Thursday, October 24, 2019 8:42:30 PM
OPC concludes investigation into authentication and data transfer practices used during Loblaw gift card offering
The Office of the Privacy Commissioner of Canada (OPC) has concluded an investigation related to the collection of personal information as part of a gift card offer by Loblaw Co. Ltd. The gift cards were offered in the wake of a Competition Bureau of Canada review of allegations that Loblaw, and other retailers, had overcharged customers for certain packaged bread products.
The OPC’s investigation found that Loblaw had collected, at least initially, an excessive amount of personal information, including driver’s licence numbers and photos, while attempting to validate the identity of certain customers who were requesting a $25 gift card.
This over-collection was the result of Loblaw failing to explain to individuals that, while a name and address were needed to verify an identity, other more sensitive information such as driver’s licence numbers, birthdates and digital photos (the latter being a form of biometric data) could be redacted.
During the investigation, Loblaw took steps to limit the information it was collecting. The OPC was satisfied with those measures.
The investigation also addressed issues related to transfers for processing, which was the subject of a recent OPC stakeholder consultation.
The investigation found Loblaw did not require additional consent for its transfer of name and address information for processing, given that it had already obtained consent for the purposes for which the information was to be used by the third-party program administrator.
As well, Loblaw was sufficiently transparent about its cross-border data transfers to the United States and El Salvador in the program privacy policy.
Loblaw also had detailed contractual requirements that were sufficient to ensure a level of protection comparable to that which would be required under Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act, or PIPEDA. In particular, Loblaw’s contract with the program administrator contained a list of specific safeguard requirements and required the third-party administrator of the program to submit to oversight, monitoring, and security audits by Loblaw of these measures.
More information about the investigation can be found in the Report of Findings.