This is the third post in a series dealing with promotional activities in which a user of a website or mobile app is requested to provide e-mail addresses of their contacts or allow access to the user’s address book for the purpose of sending an e-mail invitation to a contact of the user.  In the first post, I discussed the privacy by design principle.  In the second post, I discussed the implications of treating the contact information as the personal information of the user and the non-user. 

As I mentioned in previous posts, this whole area is fraught with difficulty and will become more so once Canada’s Anti-Spam Legislation is in force. Legal advice should be sought for these types of promotion to ensure compliance.

So the invitation has gone out to the non-user.  Now what? 

Resist the urge to build a profile for the non-user.

The non-user has not yet agreed to join. Typically, an organization will want to build privacy protections to avoid building a user profile for the non-user until the non-user consents to join. If the purpose of collection was to send an e-mail invitation, it may be difficult to justify the collection of the non-user’s street address or telephone number.

There may be more subtle ways of building a profile, such as by cross-referencing the non-user’s e-mail address against other users’ address books or searching out other available information on the Internet. If the website or mobile application’s design involves building a profile for the non-user as part of the promotional activity to invite the non-user to join, care should be taken to deploy privacy protections. In particular, the organization should avoid “using” the non-user’s personal information for purposes other than making the invitation until the organization has made privacy disclosures to the non-user.

In a recent decision of the Office of the Privacy Commissioner of Canada (“OPC”), the OPC considered Facebook’s practices with respect to generating friend suggestions for non-users in invitations. At the time of the investigation, Facebook would bundle friend suggestions within the first invitation to the non-user. The OPC found it significant that by doing so Facebook had already “used” the non-user’s e-mail address to generate friend suggestions without providing any information on how the non-user’s personal information was being used or any opt-out mechanism.

During the investigation, Facebook changed its practices to something more acceptable to the OPC. No additional friend suggestions were made in the initial invitation. There was a more prominent opt-out notice and a notice and link to information regarding the use of the e-mail address for generating friend suggestions. The non-user’s e-mail address was only used to make additional friend suggestions to the non-user once those disclosures had been made and the non-user had been given an opt-out opportunity.

Destroy the e-mail address once the purpose for the collection has been fulfilled.

Another issue is what to do with the e-mail addresses of non-users who do not respond either to join or to opt out. Organizations should consider whether the purpose for which the e-mail address has been collected has been fulfilled. If so, then privacy legislation in Canada would instruct the organization to destroy (delete) the non-user’s contact information.

There will be instances where the website or mobile app stores the contact information for another purpose as a service to the user.  However, if the sole purpose of the collection was to make the invitation, then the organization should consider what would constitute a reasonable period of time to keep the non-user’s contact information.
