News > A Practitioner’s Guide to Privacy and Marketing in the Digital Economy

A Practitioner’s Guide to Privacy and Marketing in the Digital Economy

December 11, 2017 – By Inga Petri, Strategic Moves – At the recent CAPACOA national conference, I led an in-depth conversation about the legal frameworks affecting thinking and attitudes about data collaborations within the performing arts sector.

10 privacy tips for businessesMy aim was to move beyond “we can’t do that because the law prevents us” and foster a clearer understanding of what these laws mandate. There are three laws to consider:

  • Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Do Not Call List (DNCL)
  • Canadian Anti-Spam Legislation (CASL)

In provinces where there is a privacy law deemed “substantially similar” – today that applies to Quebec, Alberta and British Columbia – arts organizations in those provinces must implement those laws instead of PIPEDA.

First and foremost, these laws are designed to protect consumers. From a marketer’s perspective, I submit that anyone who respects their current and potential audiences, and seeks to build mutually beneficial relationships most likely practices ethical marketing that is compliant with these legal obligations. Further, organizations that have used US-based email engines, have had to comply with US anti-spam legislation which came into effect in 2003 which is similar to the Canadian Anti-SPAM legislation that came into effect a decade later.

A factor that makes understanding more challenging is that there are specific provisions for different types of organizations and what is considered commercial activity. There are exemptions either for entire categories of organizations in some laws or specific activities in others. In the performing arts eco-system many types of organizations exist, with wide-ranging marketing activities aimed at potential patrons, current audiences as well as a business partners. Therefore these laws cannot be applied in exactly the same way to all arts organizations.

Based on the latest references from Government of Canada web sources, here is a reference of how these three Canadian laws apply in Canada.

What it governs How private-sector organizations collect, use or disclose personal information in the course of commercial activities Designed to eliminate unwanted telemarketing calls by allowing individuals to list their phone numbers on DNCL.


Prohibits commercial email, social networking accounts and text messages without recipient’s consent


What it applies to Any factual or subjective information about an identifiable individual Commercial phone calls Commercial electronic messages
Who it applies to
  • Businesses
  • Not-for profit organizations
  • Charities
  • Businesses
  • Not-for-profit organization
  • Businesses
  • Not-for profit organizations
  • Charities
  • Crown corporations
  • Municipal government
Who or What it DOES NOT apply to
  • Public sector/Government
  • Political parties since they are not conducting commercial activities
  • Charities
  • Market researchers
  • Political parties
  • Newspaper subscription
  • Existing business relationship within 18 months
  • Sales inquiry initiated by potential customer within 6 month
  • Federal, provincial and territorial governments
  • Political Parties and candidates when they solicit a contribution.
  • Commercial messages send by people with an existing personal or family relationship to the recipient.
  • Provides information about ongoing subscription or membership.
  • Delivering agreed on goods or services.
  • Commercial messages within an organization or between organizations when the message concerns the activities of that other organization and the organizations have a relationship
  • Charitable exemption includes: raising funds. Ticket sales when used to raise funds are not considered commercial while others are. Newsletters are generally not considered commercial, with caution if they include paid advertisements.
Consent Individuals must consent to collection, use and disclosure of their private information; have right to access and correct their personal information Express consent to be contacted by your organization is required if the phone number is on DNCL Express consent to be contacted is always required, through opt-in/double opt-in.

In general, consent is not specific to a particular good or service.

Notable provisions To transfer information to a third party, that organization must comply with PIPEDA and it must refer individuals wanting access to their information to the originating organization and allow your organization to audit the third party’s compliance with the contract as necessary. Telemarketers and other organizations using phone solicitation in Canada must have an internal Do Not Call List.

They must clearly identify themselves, their phone number and their purpose, comply with record keeping provisions and restrictions on time of day calls can be made.


Marketing under the guise of research (MUGGING) and Sales under the guide of research (SUGGING) are prohibited.

Organizations must provide an un-subscribe option in their emails.

Email harvesting is prohibited.

Also prohibits installation of a computer program, including malware, spyware, viruses.

Prohibits altering transmission data such as redirecting user to a website they did not intent to visit.


Complaint-based enforcement


The regulations within PIPEDA about third party sharing of information make clear that there is no legal barrier to ticket sellers, venues or renters sharing the customer data as long as all comply with PIPEDA’s provisions. As PIPEDA governs how private-sector organizations collect, use or disclose personal information in the course of commercial activities, it is the point of transaction – i.e. collection – that matters first and foremost.

Over the years, some venues that sell tickets on behalf of rental clients have created a revenue stream through charge backs from box office services as well as list administration for marketing purposes, such as sending promotional emails to the ticket buyers for rental clients on behalf of the rental client. These are mechanisms that are created as a matter of organizational policy rather than what the law demands in and of itself.

In terms of establishing pooled customer data from several arts organizations in a city or shared geographic catchment area, PIPEDA does not apply if that data set strips out the personally identifying information, but could retain postal code information. This type of data has limited usefulness for marketing. When it comes to sharing actual customer lists and past purchase histories, the full force of PIEPDA applies and all participants in such an endeavour have to ensure that all have privacy policies that address the specifics of that sharing and have the ability to track where the personal information about an individual originated in order to satisfy the provisions for access to their information. The express consent provisions within CASL and DNCL continue to apply, which means that a shared customer database must have back end functionality that enables tracking of the specific consent provisions for each customer record, including creating an effective opt-out mechanism and internal Do Not Call Lists.

I hope that this information provides some added clarity to the question of customer data collaborations and how to enable them should organizations so desire.


Inga Petri
Strategic Moves



Proceedings from the CAPACOA Conference

Personal Information Protection and Electronic Documents Act

Do Not Call List

Canada Anti-Spam Legislation

New CRTC Guidance Mitigates Threats Associated with CASL

Sharing Data and Protecting Privacy: A Case Study from Alberta, from The Philanthropist


Recent and Related News

Attendance Trends: Why Won’t They Come?

New Findings Confirm the Association between Arts and Belonging


Share This Post

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>