Federal (Canada) Privacy Decisions

Browse privacy decisions from Federal (Canada) — with AI-generated plain-language summaries for every ruling.

170 decisions matching
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Jul 15, 2022 · PIPEDA Findings #2022-005 · Indexed Apr 12, 2026

PIPEDA Findings #2022-005: Hotel chain discovers breach of customer database following acquisition of a competitor

Marriott International, Inc.

Following a data breach involving the Starwood hotel database, the Office of the Privacy Commissioner of Canada (OPC) investigated Marriott International, Inc. The investigation found that Marriott's security safeguards, accountability measures, and information retention practices were inadequate at the time of the breach, leading to unauthorized access to personal information. While Marriott has taken remedial actions and the complaint is conditionally resolved, the OPC highlighted failures in access controls, antivirus software, logging and monitoring, and information storage. The OPC also found Marriott contravened accountability principles by not adequately assessing security risks during its acquisition of Starwood and retaining personal information longer than necessary.

Adjudicator: Philippe Dufresne

Key Issues
  • Adequacy of security safeguards for personal information
  • Marriott's accountability and due diligence during the acquisition of Starwood
  • Timeliness of information retention and deletion practices
  • Adequacy of notification and mitigation measures for affected individuals

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Jun 1, 2022 · PIPEDA Findings #2022-001 · Indexed Apr 12, 2026

PIPEDA Findings #2022-001: Joint investigation into location tracking by the Tim Hortons App

Tim Hortons (The TDL Group Corp.)

A joint investigation by the OPC and three provincial privacy authorities found that Tim Hortons collected granular location data from users of its mobile app without an appropriate purpose and without valid consent. The company tracked users' locations even when the app was closed, inferring details like home and work locations, ostensibly for targeted advertising, but ultimately did not use the data for this stated purpose. The investigation also raised concerns about contractual protections with a third-party vendor and Tim Hortons' overall accountability.

Adjudicator: Daniel Therrien

Key Issues
  • Collection and use of granular location data for an appropriate purpose
  • Obtaining valid consent for location data collection
  • Adequacy of contractual protections for data processed by third parties
  • Tim Hortons' accountability for privacy practices

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
May 19, 2022 · PIPEDA Findings #2022-004 · Indexed Apr 12, 2026

PIPEDA Findings #2022-004: Investigation into MGM breach highlights how to assess risk, and need for timely assessment

MGM Resorts International

This investigation concerned MGM Resorts International's handling of a 2019 data breach that affected millions of guests, including nearly two million Canadians. The OPC initiated a complaint after media reports indicated a breach and MGM had not reported it. The investigation found that MGM failed to promptly assess the risk of significant harm (RROSH) posed by the breach and did not report it to the OPC or notify affected Canadians as soon as feasible. MGM has committed to updating its privacy breach response framework to ensure timely RROSH assessments and reporting.

Adjudicator: Daniel Therrien

Key Issues
  • Whether the personal information involved in the breach posed a real risk of significant harm (RROSH) to affected Canadians.
  • Whether MGM adequately assessed the RROSH.
  • Whether MGM reported the breach to the OPC and notified affected Canadians as soon as feasible.
  • Whether MGM's delay in assessing the breach and notifying Canadians contravened PIPEDA's mandatory breach reporting obligations.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Settled
May 10, 2022 · PIPEDA Findings #2022-002 · Indexed Apr 12, 2026

PIPEDA Findings #2022-002: Biron Health Group has ceased sending promotional emails to travellers arriving in Canada who undergo COVID-19 testing

Biron Health Group

Biron Health Group sent promotional emails to travellers who had undergone COVID-19 testing upon arrival in Canada, using their email addresses collected for testing purposes. The complainant alleged this violated PIPEDA. Biron argued they assumed implicit consent due to a business relationship, but the OPC found this assumption unreasonable given the mandatory nature of the testing. Biron has since ceased the practice, deleted affected email addresses, and the complaint was settled.

Adjudicator: Daniel Therrien

Key Issues
  • Use of personal information for secondary marketing purposes without consent
  • Reasonableness of assuming implicit consent in a mandatory service context
  • Nature of consent required for collecting and using health-related information

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Mar 30, 2022 · PIPEDA Findings #2022-003 · Indexed Apr 12, 2026

PIPEDA Findings #2022-003: Telecommunications firm failed to obtain appropriate consent for voiceprint authentication program

Rogers Communications Inc.

The Office of the Privacy Commissioner of Canada investigated a complaint that Rogers Communications Inc. improperly enrolled a customer in its voiceprint authentication program, Voice ID, without her consent. The OPC found that while the purpose of the program was appropriate, Rogers failed to obtain valid and meaningful consent for the collection and use of voiceprints, which are considered sensitive biometric information. Rogers also did not provide a clear opt-out mechanism and improperly retained voiceprints. Rogers committed to significant changes to its program, leading the OPC to find the consent and retention issues well-founded and conditionally resolved.

Adjudicator: Daniel Therrien

Key Issues
  • Appropriate purpose for collecting voiceprints
  • Obtaining valid and meaningful consent for voiceprints
  • Adequacy of opt-out mechanisms
  • Retention of voiceprints after opt-out

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Mar 30, 2021 · PIPEDA Findings #2021-003 · Indexed Apr 12, 2026

PIPEDA Findings #2021-003: Security deficiencies at BMO lead to large-scale breach

Bank of Montreal (BMO)

This investigation report concerns a large-scale breach of personal information at the Bank of Montreal (BMO), affecting approximately 113,000 customers. The OPC found that BMO's online banking software had significant vulnerabilities, including issues with developer security testing, vulnerability management, and oversight/monitoring, which allowed attackers to access sensitive data such as financial account numbers and SINs. BMO has since implemented substantial improvements to its security safeguards.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of BMO's technical safeguards to protect personal information.
  • Effectiveness of BMO's developer security testing and evaluation processes.
  • Sufficiency of BMO's vulnerability management protocols.
  • Appropriateness of BMO's oversight and monitoring capabilities for detecting cyberattacks.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Mar 30, 2021 · PIPEDA Findings #2021-004 · Indexed Apr 12, 2026

PIPEDA Findings #2021-004: Company’s employees bypassed authentication protocols allowing fraudsters to repeatedly access customer’s account

Fido Solutions Inc.

This investigation concerned a complaint that Fido Solutions Inc. failed to safeguard a customer's personal information, allowing fraudsters to access and alter account details. It was found that Fido's customer service representatives repeatedly failed to follow authentication protocols, leading to unauthorized access. Additionally, the complaint alleged Fido failed to provide a requested transcript in an understandable format. Fido has committed to implementing enhanced safeguards regarding authentication protocols and has since provided the requested transcripts.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of safeguards to protect customer personal information from unauthorized access.
  • Effectiveness of authentication protocols and employee adherence.
  • Proper response to customer requests for access to personal information.
  • Provision of personal information in a generally understandable format.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Mar 30, 2021 · PIPEDA Findings #2021-009 · Indexed Apr 12, 2026

PIPEDA Findings #2021-009: Opt-in consent required for a donor list trading program

A charitable organization

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint regarding a charitable organization's donor list trading program. The OPC found that the charity required express opt-in consent, not opt-out, for sharing donor contact information, as this practice fell outside donors' reasonable expectations. The OPC also determined that the information provided to donors was insufficient to ensure meaningful consent, lacking details about what information would be shared with whom and for what purpose. The charity agreed to implement recommendations to obtain opt-in consent and provide clearer information.

Adjudicator: Daniel Therrien

Key Issues
  • Requirement for opt-in versus opt-out consent for donor list trading.
  • Sufficiency of information provided to donors for meaningful consent.
  • Application of the 'reasonable expectations' principle under PIPEDA.
  • Compliance with PIPEDA's requirements for consent for information sharing.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Mar 29, 2021 · PIPEDA Findings #2021-002 · Indexed Apr 12, 2026

PIPEDA Findings #2021-002: Investigation into CoreFour Inc.’s compliance with PIPEDA

CoreFour Inc.

The Office of the Privacy Commissioner of Canada (OPC) investigated CoreFour Inc. concerning its compliance with PIPEDA regarding its learning management system, Edsby. The OPC found that CoreFour's safeguards were not adequate due to vulnerabilities in password requirements and protection of student profile pictures, and a lack of an overarching information security framework. The OPC also found that CoreFour lacked a robust accountability framework, including written policies and adequate privacy training. However, the OPC found CoreFour to be in compliance with its breach reporting and notification obligations. CoreFour has accepted the recommendations and is implementing corrective measures.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of safeguards for personal information
  • Breach reporting and notification obligations
  • Accountability for privacy compliance
  • Development of privacy management and information security frameworks

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Mar 24, 2021 · PIPEDA Findings #2021-007 · Indexed Apr 12, 2026

PIPEDA Findings #2021-007: Computer services company accesses customer’s laptop remotely during help desk call without seeking customer’s express consent

A computer services company

The complainant alleged that a computer services company remotely accessed his laptop without his express consent during a help desk call. The Office of the Privacy Commissioner of Canada (OPC) found that the company failed to obtain meaningful express consent for remote access and did not have adequate safeguards to protect customer information. The company has since restructured, ceased offering personal help desk services, and no longer uses the remote access software, leading the OPC to find the complaint well-founded and resolved.

Adjudicator: Daniel Therrien

Key Issues
  • Whether meaningful express consent was obtained for remote computer access.
  • Whether adequate safeguards were in place to protect customer data during remote access.
  • The nature of consent required for accessing potentially sensitive personal information on a customer's laptop.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Mar 22, 2021 · PIPEDA Findings #2021-008 · Indexed Apr 12, 2026

PIPEDA Findings #2021-008: Transportation company's constant surveillance of drivers is more intrusive than necessary

Oculus Transport Ltd.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint from a truck driver alleging that his employer, Oculus Transport Ltd., collected personal information through audio surveillance in the truck cab for inappropriate purposes. The OPC found that while Oculus had a legitimate business need for some surveillance, the continuous audio recording, even when drivers were off-duty, was excessively intrusive and disproportionate to the benefits. Oculus has since stopped using audio surveillance.

Adjudicator: Daniel Therrien

Key Issues
  • Whether the purposes for which Oculus collected audio recordings were appropriate under PIPEDA's section 5(3).
  • Whether less privacy-invasive means were available to Oculus to achieve its stated purposes.
  • Whether the intrusion on drivers' privacy was proportionate to the benefits gained by Oculus.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Mar 15, 2021 · PIPEDA Findings #2021-005 · Indexed Apr 12, 2026

PIPEDA Findings #2021-005: Staying signed in by default to email services poses serious privacy concerns for users accessing their email on a public or shared computer

Yahoo! Canada

This investigation concerned Yahoo! Canada's "Stay signed in" feature for its email service, which defaulted to keeping users logged in. The OPC found this practice posed significant privacy risks, especially on public or shared computers, as emails can contain highly sensitive personal information. Yahoo was found to have inadequate safeguards and failed to obtain meaningful consent for the disclosure of personal information that could result from this default setting. Yahoo committed to changing the feature to an opt-in basis and providing clearer warnings to users.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of safeguards against unauthorized access to sensitive email content.
  • Whether "Stay signed in" default setting constitutes meaningful consent for disclosure of personal information.
  • Clarity and prominence of privacy warnings associated with the "Stay signed in" feature.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded
Mar 12, 2021 · PIPEDA Findings #2021-006 · Indexed Apr 12, 2026

PIPEDA Findings #2021-006: A short-term lender collects online banking credentials in the course of payday loan applications

CashHere

The Office of the Privacy Commissioner of Canada (OPC) investigated a short-term lender, CashHere, after receiving an alert that it was collecting clients' online banking credentials (usernames, passwords, security questions and answers) as part of its payday loan application process. The OPC found that while the lender had a legitimate need to verify identity and income, collecting these highly sensitive credentials was not a purpose that a reasonable person would consider appropriate due to the significant privacy risks and the availability of less invasive alternatives. The investigation also uncovered a related entity, MoneyHome, engaging in similar practices.

Adjudicator: Daniel Therrien

Key Issues
  • Appropriateness of collecting online banking credentials for loan applications
  • Proportionality of privacy harms versus lender benefits
  • Availability of less privacy-invasive means to verify identity and income
  • Potential link between CashHere and MoneyHome

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded
Feb 2, 2021 · PIPEDA Findings #2021-001 · Indexed Apr 12, 2026

PIPEDA Findings #2021-001: Joint investigation of Clearview AI, Inc. by the Office of the Privacy Commissioner of Canada, the Commission d’accès à l’information du Québec, the Information and Privacy Commissioner for British Columbia, and the Information Privacy Commissioner of Alberta

Clearview AI, Inc.

A joint investigation by Canadian privacy authorities found that Clearview AI, Inc. contravened PIPEDA and provincial privacy laws by collecting, using, and disclosing personal information without consent and for inappropriate purposes. Clearview's facial recognition tool scraped billions of images from the internet to create biometric facial arrays, which were then provided to law enforcement and other clients. The authorities concluded that Clearview's mass collection and use of sensitive biometric data was not for an appropriate purpose, nor was it obtained with the requisite consent.

Adjudicator: Daniel Therrien

Key Issues
  • Whether Clearview obtained requisite consent for the collection, use, and disclosure of personal information.
  • Whether Clearview collected, used, and disclosed personal information for an appropriate purpose.
  • Whether Clearview satisfied its biometric obligations in Quebec.
  • Whether Canadian privacy authorities had jurisdiction over Clearview's activities.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Dec 14, 2020 · PIPEDA Findings #2020-005 · Indexed Apr 12, 2026

PIPEDA Findings #2020-005: Investigation into Desjardins’ compliance with PIPEDA following a breach of personal information between 2017 and 2019

Desjardins

This investigation examined Desjardins' compliance with PIPEDA following a significant data breach that occurred between 2017 and 2019, affecting nearly 9.7 million individuals. The Office of the Privacy Commissioner of Canada (OPC) found that Desjardins contravened PIPEDA principles regarding accountability, data retention, and security safeguards. While Desjardins' mitigation measures for affected individuals were deemed adequate, the OPC issued recommendations to address the identified contraventions.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of security safeguards throughout the personal information lifecycle.
  • Compliance with accountability principles, including implementing procedures and training staff.
  • Appropriateness of data retention and destruction practices.
  • Effectiveness of mitigation measures offered to individuals affected by the breach.