Canadian Privacy Decisions

This compliance letter concerns a privacy breach at Nova Scotia Power that began around March 19, 2025. A malware attack allowed a threat actor to access and exfiltrate sensitive customer information, including names, contact details, financial information, and SINs, affecting approximately 375,000 current and 540,000 former customers. Nova Scotia Power has committed to specific actions, including deleting customer SINs and undergoing an external security assessment, to address the breach. Upon the Commissioner's satisfaction with these commitments, the investigation will be discontinued.

• Adequacy of security safeguards following a significant data breach.
• Timeliness and method of notification to affected individuals.
• Collection and retention of Social Insurance Numbers (SINs).
• Breach response and remediation efforts.

The OPC investigated Loblaw Companies Ltd. regarding complaints about the deletion of PC Optimum Loyalty Program accounts. The investigation found Loblaw contravened PIPEDA by taking an unreasonable amount of time to address deletion requests and by failing to ensure that retained purchase history data was sufficiently anonymized after account closures. Loblaw has agreed to take corrective actions, including a third-party assessment of its anonymization processes.

• Adequacy of Loblaw's processes for addressing individual privacy challenges regarding account deletion.
• Compliance with PIPEDA's retention principle regarding anonymization of purchase history data.
• Timeliness of Loblaw's response to customer deletion requests.
• Sufficiency of Loblaw's anonymization techniques for retained data.

The Office of the Privacy Commissioner of Canada (OPC) investigated Bell Canada after a complainant alleged Bell contravened PIPEDA by not responding to an access request within 30 days and denying access to cellphone logs. The OPC found Bell contravened PIPEDA by delaying its response to the access request and by denying the complainant access to his phone logs, which were determined to be his personal information. Bell also failed to be open about its policies regarding shared account information. Bell has agreed to provide the requested logs and implement recommendations to improve its procedures for handling shared account requests and its privacy communications.

• Timeliness of response to an access request
• Access to personal information held by a service provider on a shared account
• Definition of personal information in the context of phone logs
• Openness of an organization's privacy policies and practices

This investigation examined Staples Canada's practices concerning the removal of personal information from returned laptops resold through its Openbox program. The Office of the Privacy Commissioner of Canada (OPC) found that Staples had deficiencies in its policies, procedures, and employee training regarding data wiping. Specifically, the OPC determined that Staples did not consistently ensure full data sanitization according to manufacturer guidelines, leading to residual personal information being found on some devices. Staples agreed to implement corrective measures, including updating procedures, enhancing training, and engaging third-party spot checks.

• Adequacy of safeguards for personal information on returned electronic devices
• Sufficiency of Staples' policies and procedures for data wiping
• Effectiveness of employee training on data sanitization
• Compliance with PIPEDA Principles 4.7.1 and 4.7.3

This investigation concerned a privately owned swimming pool's policy requiring parents to consent to the use of photos and videos of their children for promotional purposes as a condition of enrolling them in swimming lessons. The OPC found that this requirement contravened PIPEDA principles regarding consent for the collection, use, and disclosure of personal information. The swimming pool has agreed to implement an opt-in photo policy, resolving the complaint.

• Whether requiring consent for promotional photos/videos as a condition of service violates PIPEDA.
• Whether photos/videos of children in swim attire are sensitive personal information.
• Whether the swimming pool's stated business needs justified the mandatory consent policy.
• Whether consent was sought appropriately for staff training purposes.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint against Google's search engine service. The complainant alleged that Google was violating PIPEDA by displaying links to old media articles about their arrest and criminal charge. While the OPC found that Google complied with accuracy requirements, it determined that the continued display of these sensitive articles, which caused significant harm to the complainant, outweighed the limited public interest. The OPC recommended Google de-list the articles, but Google refused, stating the matter should be decided by the courts.

• Whether Google contravened PIPEDA's accuracy requirements by displaying links to outdated articles.
• Whether Google contravened PIPEDA's "appropriate purposes" provision by displaying sensitive personal information linked to an individual's name.
• Balancing individual privacy rights against freedom of expression in the context of search engine results.
• Determining the public interest in accessing historical, sensitive information via search engine results.

The OPC investigated a complaint that Brinks Home failed to implement adequate safeguards, leading to the compromise of customer personal information via its online portal. While the OPC found Brinks Home had failed to adequately protect customer information, the issue was resolved through corrective actions and the subsequent sale of customer accounts. The OPC also determined that Brinks Home was not required to report the breach to the OPC or notify affected individuals because it did not present a real risk of significant harm.

• Adequacy of safeguards for personal information
• Compliance with mandatory breach reporting requirements
• Assessment of real risk of significant harm (RROSH)
• Employee error leading to unauthorized access

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint against Aylo (formerly MindGeek) concerning its handling of user-uploaded intimate content. The OPC found that MindGeek failed to obtain valid consent for the collection, use, and disclosure of personal information, particularly highly sensitive intimate images. The OPC also determined that MindGeek did not provide an accessible or effective process for individuals to remove their non-consensual content from its websites. Furthermore, the investigation concluded that MindGeek lacked accountability for the personal information under its control. The complaint was found to be well-founded and remains unresolved.

• Validity of consent for collecting and using intimate images
• Effectiveness and accessibility of content takedown processes
• Accountability for personal information under control
• Jurisdiction over international operations

The Office of the Privacy Commissioner of Canada investigated a complaint against Agronomy Company of Canada Ltd. (Agronomy) following a significant data breach. The investigation found that Agronomy lacked appropriate safeguards, including multi-factor authentication, network segregation, and encryption, which contributed to the breach affecting 845 individuals. The OPC also found Agronomy lacked accountability structures. However, the complaint regarding valid consent for credit services was found not well-founded. Agronomy has since made significant improvements to its security measures and accountability practices.

• Adequacy of security safeguards
• Accountability for personal information
• Validity of consent for collection and use of personal information

The Office of the Privacy Commissioner of Canada investigated Home Depot for disclosing customer email addresses and purchase details to Meta (Facebook) through Meta's "Offline Conversions" tool without valid consent. Home Depot used this tool to measure the effectiveness of its Facebook ads. The OPC found that Home Depot's privacy statement and Meta's policy were insufficient to obtain implied consent for this disclosure, as customers were not reasonably expected to understand that their data would be shared for these secondary purposes. Home Depot has since discontinued the use of the tool and agreed to implement recommendations for obtaining express consent should they restart the practice.

• Whether Home Depot obtained valid consent for disclosing customer purchase data to Meta.
• Whether the information disclosed was sensitive.
• Whether Home Depot's privacy statement and Meta's policies provided sufficient notice and clarity.
• Whether express opt-in consent should have been obtained.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint from a Trimac truck driver concerned about audio and video recording in his truck cabin. The OPC found that while Trimac had legitimate safety and asset protection goals, the continuous audio recording was too intrusive, especially when drivers were off-duty. Trimac was also not initially transparent about using the data for disciplinary purposes, failing to meet consent requirements under PIPEDA. Trimac has since implemented changes, limiting audio recording to on-duty hours and improving data access controls. The OPC found the complaint conditionally resolved regarding the intrusive nature of the recording and resolved regarding the consent issue, accepting Trimac's remedial actions.

• Appropriateness of continuous audio recording in truck cabins, including during off-duty hours.
• Whether Trimac provided adequate information about the use of collected data for disciplinary purposes.
• The proportionality of privacy intrusion versus business benefits.
• The requirement for employee consent for data collection in an employment context.

Following a data breach involving the Starwood hotel database, the Office of the Privacy Commissioner of Canada (OPC) investigated Marriott International, Inc. The investigation found that Marriott's security safeguards, accountability measures, and information retention practices were inadequate at the time of the breach, leading to unauthorized access to personal information. While Marriott has taken remedial actions and the complaint is conditionally resolved, the OPC highlighted failures in access controls, antivirus software, logging and monitoring, and information storage. The OPC also found Marriott contravened accountability principles by not adequately assessing security risks during its acquisition of Starwood and retaining personal information longer than necessary.

• Adequacy of security safeguards for personal information
• Marriott's accountability and due diligence during the acquisition of Starwood
• Timeliness of information retention and deletion practices
• Adequacy of notification and mitigation measures for affected individuals

This investigation concerned MGM Resorts International's handling of a 2019 data breach that affected millions of guests, including nearly two million Canadians. The OPC initiated a complaint after media reports indicated a breach and MGM had not reported it. The investigation found that MGM failed to promptly assess the risk of significant harm (RROSH) posed by the breach and did not report it to the OPC or notify affected Canadians as soon as feasible. MGM has committed to updating its privacy breach response framework to ensure timely RROSH assessments and reporting.

• Whether the personal information involved in the breach posed a real risk of significant harm (RROSH) to affected Canadians.
• Whether MGM adequately assessed the RROSH.
• Whether MGM reported the breach to the OPC and notified affected Canadians as soon as feasible.
• Whether MGM's delay in assessing the breach and notifying Canadians contravened PIPEDA's mandatory breach reporting obligations.

Biron Health Group sent promotional emails to travellers who had undergone COVID-19 testing upon arrival in Canada, using their email addresses collected for testing purposes. The complainant alleged this violated PIPEDA. Biron argued they assumed implicit consent due to a business relationship, but the OPC found this assumption unreasonable given the mandatory nature of the testing. Biron has since ceased the practice, deleted affected email addresses, and the complaint was settled.

• Use of personal information for secondary marketing purposes without consent
• Reasonableness of assuming implicit consent in a mandatory service context
• Nature of consent required for collecting and using health-related information

The Office of the Privacy Commissioner of Canada investigated a complaint that Rogers Communications Inc. improperly enrolled a customer in its voiceprint authentication program, Voice ID, without her consent. The OPC found that while the purpose of the program was appropriate, Rogers failed to obtain valid and meaningful consent for the collection and use of voiceprints, which are considered sensitive biometric information. Rogers also did not provide a clear opt-out mechanism and improperly retained voiceprints. Rogers committed to significant changes to its program, leading the OPC to find the consent and retention issues well-founded and conditionally resolved.

• Appropriate purpose for collecting voiceprints
• Obtaining valid and meaningful consent for voiceprints
• Adequacy of opt-out mechanisms
• Retention of voiceprints after opt-out