Canadian Privacy Decisions

The OPC investigated a complaint against an online marketplace that sent an email to members inviting them to sign a petition without their explicit consent. The OPC found that the marketplace retained information appropriately but failed to obtain adequate consent for sending the petition email, which was beyond the scope of their services. The OPC also found that the marketplace did not handle the complainant's privacy concerns effectively. The matter was conditionally resolved when the marketplace committed to implementing recommendations, including obtaining opt-in consent for such emails and improving complaint handling. The issue was later resolved upon evidence of implementation.

• Adequacy of consent for using personal information for advocacy emails.
• Proper handling and escalation of customer privacy complaints.
• Appropriate retention of personal information.
• Clarity of purposes stated in the privacy policy.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint following a global data breach at VTech Holdings Limited, which potentially compromised the personal information of over 316,000 Canadian children and 237,000 Canadian adults. The investigation found significant deficiencies in VTech's information security safeguards, including a lack of testing, inadequate access controls, cryptographic issues, and absence of security monitoring. Although VTech contravened PIPEDA Principle 4.7, the OPC concluded the matter was resolved because VTech implemented timely and comprehensive measures to address the breach and improve its security.

• Adequacy of information security safeguards for children's data
• Failure to test for and mitigate known vulnerabilities
• Insufficient access controls and cryptographic protection
• Lack of comprehensive security management program