Interview with CHUM
July 2003
Terry McQuay, Nymity's President, recently spoke with Christina Litz, Legal Counsel and Privacy Officer from CHUM Limited, about how they have become a leader in privacy and compliance with PIPEDA. CHUM Limited, one of Canada's leading media companies and content providers, owns and operates 29 radio stations, eight local television stations and 17 specialty channels, as well as an environmental music distribution division. In addition to its international licensing arrangements and joint ventures, the Company's original content is seen in over 150 countries worldwide. CHUM content is also provided to online audiences on new media platforms, including interactive television, wireless services and exclusive CHUM-branded Internet properties.
Nymity: As a federally regulated organization CHUM had to comply with PIPEDA in 2001. How difficult was the process to become compliant?
Litz : We really did not find compliance that difficult at all. That's not to say that privacy compliance doesn't require a lot of work -- but from a corporate philosophy standpoint, there was no resistance to implementing the kind of changes that PIPEDA calls for.
CHUM has a strong online presence through such websites as www.muchmusic.com and we are always striving to come up with solutions that reinforce the trust of our online users -- especially where a lot of our users include young people. In other words, privacy has always been a concern for CHUM. At the time that compliance came along, and by coincidence, we were also rolling out a new platform for our websites -- so it was quite easy to make sure this new platform included PIPEDA-compliant methods of collecting, using and subsequently disclosing information. We re-evaluated what information we were collecting; from what age we should be collecting information; and how the information could be securely stored. On the last point, we conducted a security audit with a team from IBM to make sure that, to the extent that it was possible, the personal information we collected was secure.
Nymity: What were the privacy issues that had the most impact on business at CHUM?
Litz : We do a lot of promotions and contests online with third party advertiser clients. Some advertisers, for obvious reasons, are interested in knowing details of the users who are participating in their promotion and some are interested in further communications with our users. It is our position at CHUM that without explicit opt-in consent of a user, this information cannot be provided to our third party clients. Because most of our third-party advertising clients don't fall under the purview of PIPEDA until 2004, this has been a bit of a hurdle.
That being said, once the clients have been "educated" we don't find it to be an impediment to our online business -- most of our clients are also quite interested in coming up with the best ways to increase the trust of online users.
We (CHUM and its clients) re-evaluated what kind of information we were collecting and disclosing. If, for example, a client is interested in sending out a promotional email to those who have signed up for one, there is really no reason they need to be receiving a list of home addresses, or even names for that matter. The same can be said for demographic information. Although pre-PIPEDA clients may have been receiving demographic information that was tied to personal information (such as the names and ages of participants), most clients didn't actually need nor did they have an interest in collecting names. They just wanted to know what age group was participating in their promotion. Once we explore that issue with our clients, most clients are quite happy to receive anonymous aggregate information about participants in their particular promotion -- and for those who want to receive a "list" of the users so that they can subsequently communicate with these users, they are quite happy to work with us to come up with explicit opt-in language for the promotion.
Clients who receive personal information must sign a short agreement that details how they can use the personal information and for how long (which must be consistent with the opt-in consent language) and that the personal information will be kept in line with the requirements of PIPEDA. We haven't had any problems getting clients to sign this agreement.
Nymity: How receptive were your business partners to these changes?
Litz : Again, for the most part, we haven't had any problems. It's mostly just been an education issue. To that, we sent out a letter at the beginning of 2001 explaining what kind of changes we were making and why. Our promotions team, too, is very educated about PIPEDA and has been great in working with clients on working through any privacy issues that come up in a particular promotion.
Nymity: What about the companies that already had privacy policies in place?
Litz : We've just started to see the issue of competing privacy policies come up and I imagine this will increasingly be a problem as 2004 approaches. At CHUM, we take a very conservative approach to privacy and our interpretation of the requirements under PIPEDA. Some companies don't feel the same way we do about what is required under PIPEDA. For example, we operate on a 100% opt-in consent basis. In our readings of the federal investigation decisions under PIPEDA, and from a corporate philosophy standpoint, we don't feel that we have a choice in this respect. Some clients don't agree with us. At the end of the day, though, CHUM is the party that is collecting the personal information, so we need to operate from our privacy framework. Most clients accept that.
Nymity: Was it difficult to go to 100% positive consent?
Litz : The only challenge came in making sure the personal information we had collected pre-PIPEDA had the proper consents attached. To the extent that an opt-in consent had not been used to store personal information, our databases were wiped clean and we started from scratch. Although this is an extreme solution and I think there are practical ways of getting around this (for example, sending out an email saying that if people don't respond by a certain date, their information will no longer be stored), there was really no reason we needed the personal information so it wasn't a big problem for us.
In terms of 100% positive consent, again, it goes to increasing the trust of our online users. If you make your opt-in request specific and clear, I think you'll find that users are still quite interested in opting-in. Some of our clients use the information to mail free products, or send information about future promotions. So long as you make this clear in the opt-in language, people will opt-in. It's when the language is vague that users become wary of checking the opt-in box. They worry their information is going out into cyber space and that they have no control over it.
We've further reinforced the notion of positive consent by allowing users to look into what consents have been provided to CHUM in the past. This is done through our username and password account system. To participate in a CHUM contest, users sign up (with minimal personal information) for a username and password. This username and password is then used to enter subsequent promotions. Although this system was implemented for the ease of use of our online users, it was also implemented so that our users had better control over their personal information. At any time, users can log on to our system and see a complete list of all of the contests/promotions they have entered in the past 6 months, what information we have on file, and what opt-in consents they have provided in the past. Through this account, they can change and update their information, remove their personal information from our databases and withdraw consents previously given.
Nymity: You have built retention into both your policies and your systems. Please explain.
Litz : If a username and password has not been used for 6 months, this information is deleted from our databases. Through discussion with privacy experts, and our observations of how often people were using our websites, we felt that this was an acceptable time to store personal information under PIPEDA in connection with the purposes for the collection of the information.
Nymity: You are potentially dealing with information belonging to minors. Were there special considerations that you had to deal with for minors' information?
Litz : PIPEDA is silent on how companies should deal with personal information collected from minors. We don't have legislation similar to the US Children's Online Privacy Protection Act. We did know, however, that it wasn't appropriate to be collecting personal information from certain age groups without parental involvement. Although some companies have gone to great and interesting lengths in order to gain parental consent (such as emailing the parent a consent which they then must fax back to the company), we weren't interested in entering into this territory. So the difficulty just came in deciding the cut-off. Again, through discussions we had with various privacy experts, outside counsel, and in looking at guidelines set in COPPA, 13 seemed appropriate. We now require birth date as a mandatory field in signing up for a CHUM username and password. If someone under the age of 13 tries to sign-up, they will be prevented from doing so.
Nymity: Were there any special privacy considerations regarding your bulletin boards or online classifieds?
Litz : Not really. It is not necessary to provide personal information to participate in bulletin boards or online classifieds. To the extent that personal information is provided through the postings an individual user makes (for example, if a user provided his first and last name with a phone number in the bulletin board), they are consenting to that use of personal information.
Nymity: Please describe the ongoing compliance activities at CHUM.
Litz : At this point, we have all our policies in place, all the education has been done and we are practically operating in a PIPEDA compliant environment. So now we need to make sure things stay that way, which can sometimes be a challenge in a large cross-Canada company that values station independence. However, through informal audits (which can be as simple as me, from time to time, visiting our websites to see what everyone is doing) to more formal audits (which involve sending detailed questionnaires to business managers with subsequent verbal follow-up), which we did pre-PIPEDA and will do again soon, we feel that we can handle this challenge.
Nymity: If you had to do it all over again (i.e. become compliant) what would you do differently?
Litz : Overall, I don't think we would have done much differently. There was always strong corporate and management support for PIPEDA compliance at CHUM -- this is important if some "radical" changes need to be made in order to become PIPEDA-compliant.
Perhaps, I could have recruited some more help. Although we had a team approach to working on PIPEDA compliance, once you get to the actual nitty-gritty details of implementation, there is a lot of work to be done.
Also, everyone says this, but knowing now what kind of work was involved, it's better to start compliance as early as possible. Look for practical opportunities to implement privacy practices (such as we did when we did a re-launch of our websites) and to communicate to your clients/customers about changes that may be taking place (for example, if a company mail-out is going out, include something about your privacy regime).