October 16, 2019

OPC concludes investigation into authentication and data transfer practices used during Loblaw gift card offering

The Office of the Privacy Commissioner of Canada (OPC) has concluded an investigation related to the collection of personal information as part of a gift card offer by Loblaw Co. Ltd. The gift cards were offered in the wake of a Competition Bureau of Canada review of allegations that Loblaw, and other retailers, had overcharged customers for certain packaged bread products.

The OPC’s investigation found that Loblaw had collected, at least initially, an excess amount of personal information, including driver’s licence numbers and photos, while attempting to validate the identity of certain customers who were requesting a $25 gift card.

This over-collection was the result of Loblaw failing to explain to individuals that, while a name and address were needed to verify an identity, other more sensitive information such as driver’s licence numbers, birthdates and digital photos (the latter being a form of biometric data) could be redacted.

During the investigation, Loblaw took steps to limit the information it was collecting. The OPC was satisfied with those measures.

The investigation also addressed issues related to transfers for processing, which was the subject of a recent OPC stakeholder consultation.

The investigation found Loblaw did not require additional consent for its transfer of name and address information for processing, given that it had already obtained consent for the purposes for which the information was to be used by the third-party program administrator.

As well, Loblaw was sufficiently transparent about its cross-border data transfers to the United States and El Salvador in the program privacy policy.

Loblaw also had detailed contractual requirements that were sufficient to ensure a level of protection comparable to that which would be required under Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act, or PIPEDA. In particular, Loblaw’s contract with the program administrator contained a list of specific safeguard requirements and required the third-party administrator of the program to submit to oversight, monitoring, and security audits by Loblaw of these measures.

More information about the investigation can be found in the Report of Findings.
