The right to block use of your personal information
In a seashell
Under PIPA’s section 19, you have the right to request an organisation to cease, or not to begin, using your personal information for the purposes of advertising, marketing or public relations, or where the use of that personal information is causing or is likely to cause substantial damage or substantial distress to you or to another individual.
People ask
- How can I ask an organisation to cease, or not to begin, using my personal information?
- What can I do if the organisation does not respond or I am dissatisfied with the outcome?
- How should I make a complaint about how an organisation has handled my information?
- What should organisations do?
- How long should the organisation take?
- Can the organisation charge a fee for this?
How can I ask an organisation to cease, or not to begin, using my personal information?
To exercise your right to block the use of your personal information, you should:
- Make your request directly to the organisation, and
- Say what information you want the organisation to cease, or not to begin, using and why.
You should inform the organisation directly that you don’t want them to process your information. You need to explain why you believe the organisation should stop using your information in this way.
You must make your request in writing. The added value of having everything in writing is that it will allow you to explain your complaint, provide evidence and state your desired solution. It will also provide clear proof of your actions if you decide to challenge the organisation’s initial response.
What can I do if the organisation does not respond or I am dissatisfied with the outcome?
If you are unhappy with how the organisation has handled your request, you should first complain to the organisation.
Having done so, if you remain dissatisfied, you can make a complaint to PrivCom. You can also seek to enforce your rights through the courts. If you decide to do this, we strongly advise you to seek independent legal advice first.
How should I make a complaint about how an organisation has handled my information?
You can use this template letter to help you raise your complaints.
What should organisations do?
On receiving a request, an organisation must cease, or not begin, using the personal information for the purposes of advertising, marketing or public relations; and must cease, or not begin, using the personal information that you have identified in your request, or provide you with written reasons as to why the use of such personal information is justified.
The organisation cannot refuse your request and must stop using your information for direct marketing purposes. For example, they cannot carry on using your information to try to sell or promote things to you.
However, this does not automatically mean that the organisation needs to erase all your personal information. They may put you on their ‘suppression list’ – this is their list of people who have said that they don’t want their information used for direct marketing purposes. Having a suppression list means that if the organisation buys any new direct marketing lists, they can check against it to make sure they don’t use your information for direct marketing when you have asked them not to.
Additionally, they may still be able to legitimately continue using your information for other purposes.
Data protection law also contains exemptions. If an exemption applies, the organisation can either fully or partly refuse to comply with your request.
The organisation can also refuse to comply if they believe that your request is “manifestly unreasonable”.
There is no set definition of what makes a request “manifestly unreasonable”. It will depend on the specific circumstances of your request. As an example, an organisation may consider a request to be “manifestly unreasonable” when it is clear that it has been made with no real purpose except to harass or disrupt the organisation.
In such circumstances the organisation can:
- request a reasonable fee to deal with the request; or
- refuse to deal with the request.
In either case, it will need to tell you and justify its decision.
If, after considering your request, the organisation decides it does not need to cease, or not to begin, using your information, it must still respond to you. It should explain to you why it believes it does not have to comply, and let you know about your right to complain about this decision to PrivCom, or through the courts.
How long should the organisation take?
An organisation has 45 days to respond to your request. In certain circumstances, the organisation may need extra time to consider your request and can take up to an extra 30 days. If it is going to do this, it should let you know promptly that it needs extra time and the reason why.
Can the organisation charge a fee for this?
An organisation can only charge a fee if the request is “manifestly unreasonable”. It may then ask for a reasonable fee to cover administrative costs associated with the request.