This is the third post in a series dealing with promotional activities in which a user of a website or mobile app is requested to provide e-mail addresses of their contacts or allow access to the user’s address book for the purpose of sending an e-mail invitation to a contact of the user. In the first post, I discussed the privacy by design principle. In the second post, I discussed the implications of treating the contact information as the personal information of the user and the non-user.
As I mentioned in previous posts, this whole area is fraught with difficulty and will become more so once Canada’s Anti-Spam Legislation is in-force. Legal advice should be sought for these types of promotion to ensure compliance.
So the invitation has gone out to the non-user. Now what?
Resist the urge to build a profile for the non-user.
The user has not yet agreed to join. Typically, an organization will want to build privacy protections to avoid building a user profile for the non-user until the user consents to join. If the purpose of collection was to send an e-mail invitation, it may be difficult to justify the collection of the non-user’s street address or telephone number.
There may be more subtle ways of building a profile, such as by cross-referencing the user’s e-mail address against other users’s address books or searching out other available information on the Internet. If the website or mobile application’s design involves building a profile for the non-user as part of the promotional activity to invite the user to join, care should be taken to deploy privacy protections. In particular, the organization should avoid “using” the non-user’s personal information for purposes other than making the invitation until the organization has made privacy disclosures to the non-user.
In a recent decision of the Office of the Privacy Commissioner of Canada (“OPC”), the OPC considered Facebook’s practices with respect to generating friend suggestions for non-users in invitations. At the time of the investigation, Facebook would bundle friend suggestions within the first invitation to the non-user. The OPC found it significant that by doing so Facebook had already “used” the non-users’ e-mail address to generate friend suggestions without providing any information on how the non-user’s personal information was being used and any opt-out mechanism.
During the investigation, Facebook changed its practices to something more acceptable to the OPC. No additional friend suggestions were made in the initial invitation. There was a more prominent opt-out notice and a notice and link to information regarding the use of the e-mail address for generating friend suggestions. The non-user’s e-mail address was only used to make additional friend suggestions to the non-user once those disclosures had been made and the non-user given an opt-out opportunity.
Destroy the e-mail address once the purpose for the collection has been fulfilled.
Another issue is what to do with the e-mail addresses of non-users who do not respond either to join or to opt-out. Organizations should consider whether the purpose for which the e-mail address has been collected has been fulfilled. If so, then privacy legislation in Canada would instruct the organization to destroy (delete) the non-user’s contact information.
There will be instances where the website or mobile app stores the contact information for another purpose as a service to the user. However, if the sole purpose of the collection was to make the invitation, then the organization should consider what would constitute a reasonable period of time to keep the non-user’s contact information.
For more information, visit our Data Governance Law blog at DataGovernanceLaw.com