Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA Case Summary #2006-361

Retailer requires photo identification to exchange an item

[Principles 4.2, 4.3, 4.3.2, 4.3.3 and subsection 5(3)]

When a customer attended a store to exchange a defective item, he was annoyed to learn that he had to provide photo identification in order to make the exchange. Although the store had notices posted in a number of places indicating that photo identification is required for a return or an exchange, there was no explanation of why it is needed or how it may be used.  The Assistant Privacy Commissioner found the store’s purpose for requiring this information appropriate, and agreed that the provision of photo identification could be a condition of service in certain circumstances. However, she was concerned that the purpose was not being identified, nor the use or disclosure of personal information explained. She made a number of recommendations to the store, which the store agreed to implement.

This complaint is similar to others that were investigated by the Alberta and British Columbia Offices of the Information and Privacy Commissioner. The relevant investigation reports can be found at: Investigation Report P2005-IR-007
Order P05-01.

The following is an overview of the investigation and the Assistant Commissioner’s deliberations.

Summary of Investigation

The complainant had purchased an item, which he later noticed was defective. He returned to the store to exchange the item and was informed that he would have to provide photo identification in order to make the exchange. He did not believe that a customer should have to provide any type of identification when returning or exchanging items and found such a requirement unreasonable.

The store in question is part of a chain of stores that are owned and operated as individual franchises. While each store is responsible for administering its own privacy policy, all have adopted the privacy policy developed by the corporate head office. If there are privacy issues, they are first addressed at the store level and then elevated, if necessary, to the corporate head office. Our Office dealt with the corporate privacy officer and representatives of three stores.

The investigation established that the store collects the personal information of customers for a number of reasons, including for returns or exchanges. In reference to the latter, the store’s privacy policy states it collects personal information to “protect against fraud and error in order to protect our customers and our business.” This policy is available at every store, upon request.

The store in question confirmed that the complainant was asked to produce photo identification when he returned the item for exchange, in accordance with its practice. The store typically asks the customer to provide his or her name, address and telephone number, which is recorded in a database. This information is then verified by examining the photo identification; the information relating to the photo identification is not recorded at this store. According to the owner of the store, the complainant was informed of the reasons for the collection of the information, as well as the store’s privacy policy.

The owner also supplied our Office with copies of sales receipts. On the front of these, it states (in block letters):


On the back of the sales receipts, it states:

Easy returns: Save Your Receipt.
To return an item for an exchange or refund, bring it to any … store within 90 days, in its original condition and packaging, with your receipt …. Valid photo ID may be required. Details at our Customer Service Desk. Some exceptions may apply.

There are also signs at cash registers and the customer service desk indicating that valid photo identification may be required for returns. The requirement is also stated in the store’s catalogue under “Easy returns.” Nowhere is it indicated, however, that personal information must be provided and that photo identification is used to verify this information, nor is it stated anywhere that customer information (name, address, telephone number) is recorded in a database.

The investigation revealed that some stores in the chain differ in their personal information requirements when it comes to returns or exchanges. Some stores only require the customer’s name and telephone number, while the store the complainant attended requires the name, address and telephone number. One of the owner/managers with whom we spoke indicated that his staff always verifies personal information against photo identification. Another requires photo identification most of the time, and the third stated that it is left up to the customer care employee to decide whether photo identification is necessary. No store retains the information from the photo identification.

One of the store owners explained that he has a number of repeat customers and contractors who deal with the store on a regular basis. As he is able to get to know many of his customers, he does not feel it is necessary to ask for identification for regular customers who are known. Another store owner stated that the customers of his business are transient; as a result, he suffers more problems with fraud and theft and therefore ensures that his staff always verifies personal information against photo identification. At the store the complainant visited, both the owner and store manager confirmed that photo identification is always required. The contact information (i.e. name, address and telephone number, if recorded) is kept for seven years and then destroyed. Not all stores in the chain have set retention and destruction timeframes.

The Retail Council of Canada (RCC) provided our Office with information regarding the collection of customers’ personal information in order to obtain a refund. According to the RCC, such information is necessary to combat theft and fraud. The RCC provided us with examples of how such a purpose is met. These are:

  • Reduction of theft by employees. Employees can no longer claim that an item had been returned for refund by an unknown person. Information about the customer is now available so stores can verify the return.
  • Identification of multiple returns made by the same person or by persons who have different names but are connected with the same address or telephone number.
  • Identification of buying patterns. For example, people may buy an item and then use half of it. They then return the unused portion and claim the item is defective or was not full upon purchase.
  • Reduction of “receipt theft.” This is the theft of items listed on receipts that people find outside a store or in a mall.

According to the owner of the store in question, it would lose roughly the same amount of money through fraud or theft, regardless of whether it is an exchange or a refund. It therefore treats exchanges the same as refunds.

The representatives of the different stores stated that the information in each store’s database is not accessible by other stores or, in fact, by other areas of the store. Each store owner or general manager may look for a pattern in the return/exchanges of items at his or her own store. If a pattern of concern is noted, the store manager/owner might have to approve future returns. The representatives stated that if a pattern is discussed with a particular customer, the problematic behavior ceases.

The store representatives also confirmed that they may call other stores to ask if they are having a problem with the same individual or “identifier” (such as a telephone number or address). Neither the privacy policy nor return information that is made available to customers states that information collected for returns or exchanges may be shared with other stores. All stores will honour the return of items purchased at other stores, even those out of province. If there is a question with respect to the return, the stores state that they need to be able to call other stores to deal with the return issue or to note problematic patterns.


Issued November 14, 2006

Application: Principle 4.2 requires organizations to identify the purposes for which personal information is collected at or before the time the information is collected. Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.3.2 stresses “knowledge and consent.” It states that organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed. Principle 4.3.3 states that an organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes. Subsection 5(3) states that an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.

In making her determinations, the Assistant Commissioner deliberated as follows:

  • She began by commenting that the purpose of the Act is to balance the individual’s right of privacy with respect to his or her personal information and the need of organizations to collect, use, or disclose personal information for appropriate purposes. In order to decide whether this balance between the individual and the organization is being met, she considered whether a reasonable person would find the organization’s purposes for requiring a piece of photo identification for a refund or exchange to be appropriate in the circumstances. It was important to note that the photo identification information is not recorded and therefore not retained.
  • The store’s purpose for collecting the customer’s name, address and telephone number is to protect against fraud and error in order to protect its customers and business. It asks for photo identification in order to verify that the information provided by the customer is accurate.
  • Although the complainant was not concerned about the collection of his name, address and telephone number, the Assistant Commissioner did consider the issue. She determined that the collection of this information in the context of a refund or exchange resulted in a minimal loss of privacy to the customer and was therefore appropriate in the circumstances.
  • At issue in this complaint then was the appropriateness of asking for a piece of photo identification.
  • The investigation established that the information from the piece of identification is not recorded at this store. The loss of privacy to the customer as a result of viewing the identification was therefore small. Employee or customer fraud, on the other hand, means higher prices for all consumers.
  • The Assistant Commissioner then addressed the question of whether there is any other way to prevent fraud and theft in the refund process, without asking for photo identification. Stores could refuse to give refunds, but such a measure would not likely be acceptable to most customers. She concluded that, at the moment, there does not seem to be another way of achieving the same end without asking for some customer personal information and authenticating it.
  • She therefore found that a reasonable person would likely consider the store’s purposes appropriate in the circumstances and in keeping with subsection 5(3).
  • The company has, in some instances, made the provision of photo identification a condition of service (in those stores where the clients are not well known to employees, for example). It has also limited the collection of this information to its purposes.
  • The Assistant Commissioner noted that making the provision of photo identification a condition of service would only be acceptable if the purposes for the collection, use or disclosure were explicitly stated, as required by Principle 4.3.3.
  • The store clearly states in a number of places (at the customer service desk, cash registers, and printed on only one side of receipts and in the catalogue) that it requires photo identification for refunds and exchanges. Yet nowhere does it explain why photo identification (or for that matter, name, address and telephone number) is required, contrary to Principle 4.2. A customer would therefore not likely be able to reasonably understand why any of this information must be collected, how long it will be retained (if recorded), or how the information will be used or disclosed. Specifically, customers are not told that photo identification is required for authentication, nor are they told that their name, address and telephone number will be recorded and may be subsequently used or disclosed. 
  • Given that individuals are not being informed of the purposes for a collection of their personal information in a manner in which they can reasonably understand how this information will be used or disclosed, the Assistant Commissioner could not conclude that the organization met the knowledge requirement or that it is obtaining meaningful consent, as required under Principles 4.3, 4.3.2, and 4.3.3.
  • She therefore found that the store’s purpose for collection was appropriate, and that making the provision of photo identification a condition of service in certain circumstances was acceptable as long as the purposes are explicitly stated. However, since the purposes were not identified nor the uses or disclosures explained, she determined that the store had not met its consent requirements.
  • The Assistant Commissioner recommended that the store do the following:
    • amend its return policy to include “exchanges;”
    • amend its return/exchange policy to reflect that it may collect, use, retain, and disclose personal information to prevent fraud; and
    • establish a retention policy for use in all of its stores to ensure consistency.
  • The store agreed to implement these recommendations.

The Assistant Commissioner concluded that the complaint was not well-founded with respect to the collection of information and well-founded and resolved with respect to both identifying purposes and consent.