Canadian Privacy Decisions

The complainant alleged that Apple Canada Inc. ("Apple") unnecessarily required payment information and date of birth for downloading a free application. The investigation found that while the date of birth collection was acceptable for authentication, Apple's privacy policy did not fully identify the purposes for its collection. The collection of payment information was also found to be an issue, as Apple did not clearly communicate that it was not required for downloading free applications. Apple agreed to revise its privacy policy and implement recommendations to improve clarity and user experience.

• Identification of purposes for collection of personal information
• Limiting collection of personal information to what is necessary
• Openness about information management policies and practices
• Requirement of payment information for free application downloads

A life insurance company discovered a potential breach of personal information when a new envelope design exposed sensitive data, including SINs, of 53 pension plan members. The company took prompt action by notifying affected individuals, offering credit monitoring services, and implementing new security measures to prevent recurrence. The OPC noted the company's response demonstrated best practices in handling such incidents.

• Potential exposure of sensitive personal information (SIN, date of birth, beneficiary information) due to envelope design.
• Adequacy of the company's response to the potential breach.
• Measures taken to prevent future incidents.

An individual complained that her bank required her to provide the last six digits of her Social Insurance Number (SIN) to set up a verified credit account for online purchases. The complainant believed this collection was unnecessary and sought an alternative. The bank initially maintained its practice but, after being informed of a similar OPC finding regarding transparency, discontinued the practice and updated its website to remove this authentication method. The complaint was resolved.

• Bank's collection of partial SIN for account verification
• Transparency of alternative authentication methods
• Adequacy of information provided on the bank's website

A customer complained that his investment firm's Know Your Client (KYC) form required an unreasonable amount of personal information, contrary to PIPEDA. The firm argued the information was necessary to comply with regulatory obligations set by the Investment Industry Regulatory Organization of Canada (IIROC). The OPC investigated whether the firm collected more information than necessary for legitimate purposes. Ultimately, the OPC found that the firm's collection of detailed financial and personal information, including spousal income and investment experience, was justified to meet IIROC's KYC and suitability requirements.

• Whether the investment firm explicitly specified the purposes for collecting personal information.
• Whether the stated purposes for collection were legitimate.
• Whether the firm collected more personal information than necessary to fulfill those purposes.
• Whether the collection was a condition of service that violated PIPEDA.

An individual complained to the OPC after an internet search engine continued to display her résumé and personal information, even after she had it removed from the original job posting site. The search engine initially did not comply with her requests to remove the information. The OPC intervened, and the search engine subsequently removed the cached copy of the information using its URL removal tool.

• Right to withdraw consent for use/disclosure of personal information
• Search engine's obligation to de-index personal information
• Effectiveness of search engine URL removal tools

An investigation was launched after a complaint that Google's AdSense service delivered targeted advertisements for CPAP devices based on the complainant's online search for medical devices. The OPC found that Google used online behavioural advertising (OBA) to deliver these ads, which involved sensitive health information, without express consent. Google argued the ads were contextual, but the OPC determined they constituted OBA and contravened PIPEDA Principles 4.3 and 4.3.6 regarding consent for the use of sensitive information. Following recommendations, Google implemented remedial measures, leading to the complaint being conditionally resolved.

• Was sensitive health information used for online behavioural advertising without express consent?
• Did Google's practices comply with PIPEDA Principles 4.3 and 4.3.6 regarding knowledge and consent for the use of personal information?
• Did Google's privacy policy accurately reflect its practices regarding the use of sensitive health information for targeted advertising?
• Were Google's monitoring and compliance mechanisms adequate to prevent policy violations?

An individual complained that an online dating service used his personal information without consent and failed to provide him access to his information after he cancelled his membership. The Office of the Privacy Commissioner of Canada (OPC) found that the original owner violated PIPEDA by denying the complainant access to his personal information and by continuing to send him marketing emails after consent was withdrawn. The OPC also found the service failed to have a privacy policy and safeguard information. While issues were found to be well-founded, they were resolved by the new owner who purged the data and implemented a privacy policy.

• Access to personal information
• Withdrawal of consent for marketing emails
• Retention of personal information
• Safeguarding of personal information

An individual complained that a legal firm failed to respond to his requests for estate information, in which he claimed beneficiary status. The Office of the Privacy Commissioner of Canada (OPC) found that the firm contravened PIPEDA by not responding within the 30-day time limit. However, the OPC also determined that the individual was only entitled to access his own personal information, not general estate information, and that the firm had conducted a reasonable search for any such information. The complaint was ultimately found to be well-founded and resolved.

• Individual's right to access general estate information as a beneficiary versus personal information.
• Organization's obligation to respond to an access request within 30 days, even if no responsive information is held.
• Determining what constitutes an individual's 'personal information' under PIPEDA in the context of estate administration.

An individual complained that a retailer withheld access to her personal information, which she stated was necessary for ongoing litigation between them. The Office of the Privacy Commissioner of Canada (OPC) declined to investigate, finding that court procedures offered a more appropriate means for the complainant to address her access issues. The OPC noted that a provincial court judge had indicated the complainant could seek further disclosure through cross-examination. Therefore, the OPC determined that the complaint could be more appropriately dealt with by the court.

• Whether court procedures provide a more appropriate means to address access issues related to ongoing litigation.
• Whether the retailer contravened PIPEDA by refusing access to personal information based on litigation privilege.
• Whether the OPC should decline to investigate when court procedures can address the access issues.

Three individuals complained after discovering their sensitive dating profiles, posted on PositiveSingles.com, appeared on nearly 60 other affiliated dating websites without their knowledge or consent. The Office of the Privacy Commissioner of Canada found that while the profiles remained within the company's controlled network, users were not adequately informed about this practice. Furthermore, inadequate safeguards allowed some personal information to be accessed by non-members. The organization revamped its website to provide clearer disclosures about profile sharing and its network structure, and improved its security measures.

• Adequacy of consent for the use and disclosure of personal information across affiliated websites.
• Whether users were adequately informed about the company's network structure and profile sharing practices.
• Sufficiency of security safeguards to prevent unauthorized access to personal information.
• Transparency of privacy policies and practices regarding data management.

The OPC investigated a complaint alleging Apple used and shared a user's unique device identifier (UDID) without knowledge or consent for tracking and targeted advertising. While Apple initially argued UDID was not personal information, the OPC found it was, especially given Apple's ability to link it to account details. The OPC determined Apple's privacy policy lacked clarity on UDID use for advertising, though its administrative uses were acceptable. Apple has since ceased using UDID for advertising, replacing it with Ad ID, and enhanced opt-out mechanisms for Ad ID, leading the OPC to find the complaint well-founded and resolved.

• Whether UDID and Ad ID constitute personal information under PIPEDA.
• Whether Apple obtained meaningful consent for the collection, use, and disclosure of UDID and Ad ID for advertising purposes.
• Adequacy of notice provided by Apple regarding its use of UDID and Ad ID.
• Apple's responsibility for disclosures of UDID and Ad ID to third-party app developers.

An individual complained that a property management company was over-collecting personal information, including Social Insurance Number (SIN), driver's licence information, and banking information, on its rental application forms. The Office of the Privacy Commissioner of Canada (OPC) also investigated the company's lack of a privacy policy. The company committed to making it clear that the request for SIN, driver's licence, and banking information was optional and to posting a privacy policy on its website. The complainant was satisfied with these changes.

• Collection of SIN, driver's licence, and banking information on rental applications
• Requirement for a privacy policy on the company website
• Responsibility for third-party practices

A bank customer complained that the bank improperly demanded to record information from his driver's license when picking up a replacement credit card. The bank initially claimed this was for anti-money laundering purposes, but later admitted this explanation was incorrect. The Office found the demand for information was not well-founded as no information was actually collected. However, the bank contravened PIPEDA by misinforming the customer about the purpose of the collection, a contravention that was resolved by revised bank procedures and staff training.

• Whether the bank limited the collection of personal information to what was necessary.
• Whether the bank's employees could explain the purposes for collecting personal information.

An individual complained to the OPC after a telecommunications firm disclosed his personal account and debt information to his tenant without his consent. The firm had merged the landlord's account with the new tenant's account when the tenant opened his own account. The firm accepted responsibility, corrected the accounts, and made amends with the landlord, leading to the early resolution of the complaint.

• Disclosure of personal information without consent
• Merging of accounts belonging to different individuals
• Collection of debt without proper verification

A customer complained that his cell phone service provider disclosed his personal information to an imposter and inadequately responded to his request for access to his data. The Office of the Privacy Commissioner of Canada (OPC) found that the provider contravened PIPEDA by allowing an employee to disclose sensitive account details without proper authentication. The OPC also found that the provider initially failed to meet the 30-day deadline for responding to the customer's access request, but this aspect was later resolved. The OPC recommended the company review its privacy management programs.

• Disclosure of personal information without consent
• Failure to properly authenticate a caller
• Adequacy and timeliness of response to access request
• Effectiveness of employee training and adherence to procedures