Canadian Privacy Decisions

An individual complained that a loyalty program had provided his children's names and addresses to its partner credit card companies, resulting in the children receiving unsolicited marketing materials. The issue arose because the loyalty program did not record the dates of birth for its minor members, meaning they were not identified as minors in its system. Although the program updated the children's profiles and removed their information from the system, ongoing marketing mailings persisted for a period due to advance list generation.

• Disclosure of children's personal information to third parties for marketing purposes.
• Failure to identify and protect the personal information of minors.
• Unreasonable delay in resolving the issue and stopping marketing mailings.

An individual complained that a web-based company retained his personal information for too long after cancelling his free trial membership. The complainant also alleged the company lacked accountability as it did not answer all his privacy questions and had no designated privacy officer. As a result of the complaint, the company revised its privacy policy to clarify retention periods and purposes, and designated a privacy officer. The complainant was satisfied with these changes, and the complaint was settled.

• Excessive retention of personal information
• Lack of accountability and designated privacy officer

A tenant complained that the caretaker of his apartment building disclosed to other tenants that his rent cheque had bounced. The caretaker's wife confirmed the disclosure and also shared other tenants' confidential rental information. The building management firm apologized to the tenant and reminded the caretaker and his wife of their privacy obligations. The firm was also advised to create a privacy policy.

• Disclosure of tenant's rent cheque status
• Disclosure of other tenants' financial information
• Adequacy of management firm's response
• Need for a privacy policy

An individual complained that her dental clinic disclosed information about her overdue account to a person who had referred her to the clinic. The clinic contacted the referral source to inquire about the complainant’s whereabouts and disclosed that her bill was overdue, the amount owing, and that it would be sent to collections. The clinic acknowledged this was against its privacy policy. The parties reached a monetary settlement, including an apology, and the OPC agreed the matter was settled.

• Disclosure of personal information to a third party
• Disclosure of account status and amount owing

An individual complained about receiving promotional material and telemarketing calls after applying for a department store credit card, believing she had not consented to this use of her information. The store explained that its application form provided opt-out information below the signature line, which the complainant had signed. The OPC confirmed this opt-out mechanism was permissible under the Act. The complainant was satisfied with the explanation and requested removal from marketing lists, which the store fulfilled, settling the complaint.

• Consent for marketing purposes
• Clarity of opt-out mechanisms on application forms

An individual complained that her condominium corporation disclosed information about a dispute she was involved in to all condominium owners. The corporation initially believed the disclosed information was only publicly available contact details. The OPC clarified that the information about the dispute itself was personal information that had been disclosed without consent. The corporation apologized, and the matter was considered settled.

• Definition of personal information
• Disclosure of sensitive personal information without consent
• Disclosure of information about disputes

An individual complained that a business failed to provide him with his personal information and its privacy policy. The business initially refused access to information predating its PIPEDA obligations and did not have a privacy policy. After the OPC intervened, the business provided the remaining information and drafted a privacy policy, which was given to the complainant, settling the matter.

• Access to personal information
• Availability of privacy policy

A student complained about being required to provide his Social Insurance Number (SIN) to rent an apartment. The property management firm initially required the SIN for identity verification, credit checks, and collections. Following the OPC's guidance and federal policy against the SIN becoming a universal identifier, the firm revised its lease agreement to only require a driver's license for identification, making SIN provision optional.

• Necessity of collecting SIN for identity verification and credit checks
• Requirement of SIN as a condition of service for renting an apartment
• Overtly indicating to the customer that SIN provision is optional

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint from an individual concerned that her credit card receipt contained her name, credit card number, and expiry date. The OPC found that while the restaurant's equipment did not mask this information, it was collected, used, and stored in a manner consistent with privacy principles, and there was no unauthorized disclosure. The matter was settled when the complainant was informed that industry-wide masking of credit card receipts was expected by 2007.

• Collection, use, and storage of credit card information on receipts
• Adequacy of credit card receipt masking technology
• Compliance with privacy principles despite lack of masking

A member of a not-for-profit association complained that he was required to present a second piece of identification, in addition to his membership card, to receive member discounts. The association implemented this policy to prevent non-members from misusing membership privileges, which violated agreements with vendors and resulted in lost revenue. The complainant was satisfied with the explanation and the complaint was settled.

• Necessity of collecting supplementary identification
• Verification of membership eligibility
• Prevention of misuse of membership privileges

A complainant raised concerns about a retail chain printing customer names, credit card numbers, and expiry dates on receipts, and requiring a driver's licence and credit card information for refunds. The retail chain subsequently updated its systems to mask personal information on receipts and changed its refund policy to no longer record identification details, only collecting name, address, and telephone number. Both the complainant and the OPC were satisfied with these changes.

• Collection of personal information on receipts
• Collection of personal information for refunds
• Necessity of collecting personal information

An individual complained that a bank employee improperly disclosed her account balance to her estranged husband. The bank acknowledged that its employee likely contravened PIPEDA by disclosing the information without consent. The matter was settled between the complainant and the bank, and the OPC agreed to consider the complaint settled, as no systemic issues were found.

• Improper disclosure of personal information by a bank employee.
• Lack of knowledge and consent for disclosure of personal information.
• Adequacy of bank's privacy policies and training.

An individual complained that a retail store inappropriately collected her personal information and disclosed it to a financial institution, and that the financial institution used and disclosed her information without consent. The retail store's salesperson processed the credit application before obtaining the customer's signature, leading to an approved credit card despite the customer's decision not to proceed. The financial institution stated it did not share information with third parties and took corrective actions, including removing an inquiry from the customer's credit file. The retail store also implemented new procedures.

• Inappropriate collection of personal information by a retail store
• Unauthorized disclosure of personal information to a financial institution
• Use and disclosure of personal information by a financial institution without consent
• Failure to obtain customer signature before processing credit application

An individual complained about receiving an unsolicited commercial email from a company's sales agent. The company was unaware of this practice, which it does not approve of. The company instructed the agent to cease using email for marketing, and the agent confirmed compliance. The complainant was satisfied, and the matter was settled.

• Use of unsolicited commercial email for marketing
• Company's awareness and control over agent practices
• Company's privacy policy and officer appointment

This report details an investigation into CIBC's handling of misdirected faxes containing customer personal information, which occurred between 2001 and 2004. The investigation found that CIBC's privacy practices failed to adequately address these incidents, resulting in breaches of customer data and trust. The bank has since implemented significant remedial measures to enhance its privacy safeguards.

• Adequacy of CIBC's privacy policies and procedures
• Effectiveness of CIBC's response to misdirected fax incidents
• Timeliness and appropriateness of customer notification following a privacy breach
• Organizational awareness and adherence to privacy obligations