Canadian Privacy Decisions

This investigation concerned a privately owned swimming pool's policy requiring parents to consent to the use of photos and videos of their children for promotional purposes as a condition of enrolling them in swimming lessons. The OPC found that this requirement contravened PIPEDA principles regarding consent for the collection, use, and disclosure of personal information. The swimming pool has agreed to implement an opt-in photo policy, resolving the complaint.

• Whether requiring consent for promotional photos/videos as a condition of service violates PIPEDA.
• Whether photos/videos of children in swim attire are sensitive personal information.
• Whether the swimming pool's stated business needs justified the mandatory consent policy.
• Whether consent was sought appropriately for staff training purposes.

This joint investigation by the Privacy Commissioner of Canada (OPC) and the UK Information Commissioner (ICO) examined a significant data breach at 23andMe, which affected nearly 7 million customers globally. The investigation found that 23andMe failed to implement appropriate safeguards to protect sensitive personal information, including genetic data, from a credential stuffing attack. Furthermore, the company's notifications to both regulatory bodies and affected individuals were found to be inadequate in content and, in some cases, timeliness. Although contraventions were found, the issues were deemed resolved due to significant security improvements made by 23andMe.

• Adequacy of safeguards to protect personal information, particularly genetic data, from credential stuffing attacks.
• Timeliness and completeness of breach notifications to regulators and affected individuals.
• Risk of harm to individuals due to the sensitive nature of compromised personal information.
• 23andMe's assessment of and response to the identified security deficiencies.