Investigation into authentication and transfer practices used during Loblaw gift card offering

PIPEDA Findings #2019-003

October 16, 2019

Overview

The Competition Bureau of Canada uncovered that Canadians were overcharged for some packaged bread products in Loblaw and other stores across Canada [Footnote 1]. In response, Loblaw offered eligible customers a $25 Loblaw Card that could be used to purchase items sold in their grocery stores.

The complainant attempted to register for a Loblaw Card. He was notified by Loblaw that as part of its process to confirm that they were issuing a $25 Loblaw Card to a single eligible person, they were writing to request some additional information, specifically a copy of either: (i) a current utility bill or (ii) a valid driver’s licence.

The complainant objected to having to provide the additional information as he felt Loblaw was collecting information unnecessary for its Loblaw Card Program. He also expressed concern about the information being processed by a Program Administrator in the United States.

We found that Loblaw failed to be sufficiently specific about what information individuals could redact from the ID they submitted, such that it collected more information than necessary from individuals who submitted un-redacted ID. Loblaw did ultimately rectify this issue for subsequent registrants by publicly clarifying the limited information it required from individuals submitting ID. Accordingly, we find that the matter is, with respect to over-collection, well-founded and resolved.

Secondly, in our view, given the limited, albeit sensitive, information that was shared with the Program Administrator, as well as the limited purposes and duration for which that information would be used, Loblaw’s detailed contractual requirements were sufficient to ensure a level of protection that was comparable to that which would be required under the Act. We found that Loblaw did not require additional consent for its transfer of name and address information for processing, given that it had already obtained consent for the purposes for which the information was to be used by the Program Administrator. We found that Loblaw was also sufficiently transparent about its cross-border data transfers, via its written communications to registrants. This aspect of the complaint was not well-founded.

Complaint

  1. The complainant alleged that Loblaw Companies Ltd. (“Loblaw”) collected more personal information than was necessary for the purpose of granting a $25 gift card (“Loblaw Card”) as part of the Loblaw Card Program.
  2. In addition, the complainant was concerned about the privacy implications associated with Loblaw transferring data to an organization in the United States.

Summary of Investigation

Background

  1. The Competition Bureau of Canada uncovered that Canadians were overcharged for the cost of some packaged bread products in Loblaw stores and other grocery stores across Canada. In response, Loblaw offered eligible registrants a $25 Loblaw Card that could be used to purchase items sold in their grocery stores across Canada.
  2. Registrants were eligible to receive a Loblaw Card if:
    1. they registered by May 8, 2018; and
    2. in the period between January 1, 2002 and March 1, 2015, they:
      1. had purchased one or more of the specified brands of packaged bread from Loblaw or its specified associated stores; and
      2. were the age of majority in their province.
  3. Loblaw engaged a third party (the “Program Administrator”) to administer the Loblaw Card Program on its behalf.

Information from the Complainant

  1. The complainant met the above conditions and attempted to register for the Loblaw Card. He received written notice from Loblaw informing him that:

    “As part of our process to confirm that we are issuing a $25 Loblaw Card to a single eligible person, we are writing to request some additional information. To confirm your residential address, please submit a scanned copy or photo of either (1) a current utility bill or (2) a valid driver’s licence through our online secure portal (…). Alternatively you can provide this information via mail to (address provided). Please do not send an original document.

    We need this information within 30 days so that we can finish processing your registration. Your utility bill or driver’s licence will not be used for any purpose other than to verify your eligibility to receive a $25 Loblaw Card and will be destroyed as soon as the verification is complete. If we do not receive this information within 30 days, we will have to reject your registration without further notice.

    If you have any questions, please contact us via email at (email provided).”

  2. In response to the notice, the complainant sent an email to Loblaw as he felt the company was collecting unnecessary additional information relative to the Loblaw Card Program, and he did not understand why he had been singled out. In addition, he expressed concern about the information being processed by Loblaw’s third-party processor in the United States. As a result of his concerns, he did not provide Loblaw with the additional requested information.
  3. As he did not receive a further response from Loblaw, the complainant filed the subject complaint.

Representations by the respondent

  1. Loblaw advised our Office that an individual wishing to participate in the Loblaw Card Program had to provide their name, residential address, date of birth, telephone number and email address. This information was requested to confirm eligibility, and to enable the Program Administrator to communicate with the registrants, manage fraud, and track and prove card activation and use.
  2. According to Loblaw, fraud measures included putting into effect the “I’m not a robot” “captcha” on the online registration form, requesting that registrants provide certain information as part of the registration process, and in a small proportion of the registrations (approximately 10% of cases), requesting additional identification showing the individual’s name and address, such as a utility bill or driver’s licence (the “ID”), to authenticate the individual. Loblaw explained that requests for ID were based on certain triggers which included multiple requests under a single or similar name, multiple requests from a single address, or irregularities in the registration (e.g., where a street or email address appeared to be invalid).
  3. Loblaw asserted that these measures were necessary to ensure that Loblaw Cards were issued only to identifiable, eligible individuals, and to be able to demonstrate in court, if necessary, that sufficient fraud measures were put in place to ensure that the Loblaw Cards were distributed only to those who were entitled to receive them (since proof of purchase was not a requirement for individuals to qualify for the program).
  4. Loblaw explained that since “in-person” ID examination was not feasible, the decision was made to collect copies of the information, verify it and then immediately destroy it.
  5. Loblaw further explained that registrants were informed about the reasons for its collection of personal information on the registration website. The registration form advised “We are collecting your personal information to verify your eligibility and communicate with you, as well as to manage fraud, track and prove card activation and use…”. The form also contained a link to the “Program Privacy Policy”.
  6. The registration form also required registrants’ consent to the following statement:

    I understand, confirm and agree that:

    - The Program Administrator may contact me as the Program Administrator deems appropriate for more information about my registration form, including requesting appropriate forms of ID.

  7. Since some registrants, like the complainant, became concerned about the additional collection of personal information, Loblaw clarified its request for ID in subsequent messaging in the media. Loblaw advised publicly that, when requesting ID, it was only seeking to confirm that an individual resided at the address provided on the registration form. Loblaw also informed registrants that it only needed to verify the name and address, and that any additional information, such as the driver’s licence number, could be redacted.
  8. Additionally, on March 16, 2018, Loblaw revised its communication to registrants to make clear that it was seeking only to confirm the name and residential address on “any current form of identification or documentation that shows your name and address”, no longer specifically requesting a driver’s licence.
  9. Loblaw also updated the Q & As on its website, to include information indicating that should registrants choose to submit a driver’s licence, they could redact their driver’s licence number and any other information, other than their name and residential address.
  10. Loblaw explained, in the Program Privacy Policy, its transfers to third parties for the purposes of administering the program. The Policy states, in part, that:

    1. Scope & Interpretation

    […] The Loblaw Card Program is administered by JND Legal Administration (the “Program Administrator”) on behalf of Loblaw. Blackhawk Network (Canada) Ltd. (“Blackhawk”) will be fulfilling and distributing the cards as well as tracking their activation and use on behalf of Loblaw, and Peoples Trust Company (“Peoples”) will act as the card issuer on behalf of Loblaw” […] …

    4. How Your Personal Information Will Be Used and Shared

    Your Personal Information will be used to verify your eligibility to receive a $25 Loblaw Card, communicate with you, fulfill and distribute cards, process card transactions, verify your identity, provide customer service, process claims for lost or stolen cards, reduce the risk of fraud, track and prove card activation and use, and for any other purpose authorized or permitted by law. The Personal Information submitted by you may be shared amongst Loblaw, the Program Administrator, Blackhawk and Peoples for the purposes referred to above. […]

    and;

    5. Retention and Cross-border Transfer

    Personal Information may be stored, accessed, or used in a country outside of Canada by Loblaw, the Program Administrator, Blackhawk and/or Peoples, or by service providers engaged by any of them, for any of the purposes identified in Section 4 above including the United States and El Salvador. Where Personal Information is located outside of Canada, it is subject to the laws of that jurisdiction which may differ from those in your jurisdiction and any Personal Information transferred to another jurisdiction will be subject to law enforcement and national security authorities in that jurisdiction. Subject to these laws, Loblaw, the Program Administrator, Blackhawk and Peoples will use reasonable measures to maintain protections of your Personal Information that are equivalent to those that apply in Canada. You hereby give your consent to such cross-border transfers (including to El Salvador and to the United States) of such Personal Information for any of the purposes set out in Section 4, above.
    [Our emphasis added]

  11. This information was provided via a link on the registration page and as part of the Loblaw Card Cardholder Agreement, which registrants agreed to in order to register for the card.
  12. Loblaw confirmed that as stated in the Program Privacy Policy, they engaged a third party who is experienced in administering such programs. The Program Administrator is located in the United States and collects the ID through a secure online channel or by mail. Once the information is verified, it is immediately destroyed and no information is retained.
  13. Loblaw’s privacy communications also referenced the potential for data transfers to El Salvador. Loblaw explained to our Office that, consistent with its privacy communications, registrants’ information would also have been accessed by a Salvadoran company sub-contracted by Blackhawk, another service provider, to provide call-center services in support of card distribution.
  14. As part of the investigation, our Office reviewed: (i) the Loblaw Card program registration form; (ii) the Program Privacy Policy; (iii) the relevant security addendum agreement entered into between Loblaw and the third party Program Administrator; and (iv) other related policies.

Application

  1. In making our determinations, we applied Principles 4.1.3, 4.3, 4.4 and 4.8 of Schedule 1 of the Act.
  2. Principle 4.1.3 states that an organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.
  3. Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information. Principle 4.3.4 provides, in part, that the form of the consent sought by the organization may vary, depending upon the circumstances and the type of information. In determining the form of consent to use, organizations shall take into account the sensitivity of the information. Principle 4.3.6 further states, in part, that an organization should generally seek express consent when the information is likely to be considered sensitive.
  4. Principle 4.4 states, in part, that the collection of personal information shall be limited to that which is necessary for the purposes identified by the organization.
  5. Principle 4.8 requires an organization to make readily available to individuals specific information about its policies and practices relating to the management of personal information.

Analysis and Findings

Limiting Collection

  1. The first issue at hand is whether or not Loblaw’s collection of ID for purposes of administering the Loblaw Card Program was in excess of that necessary for its identified purposes.
  2. Loblaw informed registrants, on the registration website itself and via a link to its Program Privacy Policy: (i) that it may request ID; and (ii) of the purposes for its collection of personal information, including to verify identity and reduce the risk of fraud. In addition, the notice sent to the complainant requesting additional information advised that the ID was requested, consistent with these identified purposes, in order for Loblaw to be able to “confirm [his] residential address”.
  3. The investigation confirmed that the registrants had options for the ID to be provided, such as a utility bill or other current form of ID that showed their name and residential address. In addition, Loblaw advised our Office that when ID was provided, it was used only to verify the address, and then destroyed. No other information from the ID was used, recorded or retained.
  4. We note that organizations must take care to limit both the type and amount of personal information collected to that which is necessary to fulfill the identified purposes. Organizations should also be specific about what kind of personal information they need to collect. Loblaw initially failed to inform the complainant, and other registrants who were contacted for additional ID, of what specific information was required, and that certain sensitive information, such as their driver’s licence photograph or number, was not required. As a result, some registrants, such as the complainant, chose not to send additional ID; others sent ID, including in many cases, a full scan of their driver’s licence.
  5. Subsequent to the complainant filing this complaint with our Office, Loblaw clarified publicly, and through a revision to its notice to registrants, that it only needed to verify the registrant’s name and address, and that any additional information, such as driver’s licence number or other information, could be redacted.
  6. After reviewing the evidence, we are satisfied that Loblaw’s request for documentation confirming name and address, in certain identified circumstances, would have been necessary to ensure that only eligible individuals received a Loblaw Card and to prevent fraudulent requests for multiple cards.
  7. We also note that Loblaw obtained express consent from the registrants for its collection of registrants’ name and address information, for purposes of verifying eligibility and managing fraud, in accordance with Principle 4.3.
  8. However, we are of the view that Loblaw was collecting, at least initially, more information than necessary to fulfil these purposes by asking for full copies of the ID, when it only needed proof of name and address, such that it would have accepted redacted copies. Since Loblaw subsequently resolved this issue by taking further actions to clarify the scope of its collection of ID, we find this aspect of the complaint, with respect to Principle 4.4 of the Act, to be well-founded and resolved.

Trans-Border Data Flows

  1. The complainant was also concerned that Loblaw engaged a third-party Program Administrator in the United States to manage the Loblaw Card program on its behalf. Accordingly, our Office considered Loblaw’s transfer of personal information to the Program Administrator for processing.
  2. Our analysis of this matter was informed by our Office’s Guidelines for Processing Personal Data Across Borders [Footnote 2] (the “Guidelines”). More specifically, we considered:
    (i) if Loblaw ensured a comparable level of protection while individuals’ personal information was being processed by the Program Administrator; (ii) if Loblaw was required to obtain additional consent for the transfer of personal information for processing; and (iii) if Loblaw was sufficiently open with respect to its data transfers to third-party processors.

Accountability

  1. The Guidelines specify that “organizations must protect the personal information in the hands of processors” and that “the primary means by which this is accomplished is through contract.”
  2. During our investigation, Loblaw advised our Office that it had entered into a contract with the Program Administrator, JND Legal Administration (“JND”). JND is an organization that provides legal administrative and management services, and which, Loblaw represented, has deep expertise in administering programs such as the one in question. Loblaw provided copies of the security addendum to its contract with JND.
  3. Our Office confirmed that the contract limited JND’s use of personal information to that associated with administering the Loblaw Card program.
  4. The contract also provided guarantees of confidentiality and security of personal information, and included a list of specific safeguard requirements, such as: (i) implementing measures to protect against compromise of its systems, networks and data files; (ii) encryption of personal information in transit and at rest; (iii) maintaining technical safeguards through patches, etc.; (iv) logging and alerts to monitor systems access; (v) limiting access to those who need it; (vi) training and supervision of employees to ensure compliance with security requirements; (vii) detailed incident response and notification requirements; (viii) Loblaw’s pre-approval of any third parties to whom JND wishes to share personal information, as well as a requirement for JND to ensure contractual protections that are at a minimum equivalent to those provided for by its contract with Loblaw; and (ix) to submit to oversight, monitoring, and audit by Loblaw of the security measures in place.
  5. As outlined above, the additional IDs requested by the Program Administrator were collected through a secure channel (if online) or by mail, verified and then destroyed.
  6. In our view, given the limited, albeit sensitive, information that was shared with the Program Administrator, as well as the limited purposes and duration for which that information would be used, Loblaw’s detailed contractual requirements were sufficient to ensure a level of protection that was comparable to that which would be required under the Act. Therefore, in our view, Loblaw did not contravene Principle 4.1.3 of Schedule 1 of the Act.
  7. Additionally, Loblaw confirmed that its contract with Blackhawk provided for similar safeguards to those required under its contract with JND. These, in turn, included a requirement for Blackhawk to ensure contractual protections that are at a minimum equivalent to those provided for by its own contract with Loblaw when sub-contracting, for instance with the Salvadoran organization.

Consent

  1. As stated above, we are of the view that Loblaw should not have been collecting ID information beyond name and address, which were required for its purposes. It follows that the excess information, including digital photo and driver’s licence number, should not have been transferred for processing.
  2. With respect to the name and address information, the Guidelines provide that, “assuming the information is being used for the purpose it was originally collected, additional consent for the transfer is not required.”
  3. In this case, Loblaw obtained, via a prominent notice in the email it sent to registrants requesting their ID, express consent to collect and use that name and address information for the sole purpose of verifying their eligibility for the program.
  4. Ultimately, the purposes for which the name and address information was transferred for processing were consistent with those for which consent was originally obtained, such that additional consent for the transfer was not required.

Openness

  1. Finally, the Guidelines provide that “organizations must also be transparent about their personal information handling practices”, which includes advising customers that their personal information may be sent to another jurisdiction for processing, and that while the information is in another jurisdiction, it may be accessed by the courts, law enforcement and national security authorities.
  2. In our view, based on the information provided by Loblaw in its Program Privacy Policy, as detailed in paragraph 18 of this report, Loblaw was sufficiently transparent about its cross-border transfers, as required by Principle 4.8.

Conclusion

  1. Accordingly, we conclude that the matter is well-founded and resolved for Principle 4.4 and not well-founded for Principles 4.1.3 and 4.8.