Skip to main content
This website uses cookies. By continuing to use this website you are agreeing to our use of cookies as described in our privacy policy.
Bulletin

Comments Regarding Customers or Users: Do You Really Have “Free Rein”?

Fasken
Reading Time 4 minute read
Subscribe

Privacy and Cybersecurity Bulletin

Very belligerent customer, brainless, customer is annoying, total idiot customer, customer is a huge a****** who thinks she’s allowed to do anything, total pain in the a** customer, crazy, heavy African accent, Jewish customer, customer with a heart problem, customer with a mental illness, alcoholic customer, put her husband with Parkinson’s on the phone, customer who had a herniated disc operation 3 months ago.

This is a sampling of some of the 5,858 comments that were held to be irrelevant about customers maintained by the customer service department of a French household appliance company. Aside from the negative effect on the company’s public image, the National Commission on Informatics and Liberty (Commission nationale de l’informatique et des libertés, or the "CNIL") also sanctioned this behaviour by ordering the company to [translation:] "take the necessary measures to prevent excessive comments from being recorded in the company's databases, and in particular set up a system for automatic detection of such comments and make employees aware of the need to record only necessary and relevant data". [1] Recently, the CNIL has once again drawn the attention of businesses to the necessity of adopting good practices in this matter.[2]

This case may seem rather excessive [3], especially as it is miles away from our Canadian borders. However, the practice of recording internal comments about customers/users in databases (or “free comment fields”), especially in CRM systems [4], is common in most Canadian organizations, for example, in order to track customer records or personalize the business relationship. Furthermore, as in Europe, such a practice has inherent personal data protection issues (in that the comments are information about identifiable individuals), with the resulting risks of sanctions and harm to reputation.

In Short, the Principle is Simple: You Can’t Write Just Anything in Free Comment Fields!


Canadian laws concerning the protection of personal information set out the requirement of “necessity”. Thus, in Québec, businesses may only collect information “necessary” for the purposes of the file, in addition to having a “serious and legitimate reason” for doing so [5]. Furthermore, when establishing or using the file, businesses may not: “otherwise invade the privacy or injure the reputation of the person concerned”.[6] At the federal level, the fundamental concept is similar in that: “[t]he collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means”.[7] Lastly, within the European Union, Article 5 of the General Data Protection Regulation (the “GDPR”) clearly states that personal data must be: “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. Thus, the information provided must not infringe on a person’s image or prevent them from receiving a benefit to which they may have a claim simply due to the presence of disparaging, discriminatory or even injurious comments.

What are the rules and good practices to adopt to promote the harmonious use of free comment fields within your organization?[8]

 

  • Institute a policy on the use of free comment fields, including tips and examples of preferred vocabulary (as well as any special rules for treating sensitive information, such as the person’s health, religion, or sex life);
  • Train and sensitize employees, particularly teams in direct contact with customers or users, so that they can understand and identify inappropriate, subjective or insulting comments;
  • Promote the use of drop-down menus offering objective assessments as much as possible;
  • Conduct regular audits using automated tools to check words contained in free comment fields; and,
  • Assess organization-specific risks (B2C, CRM, organization size) and take into account the rights of individuals to their personal information -- that they may request access to comments about them, along with the dramatic legal and reputational consequences that this could entail.

In the end, if you do not have free rein to comment on your customers or users, it is up to your organization to take control and stay on the right path, improving your reputation along the way.

Free comments: the ball is in your court!

 


 


[1] CNIL, decision no. 2015-063, June 26, 2015.
[2] CNIL, « Zones bloc note et commentaires : les bons réflexes pour ne pas déraper », 28 février 2019(Available in French only).
[3] It should be noted here that the CNIL has already had occasion to issue several formal notices and warnings due to the misuse of free comment fields. See especially CNIL, decision no. 2011-205, October 6, 2011.
[4] “Customer Relationship Management.”
[5] Act respecting the protection of personal information in the private sector, CQLR c. P-39.1, sections 4, 5, 6 and 9.
[6] Civil Code of Québec, CQLR c. CCQ-1991, art. 37.
[7] Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, Schedule 1, Principle 4.4.
[8] CNIL, “Zones bloc note et commentaires : les bons réflexes pour ne pas déraper,” 28 février 2019(Available in French only).

    Subscribe

    Receive email updates from our team

    Subscribe