Banks try to live up to CBA privacy model

But in researching the annual Bankers’ Report Card, Investment Executive researchers interviewed a Toronto-area banker who expressed concern about potential BMO use of a New York-based company called DoubleClick Inc.

DoubleClick has been at the centre of recent e-commerce controversy. As the Web proliferates and companies decide to offer free access to their Web sites, advertising has become the way to generate revenues and make sites profitable. Companies such as DoubleClick expand by acting as middlemen between Web site proprietors and advertisers. But, DoubleClick goes one step further by offering advertisers the ability to track Web usage by using various ways of gathering information on the sites that surfers are visiting, thereby providing guidance on target marketing.

A May 7 article in the The New York Times, under the headline “So far, Big Brother isn’t big business,” says most firms that have used such information to target their advertising say “the response to their ads does not go up enough to be worth the extra cost and bother.”

Clarify practices

DoubleClick has attempted to clarify its practices. On March 2, its president issued a statement, saying, “It has never associated names, or any other personally identifiable information, with anonymous user activity across Web sites. We commit today that, until there is agreement between government and industry on privacy standards, we will not link personally identifiable information to anonymous user activity across Web sites.”

Although BMO did not return repeated calls, it — like all the banks — has established a privacy code based on the Canadian Bankers Association‘s model privacy code. “From the day Bank of Montreal was founded,” says the privacy code note on BMO’s Web site, “we have been committed to keep confidential all information about you, our customers, and your banking relationships with us. In any business, privacy of personal information is desirable; in banking, it’s essential.”

As for personal information, BMO says: “We obtain personal information about you primarily from you. We may also obtain such information from other sources with your consent. For example, when you apply for a loan, we ask you to authorize us to obtain a credit bureau report on you, and collect and verify your personal information with credit bureaus, credit insurers, your employer, personal references and other lenders.”

The key words here are “with your consent.” It’s a key principle in the CBA model, released in November 1996. The code is based on the Canadian Standards Association‘s Model Code for Privacy Protection of Personal Information. The banking industry has committed to reviewing its own model code every two years to ensure its provisions are up-to-date and relevant.

To obtain consent, the CBA code says banks “will make a reasonable effort to make sure customers understand how the personal information will be used and disclosed by the banks. Banks will get consent from their customers before or when they collect, use or disclose personal information. They will not deceive a customer into giving consent. A customer’s consent can be expressed, implied or given through an authorized representative. A customer can withdraw consent at any time, with certain exceptions.”

Implied consent?

Implied? There may be some situations in which consent is implied, says Linda Routledge, the CBA’s director, consumer and corporate affairs. For example, a few years back, when the banks were implementing their privacy codes, following the release of the CBA code. A bank sent a letter to customers setting out its disclosure procedures and stating it would be sending marketing information as it anticipated customer needs for various bank products and services. The clients were given the opportunity to opt out, but when a customer didn’t do so, consent was implied, says Routledge.

Today, she says, all disclosures are available as clients sign on for new services. Consent or the decision to opt out is obtained then.

“The CBA and the banks participated in the development of the CSA model code,” says Routledge. “Our code was released the same day.”

Some banks have adopted the CBA code verbatim, she says, while others have modified it so their own code is written in shorter form and plainer language.

Canadian banks are well along in their preparations for the new federal legislation, says Routledge. The main difference between the established codes and the legislation is the former applies to bank customers while the latter also applies to the banks and their employees. The legislation also applies to personal information gathered about customers’ clients and corporations.

“My sense is the banks are pretty far along,” says Peter Beamish, policy director at the office of the Ontario Privacy Commissioner. “They’ve accepted the new legislation and are bringing their practices into compliance with it. They should be in place once the bill takes effect.”

As far as Peter Cullen, senior manger, customer loyalty, and a participant in developing privacy policy at Royal Bank of Canada, privacy principles apply no matter where personal information is obtained — on paper or the Web. RBC is rewriting portions of its code to be “more explicit from an e-world perspective.”