How Much Do We Drink?

How Much Do We Drink?

3 Lessons Learned from the LCBO Collection of Personal Information

Every company dreams of having rich data profiles of their customers.  The more you know about your customers, the better you can refine your products and marketing to reflect their wants and needs.  In a perfect world, you could analyze the data and come up with innovative new products and service offerings that match your customers’ demographics.

The Endless Opportunities of Big Data

To help achieve their goals, companies are investing in customer relationship management (CRM) software in increasing numbers.  According to a 2014 survey by IDC Canada, more than 40% of large Canadian businesses use CRM software for sales.  Roughly 30% also used CRM for marketing and customer service purposes.

The massive data collection and analytical capability of CRM software provides a huge temptation to collect a range of personal information that you don’t currently need.  Implementing powerful CRM systems requires careful thought about what data to collect and the use to which it will be put.

You Want to Know WHAT About my order?

The Liquor Control Board of Ontario (LCBO) just learned the hard way that there are limits on collecting personal information for which it could not define an appropriate current use.  In a recent set of decisions, the LCBO has been ordered to destroy certain personal information it had collected – and is stuck with a legal bill of more than $250,000.

A wine club filed a complaint with the Information and Privacy Commission in June, 2012 about the LCBO’s requirement that orders placed collectively by the club be accompanied by detailed personal information about the individual members and their orders.  The club argued that this essentially amounted to inappropriate oversight of personal alcohol consumption.  By comparison, a consumer can walk into a store and make anonymous purchases.  In Order PO 3356-R (issued June 2015, which confirms its earlier order; leave to appeal denied by Ontario Court of Appeal, Sept 25, 2015), the Commission found that the LCBO could not justify its collection of the personal information.  The Commission did not accept the LCBO’s position that it required the personal information to prevent fraud and illegal third party sales by the wine clubs, as there was no evidence that the clubs presented an actual risk of these activities.
The Commission noted that the LCBO could not collect personal information for speculative or potential purposes that were not defined at the time of collection, and took the rare step of issuing an order requiring the personal information to be destroyed.

Three lessons learned from the LCBO’s experience:

  • Define your needs:  Don’t collect personal information purely because you might find a use for it in the future.  Canada’s federal Personal Information Protection and Electronic Documents Act (PIPEDA) and provincial privacy laws require that the purposes for which personal information is collected be identified by the organization at or before the time the information is collected.
  • Transparency:  Ensure that you very clearly explain what you are collecting and why, so that everybody is on the same page.
  • Privacy by Design:   No one person is likely to have all the answers. The priorities of Marketing & IT will likely include sales targets, customer experience, ease of use and cost control.   Invite your privacy rep to the table early on, so that privacy considerations make it onto the list of priorities. Building privacy issues into systems design rather than bolting them on afterwards is known as “privacy by design”.  An excellent resource to guide you through the process is Incorporating Privacy into Marketing and Customer Relationship Management, published by the Information Privacy Commissioner of Ontario and the Canadian Marketing Association.

For assistance with a privacy assessment of your CRM initiatives, contact PrivaTech.