BreachOfPrivacy

Canadian Privacy Decisions

The comprehensive archive of Canadian privacy decisions from federal, provincial, and territorial commissioners — with AI-summarized plain-language summaries for every decision.

34 decisions matching
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Mar 5, 2026 · PIPEDA Findings #2026-001 · Indexed Apr 12, 2026

PIPEDA Findings #2026-001: Investigation into the personal information retention practices of Loblaw for the PC Optimum Loyalty Program

Loblaw Companies Ltd.

The OPC investigated Loblaw Companies Ltd. regarding complaints about the deletion of PC Optimum Loyalty Program accounts. The investigation found Loblaw contravened PIPEDA by taking an unreasonable amount of time to address deletion requests and by failing to ensure that retained purchase history data was sufficiently anonymized after account closures. Loblaw has agreed to take corrective actions, including a third-party assessment of its anonymization processes.

Adjudicator: Philippe Dufresne

Key Issues
  • Adequacy of Loblaw's processes for addressing individual privacy challenges regarding account deletion.
  • Compliance with PIPEDA's retention principle regarding anonymization of purchase history data.
  • Timeliness of Loblaw's response to customer deletion requests.
  • Sufficiency of Loblaw's anonymization techniques for retained data.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Jan 9, 2026 · PIPEDA Findings #2026-003 · Indexed Jun 5, 2026

PIPEDA Findings #2026-003: Investigation into Bell’s compliance with PIPEDA when responding to an access request for personal information

Bell Canada

The Office of the Privacy Commissioner of Canada (OPC) investigated Bell Canada after a complainant alleged Bell contravened PIPEDA by not responding to an access request within 30 days and denying access to cellphone logs. The OPC found Bell contravened PIPEDA by delaying its response to the access request and by denying the complainant access to his phone logs, which were determined to be his personal information. Bell also failed to be open about its policies regarding shared account information. Bell has agreed to provide the requested logs and implement recommendations to improve its procedures for handling shared account requests and its privacy communications.

Adjudicator: Philippe Dufresne

Key Issues
  • Timeliness of response to an access request
  • Access to personal information held by a service provider on a shared account
  • Definition of personal information in the context of phone logs
  • Openness of an organization's privacy policies and practices

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Dec 1, 2025 · PIPEDA Findings #2025-004 · Indexed Apr 12, 2026

PIPEDA Findings #2025-004: Investigation into the privacy practices of Staples Canada ULC related to electronic devices to be resold as part of its Openbox program

Staples Canada ULC

This investigation examined Staples Canada's practices concerning the removal of personal information from returned laptops resold through its Openbox program. The Office of the Privacy Commissioner of Canada (OPC) found that Staples had deficiencies in its policies, procedures, and employee training regarding data wiping. Specifically, the OPC determined that Staples did not consistently ensure full data sanitization according to manufacturer guidelines, leading to residual personal information being found on some devices. Staples agreed to implement corrective measures, including updating procedures, enhancing training, and engaging third-party spot checks.

Adjudicator: Philippe Dufresne

Key Issues
  • Adequacy of safeguards for personal information on returned electronic devices
  • Sufficiency of Staples' policies and procedures for data wiping
  • Effectiveness of employee training on data sanitization
  • Compliance with PIPEDA Principles 4.7.1 and 4.7.3

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Sep 23, 2025 · PIPEDA Findings #2025-003 · Indexed Apr 12, 2026

PIPEDA Findings #2025-003: Joint investigation of TikTok Pte. Ltd. by the Office of the Privacy Commissioner of Canada, the Commission d’accès à l’information du Québec, the Office of the Information and Privacy Commissioner for British Columbia, and the Office of the Information and Privacy Commissioner of Alberta

TikTok Pte. Ltd.

This joint investigation by Canadian privacy authorities found that TikTok's collection and use of personal information, particularly from children, for ad targeting and content personalization was inappropriate and lacked valid consent. TikTok failed to implement adequate age verification measures, leading to the collection of data from underage users without a legitimate purpose. The investigation also found that TikTok's privacy communications were unclear, not easily accessible, and not available in French, failing to provide meaningful consent from adult and youth users for its data practices.

Adjudicator: Philippe Dufresne

Key Issues
  • Appropriate purpose for collecting and using children's personal information.
  • Obtaining valid and meaningful consent for tracking, profiling, and targeted advertising.
  • Transparency obligations regarding collection and use of personal information for user profiling.
  • Adequacy of age assurance measures to prevent underage users from accessing the platform.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Jul 31, 2023 · PIPEDA Findings #2023-002 · Indexed Apr 12, 2026

PIPEDA Findings #2023-002: Investigation into Agronomy’s privacy practices related to safeguards, accountability valid consent for the collection and use of personal information

Agronomy Company of Canada Ltd.

The Office of the Privacy Commissioner of Canada investigated a complaint against Agronomy Company of Canada Ltd. (Agronomy) following a significant data breach. The investigation found that Agronomy lacked appropriate safeguards, including multi-factor authentication, network segregation, and encryption, which contributed to the breach affecting 845 individuals. The OPC also found Agronomy lacked accountability structures. However, the complaint regarding valid consent for credit services was found not well-founded. Agronomy has since made significant improvements to its security measures and accountability practices.

Adjudicator: Philippe Dufresne

Key Issues
  • Adequacy of security safeguards
  • Accountability for personal information
  • Validity of consent for collection and use of personal information

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Jul 27, 2022 · PIPEDA Findings #2022-006 · Indexed Apr 12, 2026

PIPEDA Findings #2022-006: Investigation into Trimac’s use of an audio and video surveillance device in its truck cabins

Trimac Transportation Services Inc.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint from a Trimac truck driver concerned about audio and video recording in his truck cabin. The OPC found that while Trimac had legitimate safety and asset protection goals, the continuous audio recording was too intrusive, especially when drivers were off-duty. Trimac was also not initially transparent about using the data for disciplinary purposes, failing to meet consent requirements under PIPEDA. Trimac has since implemented changes, limiting audio recording to on-duty hours and improving data access controls. The OPC found the complaint conditionally resolved regarding the intrusive nature of the recording and resolved regarding the consent issue, accepting Trimac's remedial actions.

Adjudicator: Philippe Dufresne

Key Issues
  • Appropriateness of continuous audio recording in truck cabins, including during off-duty hours.
  • Whether Trimac provided adequate information about the use of collected data for disciplinary purposes.
  • The proportionality of privacy intrusion versus business benefits.
  • The requirement for employee consent for data collection in an employment context.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Jul 15, 2022 · PIPEDA Findings #2022-005 · Indexed Apr 12, 2026

PIPEDA Findings #2022-005: Hotel chain discovers breach of customer database following acquisition of a competitor

Marriott International, Inc.

Following a data breach involving the Starwood hotel database, the Office of the Privacy Commissioner of Canada (OPC) investigated Marriott International, Inc. The investigation found that Marriott's security safeguards, accountability measures, and information retention practices were inadequate at the time of the breach, leading to unauthorized access to personal information. While Marriott has taken remedial actions and the complaint is conditionally resolved, the OPC highlighted failures in access controls, antivirus software, logging and monitoring, and information storage. The OPC also found Marriott contravened accountability principles by not adequately assessing security risks during its acquisition of Starwood and retaining personal information longer than necessary.

Adjudicator: Philippe Dufresne

Key Issues
  • Adequacy of security safeguards for personal information
  • Marriott's accountability and due diligence during the acquisition of Starwood
  • Timeliness of information retention and deletion practices
  • Adequacy of notification and mitigation measures for affected individuals

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Jun 1, 2022 · PIPEDA Findings #2022-001 · Indexed Apr 12, 2026

PIPEDA Findings #2022-001: Joint investigation into location tracking by the Tim Hortons App

Tim Hortons (The TDL Group Corp.)

A joint investigation by the OPC and three provincial privacy authorities found that Tim Hortons collected granular location data from users of its mobile app without an appropriate purpose and without valid consent. The company tracked users' locations even when the app was closed, inferring details like home and work locations, ostensibly for targeted advertising, but ultimately did not use the data for this stated purpose. The investigation also raised concerns about contractual protections with a third-party vendor and Tim Hortons' overall accountability.

Adjudicator: Daniel Therrien

Key Issues
  • Collection and use of granular location data for an appropriate purpose
  • Obtaining valid consent for location data collection
  • Adequacy of contractual protections for data processed by third parties
  • Tim Hortons' accountability for privacy practices

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
May 19, 2022 · PIPEDA Findings #2022-004 · Indexed Apr 12, 2026

PIPEDA Findings #2022-004: Investigation into MGM breach highlights how to assess risk, and need for timely assessment

MGM Resorts International

This investigation concerned MGM Resorts International's handling of a 2019 data breach that affected millions of guests, including nearly two million Canadians. The OPC initiated a complaint after media reports indicated a breach and MGM had not reported it. The investigation found that MGM failed to promptly assess the risk of significant harm (RROSH) posed by the breach and did not report it to the OPC or notify affected Canadians as soon as feasible. MGM has committed to updating its privacy breach response framework to ensure timely RROSH assessments and reporting.

Adjudicator: Daniel Therrien

Key Issues
  • Whether the personal information involved in the breach posed a real risk of significant harm (RROSH) to affected Canadians.
  • Whether MGM adequately assessed the RROSH.
  • Whether MGM reported the breach to the OPC and notified affected Canadians as soon as feasible.
  • Whether MGM's delay in assessing the breach and notifying Canadians contravened PIPEDA's mandatory breach reporting obligations.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Mar 30, 2022 · PIPEDA Findings #2022-003 · Indexed Apr 12, 2026

PIPEDA Findings #2022-003: Telecommunications firm failed to obtain appropriate consent for voiceprint authentication program

Rogers Communications Inc.

The Office of the Privacy Commissioner of Canada investigated a complaint that Rogers Communications Inc. improperly enrolled a customer in its voiceprint authentication program, Voice ID, without her consent. The OPC found that while the purpose of the program was appropriate, Rogers failed to obtain valid and meaningful consent for the collection and use of voiceprints, which are considered sensitive biometric information. Rogers also did not provide a clear opt-out mechanism and improperly retained voiceprints. Rogers committed to significant changes to its program, leading the OPC to find the consent and retention issues well-founded and conditionally resolved.

Adjudicator: Daniel Therrien

Key Issues
  • Appropriate purpose for collecting voiceprints
  • Obtaining valid and meaningful consent for voiceprints
  • Adequacy of opt-out mechanisms
  • Retention of voiceprints after opt-out

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Mar 30, 2021 · PIPEDA Findings #2021-004 · Indexed Apr 12, 2026

PIPEDA Findings #2021-004: Company’s employees bypassed authentication protocols allowing fraudsters to repeatedly access customer’s account

Fido Solutions Inc.

This investigation concerned a complaint that Fido Solutions Inc. failed to safeguard a customer's personal information, allowing fraudsters to access and alter account details. It was found that Fido's customer service representatives repeatedly failed to follow authentication protocols, leading to unauthorized access. Additionally, the complaint alleged Fido failed to provide a requested transcript in an understandable format. Fido has committed to implementing enhanced safeguards regarding authentication protocols and has since provided the requested transcripts.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of safeguards to protect customer personal information from unauthorized access.
  • Effectiveness of authentication protocols and employee adherence.
  • Proper response to customer requests for access to personal information.
  • Provision of personal information in a generally understandable format.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Mar 30, 2021 · PIPEDA Findings #2021-009 · Indexed Apr 12, 2026

PIPEDA Findings #2021-009: Opt-in consent required for a donor list trading program

A charitable organization

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint regarding a charitable organization's donor list trading program. The OPC found that the charity required express opt-in consent, not opt-out, for sharing donor contact information, as this practice fell outside donors' reasonable expectations. The OPC also determined that the information provided to donors was insufficient to ensure meaningful consent, lacking details about what information would be shared with whom and for what purpose. The charity agreed to implement recommendations to obtain opt-in consent and provide clearer information.

Adjudicator: Daniel Therrien

Key Issues
  • Requirement for opt-in versus opt-out consent for donor list trading.
  • Sufficiency of information provided to donors for meaningful consent.
  • Application of the 'reasonable expectations' principle under PIPEDA.
  • Compliance with PIPEDA's requirements for consent for information sharing.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Mar 29, 2021 · PIPEDA Findings #2021-002 · Indexed Apr 12, 2026

PIPEDA Findings #2021-002: Investigation into CoreFour Inc.’s compliance with PIPEDA

CoreFour Inc.

The Office of the Privacy Commissioner of Canada (OPC) investigated CoreFour Inc. concerning its compliance with PIPEDA regarding its learning management system, Edsby. The OPC found that CoreFour's safeguards were not adequate due to vulnerabilities in password requirements and protection of student profile pictures, and a lack of an overarching information security framework. The OPC also found that CoreFour lacked a robust accountability framework, including written policies and adequate privacy training. However, the OPC found CoreFour to be in compliance with its breach reporting and notification obligations. CoreFour has accepted the recommendations and is implementing corrective measures.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of safeguards for personal information
  • Breach reporting and notification obligations
  • Accountability for privacy compliance
  • Development of privacy management and information security frameworks

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Mar 15, 2021 · PIPEDA Findings #2021-005 · Indexed Apr 12, 2026

PIPEDA Findings #2021-005: Staying signed in by default to email services poses serious privacy concerns for users accessing their email on a public or shared computer

Yahoo! Canada

This investigation concerned Yahoo! Canada's "Stay signed in" feature for its email service, which defaulted to keeping users logged in. The OPC found this practice posed significant privacy risks, especially on public or shared computers, as emails can contain highly sensitive personal information. Yahoo was found to have inadequate safeguards and failed to obtain meaningful consent for the disclosure of personal information that could result from this default setting. Yahoo committed to changing the feature to an opt-in basis and providing clearer warnings to users.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of safeguards against unauthorized access to sensitive email content.
  • Whether "Stay signed in" default setting constitutes meaningful consent for disclosure of personal information.
  • Clarity and prominence of privacy warnings associated with the "Stay signed in" feature.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Dec 14, 2020 · PIPEDA Findings #2020-005 · Indexed Apr 12, 2026

PIPEDA Findings #2020-005: Investigation into Desjardins’ compliance with PIPEDA following a breach of personal information between 2017 and 2019

Desjardins

This investigation examined Desjardins' compliance with PIPEDA following a significant data breach that occurred between 2017 and 2019, affecting nearly 9.7 million individuals. The Office of the Privacy Commissioner of Canada (OPC) found that Desjardins contravened PIPEDA principles regarding accountability, data retention, and security safeguards. While Desjardins' mitigation measures for affected individuals were deemed adequate, the OPC issued recommendations to address the identified contraventions.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of security safeguards throughout the personal information lifecycle.
  • Compliance with accountability principles, including implementing procedures and training staff.
  • Appropriateness of data retention and destruction practices.
  • Effectiveness of mitigation measures offered to individuals affected by the breach.