
PIPEDA Findings #2022-003: Telecommunications firm failed to obtain appropriate consent for voiceprint authentication program
The Office of the Privacy Commissioner of Canada investigated a complaint that Rogers Communications Inc. improperly enrolled a customer in its voiceprint authentication program, Voice ID, without her consent. The OPC found that while the purpose of the program was appropriate, Rogers failed to obtain valid and meaningful consent for the collection and use of voiceprints, which are considered sensitive biometric information. Rogers also did not provide a clear opt-out mechanism and improperly retained voiceprints. Rogers committed to significant changes to its program, leading the OPC to find the consent and retention issues well-founded and conditionally resolved.
- Appropriate purpose for collecting voiceprints
- Obtaining valid and meaningful consent for voiceprints
- Adequacy of opt-out mechanisms
- Retention of voiceprints after opt-out
Complaint partially well-founded — corrective measures agreed to
The OPC found the purpose of the voiceprint program to be appropriate but determined that Rogers failed to obtain valid consent for collecting sensitive biometric data and did not have adequate opt-out or retention policies, leading to a conditionally resolved outcome based on Rogers' commitments to improve its practices.
AI-generated summary for reference only. Always verify against the official decision.
Rogers agreed to implement significant changes to its Voice ID program, including obtaining express consent before tuning, clearly informing customers about opt-out options, deleting voiceprints upon opt-out, and improving training and monitoring.
- s.5(3) PIPEDA
- Principle 4.3 PIPEDA
- s.6.1 PIPEDA
- Principle 4.3.2 PIPEDA
- Principle 4.3.8 PIPEDA
- Principle 4.5.3 PIPEDA
This summary is for informational purposes only and does not constitute legal advice.

