Federal (Canada) Privacy Decisions

The Office of the Privacy Commissioner of Canada (OPC) investigated a short-term lender, CashHere, after receiving an alert that it was collecting clients' online banking credentials (usernames, passwords, security questions and answers) as part of its payday loan application process. The OPC found that while the lender had a legitimate need to verify identity and income, collecting these highly sensitive credentials was not a purpose that a reasonable person would consider appropriate due to the significant privacy risks and the availability of less invasive alternatives. The investigation also uncovered a related entity, MoneyHome, engaging in similar practices.

• Appropriateness of collecting online banking credentials for loan applications
• Proportionality of privacy harms versus lender benefits
• Availability of less privacy-invasive means to verify identity and income
• Potential link between CashHere and MoneyHome

A joint investigation by Canadian privacy authorities found that Clearview AI, Inc. contravened PIPEDA and provincial privacy laws by collecting, using, and disclosing personal information without consent and for inappropriate purposes. Clearview's facial recognition tool scraped billions of images from the internet to create biometric facial arrays, which were then provided to law enforcement and other clients. The authorities concluded that Clearview's mass collection and use of sensitive biometric data was not for an appropriate purpose, nor was it obtained with the requisite consent.

• Whether Clearview obtained requisite consent for the collection, use, and disclosure of personal information.
• Whether Clearview collected, used, and disclosed personal information for an appropriate purpose.
• Whether Clearview satisfied its biometric obligations in Quebec.
• Whether Canadian privacy authorities had jurisdiction over Clearview's activities.