Commissioner Releases Report Concerning Collection and Retention of Personal Information by Two Retail Stores

August 3, 2005

Commissioner Frank Work authorized an investigation under the Personal Information Protection Act (“PIPA” or “the Act”) after receiving complaints alleging that two Canadian Tire stores contravened the Act.

The complainants reported that a Canadian Tire store in Calgary and a Canadian Tire Store in Sherwood Park refused to complete a return of good transaction unless the customers provided their Drivers’ Licence (D/L) numbers or other identification.

The investigator found that the Calgary store contravened the Act by collecting and retaining D/L numbers in its merchandise return system. There was no evidence that the Sherwood Park Store retained the complainant’s D/L number.

The investigation revealed that:

  • For the purposes of deterring fraud, the stores collect certain personal information of individuals returning goods.  Simply asking for a name, address and telephone number was sufficient to meet their purposes.
  • Viewing picture identification to confirm the name, address and telephone number in some cases was sufficient; it was not necessary to collect and retain more sensitive personal information such as a D/L number.

In response to this Office’s investigation, the Calgary Store immediately ceased collecting and retaining ID as part of its return of goods transactions. As well, Canadian Tire Corporation Limited, in consultation with the Canadian Tire Dealers’ Association (CTDA) committed to redesign the merchandise return computer system used by all Canadian Tire stores so that ID can no longer be entered into the system. They also agreed to purge the existing numbers from the system. The CTDA agreed to communicate this report to all Canadian Tire Associate Dealers, and to revise corporate merchandise return policies required as a result of this report.  This will assist in harmonizing the practices across all Canadian Tire stores.

The circumstances in this case illustrate that organizations need to carefully consider and limit the amount of personal information collected for legitimate business purposes.