Canadian Privacy Decisions

This joint investigation by federal, Alberta, and British Columbia privacy commissioners examined Cadillac Fairview's (CFCL) use of Anonymous Video Analytics (AVA) in mall directories and mobile device geolocation tracking. CFCL collected and used personal biometric information via AVA without valid consent, and improperly retained this data. While CFCL stated it had ceased using AVA, it disagreed with findings and refused to commit to express opt-in consent for future use. Regarding geolocation, CFCL's "Anonymous Shopper Journey" did not collect personal information, and while its "Logged In Shopper Journey" collected personal information, it did not combine it with geolocation data as initially suspected. Therefore, the geolocation aspect was found not well-founded.

• Collection, use, and disclosure of personal information via AVA technology
• Adequacy of consent and notice for AVA technology
• Appropriate retention of personal information collected via AVA
• Collection, use, and disclosure of personal information via geolocation tracking

A former employee of TD Canada Trust (TD) complained that TD had outsourced fraud claims processing to a third-party provider in India without customer consent or an opt-out option. The Office of the Privacy Commissioner of Canada (OPC) investigated and found that TD was not required to obtain additional consent as the personal information was used for the original purpose of fraud claims management. The OPC also found TD was sufficiently open about its outsourcing practices and remained accountable by ensuring comparable protection through contractual and monitoring measures.

• Requirement for consent to transfer personal information to a third-party processor for the same purpose
• Sufficiency of openness regarding outsourcing of personal information to foreign jurisdictions
• Accountability for personal information transferred to a third-party processor and ensuring comparable protection

Following complaints from two customers who were victims of tech support scams, the OPC investigated Dell's security safeguards and complaint handling practices. Dell discovered that two employees of its service provider in India had sold customer information on two separate occasions, leading to personal information breaches affecting thousands of Canadians. The OPC found that Dell's safeguards, including access controls and breach investigation procedures, were insufficient given the sensitivity of the data and the risk environment.

• Adequacy of security safeguards for personal information transferred to a service provider
• Effectiveness of access controls and monitoring for preventing insider theft of data
• Sufficiency of investigation into customer complaints alleging privacy breaches
• Appropriateness of breach notification and response

A dentist complained that RateMDs.com, a health practitioner rating website, used her personal information without consent and for lucrative purposes. The Office of the Privacy Commissioner of Canada (OPC) found that the dentist's business contact information was publicly available and did not require consent. However, the OPC found that RateMDs.com engaged in an inappropriate practice by charging a subscription fee for a service that allowed users to hide certain reviews, contravening PIPEDA's purpose provisions. RateMDs.com agreed to cease this practice, leading to a conditionally resolved outcome for that issue. The OPC also found RateMDs.com resolved issues related to openness regarding its policies on correcting inaccurate information.

• Consent for the collection, use, and disclosure of personal information.
• The appropriateness of using personal information for a business model.
• Transparency and openness regarding policies for correcting inaccurate information.
• The balance between privacy rights and public interest in online reviews.

The complainant alleged that Trans Union disclosed his credit file information to Statistics Canada without consent, and that this information was subsequently used to initiate debt collection efforts against him. The Office of the Privacy Commissioner of Canada (OPC) found that Trans Union was authorized to disclose the information under PIPEDA, as Statistics Canada had requested it under the authority of the Statistics Act. The OPC also found no evidence that Statistics Canada disclosed the complainant's information to other institutions for debt collection purposes.

• Whether Trans Union disclosed personal information without consent contrary to PIPEDA.
• Whether Statistics Canada used disclosed information for debt collection.
• Whether the disclosure was authorized by law under PIPEDA.
• Whether Statistics Canada contravened the Privacy Act in its data collection.

This joint investigation by the Office of the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia found that AggregateIQ Data Services Ltd. (AIQ) contravened Canadian privacy laws (PIPEDA and PIPA) in its handling of personal information for political campaigns. AIQ failed to ensure adequate consent for the collection, use, and disclosure of personal information, particularly when sharing data with platforms like Facebook for targeted advertising and analytics. Additionally, AIQ's inadequate security measures led to a data breach involving the personal information of millions of individuals.

• AIQ's collection, use, and disclosure of personal information for political campaigns.
• AIQ's compliance with consent requirements for personal information.
• AIQ's implementation of reasonable security measures to protect personal information.
• Cross-jurisdictional data handling and privacy obligations.

This investigation examined Loblaw's practices in its gift card program, which was established to compensate customers affected by a bread price-fixing scandal. The complainant argued Loblaw collected more personal information than necessary and was concerned about data transfers to the United States. The OPC found that while Loblaw initially collected more information than needed by requesting full identification documents, they subsequently clarified their requirements, resolving this issue. The OPC also found Loblaw's measures to protect personal information transferred to a third-party administrator in the US were sufficient and that Loblaw was transparent about cross-border data transfers.

• Collection of personal information beyond what is necessary for the stated purpose.
• Adequacy of safeguards for personal information transferred to a third-party processor in the United States.
• Sufficiency of transparency regarding cross-border data transfers.
• Requirement for additional consent for cross-border data transfers.

This joint investigation by the Office of the Privacy Commissioner of Canada (OPC) and the Office of the Information and Privacy Commissioner for British Columbia (OIPC BC) examined Facebook's compliance with privacy laws concerning the disclosure of user data to third-party apps, specifically the "thisisyourdigitallife" (TYDL) app. The investigation found that Facebook failed to obtain valid and meaningful consent from users whose information was disclosed, had inadequate safeguards to protect user data, and lacked accountability for the information under its control. These failures are particularly concerning given similar findings by the OPC in a 2009 investigation, indicating a lack of substantive improvement in Facebook's privacy practices.

• Meaningful consent from installing users
• Meaningful consent from affected users (friends of installing users)
• Adequacy of safeguards to protect user data from third-party apps
• Facebook's accountability for user data

The Office of the Privacy Commissioner of Canada (OPC) investigated Equifax Inc. and Equifax Canada Co. following a 2017 data breach that compromised the personal information of approximately 19,000 Canadians. The OPC found that both Equifax Inc. and Equifax Canada contravened PIPEDA concerning inadequate safeguards, data retention, accountability, and consent for the disclosure of personal information. The investigation also found Equifax Canada's post-breach safeguards to be inadequate for protecting affected Canadians. Equifax Canada has committed to corrective measures, and the matters are conditionally resolved.

• Adequacy of security safeguards for Canadian personal information held by Equifax Inc.
• Equifax Inc.'s data retention and destruction practices for Canadian personal information.
• Equifax Canada's accountability for Canadian personal information handled by Equifax Inc.
• Adequacy of consent obtained for the collection and disclosure of Canadian personal information to Equifax Inc.
• Adequacy of safeguards and post-breach measures for Canadian personal information held by Equifax Canada.

The complainant alleged that Grey House Publishing Canada (Grey House) collected, used, and disclosed his personal information without his knowledge or consent. Grey House collected the complainant's contact information from a non-profit association's webpage and included it in its print directory and database. Grey House then sold an email distribution list containing this information to Economic and Social Development Canada (ESDC), which used it to send emails promoting a federal program. The OPC found that Grey House contravened PIPEDA by collecting and using the complainant's personal information without adequate consent, as the information was not considered business contact information and did not fall under the exceptions for publicly available information. The OPC also found that Grey House contravened PIPEDA's openness principle by having an inadequate privacy statement.

• Whether the complainant's contact information constituted personal information or business contact information under PIPEDA
• Whether Grey House was conducting commercial activity under PIPEDA
• Whether Grey House obtained adequate consent to collect and use the complainant's personal information
• Whether Grey House's privacy statement adequately reflected its practices

The Office of the Privacy Commissioner of Canada (OPC) investigated 411Numbers, a website operator that provided free access to telephone numbers and associated information. A complainant alleged that 411Numbers collected, used, and disclosed his personal information without consent, used it for an inappropriate purpose (paid removal service), over-collected information for removal services, and was unresponsive to privacy concerns. The OPC found that 411Numbers contravened PIPEDA by publishing unlisted telephone numbers without consent, and that its previous practice of requiring extensive identification for removal services was an over-collection. The paid removal service was also deemed inappropriate. However, 411Numbers has since ceased its paid removal service and implemented new practices for information removal and data collection.

• Jurisdiction over a non-Canadian company with a real and substantial connection to Canada
• Collection, use, and disclosure of unlisted telephone numbers without consent
• Appropriateness of using personal information for a paid removal service
• Over-collection of personal information for identity verification during removal requests

This investigation concerned Microsoft's Windows 10 privacy settings, which were initially set to 'on' by default during installation. The Office of the Privacy Commissioner of Canada (OPC) investigated whether Microsoft obtained valid consent for the collection, use, and disclosure of users' personal information. While Microsoft made several updates to improve clarity and consent mechanisms, the OPC identified ongoing concerns regarding the meaningfulness of consent for certain settings, particularly regarding diagnostics, tailored experiences, and speech recognition. Microsoft committed to implementing further changes, including obtaining opt-in consent for all installation privacy settings, enhancing transparency, and improving data protection measures.

• Validity of consent for default privacy settings during Windows 10 installation.
• Clarity and completeness of privacy communications provided to users.
• Adequacy of measures to protect sensitive diagnostic data from being used for targeted marketing.
• Ensuring meaningful consent for cloud-based speech recognition services.

The Office of the Privacy Commissioner of Canada (OPC) investigated complaints against Profile Technology Ltd. (Profile Technology), a New Zealand-based company, for copying and using personal information from Facebook profiles without consent. The OPC found that Profile Technology's website was not merely a search engine but a social networking site, and that the information was not "publicly available" under PIPEDA. The company's practice of repurposing outdated Facebook data without consent or consideration for privacy settings was deemed inappropriate. Additionally, Profile Technology was found to be retaining help desk ticket information longer than necessary. The OPC concluded that Profile Technology contravened PIPEDA by using and disclosing personal information for purposes not appropriate in the circumstances and without consent.

• Jurisdiction over a foreign-based organization
• Definition of "publicly available" information under PIPEDA
• Requirement for consent for collection and use of personal information
• Appropriateness of purposes for using personal information

The Office of the Privacy Commissioner of Canada investigated a complaint against Facebook Inc. regarding a privacy breach where personal information of users and non-users was inadvertently disclosed through the 'Download Your Information' tool. The investigation found that while Facebook had safeguards in place, they were not adequate prior to the breach, leading to the unauthorized disclosure of contact information. Additionally, Facebook was not sufficiently open about its practice of matching contact information across address books. Facebook has since implemented corrective measures, including a new Privacy Framework and revised notices, resolving the issues.

• Adequacy of safeguards for personal information.
• Facebook's practice of matching contact information across address books and consent requirements.
• Openness and transparency of Facebook's policies and practices regarding contact information.
• Facebook's provision of access to and correction of personal information.

The complainant alleged that a courier company disclosed her personal information without consent by delivering a package addressed to her to her neighbour. The investigation found that the courier company had contravened PIPEDA's consent principle by not obtaining consent directly from the complainant for its practice of delivering packages to neighbours, nor by demonstrating due diligence to ensure the shipper had obtained such consent. In response to the OPC's recommendations, the courier company committed to ending the practice of delivering to neighbours, and this commitment was confirmed.

• Was personal information disclosed without consent by delivering a package to a neighbour?
• Did the courier company exercise due diligence to ensure the shipper obtained consent for the delivery to a neighbour practice?
• Is an unlisted telephone number on a package label sensitive personal information?