On March 5, 2026, the Office of the Privacy Commissioner of Canada (“OPC”) clarified the definition of “made anonymous” under the Personal Information Protection and Electronic Documents Act SC 2000, c 5 (“PIPEDA”), and the appropriate anonymization practices for personal information as part of its Report of Findings into the practices of Loblaws Companies Ltd. (“Grocer”).
Key Takeaways
The OPC’s Report sets out the OPC’s expectations regarding anonymization under PIPEDA, and the risk factors and mitigation techniques in connection with re-identification.
- “Made anonymous” – Under PIPEDA, personal information that is no longer required to fulfil identified purposes should be “destroyed, erased, or made anonymous”. Making personal information anonymous means “the organization must take steps to ensure that there is no serious possibility that the information retained may be re-identified, either alone or in combination with other available information.” While this definition is only partially informative, it provides a threshold of re-identification required for proper anonymization, and the OPC expands on the processes and measures required both for anonymization itself and for ongoing re-identification risk assessments.
- Re-identification risk – The risk of re-identification depends on several factors, including (i) intrinsic data characteristics, (ii) de-identification techniques, (iii) potential for human error in de-identifying, (iv) availability of additional data for cross-checking, (v) who has, or could have, access to the dataset and for what purposes, their motivation to re-identify data and their knowledge that a specific individual’s information is included in the dataset, and (vi) the expertise and resources used in re-identification.
- Anonymization as a process – It is important to note that re-identification risk is not static and may increase over time, as improvements in re-identification techniques or the availability of additional data make re-identification easier. Organizations should view anonymization as a continuous process and repeatedly reassess the re-identification techniques and data available.
- Risk mitigation techniques – Mitigation techniques such as (i) aggregating, (ii) scrambling or perturbing, and (iii) organizational measures (such as limiting access, prohibiting re-identification of data, and providing appropriate training) can all be effective risk mitigation approaches.
In practice, organizations should continuously review their anonymization practices against the re-identification risks, using the factors above, to ensure that there is no serious risk of re-identification, and implement the risk mitigation techniques referenced by the OPC.
Background
The OPC’s investigation resulted from multiple complaints it received in May 2024 in connection with requests by individuals that the Grocer delete their loyalty program accounts (“Accounts”). The OPC accepted six complaints which alleged that Account holders were unable to delete their Accounts, including associated purchase history, and that Grocer was not responsive to inquiries regarding their deletion requests.
Issues
OPC’s investigation into Grocer sought to address the following issues:
- Does Grocer adequately address privacy challenges raised by individuals?
- Does Grocer retain personal information of the Account holders longer than necessary?
OPC Findings
Issue One: Adequacy of response to privacy requests
The OPC determined that while the Grocer had mechanisms in place for Account holders to delete their accounts, the Grocer took an unreasonable amount of time to respond to privacy-related inquiries, finding specifically that a span of 3 months is an extended period of time to respond to a deletion request. The OPC found this contravened Principle 4.10.2, which states organizations must put procedures in place to receive and respond to complaints about the organization’s handling of personal information. However, the OPC found that this issue was ultimately resolved as Grocer implemented improvements in its Account deletion process which will facilitate prompt responses to account holders who delete their Account and have questions about privacy-related matters.
Issue Two: Length of retention of personal information
The OPC determined that the Grocer retained personal information for longer than necessary in contravention of Principle 4.5.3 of PIPEDA (which states that personal information which is no longer needed should be destroyed, erased, or made anonymous). The problems were twofold. Specifically, while the Grocer deleted personal information from the Accounts, it still retained activity data and purchase history along with customer support communications. In response, OPC found that Grocer must establish retention schedules for such information, if it does not have them in place.
The OPC also found that once Accounts are deleted, the Grocer still retained the user’s universal login credentials (username and password). The OPC determined this was reasonable where the user had another Grocer-associated account that used these credentials; however, for users that had no other account, the OPC found that this retention was unreasonable. It recommended that Grocer conduct reviews at least annually, and delete the universal login credentials that have no active Account.
Anonymization criteria
Most importantly, the OPC found that the Grocer was retaining personal information longer than necessary as its procedures for anonymizing data were insufficient. As a result, while the Grocer believed it was keeping information that was anonymized (and therefore outside the regulatory perimeter), the OPC found that the Grocer’s anonymization processes were inadequate, the information was still identifiable and therefore subject to PIPEDA, and as a result its continued retention was a contravention of Principle 4.5 of PIPEDA. To address the issue, OPC recommended that Grocer undergo an independent third-party review to assess its anonymization process to ensure there is no serious possibility of re-identification.
In making this determination, OPC found that Grocer’s “anonymization” practice of stripping Accounts of names, phone numbers, and email addresses was insufficient to demonstrate that the data is anonymized. OPC determined that Grocer’s anonymization procedures had a serious risk of re-identification because the Grocer:
- retained public IP address data, which in the OPC’s view could be used to estimate an individual’s physical location and along with an individual’s transaction data could create a profile of their activities;
- failed to properly change account holders’ email address domains as part of its Account closing scheme (e.g., jane.doe@workplace.com, which could still provide identifying information such as user’s place of work);
- retained historic transaction data, which the OPC stated was particularly problematic because it could be combined with other usage data which the Grocer retained, such as browsing behaviour;
- had issues in its de-identification process such as manual processing errors (i.e. entering names in anonymization procedures) and failures to delete information from back-up systems; and
- failed to consider other factors affecting re-identification risk such as email addresses being stored separately but which could nonetheless be linked to a deleted Account.
The OPC stated that an organization “must demonstrate – with appropriate consideration of the relevant risk factors – that there is no serious possibility that the information can be linked to identifiable individuals either by itself, or in combination with other available data.”
The OPC emphasized that the onus to demonstrate adequate anonymization falls on the organization. The OPC also emphasized that this should be done on an ongoing basis, taking into consideration both of the following: the circumstances that could affect only some individuals in the dataset (such as uniquely identifiable purchase patterns), and evolving circumstances and technology (such as new techniques, or changes in the availability of other data that could increase the risk of re-identification).
The assessment of any particular instance of anonymization will depend on various risk factors, which include internal factors such as (1) intrinsic data characteristics, (2) de-identification techniques used, and (3) the potential for human error in conducting de-identification, and external factors such as (4) the availability of additional data for cross-checking, (5) who has, or could have, access to the dataset and for what purposes, their motivation to re-identify data and their knowledge that a specific individual’s information is included in the dataset, and (6) the expertise and resources used in re-identification.
In light of the risk factors, an organization must then take appropriate steps to anonymize the information and address the risk of re-identification. A range of risk mitigation strategies can be employed, including technical measures – such as aggregating (combining data about multiple individuals together so that any one individual’s own data is obscured), scrambling or perturbing (adding randomness to) data, and organizational measures – such as limiting access, prohibiting re-identification via contractual terms, and providing appropriate training.
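As an added illustration (not part of the OPC's Report or of this article's source material), the sketch below shows why stripping names, phone numbers and email local parts can leave records singled out by the fields that remain, and how aggregation with small-group suppression changes that. The field names, sample records and the threshold k are constructed assumptions, and counting unique combinations is only a simple proxy for re-identification risk, not the OPC's "no serious possibility" test.

```python
from collections import Counter, defaultdict

# Constructed sample: loyalty records after names, phones and email local parts were stripped.
RECORDS = [
    {"ip": "203.0.113.10", "email_domain": "workplace.example", "store": "S1", "spend": 42},
    {"ip": "203.0.113.11", "email_domain": "mail.example", "store": "S1", "spend": 18},
    {"ip": "203.0.113.12", "email_domain": "mail.example", "store": "S1", "spend": 30},
    {"ip": "198.51.100.7", "email_domain": "clinic.example", "store": "S2", "spend": 55},
    {"ip": "198.51.100.8", "email_domain": "mail.example", "store": "S2", "spend": 12},
    {"ip": "198.51.100.9", "email_domain": "mail.example", "store": "S2", "spend": 25},
    {"ip": "192.0.2.44", "email_domain": "mail.example", "store": "S3", "spend": 70},
]

def singled_out(records, quasi_ids, k):
    """Count records whose quasi-identifier combination is shared by fewer than k records."""
    classes = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return sum(n for n in classes.values() if n < k)

def aggregate_with_suppression(records, group_key, value_key, k):
    """Aggregate per group and suppress any group with fewer than k individuals."""
    groups = defaultdict(list)
    for r in records:
        groups[r[group_key]].append(r[value_key])
    return {g: {"customers": len(v), "total_spend": sum(v)}
            for g, v in groups.items() if len(v) >= k}

if __name__ == "__main__":
    K = 2  # assumed threshold for this illustration
    # Retained IP and employer-style domains make every record unique.
    print("ip+domain+store:", singled_out(RECORDS, ("ip", "email_domain", "store"), K))
    # Dropping the IP helps, but distinctive email domains still single people out.
    print("domain+store:", singled_out(RECORDS, ("email_domain", "store"), K))
    # Even store alone isolates the lone S3 customer, so row-level release is unsafe.
    print("store only:", singled_out(RECORDS, ("store",), K))
    # Aggregated release with the single-customer store suppressed.
    print("aggregate:", aggregate_with_suppression(RECORDS, "store", "spend", K))
```

Re-running the same count whenever a new field is retained or a new external dataset becomes linkable is one way to operationalize the ongoing assessment the OPC describes.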
The OPC noted that “[a]ssessing and mitigating the possibility of re-identification is a growing and rapidly evolving field, one that any organization choosing to anonymize information, rather than erase or destroy it, must thoroughly understand to achieve effective data anonymization”. As a result, the OPC recommended that the Grocer retain a qualified third party to review the Grocer’s anonymization process and recommend re-identification risk mitigation measures. The Grocer disagreed with the OPC’s Findings in respect of its anonymization practices, but nonetheless agreed to retain the third party.
For further guidance on implementing anonymization assessments, please reach out to Melika Mostowfi or other members of the Dentons Privacy and Cybersecurity group.