Canadian Privacy Decisions

This investigation concerned a privately owned swimming pool's policy requiring parents to consent to the use of photos and videos of their children for promotional purposes as a condition of enrolling them in swimming lessons. The OPC found that this requirement contravened PIPEDA principles regarding consent for the collection, use, and disclosure of personal information. The swimming pool has agreed to implement an opt-in photo policy, resolving the complaint.

• Whether requiring consent for promotional photos/videos as a condition of service violates PIPEDA.
• Whether photos/videos of children in swim attire are sensitive personal information.
• Whether the swimming pool's stated business needs justified the mandatory consent policy.
• Whether consent was sought appropriately for staff training purposes.

This joint investigation by the Privacy Commissioner of Canada (OPC) and the UK Information Commissioner (ICO) examined a significant data breach at 23andMe, which affected nearly 7 million customers globally. The investigation found that 23andMe failed to implement appropriate safeguards to protect sensitive personal information, including genetic data, from a credential stuffing attack. Furthermore, the company's notifications to both regulatory bodies and affected individuals were found to be inadequate in content and, in some cases, timeliness. Although contraventions were found, the issues were deemed resolved due to significant security improvements made by 23andMe.

• Adequacy of safeguards to protect personal information, particularly genetic data, from credential stuffing attacks.
• Timeliness and completeness of breach notifications to regulators and affected individuals.
• Risk of harm to individuals due to the sensitive nature of compromised personal information.
• 23andMe's assessment of and response to the identified security deficiencies.

The OPC investigated a complaint that Brinks Home failed to implement adequate safeguards, leading to the compromise of customer personal information via its online portal. While the OPC found Brinks Home had failed to adequately protect customer information, the issue was resolved through corrective actions and the subsequent sale of customer accounts. The OPC also determined that Brinks Home was not required to report the breach to the OPC or notify affected individuals because it did not present a real risk of significant harm.

• Adequacy of safeguards for personal information
• Compliance with mandatory breach reporting requirements
• Assessment of real risk of significant harm (RROSH)
• Employee error leading to unauthorized access

The Office of the Privacy Commissioner of Canada investigated Home Depot for disclosing customer email addresses and purchase details to Meta (Facebook) through Meta's "Offline Conversions" tool without valid consent. Home Depot used this tool to measure the effectiveness of its Facebook ads. The OPC found that Home Depot's privacy statement and Meta's policy were insufficient to obtain implied consent for this disclosure, as customers were not reasonably expected to understand that their data would be shared for these secondary purposes. Home Depot has since discontinued the use of the tool and agreed to implement recommendations for obtaining express consent should they restart the practice.

• Whether Home Depot obtained valid consent for disclosing customer purchase data to Meta.
• Whether the information disclosed was sensitive.
• Whether Home Depot's privacy statement and Meta's policies provided sufficient notice and clarity.
• Whether express opt-in consent should have been obtained.

This investigation report concerns a large-scale breach of personal information at the Bank of Montreal (BMO), affecting approximately 113,000 customers. The OPC found that BMO's online banking software had significant vulnerabilities, including issues with developer security testing, vulnerability management, and oversight/monitoring, which allowed attackers to access sensitive data such as financial account numbers and SINs. BMO has since implemented substantial improvements to its security safeguards.

• Adequacy of BMO's technical safeguards to protect personal information.
• Effectiveness of BMO's developer security testing and evaluation processes.
• Sufficiency of BMO's vulnerability management protocols.
• Appropriateness of BMO's oversight and monitoring capabilities for detecting cyberattacks.

The complainant alleged that a computer services company remotely accessed his laptop without his express consent during a help desk call. The Office of the Privacy Commissioner of Canada (OPC) found that the company failed to obtain meaningful express consent for remote access and did not have adequate safeguards to protect customer information. The company has since restructured, ceased offering personal help desk services, and no longer uses the remote access software, leading the OPC to find the complaint well-founded and resolved.

• Whether meaningful express consent was obtained for remote computer access.
• Whether adequate safeguards were in place to protect customer data during remote access.
• The nature of consent required for accessing potentially sensitive personal information on a customer's laptop.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint from a truck driver alleging that his employer, Oculus Transport Ltd., collected personal information through audio surveillance in the truck cab for inappropriate purposes. The OPC found that while Oculus had a legitimate business need for some surveillance, the continuous audio recording, even when drivers were off-duty, was excessively intrusive and disproportionate to the benefits. Oculus has since stopped using audio surveillance.

• Whether the purposes for which Oculus collected audio recordings were appropriate under PIPEDA's section 5(3).
• Whether less privacy-invasive means were available to Oculus to achieve its stated purposes.
• Whether the intrusion on drivers' privacy was proportionate to the benefits gained by Oculus.

This joint investigation by federal, Alberta, and British Columbia privacy commissioners examined Cadillac Fairview's (CFCL) use of Anonymous Video Analytics (AVA) in mall directories and mobile device geolocation tracking. CFCL collected and used personal biometric information via AVA without valid consent, and improperly retained this data. While CFCL stated it had ceased using AVA, it disagreed with findings and refused to commit to express opt-in consent for future use. Regarding geolocation, CFCL's "Anonymous Shopper Journey" did not collect personal information, and while its "Logged In Shopper Journey" collected personal information, it did not combine it with geolocation data as initially suspected. Therefore, the geolocation aspect was found not well-founded.

• Collection, use, and disclosure of personal information via AVA technology
• Adequacy of consent and notice for AVA technology
• Appropriate retention of personal information collected via AVA
• Collection, use, and disclosure of personal information via geolocation tracking

Following complaints from two customers who were victims of tech support scams, the OPC investigated Dell's security safeguards and complaint handling practices. Dell discovered that two employees of its service provider in India had sold customer information on two separate occasions, leading to personal information breaches affecting thousands of Canadians. The OPC found that Dell's safeguards, including access controls and breach investigation procedures, were insufficient given the sensitivity of the data and the risk environment.

• Adequacy of security safeguards for personal information transferred to a service provider
• Effectiveness of access controls and monitoring for preventing insider theft of data
• Sufficiency of investigation into customer complaints alleging privacy breaches
• Appropriateness of breach notification and response

This investigation examined Loblaw's practices in its gift card program, which was established to compensate customers affected by a bread price-fixing scandal. The complainant argued Loblaw collected more personal information than necessary and was concerned about data transfers to the United States. The OPC found that while Loblaw initially collected more information than needed by requesting full identification documents, they subsequently clarified their requirements, resolving this issue. The OPC also found Loblaw's measures to protect personal information transferred to a third-party administrator in the US were sufficient and that Loblaw was transparent about cross-border data transfers.

• Collection of personal information beyond what is necessary for the stated purpose.
• Adequacy of safeguards for personal information transferred to a third-party processor in the United States.
• Sufficiency of transparency regarding cross-border data transfers.
• Requirement for additional consent for cross-border data transfers.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint following a global data breach at VTech Holdings Limited, which potentially compromised the personal information of over 316,000 Canadian children and 237,000 Canadian adults. The investigation found significant deficiencies in VTech's information security safeguards, including a lack of testing, inadequate access controls, cryptographic issues, and absence of security monitoring. Although VTech contravened PIPEDA Principle 4.7, the OPC concluded the matter was resolved because VTech implemented timely and comprehensive measures to address the breach and improve its security.

• Adequacy of information security safeguards for children's data
• Failure to test for and mitigate known vulnerabilities
• Insufficient access controls and cryptographic protection
• Lack of comprehensive security management program

The complainant discovered that his financial institution had disclosed his Registered Education Savings Plan (RESP) account information dating back to 1999 to the police. The OPC found that while production orders allow disclosure of information, the financial institution disclosed documents beyond the scope of the specific production order and did not have valid consent. The institution agreed to review its procedures and provide training to staff regarding disclosures pursuant to production orders.

• Disclosure of personal information beyond the scope of a production order
• Validity of consent based on a general privacy policy for law enforcement disclosures
• Sensitivity of financial information

The complainant alleged that the respondent's property history reports included personal information without adequate consent. The Office of the Privacy Commissioner of Canada (OPC) found that insurance claims data, as described in this case, was not personal information about an individual. However, information about drug activity at a property was deemed personal information. The respondent agreed to cease including drug activity details in its reports, leading the OPC to find the complaint well-founded and resolved.

• Whether drug activity information in property reports constitutes personal information.
• Whether drug activity information is publicly available under PIPEDA Regulations.
• Whether consent was adequately obtained for the collection, use, and disclosure of personal information.

A complainant alleged that a financial institution refused to provide access to personal information related to a disputed credit card transaction. The institution initially claimed the information was confidential commercial information under PIPEDA. While the OPC found the institution's initial claim of exemption was unfounded, it later determined that the redacted information was not the complainant's personal information, but related to third parties. The OPC concluded the complaint was well-founded due to the delay and improper initial claim, but resolved as the complainant ultimately received access to his entitled personal information.

• Whether the financial institution properly withheld personal information under the confidential commercial information exemption (PIPEDA s. 9(3)(b)).
• Whether the financial institution responded to the access request within the time limits prescribed by PIPEDA.
• Whether the withheld information constituted the complainant's personal information or third-party information.
• Whether the complainant received appropriate access to personal information concerning a disputed credit card transaction.

The complainant alleged that a telecommunications company's response to her access request was incomplete, specifically regarding disclosures of her personal information to third parties, including law enforcement. The Office of the Privacy Commissioner found that the company's standard response did not meet its obligations under Principle 4.9 of PIPEDA. The company has since provided a direct response to the complainant and has amended its policy to ensure compliance with access to information requests.

• Adequacy of response to an access request concerning disclosure of personal information.
• Compliance with PIPEDA Principle 4.9 regarding informing individuals of disclosures.
• Application of PIPEDA subsections 9(2.1) to 9(2.4) concerning disclosures to government institutions.
• Obligations regarding disclosures to third parties beyond government institutions.