BreachOfPrivacy

Canadian Privacy Decisions

The comprehensive archive of Canadian privacy decisions from federal, provincial, and territorial commissioners — with AI-summarized plain-language summaries for every decision.

170 decisions matching
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & unresolved
May 6, 2026 · PIPEDA Findings #2026-002 · Indexed May 6, 2026

PIPEDA Findings #2026-002: Joint Investigation of OpenAI OpCo, LLC

OpenAI OpCo, LLC

This joint investigation by privacy authorities across Canada found that OpenAI contravened privacy laws in its collection, use, and disclosure of personal information through its ChatGPT models GPT-3.5 and GPT-4. Specifically, the investigation found that OpenAI's collection of personal information from publicly accessible websites for training purposes was overbroad and inappropriate. The company also failed to obtain valid consent and be sufficiently transparent about its data practices. While OpenAI has since implemented new mitigation measures and committed to further improvements, some provincial authorities found the new measures insufficient to meet their specific legislative requirements.

Adjudicator: Philippe Dufresne

Key Issues
  • Appropriateness of purpose for data collection and use
  • Validity of consent and transparency obligations
  • Accuracy of generated information
  • Individual rights to access, correction, and deletion

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Discontinued
Mar 25, 2026 · Indexed May 6, 2026

Compliance Letter to the Office of the Privacy Commissioner of Canada (“OPC”) By Nova Scotia Power

Nova Scotia Power

This compliance letter concerns a privacy breach at Nova Scotia Power that began around March 19, 2025. A malware attack allowed a threat actor to access and exfiltrate sensitive customer information, including names, contact details, financial information, and SINs, affecting approximately 375,000 current and 540,000 former customers. Nova Scotia Power has committed to specific actions, including deleting customer SINs and undergoing an external security assessment, to address the breach. Upon the Commissioner's satisfaction with these commitments, the investigation will be discontinued.

Adjudicator: Philippe Dufresne

Key Issues
  • Adequacy of security safeguards following a significant data breach.
  • Timeliness and method of notification to affected individuals.
  • Collection and retention of Social Insurance Numbers (SINs).
  • Breach response and remediation efforts.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Discontinued
Mar 17, 2026 · Indexed May 6, 2026

Compliance agreement between the Privacy Commissioner of Canada and the World Anti-Doping Agency

World Anti-Doping Agency

This case involves a compliance agreement between the Privacy Commissioner of Canada and the World Anti-Doping Agency (WADA) concerning WADA's collection, use, and disclosure of athletes' personal information through its Anti-Doping Administration and Management System (ADAMS). Following a complaint and an investigation, WADA agreed to implement remedial measures to ensure personal information in ADAMS is used solely for anti-doping purposes. The agreement resolves the Commissioner's investigation, with the understanding that WADA does not admit contravention of PIPEDA and preserves its jurisdictional defenses. The investigation will be discontinued upon WADA's satisfactory completion of the agreed-upon measures.

Adjudicator: Philippe Dufresne

Key Issues
  • WADA's jurisdiction under PIPEDA for its interprovincial or international activities
  • WADA's practices regarding the collection, use, and disclosure of athletes' personal information in ADAMS
  • Ensuring ADOs use personal information in ADAMS strictly for anti-doping purposes
  • Compliance with privacy obligations concerning sensitive personal information

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Mar 5, 2026 · PIPEDA Findings #2026-001 · Indexed Apr 12, 2026

PIPEDA Findings #2026-001: Investigation into the personal information retention practices of Loblaw for the PC Optimum Loyalty Program

Loblaw Companies Ltd.

The OPC investigated Loblaw Companies Ltd. regarding complaints about the deletion of PC Optimum Loyalty Program accounts. The investigation found Loblaw contravened PIPEDA by taking an unreasonable amount of time to address deletion requests and by failing to ensure that retained purchase history data was sufficiently anonymized after account closures. Loblaw has agreed to take corrective actions, including a third-party assessment of its anonymization processes.

Adjudicator: Philippe Dufresne

Key Issues
  • Adequacy of Loblaw's processes for addressing individual privacy challenges regarding account deletion.
  • Compliance with PIPEDA's retention principle regarding anonymization of purchase history data.
  • Timeliness of Loblaw's response to customer deletion requests.
  • Sufficiency of Loblaw's anonymization techniques for retained data.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Jan 9, 2026 · PIPEDA Findings #2026-003 · Indexed Jun 5, 2026

PIPEDA Findings #2026-003: Investigation into Bell’s compliance with PIPEDA when responding to an access request for personal information

Bell Canada

The Office of the Privacy Commissioner of Canada (OPC) investigated Bell Canada after a complainant alleged Bell contravened PIPEDA by not responding to an access request within 30 days and denying access to cellphone logs. The OPC found Bell contravened PIPEDA by delaying its response to the access request and by denying the complainant access to his phone logs, which were determined to be his personal information. Bell also failed to be open about its policies regarding shared account information. Bell has agreed to provide the requested logs and implement recommendations to improve its procedures for handling shared account requests and its privacy communications.

Adjudicator: Philippe Dufresne

Key Issues
  • Timeliness of response to an access request
  • Access to personal information held by a service provider on a shared account
  • Definition of personal information in the context of phone logs
  • Openness of an organization's privacy policies and practices

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Dec 1, 2025 · PIPEDA Findings #2025-004 · Indexed Apr 12, 2026

PIPEDA Findings #2025-004: Investigation into the privacy practices of Staples Canada ULC related to electronic devices to be resold as part of its Openbox program

Staples Canada ULC

This investigation examined Staples Canada's practices concerning the removal of personal information from returned laptops resold through its Openbox program. The Office of the Privacy Commissioner of Canada (OPC) found that Staples had deficiencies in its policies, procedures, and employee training regarding data wiping. Specifically, the OPC determined that Staples did not consistently ensure full data sanitization according to manufacturer guidelines, leading to residual personal information being found on some devices. Staples agreed to implement corrective measures, including updating procedures, enhancing training, and engaging third-party spot checks.

Adjudicator: Philippe Dufresne

Key Issues
  • Adequacy of safeguards for personal information on returned electronic devices
  • Sufficiency of Staples' policies and procedures for data wiping
  • Effectiveness of employee training on data sanitization
  • Compliance with PIPEDA Principles 4.7.1 and 4.7.3

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Nov 25, 2025 · PIPEDA Findings #2025-005 · Indexed Jun 5, 2026

PIPEDA Findings #2025-005: Investigation into a swimming pool’s compliance with consent requirements under the Personal Information Protection and Electronic Documents Act

A privately owned swimming pool

This investigation concerned a privately owned swimming pool's policy requiring parents to consent to the use of photos and videos of their children for promotional purposes as a condition of enrolling them in swimming lessons. The OPC found that this requirement contravened PIPEDA principles regarding consent for the collection, use, and disclosure of personal information. The swimming pool has agreed to implement an opt-in photo policy, resolving the complaint.

Adjudicator: Philippe Dufresne

Key Issues
  • Whether requiring consent for promotional photos/videos as a condition of service violates PIPEDA.
  • Whether photos/videos of children in swim attire are sensitive personal information.
  • Whether the swimming pool's stated business needs justified the mandatory consent policy.
  • Whether consent was sought appropriately for staff training purposes.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Sep 23, 2025 · PIPEDA Findings #2025-003 · Indexed Apr 12, 2026

PIPEDA Findings #2025-003: Joint investigation of TikTok Pte. Ltd. by the Office of the Privacy Commissioner of Canada, the Commission d’accès à l’information du Québec, the Office of the Information and Privacy Commissioner for British Columbia, and the Office of the Information and Privacy Commissioner of Alberta

TikTok Pte. Ltd.

This joint investigation by Canadian privacy authorities found that TikTok's collection and use of personal information, particularly from children, for ad targeting and content personalization was inappropriate and lacked valid consent. TikTok failed to implement adequate age verification measures, leading to the collection of data from underage users without a legitimate purpose. The investigation also found that TikTok's privacy communications were unclear, not easily accessible, and not available in French, so TikTok did not obtain meaningful consent from adult and youth users for its data practices.

Adjudicator: Philippe Dufresne

Key Issues
  • Appropriate purpose for collecting and using children's personal information.
  • Obtaining valid and meaningful consent for tracking, profiling, and targeted advertising.
  • Transparency obligations regarding collection and use of personal information for user profiling.
  • Adequacy of age assurance measures to prevent underage users from accessing the platform.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded
Aug 27, 2025 · PIPEDA Findings #2025-002 · Indexed Apr 12, 2026

PIPEDA Findings #2025-002: Investigation and recommendations concerning Google search engine service’s compliance with its obligations under PIPEDA

Google

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint against Google's search engine service. The complainant alleged that Google was violating PIPEDA by displaying links to old media articles about their arrest and criminal charge. While the OPC found that Google complied with accuracy requirements, it determined that the significant harm the continued display of these sensitive articles caused the complainant outweighed the limited public interest. The OPC recommended Google de-list the articles, but Google refused, stating the matter should be decided by the courts.

Adjudicator: Philippe Dufresne

Key Issues
  • Whether Google contravened PIPEDA's accuracy requirements by displaying links to outdated articles.
  • Whether Google contravened PIPEDA's "appropriate purposes" provision by displaying sensitive personal information linked to an individual's name.
  • Balancing individual privacy rights against freedom of expression in the context of search engine results.
  • Determining the public interest in accessing historical, sensitive information via search engine results.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Jun 20, 2025 · PIPEDA Findings #2025-001 · Indexed Apr 12, 2026

PIPEDA Findings #2025-001: Joint investigation into a data breach at 23andMe by the Privacy Commissioner of Canada and the UK Information Commissioner

23andMe Inc.

This joint investigation by the Privacy Commissioner of Canada (OPC) and the UK Information Commissioner (ICO) examined a significant data breach at 23andMe, which affected nearly 7 million customers globally. The investigation found that 23andMe failed to implement appropriate safeguards to protect sensitive personal information, including genetic data, from a credential stuffing attack. Furthermore, the company's notifications to both regulatory bodies and affected individuals were found to be inadequate in content and, in some cases, timeliness. Although contraventions were found, the issues were deemed resolved due to significant security improvements made by 23andMe.

Adjudicator: Philippe Dufresne

Key Issues
  • Adequacy of safeguards to protect personal information, particularly genetic data, from credential stuffing attacks.
  • Timeliness and completeness of breach notifications to regulators and affected individuals.
  • Risk of harm to individuals due to the sensitive nature of compromised personal information.
  • 23andMe's assessment of and response to the identified security deficiencies.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Mar 28, 2024 · PIPEDA Findings #2024-002 · Indexed Apr 12, 2026

PIPEDA Findings #2024-002: Investigation into Brinks Home

Brinks Home

The OPC investigated a complaint that Brinks Home failed to implement adequate safeguards, leading to the compromise of customer personal information via its online portal. While the OPC found Brinks Home had failed to adequately protect customer information, the issue was resolved through corrective actions and the subsequent sale of customer accounts. The OPC also determined that Brinks Home was not required to report the breach to the OPC or notify affected individuals because it did not present a real risk of significant harm.

Adjudicator: Philippe Dufresne

Key Issues
  • Adequacy of safeguards for personal information
  • Compliance with mandatory breach reporting requirements
  • Assessment of real risk of significant harm (RROSH)
  • Employee error leading to unauthorized access

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded
Feb 29, 2024 · PIPEDA Findings #2024-001 · Indexed Apr 12, 2026

PIPEDA Findings #2024-001: Investigation into Aylo (formerly MindGeek)’s Compliance with PIPEDA

Aylo (formerly MindGeek)

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint against Aylo (formerly MindGeek) concerning its handling of user-uploaded intimate content. The OPC found that MindGeek failed to obtain valid consent for the collection, use, and disclosure of personal information, particularly highly sensitive intimate images. The OPC also determined that MindGeek did not provide an accessible or effective process for individuals to remove their non-consensual content from its websites. Furthermore, the investigation concluded that MindGeek lacked accountability for the personal information under its control. The complaint was found to be well-founded and remains unresolved.

Adjudicator: Philippe Dufresne

Key Issues
  • Validity of consent for collecting and using intimate images
  • Effectiveness and accessibility of content takedown processes
  • Accountability for personal information under control
  • Jurisdiction over international operations

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Jul 31, 2023 · PIPEDA Findings #2023-002 · Indexed Apr 12, 2026

PIPEDA Findings #2023-002: Investigation into Agronomy’s privacy practices related to safeguards, accountability valid consent for the collection and use of personal information

Agronomy Company of Canada Ltd.

The Office of the Privacy Commissioner of Canada investigated a complaint against Agronomy Company of Canada Ltd. (Agronomy) following a significant data breach. The investigation found that Agronomy lacked appropriate safeguards, including multi-factor authentication, network segregation, and encryption, which contributed to the breach affecting 845 individuals. The OPC also found Agronomy lacked accountability structures. However, the complaint regarding valid consent for credit services was found not well-founded. Agronomy has since made significant improvements to its security measures and accountability practices.

Adjudicator: Philippe Dufresne

Key Issues
  • Adequacy of security safeguards
  • Accountability for personal information
  • Validity of consent for collection and use of personal information

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Jan 26, 2023 · PIPEDA Findings #2023-001 · Indexed Apr 12, 2026

PIPEDA Findings #2023-001: Investigation into Home Depot of Canada Inc.’s compliance with PIPEDA

Home Depot of Canada Inc.

The Office of the Privacy Commissioner of Canada investigated Home Depot for disclosing customer email addresses and purchase details to Meta (Facebook) through Meta's "Offline Conversions" tool without valid consent. Home Depot used this tool to measure the effectiveness of its Facebook ads. The OPC found that Home Depot's privacy statement and Meta's policy were insufficient to obtain implied consent for this disclosure, as customers were not reasonably expected to understand that their data would be shared for these secondary purposes. Home Depot has since discontinued the use of the tool and agreed to implement recommendations for obtaining express consent should they restart the practice.

Adjudicator: Philippe Dufresne

Key Issues
  • Whether Home Depot obtained valid consent for disclosing customer purchase data to Meta.
  • Whether the information disclosed was sensitive.
  • Whether Home Depot's privacy statement and Meta's policies provided sufficient notice and clarity.
  • Whether express opt-in consent should have been obtained.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Jul 27, 2022 · PIPEDA Findings #2022-006 · Indexed Apr 12, 2026

PIPEDA Findings #2022-006: Investigation into Trimac’s use of an audio and video surveillance device in its truck cabins

Trimac Transportation Services Inc.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint from a Trimac truck driver concerned about audio and video recording in his truck cabin. The OPC found that while Trimac had legitimate safety and asset protection goals, the continuous audio recording was too intrusive, especially when drivers were off-duty. Trimac was also not initially transparent about using the data for disciplinary purposes, failing to meet consent requirements under PIPEDA. Trimac has since implemented changes, limiting audio recording to on-duty hours and improving data access controls. The OPC found the complaint conditionally resolved regarding the intrusive nature of the recording and resolved regarding the consent issue, accepting Trimac's remedial actions.

Adjudicator: Philippe Dufresne

Key Issues
  • Appropriateness of continuous audio recording in truck cabins, including during off-duty hours.
  • Whether Trimac provided adequate information about the use of collected data for disciplinary purposes.
  • The proportionality of privacy intrusion versus business benefits.
  • The requirement for employee consent for data collection in an employment context.