Federal (Canada) Privacy Decisions

An individual complained that an online dating service used his personal information without consent and failed to provide him access to his information after he cancelled his membership. The Office of the Privacy Commissioner of Canada (OPC) found that the original owner violated PIPEDA by denying the complainant access to his personal information and by continuing to send him marketing emails after consent was withdrawn. The OPC also found the service failed to have a privacy policy and safeguard information. While issues were found to be well-founded, they were resolved by the new owner who purged the data and implemented a privacy policy.

• Access to personal information
• Withdrawal of consent for marketing emails
• Retention of personal information
• Safeguarding of personal information

An individual complained that a legal firm failed to respond to his requests for estate information, in which he claimed beneficiary status. The Office of the Privacy Commissioner of Canada (OPC) found that the firm contravened PIPEDA by not responding within the 30-day time limit. However, the OPC also determined that the individual was only entitled to access his own personal information, not general estate information, and that the firm had conducted a reasonable search for any such information. The complaint was ultimately found to be well-founded and resolved.

• Individual's right to access general estate information as a beneficiary versus personal information.
• Organization's obligation to respond to an access request within 30 days, even if no responsive information is held.
• Determining what constitutes an individual's 'personal information' under PIPEDA in the context of estate administration.

Three individuals complained after discovering their sensitive dating profiles, posted on PositiveSingles.com, appeared on nearly 60 other affiliated dating websites without their knowledge or consent. The Office of the Privacy Commissioner of Canada found that while the profiles remained within the company's controlled network, users were not adequately informed about this practice. Furthermore, inadequate safeguards allowed some personal information to be accessed by non-members. The organization revamped its website to provide clearer disclosures about profile sharing and its network structure, and improved its security measures.

• Adequacy of consent for the use and disclosure of personal information across affiliated websites.
• Whether users were adequately informed about the company's network structure and profile sharing practices.
• Sufficiency of security safeguards to prevent unauthorized access to personal information.
• Transparency of privacy policies and practices regarding data management.

The OPC investigated a complaint alleging Apple used and shared a user's unique device identifier (UDID) without knowledge or consent for tracking and targeted advertising. While Apple initially argued UDID was not personal information, the OPC found it was, especially given Apple's ability to link it to account details. The OPC determined Apple's privacy policy lacked clarity on UDID use for advertising, though its administrative uses were acceptable. Apple has since ceased using UDID for advertising, replacing it with Ad ID, and enhanced opt-out mechanisms for Ad ID, leading the OPC to find the complaint well-founded and resolved.

• Whether UDID and Ad ID constitute personal information under PIPEDA.
• Whether Apple obtained meaningful consent for the collection, use, and disclosure of UDID and Ad ID for advertising purposes.
• Adequacy of notice provided by Apple regarding its use of UDID and Ad ID.
• Apple's responsibility for disclosures of UDID and Ad ID to third-party app developers.

A bank customer complained that the bank improperly demanded to record information from his driver's license when picking up a replacement credit card. The bank initially claimed this was for anti-money laundering purposes, but later admitted this explanation was incorrect. The Office found the demand for information was not well-founded as no information was actually collected. However, the bank contravened PIPEDA by misinforming the customer about the purpose of the collection, a contravention that was resolved by revised bank procedures and staff training.

• Whether the bank limited the collection of personal information to what was necessary.
• Whether the bank's employees could explain the purposes for collecting personal information.