News release
Staples investigation a reminder to businesses to fully delete personal data on electronic devices before resale
January 13, 2026 – Gatineau, Quebec
An investigation by the Privacy Commissioner of Canada into Staples Canada has found that the company did not fully remove users’ personal information from returned laptops that it later resold.
The results of the investigation were similar to those of an audit of Staples by the Office of the Privacy Commissioner of Canada that was conducted in 2011. At that time, the company committed to improving its practices, including by testing various means of wiping data, yet this most recent investigation revealed that some of the same problems persist 15 years later.
The Privacy Commissioner has identified key takeaways for all companies subject to the Personal Information Protection and Electronic Documents Act, Canada’s federal law for private-sector organizations, to keep in mind when selling returned devices. They are reminded to:
- Perform a factory reset using the manufacturer’s instructions to fully wipe personal information from any electronic devices that are resold;
- Provide employees with clear, consistent and standardized instructions on how to remove personal information from returned devices; and
- Fully train staff so that they can complete technical tasks related to wiping data from electronic devices.
Staples has confirmed that it is now updating its policies and that it will implement the Privacy Commissioner’s recommendations.
Quote
“This investigation is an important reminder to all companies that sell returned computers and other electronic devices that they must protect the personal information of their customers by fully wiping devices before reselling them.”
Philippe Dufresne
Privacy Commissioner of Canada
Related links
Media contact
Office of the Privacy Commissioner of Canada
communications@priv.gc.ca
- Date modified: