that support people with specific health conditions, religious beliefs, sexual orientations). In contrast, other charities have broad mandates, and knowing that someone donated to support such a charity is unlikely to enable any inferences that represent sensitive information about a donor.”
However, in the context of this particular complaint, the OPC determined that the information shared (name and address) by the charity (which had a broad mandate) was not sensitive.
2. Reasonable Expectations
The OPC found that it would be consistent with the reasonable expectations of an individual for the charity to use the personal information submitted via a donation form for the purposes of processing their donation, or sending an associated tax receipt. However, the OPC found that disclosing an individual’s name and address via the trading program was not for this primary purpose, but instead, for the secondary purpose of enabling third parties to solicit donations from that individual. The OPC concluded individuals would not reasonably expect the charity to disclose their personal information to third parties for this purpose.
Because such information sharing is outside the reasonable expectations of donors, express opt-in consent was required for the practice.
3. Harm
The OPC noted that, in the circumstances of the trading program, the potential disclosure of personal information was very limited in nature and context: the information was only shared with other participating non-profit organizations for the purpose of enabling these organizations to contact the individuals, one time by mail, to solicit donations, and recipients of unwanted mail are able to opt out such that they will cease to receive such mail in future. In the OPC’s view, this did not raise a meaningful risk of significant harm.
Meaningful consent
The OPC concluded that the consent obtained in this case had not been meaningful.
The OPC emphasized that the Guidelines provide that to receive meaningful consent, organizations must allow individuals to quickly review key elements impacting their privacy decisions, right up front as they are considering using the service or product on offer. For this purpose, the organizations must generally put additional emphasis on certain key elements, including: (i) what personal information is being collected; (ii) to whom it will be disclosed; and (iii) for what purposes.
The OPC found that the charity’s materials were insufficient to support meaningful consent:
- The donor form was lacking key program-related information that should have been provided up front, including what personal information would be disclosed to whom, and for what purposes.
- The insert provided with the donor form (which included a more detailed explanation of the trading program) and the charity’s privacy policy were both lacking certain information necessary to support meaningful consent, including how donors could withdraw their consent to the trading program.
- The charity did not consistently provide the insert to recurring donors.
Outcome
The OPC required the charity to submit, over the course of a year, “a detailed plan, including steps and associated timelines, for implementation of the recommendations”, as well as quarterly reports detailing specific progress towards implementing the steps outlined in its plan; and a final report, with supporting documentation, evidencing that it has fully implemented the OPC’s recommendations.
Given the resource constraints of not-for-profits, it is not surprising that the charity simply elected to cease participating in the trading program.
Takeaways
Not-for-profit organizations should review their privacy policies, their consent forms and their processes to ensure they comply with the OPC’s most recent finding.