Sep 25, 2013

    T&Cs don't mean firms can sell your data

    THERE will soon be more protection for consumers' personal details when they sign up for services, which could save them grief from receiving unsolicited marketing calls or e-mail messages.

    In some cases, companies offering the services cannot insist that the details collected from consumers be sold to third parties, if doing so is beyond what is reasonable for the company to provide the services. This is based on Government guidelines released yesterday.

    For example, a customer signs up for a spa package, and the terms and conditions state that the spa company might share and sell her personal details to third-party marketing agencies.

    The customer requests that this disclosure not be done, but the spa refuses, citing how the terms and conditions are standard, and she must agree to them.

    In this case, even if the customer agrees for her details to be sold to third parties, permission to do so is not considered valid since it is beyond what is reasonable for providing spa services.

    The customer should be able to sign up for the package without having to agree to the disclosure and sale of her details.

    A company doing otherwise could face penalties, such as a fine of up to $1 million, under the Personal Data Protection Act.

    The Act came into effect at the beginning of the year, but will be enforced from July 2 next year. It seeks to protect personal details from being misused.

    Yesterday's released guidelines arose in part from public feedback that the Personal Data Protection Commission received between February and April. The guidelines elaborate and provide interpretations on specific requirements under the Act. The Commission administers the Act.

    Some firms might require people to opt out of the collection and use of their personal details. So, some companies might think that not opting out means consumers have agreed to the collection and use of their details.

    But the Commission said, generally, "failure to opt out may be due to other reasons than the individual's desire to give consent".

    "Failure to opt out will not be regarded as consent in all situations. Rather, whether or not a failure to opt out can be regarded as consent will depend on the actual circumstances and facts of the case," it said.

    For instance, a retailer collects personal details from its customers so that it can deliver products bought by them. It later mails a flyer to them which says that customers agree to the disclosure of their details to another company to market products, unless the customers write back to opt out by a certain date.

    If the company receives no reply from the customer, the customer's inaction is unlikely to show that he has agreed, because he might not have read the flyer.