Despite limits set by Canadian privacy laws, many firms engage in aggressive private data collection, according to privacy rights advocate and University of Ottawa e-commerce law professor, Michael Geist.
For instance, he said, the Royal Bank of Canada’s move this month to update its Android mobile banking app following customer fears of the application scooping up their personal data, and the recent linking of Montreal-based Aeroplan’s loyalty program with Air Canada, show how businesses are stepping up their personal data collection operations.
“Companies use data mining techniques (the same ones used by intelligence agencies to comb through meta data of billions of telephone calls) to analyze customer habits and inform a wide range of business decisions,” he wrote in a recent blog.
The “insatiable desire” for customer data “stretches Canadian privacy laws to its limits” and places user data at risk for security breaches, Geist said.
While some of the ways the culled data is being used may seem “innocuous,” he said the policy of collecting as much data as possible raises security concerns. For instance, the risk of a security breach rises as businesses retain more information such as financial data and personal data.
In the case of RBC, the bank quickly announced it was making changes to its mobile banking app, after Twitter and Facebook were flooded by customer posts expressing anger and concern because the app was requesting permission to access their call logs, contacts and even GPS location.
Aeroplan, on the other hand, recently said that holders of its financial credit cards will soon be required to grant the company access to detailed financial activity. By 2014 Aeroplan will have access to cardholder transaction information including merchant names, transaction amounts and dates of the transactions.
Geist said Canadian privacy laws require organizations to first obtain consent from a person before they collect, use and disclose personal information of that individual. This view treats privacy as a “negotiated bargain” in which businesses can ask for permission to do anything with the private data they collect, as long as they obtain consent.
However, the law professor said, while companies can ask for information they deem reasonable under the circumstances, they cannot require customers to disclose information if the information is not necessary in order to supply the good or service the customer is seeking.