On December 19, 2012, the Office of the Privacy Commissioner of Canada released Report of Findings #2012-005 (dated April 27, 2012) regarding obtaining meaningful consent to the use of information provided to credit reporting agencies. The complaint arose when an insurer increased the home insurance premiums for a couple based on a credit score.
Obtaining Meaningful Consent
In the OPC’s view, the insurance company made a number of errors in obtaining consent. Among the more interesting issues:
“May” can be misleading. Organizations tend to “hedge” in their disclosure regarding their privacy practices with the liberal use of the word “may” in their privacy policies. In this case, the organization stated that it “may use the score as one of the rating factors”. In practice, however, the organization always used the score at the first renewal of all policyholders. The OPC stated:
“In our view, a customer reading the company’s notice could form the general impression that they are exempted from the practice, or that it applies only in a minority of cases (e.g., individuals with a consistently poor credit history). In actual fact, the company applies the practice broadly and consistently.”
Transparency involves education. Part of obtaining meaningful consent involves educating the consumer on the use of his or her personal information. The OPC concluded it was unreasonable to expect that an individual would understand that information regarding credit worthiness in a loan or credit context would be used to establish the probability of an individual making an insurance claim. Indeed, the use of the credit scores to determine insurance risk may not be well-understood by Canadian consumers. The OPC cited a November 2010 survey commissioned by the Insurance Brokers Association of Ontario that reported, according to the OPC, that three out of every four consumers do not understand that their credit score is used to determine insurance risk and their premiums for insurance.
After-the-fact notice does not equate to meaningful consent. The dissemination of more detailed information regarding the use of the credit score prior to the one-year anniversary of the policy was not adequate to obtain consent to the use of the credit score at renewal. The OPC concluded that the request for consent had occurred at the time of the application and this was the relevant point at which information regarding the purpose and sue of the credit score must be provided.
If there is an industry code, you should follow it. The organization’s troubles were not assisted by the fact that it did not follow the industry code regarding obtaining consent. The OPC stated as follows:
“Moreover, we note that the company does not appear to be following the guidance provided by its own industry association with respect to consent. The Code provides detailed instructions for obtaining consent to the use of credit information and advocates for obtaining express and informed consent. While we acknowledge that the Code is voluntary, as noted above, our view is that its presence indicates that special considerations are warranted for the use of credit information. Accordingly, we find the Code to be informative with respect to the parameters it sets for obtaining appropriate consent in the context of using credit information in underwriting and rating activities for personal insurance.”
Reasonableness and Public Policy
Subsection 5(3) of the Personal Information Protection and Electronic Documents Act provides that an “organization may collect, use or disclose personal information only for purposes that are reasonable person would consider are appropriate in the circumstances.”
Although the OPC acknowledged that the Ontario Consumer Reporting Act permitted the use of consumer reporting agency information to assess insurance risk, the OPC was clearly troubled and has left open the possibility that the OPC might conclude that the use for insurance purposes is unreasonable. The OPC stated that “there is no obvious link between credit information and insurance premiums.”
As such, the OPC intends to continue to conduct research and monitor the public policy issues regarding the use of credit information for the purposes of assessing insurance risk. This statement is curious. Could it be that a practice expressly authorized by a Legislature could be found to fail the reasonableness standard in subsection 5(3) of PIPEDA? This would appear to raise significant constitutional issues entirely sidestepped by the OPC, at least for the moment.