Is a driver’s licence fair game?
Canadian retailers say they’re confused about the privacy implications of collecting customers’ personal data, particularly when regulations governing data collection can vary from province to province.
The various privacy commissioners across the country are familiar with
this challenge, says Elizabeth Denham, Assistant Privacy Commissioner
of Canada, who spoke as part of a panel at a recent Retail Council of
Canada (RCC) conference held in Mississauga, Ont.
Federal privacy legislation PIPEDA (Personal Information Protection
Electronic Documents Act), which has been in force since 2004, applies
coast to coast with the exception of B.C., Alberta and Quebec. Those
provinces have their own privacy legislation.
“It’s critical for us for harmonize (the various points of view),” she
says, adding that the federal commissioner’s office meets monthly with
privacy officers from B.C., Alberta and Quebec. “It benefits businesses
and it benefits Canadians to have (agreement). As much as possible, we
try to harmonize our approach. It’s not perfect, but we’re doing the
best we can.”
One of the biggest security issues facing retailers is managing return
policies, says Sears Canada Inc.’s associate vice-president of loss
prevention and safety Don Berezowski. There is potential for stolen or
fraudulently obtained goods being returned to retailers illegally,
particularly if retailers don’t insist on having a receipt present.
Some retailers have adopted a policy of collecting shoppers’ driver’s
licence numbers at the time of purchase to better track merchandise,
should it end up back in the store as a returned item.
Denham says she understands that retailers might see the value of
collecting this information, but so far, no retailer has been able to
prove there is a strong relationship between ID collection and a
reduction in false returns. Moreover, retailers may be faced with a raft
of data storage and security problems if they choose to go that route,
particularly since driver licences are one of the main sources of
Denham suggests that retailers invent their own ID system (with unique
numbers assigned to customers) should they wish to track purchases and
returns in this manner.
Berezowski says that retailers are often confused by the range of ID
collection options: which ones are frowned upon and which are
permissible. The problem is only exacerbated when front line staff have
to be trained.
Derek Nighbor, senior vice-president of national affairs at the Retail
Council of Canada, acknowledges that this can be a major problem for
retailers and suggests they avoid collecting driver’s licences
altogether. “We have recommended it as a best practice,” he says. “Just
don’t go there. Less is more.”
The RCC works with the privacy commissioner to determine best practices
and provide guidelines that are helpful to retailers. For example,
retailers are well within their rights to ask a customer to show a
driver’s licence as a means to confirm identity, provided they don’t
store that information. They can also insist that a customer sign the
back of their credit card if they haven’t done so already.
The best policy, says Nighbor, is to be transparent in all dealings
with customers and employees when it comes to data collection. But how
retailers can share information with each other is still a grey area.
Retailers may be keen to provide information about potential
shoplifters or fraudsters operating in their area ”“ particularly when
in-store cameras can easily capture images that could be useful in
identifying a suspected criminal.
This is where jurisdictional disharmony is perhaps most evident, says
Denham. While PIPEDA is quite restrictive, both B.C. and Alberta allow
for information-sharing between store owners, but to varying degrees.
In every case, there must also be co-operation with a police authority;
in some cases there must be an official investigation underway in order
for potentially incriminating information to be shared.
The Victoria, B.C., police department is currently experimenting with
an Internet portal that would allow local retailers to submit
information and pictures if they have cause for concern.
The variations in privacy legislation around these types of initiatives
is troubling, says Denham. “We’ll be watching the Victoria pilot very
If retailers want to make sure they’re in the right when it comes to
privacy compliance, they should seek the counsel of their local privacy
commissioner, says Berezowski. “You need to be in tune with this. It’s
big dollars out there and it affects the bottom line.”
The federal privacy commissioner’s office is planning on publishing a
document before the end of 2008 which will help retailers find
alternatives to driver’s licence collection. In the meantime, “We give
advice for free,” says Denham. “Give us a call.”