McMillan LLP

04/06/2026 | Press release | Distributed by Public on 04/06/2026 15:27

Anonymization Pitfalls: Lessons from the OPC

April 6, 2026 | Privacy and Data Security Bulletin | 6 minute read

Organizations increasingly rely on anonymization as a means of unlocking the value of data while mitigating privacy risks. When properly executed, anonymization can take datasets outside the scope of Canada's private-sector privacy laws, allowing organizations to retain and use the resulting data for analytics, product development, and operational improvements without the constraints that ordinarily apply to the processing of personal information.

However, as recent enforcement activity by the Office of the Privacy Commissioner of Canada ("OPC") demonstrates, the bar for effective anonymization is high, and the consequences of falling short are significant. In this bulletin, we examine the OPC's recent findings against Loblaw Companies Ltd. ("Loblaw") regarding the retention of data from closed PC Optimum loyalty program accounts, discuss the standard for sufficient anonymization under the Personal Information Protection and Electronic Documents Act ("PIPEDA"), and highlight the practical and legal obligations that persist even after data has been anonymized.

The OPC's Loblaw Investigation: A Cautionary Tale

In PIPEDA Findings #2026-001, the OPC investigated complaints arising from Loblaw's handling of account deletion requests under its PC Optimum loyalty program, a voluntary rewards program with over 17 million members across Canada.[1] When members closed their PC Optimum accounts, Loblaw deleted certain personal identifiers (name, email address, phone number, and address) but retained other account data, including historical transaction data, loyalty program data, and usage data (login information, browsing behaviour, IP addresses, and device information). Loblaw took the position that, having stripped the direct identifiers, the retained data was no longer associated with an identifiable individual and was therefore anonymized.

The OPC evaluated whether Loblaw's approach was sufficient to render the retained data anonymous for the purposes of PIPEDA Principle 4.5.3, which requires that personal information no longer needed to fulfil identified purposes be destroyed, erased, or made anonymous. The OPC found that Loblaw had not demonstrated sufficient anonymization and was therefore retaining personal information in contravention of PIPEDA.

The OPC identified several deficiencies in Loblaw's anonymization process:

  • Loblaw retained public IP addresses, which can approximate a user's physical location and, when cross-referenced with transaction data, create a detailed profile of an individual's movements.
  • When replacing email addresses with dummy values, Loblaw retained the domain portion of the original email address, which can reveal identifying information such as an individual's employer or organizational affiliation.
  • The OPC found that historical transaction data has intrinsic re-identification potential, particularly for individuals in small communities whose purchasing patterns may be distinctive.
  • The OPC identified implementation failures, including a manual processing error in which an employee inserted a complainant's name into the dummy email address, an error that went undetected by Loblaw's internal controls.
  • Finally, Loblaw did not demonstrate that it had considered the impact of other data it held (such as login credentials stored separately) that could be cross-referenced with the retained data to facilitate re-identification.

The OPC noted that Loblaw did not aggregate, scramble, or otherwise perturb the underlying data from closed accounts: each former member's historical transaction data, usage data, and loyalty data remained associated as a separate data set. The OPC emphasized that where an organization chooses to anonymize rather than destroy personal information, the onus is on the organization to ensure, and demonstrate, that the information is sufficiently anonymized.

To resolve the matter, the OPC recommended that Loblaw engage an independent third party to assess its anonymization process and ensure that there is no serious possibility of re-identification, or alternatively, delete the information upon account closure. Loblaw agreed to conduct the third-party assessment, and the OPC found this aspect of the complaint to be well-founded and conditionally resolved.

When Is Data Sufficiently Anonymized?

The Loblaw decision demonstrates that simply stripping direct identifiers from a data set is not, on its own, sufficient to achieve anonymization under PIPEDA. The OPC has consistently held that data will still be considered "personal information" where there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other available information. For data to be considered anonymized, an organization must demonstrate that there is no serious possibility of re-identification.

By contrast, in its earlier investigation into the Public Health Agency of Canada (PHAC)'s use of de-identified mobility data during the COVID-19 pandemic, the OPC found that the combination of de-identification measures and safeguards against re-identification (including robust hashing of device identifiers, data aggregation with minimum cell sizes, contractual prohibitions on re-identification, access controls, and supervised data access) was sufficient to reduce the risk of identifying individuals below the "serious possibility" threshold.[2] The PHAC case illustrates that anonymization can be achieved through a layered approach combining both technical and organizational measures.

Drawing on both decisions, organizations seeking to anonymize personal information should, at a minimum:

  1. apply technical de-identification measures such as removing or hashing direct identifiers;
  2. employ additional techniques such as aggregation, perturbation, or scrambling to reduce the risk of singling out individuals;
  3. implement organizational safeguards including access controls, contractual prohibitions on re-identification, and audit or supervision capabilities; and
  4. conduct ongoing assessments of re-identification risk.
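As an added illustration (not from the OPC findings or this bulletin), the Python below runs steps 1, 2 and 4 above over a handful of constructed closed-account records: a scrub that keeps the email domain and IP address (the pattern the OPC faulted) beside one that removes every direct identifier, a check for records that can be singled out by region and purchasing pattern, and aggregation with a minimum cell size. The record fields, the pepper value and the function names are assumptions.

```python
import hmac
import hashlib
import re
from collections import Counter

# Constructed sample of closed-account records (invented values, not real data).
CLOSED_ACCOUNTS = [
    {"id": 1, "name": "Alice", "email": "alice@acme.example", "ip": "203.0.113.7",
     "region": "Yukon", "purchases": ["bread", "caviar"]},
    {"id": 2, "name": "Bob", "email": "bob@acme.example", "ip": "203.0.113.9",
     "region": "Ontario", "purchases": ["bread", "milk"]},
    {"id": 3, "name": "Carol", "email": "carol@mail.example", "ip": "198.51.100.4",
     "region": "Ontario", "purchases": ["bread", "milk"]},
    {"id": 4, "name": "Dan", "email": "dan@mail.example", "ip": "198.51.100.5",
     "region": "Ontario", "purchases": ["bread", "milk"]},
]
PEPPER = b"placeholder-secret-kept-outside-the-data-set"  # assumed; rotate in practice

def weak_scrub(rec):
    """The pattern the OPC faulted: a dummy local part, but the original email
    domain and the public IP address survive in the retained record."""
    domain = rec["email"].split("@", 1)[1]
    return {"email": f"deleted-{rec['id']}@{domain}", "ip": rec["ip"],
            "region": rec["region"], "purchases": list(rec["purchases"])}

def strip_direct_identifiers(rec):
    """Step 1: no direct identifier survives. A keyed hash of the account id
    stands in for name, email (local part and domain) and IP; the pepper is
    held apart from the data set so the token cannot be reversed from it."""
    token = hmac.new(PEPPER, str(rec["id"]).encode(), hashlib.sha256).hexdigest()[:16]
    return {"token": token, "region": rec["region"], "purchases": list(rec["purchases"])}

IDENTIFIER_RE = re.compile(r"@|\b(?:\d{1,3}\.){3}\d{1,3}\b")  # email or IPv4 residue
def leaked_identifiers(rec):
    """Control check: fields whose value still carries an email domain or IPv4 address."""
    return [k for k, v in rec.items() if isinstance(v, str) and IDENTIFIER_RE.search(v)]

def singled_out(recs):
    """Step 4 check: tokens whose (region, purchases) combination is unique, the
    distinctive-purchasing-pattern risk the OPC raised for small communities."""
    key = lambda r: (r["region"], tuple(sorted(r["purchases"])))
    counts = Counter(key(r) for r in recs)
    return [r["token"] for r in recs if counts[key(r)] == 1]

def aggregate(recs, min_cell=3):
    """Step 2: replace per-person rows with (region, item) counts and suppress
    cells below min_cell, the minimum-cell-size approach accepted in the PHAC case."""
    cells = Counter((r["region"], item) for r in recs for item in r["purchases"])
    return {cell: n for cell, n in cells.items() if n >= min_cell}
```

On the sample, the Yukon member remains singled out after step 1 alone and only disappears once the per-person rows are replaced by cell counts with the small Yukon cells suppressed.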

Context is essential to any anonymization assessment. The risk of re-identification depends on factors intrinsic to the data, such as the uniqueness of individual records and the granularity of the information retained, as well as external factors, including who has access to the data, their motivation to re-identify, and the availability of additional data that could be cross-referenced. An anonymization approach that is adequate in one context may not be sufficient in another.

Finally, organizations operating in Quebec should be aware that Quebec's Act respecting the protection of personal information in the private sector contains additional requirements governing the anonymization process, including the obligation to use generally accepted best practices and to conduct a risk assessment before anonymizing personal information. The anonymization process must also be supervised by a person qualified in the field. These requirements go beyond the general principles articulated in PIPEDA and impose specific procedural obligations that must be carefully followed.

The "Inescapable" Privacy Law Requirements for Anonymized Information

Even where an organization has successfully anonymized personal information, it should not assume that privacy considerations no longer apply. While anonymized information may fall outside the scope of Canada's private-sector privacy laws, any increase in the risk of re-identification, whether through changes in available data, advances in re-identification techniques, or disclosures to third parties, may render the information "personal information" once again, triggering the full application of privacy laws.

In practice, this means that many privacy law requirements remain effectively applicable to anonymized data sets. For example, if an organization fails to maintain adequate access controls and contractual protections against re-identification, the resulting increase in risk may be sufficient to bring the data back within the scope of privacy legislation. Similarly, the identity and capabilities of any party to whom the data is disclosed are relevant: information that is anonymized in the hands of one organization may not be considered anonymized in the hands of another that possesses additional data capable of facilitating re-identification.

For instance, disclosing an anonymized data set containing device identifiers to a technology company such as Apple or Google (entities that likely hold extensive device-level information on millions of users) could create a serious risk of re-identification through cross-referencing. Any such disclosure would likely need to be accompanied by robust safeguards, such as contractual prohibitions on re-identification, audit rights, and technical access controls.

Similarly, an anonymized data set containing IP addresses may not constitute personal information while held by a commercial organization, but this assessment could change if the data is made available to law enforcement bodies that possess additional means and motivation to link the information to identifiable individuals in the context of an investigation.

These dynamics make certain privacy law requirements (e.g., safeguards, disclosure limitations, third-party management) effectively inescapable for any anonymized data set where a residual risk of re-identification remains.

What If You Cannot Meet the Threshold for Anonymization?

If an organization cannot meet the threshold for anonymization, the effort is not in vain. De-identification measures reduce privacy risk and may support compliance with other privacy law obligations, even if they fall short of true anonymization. However, organizations must recognize that information which is not fully anonymized is subject to the full requirements of applicable privacy legislation. Under PIPEDA, for example, the organization must ensure that it has obtained valid consent to process the information (unless a recognized exception applies), that it processes the information for appropriate purposes only, and that it destroys or erases the information when it is no longer needed for the purposes for which it was collected.

Takeaways

The legal landscape governing anonymization and de-identification in Canada is complex and continues to evolve. Standards vary across jurisdictions: PIPEDA, Quebec's private-sector privacy legislation, and provincial health information statutes each impose distinct requirements.

Recent OPC decisions underscore that the bar for effective anonymization is high, that the onus falls squarely on the organization to demonstrate sufficiency, and that the assessment is ongoing rather than a one-time exercise. Organizations that collect, retain, or process personal information should seek legal advice to ensure that their anonymization and de-identification practices meet the applicable legal requirements and are supported by appropriate technical and organizational safeguards.

[1] OPC, PIPEDA Findings #2026-001 (March 5, 2026), available here.
[2] OPC, Investigation into the collection and use of de-identified mobility data in the course of the COVID-19 pandemic (May 29, 2023), available here. While this investigation was made under the federal Privacy Act, this legislation has a similar definition of "personal information."

by Robbie Grant

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2026

McMillan LLP published this content on April 06, 2026, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on April 06, 2026 at 21:27 UTC. If you believe the information included in the content is inaccurate or outdated and requires editing or removal, please contact us at [email protected]