
Federal (Canada) Privacy Decisions

Browse privacy decisions from Federal (Canada) — with AI-generated plain-language summaries for every ruling.

2 decisions matching
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Oct 28, 2020 · PIPEDA Findings #2020-004 · Indexed Apr 12, 2026

PIPEDA Findings #2020-004: Joint investigation of the Cadillac Fairview Corporation Limited by the Privacy Commissioner of Canada, the Information and Privacy Commissioner of Alberta, and the Information and Privacy Commissioner for British Columbia

The Cadillac Fairview Corporation Limited

This joint investigation by federal, Alberta, and British Columbia privacy commissioners examined Cadillac Fairview's (CFCL) use of Anonymous Video Analytics (AVA) in mall directories and mobile device geolocation tracking. CFCL collected and used personal biometric information via AVA without valid consent, and improperly retained this data. While CFCL stated it had ceased using AVA, it disagreed with findings and refused to commit to express opt-in consent for future use. Regarding geolocation, CFCL's "Anonymous Shopper Journey" did not collect personal information, and while its "Logged In Shopper Journey" collected personal information, it did not combine it with geolocation data as initially suspected. Therefore, the geolocation aspect was found not well-founded.

Adjudicator: Daniel Therrien

Key Issues
  • Collection, use, and disclosure of personal information via AVA technology
  • Adequacy of consent and notice for AVA technology
  • Appropriate retention of personal information collected via AVA
  • Collection, use, and disclosure of personal information via geolocation tracking

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Jul 9, 2020 · PIPEDA Findings #2020-003 · Indexed Apr 12, 2026

PIPEDA Findings #2020-003: Dell improves security and complaint handling practices following breaches and OPC Investigation

Dell Inc.

Following complaints from two customers who were victims of tech support scams, the OPC investigated Dell's security safeguards and complaint handling practices. Dell discovered that two employees of its service provider in India had sold customer information on two separate occasions, leading to personal information breaches affecting thousands of Canadians. The OPC found that Dell's safeguards, including access controls and breach investigation procedures, were insufficient given the sensitivity of the data and the risk environment.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of security safeguards for personal information transferred to a service provider
  • Effectiveness of access controls and monitoring for preventing insider theft of data
  • Sufficiency of investigation into customer complaints alleging privacy breaches
  • Appropriateness of breach notification and response