Federal (Canada) Privacy Decisions

Browse privacy decisions from Federal (Canada) — with AI-generated plain-language summaries for every ruling.

34 decisions matching
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Jun 30, 2020 · PIPEDA Findings #2020-002 · Indexed Apr 12, 2026

PIPEDA Findings #2020-002: Health practitioner ratings site ceases charging for rating takedowns, a PIPEDA “no-go-zone”

RateMDs.com

A dentist complained that RateMDs.com, a health practitioner rating website, used her personal information without consent and for lucrative purposes. The Office of the Privacy Commissioner of Canada (OPC) found that the dentist's business contact information was publicly available and did not require consent. However, the OPC found that RateMDs.com engaged in an inappropriate practice by charging a subscription fee for a service that allowed users to hide certain reviews, contravening PIPEDA's purpose provisions. RateMDs.com agreed to cease this practice, leading to a conditionally resolved outcome for that issue. The OPC also found RateMDs.com resolved issues related to openness regarding its policies on correcting inaccurate information.

Adjudicator: Daniel Therrien

Key Issues
  • Consent for the collection, use, and disclosure of personal information.
  • The appropriateness of using personal information for a business model.
  • Transparency and openness regarding policies for correcting inaccurate information.
  • The balance between privacy rights and public interest in online reviews.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Nov 26, 2019 · PIPEDA Findings #2019-004 · Indexed Apr 12, 2026

PIPEDA Findings #2019-004: Joint investigation of AggregateIQ Data Services Ltd. by the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia

AggregateIQ Data Services Ltd. (AIQ)

This joint investigation by the Office of the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia found that AggregateIQ Data Services Ltd. (AIQ) contravened Canadian privacy laws (PIPEDA and PIPA) in its handling of personal information for political campaigns. AIQ failed to ensure adequate consent for the collection, use, and disclosure of personal information, particularly when sharing data with platforms like Facebook for targeted advertising and analytics. Additionally, AIQ's inadequate security measures led to a data breach involving the personal information of millions of individuals.

Adjudicator: Daniel Therrien

Key Issues
  • AIQ's collection, use, and disclosure of personal information for political campaigns.
  • AIQ's compliance with consent requirements for personal information.
  • AIQ's implementation of reasonable security measures to protect personal information.
  • Cross-jurisdictional data handling and privacy obligations.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Apr 9, 2019 · PIPEDA Findings #2019-001 · Indexed Apr 12, 2026

PIPEDA Findings #2019-001: Investigation into Equifax Inc. and Equifax Canada Co.’s compliance with PIPEDA in light of the 2017 breach of personal information

Equifax Inc. and Equifax Canada Co.

The Office of the Privacy Commissioner of Canada (OPC) investigated Equifax Inc. and Equifax Canada Co. following a 2017 data breach that compromised the personal information of approximately 19,000 Canadians. The OPC found that both Equifax Inc. and Equifax Canada contravened PIPEDA concerning inadequate safeguards, data retention, accountability, and consent for the disclosure of personal information. The investigation also found Equifax Canada's post-breach safeguards to be inadequate for protecting affected Canadians. Equifax Canada has committed to corrective measures, and the matters are conditionally resolved.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of security safeguards for Canadian personal information held by Equifax Inc.
  • Equifax Inc.'s data retention and destruction practices for Canadian personal information.
  • Equifax Canada's accountability for Canadian personal information handled by Equifax Inc.
  • Adequacy of consent obtained for the collection and disclosure of Canadian personal information to Equifax Inc.
  • Adequacy of safeguards and post-breach measures for Canadian personal information held by Equifax Canada.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Mar 28, 2019 · PIPEDA Case Summary #2019-006 · Indexed Apr 12, 2026

PIPEDA Case Summary #2019-006: Directory company lacked consent to publish complainant's personal information

Grey House Publishing Canada

The complainant alleged that Grey House Publishing Canada (Grey House) collected, used, and disclosed his personal information without his knowledge or consent. Grey House collected the complainant's contact information from a non-profit association's webpage and included it in its print directory and database. Grey House then sold an email distribution list containing this information to Economic and Social Development Canada (ESDC), which used it to send emails promoting a federal program. The OPC found that Grey House contravened PIPEDA by collecting and using the complainant's personal information without adequate consent, as the information was not considered business contact information and did not fall under the exceptions for publicly available information. The OPC also found that Grey House contravened PIPEDA's openness principle by having an inadequate privacy statement.

Adjudicator: Daniel Therrien

Key Issues
  • Whether the complainant's contact information constituted personal information or business contact information under PIPEDA
  • Whether Grey House was conducting commercial activity under PIPEDA
  • Whether Grey House obtained adequate consent to collect and use the complainant's personal information
  • Whether Grey House's privacy statement adequately reflected its practices

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Mar 25, 2019 · PIPEDA Findings #2019-005 · Indexed Apr 12, 2026

PIPEDA Findings #2019-005: 411Numbers ceases practice of removing information for a fee

411Numbers

The Office of the Privacy Commissioner of Canada (OPC) investigated 411Numbers, a website operator that provided free access to telephone numbers and associated information. A complainant alleged that 411Numbers collected, used, and disclosed his personal information without consent, used it for an inappropriate purpose (paid removal service), over-collected information for removal services, and was unresponsive to privacy concerns. The OPC found that 411Numbers contravened PIPEDA by publishing unlisted telephone numbers without consent, and that its previous practice of requiring extensive identification for removal services was an over-collection. The paid removal service was also deemed inappropriate. However, 411Numbers has since ceased its paid removal service and implemented new practices for information removal and data collection.

Adjudicator: Daniel Therrien

Key Issues
  • Jurisdiction over a non-Canadian company with a real and substantial connection to Canada
  • Collection, use, and disclosure of unlisted telephone numbers without consent
  • Appropriateness of using personal information for a paid removal service
  • Over-collection of personal information for identity verification during removal requests

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Jun 20, 2018 · PIPEDA Report of Findings #2018-004 · Indexed Apr 12, 2026

PIPEDA Report of Findings #2018-004: Microsoft to obtain opt-in consent, enhance transparency for Windows 10 privacy settings

Microsoft

This investigation concerned Microsoft's Windows 10 privacy settings, which were initially set to 'on' by default during installation. The Office of the Privacy Commissioner of Canada (OPC) investigated whether Microsoft obtained valid consent for the collection, use, and disclosure of users' personal information. While Microsoft made several updates to improve clarity and consent mechanisms, the OPC identified ongoing concerns regarding the meaningfulness of consent for certain settings, particularly regarding diagnostics, tailored experiences, and speech recognition. Microsoft committed to implementing further changes, including obtaining opt-in consent for all installation privacy settings, enhancing transparency, and improving data protection measures.

Adjudicator: Daniel Therrien

Key Issues
  • Validity of consent for default privacy settings during Windows 10 installation.
  • Clarity and completeness of privacy communications provided to users.
  • Adequacy of measures to protect sensitive diagnostic data from being used for targeted marketing.
  • Ensuring meaningful consent for cloud-based speech recognition services.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
May 24, 2018 · PIPEDA Report of Findings #2018-003 · Indexed Apr 12, 2026

PIPEDA Report of Findings #2018-003: Facebook agrees to stop using non-users’ personal information in users’ address books

Facebook Inc.

The Office of the Privacy Commissioner of Canada investigated a complaint against Facebook Inc. regarding a privacy breach where personal information of users and non-users was inadvertently disclosed through the 'Download Your Information' tool. The investigation found that while Facebook had safeguards in place, they were not adequate prior to the breach, leading to the unauthorized disclosure of contact information. Additionally, Facebook was not sufficiently open about its practice of matching contact information across address books. Facebook has since implemented corrective measures, including a new Privacy Framework and revised notices, resolving the issues.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of safeguards for personal information.
  • Facebook's practice of matching contact information across address books and consent requirements.
  • Openness and transparency of Facebook's policies and practices regarding contact information.
  • Facebook's provision of access to and correction of personal information.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Mar 29, 2018 · PIPEDA Case Summary #2018-005 · Indexed Apr 12, 2026

PIPEDA Case Summary #2018-005: Courier company discontinues practice of delivery to a neighbour

A courier company

The complainant alleged that a courier company disclosed her personal information without consent by delivering a package addressed to her to her neighbour. The investigation found that the courier company had contravened PIPEDA's consent principle by not obtaining consent directly from the complainant for its practice of delivering packages to neighbours, nor by demonstrating due diligence to ensure the shipper had obtained such consent. In response to the OPC's recommendations, the courier company committed to ending the practice of delivering to neighbours, and this commitment was confirmed.

Adjudicator: Daniel Therrien

Key Issues
  • Was personal information disclosed without consent by delivering a package to a neighbour?
  • Did the courier company exercise due diligence to ensure the shipper obtained consent for the delivery to a neighbour practice?
  • Is an unlisted telephone number on a package label sensitive personal information?

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Feb 7, 2018 · PIPEDA Report of Findings #2018-006 · Indexed Apr 12, 2026

PIPEDA Report of Findings #2018-006: Breach of the World Anti-Doping database

World Anti-Doping Agency (WADA)

This investigation examined a breach of WADA's Anti-Doping Administration and Management System (ADAMS) database, which resulted in the public disclosure of athletes' personal information, including health details. The OPC found that WADA's security safeguards were insufficient, contravening PIPEDA principles. While WADA committed to implementing recommendations, including enhanced security measures, the matter was resolved conditionally pending compliance.

Adjudicator: Daniel Therrien

Key Issues
  • Sufficiency of security safeguards for sensitive personal information
  • Access controls and authentication mechanisms for the ADAMS database
  • Monitoring, logging, and incident response capabilities
  • Policies, procedures, and training related to information security

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Jan 9, 2018 · PIPEDA findings #2018-007 · Indexed Apr 12, 2026

PIPEDA findings #2018-007: Online marketplace needs consent from members before contacting them to join advocacy network

An online marketplace

The OPC investigated a complaint against an online marketplace that sent an email to members inviting them to sign a petition without their explicit consent. The OPC found that the marketplace retained information appropriately but failed to obtain adequate consent for sending the petition email, which was beyond the scope of their services. The OPC also found that the marketplace did not handle the complainant's privacy concerns effectively. The matter was conditionally resolved when the marketplace committed to implementing recommendations, including obtaining opt-in consent for such emails and improving complaint handling. The issue was later resolved upon evidence of implementation.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of consent for using personal information for advocacy emails.
  • Proper handling and escalation of customer privacy complaints.
  • Appropriate retention of personal information.
  • Clarity of purposes stated in the privacy policy.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Dec 20, 2017 · PIPEDA Case Summary #2017-006 · Indexed Apr 12, 2026

PIPEDA Case Summary #2017-006: Using SIN for identity verification cannot be a condition of service

A financial institution

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint that a financial institution required customers to provide their Social Insurance Number (SIN) for identity verification purposes as a condition of opening a savings account. The OPC found that while the institution collected SINs for legally required income reporting, it could not mandate its use for identity verification. The institution agreed to make the use of SIN for identity verification optional rather than a condition of service.

Adjudicator: Daniel Therrien

Key Issues
  • Requirement of SIN for identity verification as a condition of service.
  • Appropriate use of SIN by private sector organizations.
  • Interpretation of FINTRAC guidelines regarding identity verification.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Mar 14, 2017 · PIPEDA Report of Findings #2017-003 · Indexed Apr 12, 2026

PIPEDA Report of Findings #2017-003: Insurance company collected and used credit score for inappropriate purpose during auto insurance claims assessment process

An insurance company

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint against an insurance company that collected and used an individual's credit score during an auto insurance claims assessment. The OPC found that the company did not have a legal basis to use credit scores for fraud detection in this context and did not obtain meaningful consent from the individual because they failed to clearly state that providing consent was optional. The company also lacked openness in its policies regarding credit score usage.

Adjudicator: Daniel Therrien

Key Issues
  • Appropriateness of using credit scores for fraud detection in auto insurance claims assessment.
  • Whether meaningful consent was obtained for the collection and use of credit score.
  • Whether the insurance company over-collected personal information.
  • The company's openness regarding its credit score collection and use policies.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Feb 10, 2017 · PIPEDA Case Summary #2017-005 · Indexed Apr 12, 2026

PIPEDA Case Summary #2017-005: Insurance company required to delete individual’s personal information after individual withdraws consent

A former automobile insurance company

An individual complained that their former automobile insurance company refused to delete their personal information upon withdrawal of consent. The company initially refused, citing the need to provide insurance history to other insurers. The Office determined that the company should have treated the request as a withdrawal of consent. The company subsequently deleted the information from its records after the individual accepted the implications. However, the company was not required to ensure deletion from third-party records to which the information had been lawfully disclosed. The company was also found to be in contravention for not having clear policies on third-party disclosures.

Adjudicator: Daniel Therrien

Key Issues
  • Withdrawal of consent for the continued use of personal information
  • Deletion of personal information from an organization's records
  • Deletion of personal information from third-party records after lawful disclosure
  • Accountability for information disclosure policies and procedures

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Aug 22, 2016 · PIPEDA Report of Findings #2016-005 · Indexed Apr 12, 2026

PIPEDA Report of Findings #2016-005: Joint investigation of Ashley Madison by the Privacy Commissioner of Canada and the Australian Privacy Commissioner/Acting Australian Information Commissioner

Avid Life Media Inc. (ALM)

This report details a joint investigation by the Office of the Privacy Commissioner of Canada (OPC) and the Australian Office of the Information Commissioner (OAIC) into Avid Life Media Inc. (ALM), the operator of Ashley Madison. The investigation followed a significant data breach where personal information of millions of users was exposed. The OPC found that ALM contravened PIPEDA regarding information security, indefinite retention of user data, accuracy of email addresses, and transparency with users. ALM has entered into a compliance agreement with the OPC to address these issues.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of information security safeguards
  • Indefinite retention of user data
  • Accuracy of collected email addresses
  • Transparency and user consent regarding data handling practices

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Apr 21, 2016 · PIPEDA Report of Findings #2016-003 · Indexed Apr 12, 2026

PIPEDA Report of Findings #2016-003: Investigation into the personal information handling practices of “Compu-Finder” (3510395 Canada Inc.)

Compu-Finder (3510395 Canada Inc.)

This report details an investigation into Compu-Finder's practices of collecting and using email addresses for marketing its training courses without adequate consent. The Office of the Privacy Commissioner of Canada (OPC) found that Compu-Finder contravened PIPEDA by failing to obtain meaningful consent, lacking accountability frameworks, and not being transparent about its privacy practices. While Compu-Finder agreed to implement recommendations, the complaint was found to be well-founded and resolved in part, and well-founded and conditionally resolved in part, with a compliance agreement entered into.

Adjudicator: Daniel Therrien

Key Issues
  • Collection and use of email addresses without consent
  • Lack of accountability and transparency in privacy practices
  • Use of address harvesting software
  • Validity of implied and express consent claims