The Office of the Privacy Commissioner of Canada (OPC) found a charity did not comply with privacy requirements when it traded donor lists. The charity relied on opt-out consent to share donor contact information with other charities but this did not meet the standard of meaningful consent that is required under privacy legislation.
On September 19, 2023, the OPC published findings from a 2021 complaint about a charity that traded donor contact information with another charity.
The donor regularly gave to Charity A using a paper form. The donor received a request for donations from Charity B in the mail. Charity B confirmed that it received the donor’s name and mailing address from Charity A. The donor looked at Charity A’s form and found an opt-out checkbox for donors who “prefer not to have [their] name traded with other organizations.” The donor complained to Charity A. After a long delay, Charity A responded but the donor was unsatisfied and filed a complaint with the OPC.
Charity A argued that trading donor information was necessary to fulfill its objectives, that trading “is a long-standing, widely used practice among not-for-profit organizations,” that participation is voluntary, that the donation form’s check-boxes are few and are clear, and that donors can opt-out.
Using its Guidelines for Obtaining Meaningful Consent, the OPC concluded that by relying on opt-out consent to share donor contact information with other charities, Charity A did not obtain meaningful consent as required by the Personal Information Protection and Electronic Documents Act (PIPEDA).
The OPC made several findings and compliance recommendations.
Information Not Sensitive, No Risk of Significant Harm
The information shared was not sensitive, nor did the sharing create a risk of significant harm to the donor.
But the OPC emphasized that sensitivity of information is context-specific. For example, the nature of a charity could infer sensitive information about a donor, particularly if the charity represents specific interests or supports marginalized groups (e.g. religious beliefs, health conditions, criminal history).
Takeaway: ensure you take the nature of your charity into consideration when assessing whether a donor’s name and address could be sensitive.
Donor’s Reasonable Expectations Not Met
Sharing the donor’s information requires express consent because such sharing falls outside the donor’s reasonable expectations.
The OPC accepted that trading donor lists may be common practice, but common practice does not dictate donors’ reasonable expectations. Donation processing or sending tax receipts fall within donors’ reasonable expectations as to why their information may be disclosed, but donors would not expect disclosure for “the secondary purpose of enabling third parties to solicit donations”.
Further, where “the act of donating to charity is a private matter (e.g. for religious reasons) [donors] would not expect that their personal information [would] be disclosed in this manner.”
Takeaway: put yourself in the donor’s shoes and ask what you would reasonably expect. In other words, apply the golden rule!
Charity Did Not Provide Sufficient Information to Support Meaningful Consent
The charity had not provided sufficient information to support meaningful consent.
The OPC cited various sections of PIPEDA to determine whether the charity provided enough information to the donor to meet the standard of meaningful consent.
- Section 4.3 – knowledge and consent are required for collection, use and disclosure of personal information
- Section 4.3.2 – organizations need to make reasonable efforts to ensure individuals understand the purpose for which information will be used
- Section 6.1 – consent is only valid if it aligns with reasonable expectations
With these principles in mind, the OPC examined the Charity’s donor insert. While the insert provided a reasonable description, it didn’t explain that a donor’s mailing address would be shared with third parties; that recurring donors might not have received the insert; and the insert did not tell donors how they could withdraw consent.
Takeaway: make sure that readers can quickly review important information that impacts their privacy decision, focusing on what information is collected, to whom it is disclosed and for what purpose. Provide this information every time. Provide clear opt-out instructions.
What about check-boxes?
The OPC acknowledged that PIPEDA allows for checkoff boxes, and that they are “a reasonable method of seeking consent under certain circumstances.” The issue was whether opt-out consent was reasonable in this case. The facts led the OPC to the conclusion that it was not reasonable.
The OPC made 4 recommendations to ensure the Charity complied with PIPEDA:
- Use express, opt-in consent for donor list trading
- Provide key information up front, including details of what happens if a donor opts in (what is disclosed, to whom, for what purpose, and the right to withdraw consent)
- Provide key information every time consent is sought
In an update, the OPC noted that the Charity agreed to implement all recommendations, but subsequently ceased its participation in the donor list trading program.
The content provided in this blog is for general information purposes and does not constitute legal or professional advice. Every organization’s circumstances are unique. Before acting on the basis of information contained in this blog, readers should consult with a qualified lawyer for advice specific to their situation.