Investigation into the personal information retention practices of Loblaw for the PC Optimum Loyalty Program

Table of Contents

Complaint under the Personal Information Protection and Electronic Documents Act (the “Act”)

Takeaways

Report of findings

Overview

Analysis

• Issue 1: Does Loblaw adequately address privacy challenges raised by individuals?
• Issue 2: Does Loblaw retain personal information of PC Optimum members for longer than necessary? Conclusion

Footnotes

PIPEDA Findings #2026-001

March 5, 2026

Complaint under the Personal Information Protection and Electronic Documents Act (the “Act”)

Takeaways

An investigation by the Privacy Commissioner of Canada into complaints related to Loblaw Companies Ltd.’s retention of the purchase histories of former members of the PC Optimum Loyalty Program underscores the importance of ensuring that anonymized data cannot be relinked to individuals.

1. PIPEDA Principle 4.5.3 states that personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous. Where an organization chooses to anonymize personal information rather than destroy or erase it, the onus is on the organization to ensure, and demonstrate, that the information is sufficiently anonymized.
2. For information to be considered anonymized for the purpose of Principle 4.5.3 of PIPEDA, organizations must take steps to ensure that there is no serious possibility that the information retained may be reidentified, either alone or in combination with other available information.
3. Ensuring that the risk of re-identification is sufficiently low is an ongoing process – as improvements of re-identification techniques, or the availability of additional data that could be used to reidentify, can increase the risk over time.
4. Failure to fully respond in a timely manner to privacy concerns constitutes a contravention of Principle 4.10 of PIPEDA which states that an individual shall be able to address a challenge concerning privacy principles with the designated individual accountable for the organization’s compliance.

Report of findings

Overview

1. Starting in May 2024, the Office of the Privacy Commissioner of Canada (OPC) began receiving complaints against Loblaw concerning issues with the deletion of PC Optimum Loyalty Program accounts. The account deletions appeared to be related to a boycott movement against Loblaw and their affiliated stores Footnote 1, initiated by a Reddit Footnote 2 group.
2. Loblaw Companies Ltd. is the parent company that oversees all Loblaw brands and operations, including Loblaws, Real Canadian Superstore, No Frills, and Shoppers Drug Mart. Loblaws Inc. is a specific supermarket brand owned by Loblaw Companies Ltd. The PC Optimum Loyalty Program (referred to as PC Optimum or the Program) is operated by President’s Choice Services Inc. (PCSI), a subsidiary of Loblaws Inc. For the purpose of this report, we will refer to these companies collectively as Loblaw.
3. The Program has more than 17 million members across Canada. It is a voluntary and free loyalty rewards program that enables customers to earn points when purchasing products through participating retail locations and third-party program participants. Members can exchange their points for eligible purchases at any participating retail store or online website operated by Loblaw.
4. Individuals have the option of joining the Program without providing their name (or any other personal information) by picking up a physical PC Optimum card at participating stores. Alternatively, they can register for an online PC Optimum account by creating a login (email address and password) and providing their first name through the PC Optimum App or Website. Footnote 3
5. The OPC accepted a total of six complaints against Loblaw in which all complainants alleged that they were unable to delete their PC Optimum accounts including the associated purchase history, and that Loblaw was unresponsive to their queries regarding their deletion requests.
6. Following receipt of these complaints, the OPC launched an investigation to determine whether:
   1. Loblaw addresses privacy challenges raised by individuals regarding the deletion of their PC Optimum account in a manner that complies with PIPEDA ’s Challenging Compliance principle 4.10 (Issue 1); and
   2. Loblaw retains personal information for only as long as necessary when a member deletes their PC Optimum account in accordance with PIPEDA ’s retention requirements (Issue 2).
7. In regard to Loblaw’s compliance with PIPEDA ’s Challenging Compliance principle, we determined that Loblaw does have mechanisms for members to request the deletion of their PC Optimum account and to raise privacy issues. Loblaw explained that the deletion requests were received during a period of time when it received an unprecedented volume of customer inquiries and requests. Nevertheless, since it took Loblaw an unreasonable amount of time to address these deletion requests and the company failed to respond to some privacy-related inquiries, we conclude that Loblaw contravened principle 4.10 of PIPEDA. That said, during the investigation, Loblaw took measures to enhance its’ procedures to ensure that it addresses all privacy concerns in a timely manner going forward. Therefore, we find this aspect of the complaint to be well-founded and resolved.
8. In regard to compliance with PIPEDA ’s retention principle, Loblaw represented that, upon account closure, rather than deleting all information associated with closed PC Optimum accounts, Loblaw deletes from the accounts the personal identifiers (name, email, phone number and address, to the extent that such details were provided by the Program member as part of their online account profile), while retaining most other information, including purchase transaction data. While PIPEDA ’s retention principle does permit organizations to anonymize personal information once no longer necessary instead of destroying or erasing it, Loblaw did not demonstrate during our investigation that it was or is taking sufficient steps to ensure that information is properly anonymized.
9. To resolve the issue, the OPC recommended that Loblaw engage an independent third party to review and assess their anonymization process to ensure that there is no serious possibility of re-identification from the retained personal information associated with a closed PC Optimum account or, alternatively, that it deletes the information associated with a closed PC Optimum account upon the account closure, or within a short period after.
10. Although Loblaw disagreed with our finding and maintains that the personal information from a closed PC Optimum account is retained in a form that is no longer associated with an identifiable person, it agreed to conduct a third-party assessment. We therefore find this aspect of the complaint to be well-founded and conditionally resolved.

Analysis

1. As a preliminary matter, we note that one complainant, who only had a PC Optimum card (no online account), also alleged that Loblaw had collected unnecessary personal information by requiring them to create an online account to delete their PC Optimum account. Principle 4.4 states, in part, that the collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. The OPC therefore expects Loblaw to limit the collection of a member’s personal information only to that which is necessary to delete their PC Optimum account.
2. Loblaw explained that members who only use a physical card can simply destroy their physical card to end their participation in the Program and are not required to provide any additional personal information to Loblaw to cease their participation in the Program. Loblaw explained that the complainant’s experience resulted from a miscommunication and that the complainant received an automated response intended for members with an online account. We therefore find this aspect of the complaint not well-founded. Loblaw subsequently updated their internal procedures as well as information on their website intended for members regarding account deletion requests for individuals who only have a PC Optimum physical card.

Issue 1: Does Loblaw adequately address privacy challenges raised by individuals?

1. Complainants claimed that it took Loblaw an unreasonable amount of time to comply with their request, or to receive a response to their inquiries.
2. Principle 4.10 of PIPEDA states that an individual shall be able to address a challenge concerning privacy principles outlined in PIPEDA with the designated individual accountable for the organization’s compliance. Furthermore, Principle 4.10.2 of PIPEDA states, in part, that organizations shall put procedures in place to receive and respond to complaints or inquiries about their policies and practices relating to the handling of personal information.
3. Therefore, the OPC expects Loblaw to have a process in place for individuals to raise privacy concerns related to the deletion of their PC Optimum account, and to respond and investigate these concerns.

Loblaw’s Process to Delete PC Optimum Accounts and Respond to Related Inquiries

1. Individuals can delete their PC Optimum account at any time through Loblaw’s Customer Support, the App or their Website. For members using a physical card only, Loblaw explained that they can simply destroy their physical card. However, Loblaw acknowledged that it did not fully respond to certain deletion inquiries or took an extended amount of time to respond (from May through July 2024) due to the volume of complaints and technical challenges.

Improvements made by Loblaw

1. During the investigation, Loblaw conducted an in-depth review of their internal workflow to respond to deletion requests and made enhancements to their account deletion process to ensure that members are informed of the status of their request within a reasonable amount of time. Loblaw also provided additional training to their staff and resolved the technical issues that had resulted in some members not receiving final confirmation emails. Finally, Loblaw also responded to all the complainants to confirm their account deletion.

Conclusion on Issue 1

1. We find that, while Loblaw did have processes in place for members to raise privacy challenges, in this case, it failed to respond to all inquiries, contravening Principle 4.10 of PIPEDA. However, we also find that Loblaw enhanced their procedures to address privacy concerns in a timely manner, resolving this aspect of the complaint.

Issue 2: Does Loblaw retain personal information of PC Optimum members for longer than necessary?

Preliminary Matter – retention of Customer Support logs and inactive login credentials

1. As a preliminary matter, we learned during the investigation that in addition to the PC Optimum account information discussed below, when a member deletes their PC Optimum account, Loblaw retains the logs of the member’s interactions with Customer Support and copies of associated correspondence for the purpose of addressing any post-closure concerns. While the OPC finds it reasonable that Loblaw retains such information for a limited amount of time, if not already in place, Loblaw must establish retention schedules for the deletion of these records as required by Principle 4.5.2 of PIPEDA. Footnote 4
2. The OPC also learned that following the deletion of a PC Optimum account, Loblaw separately retains the member’s universal login credentials (email and password), referred to as the “ PCid ” unless the member specifically requests the deletion of their PCid or of all of their personal information. Where an individual still has another Loblaw-associated account accessible via their PCid, such as JoeFresh or Shoppers Drug Mart’s online platform, we find that this is reasonable. However, we were concerned that Loblaw retains PCid s for longer than necessary for members who have no other account given that their PCid s no longer serve a clear purpose.
3. Principle 4.5.3 of PIPEDA states, in part, that personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous. Loblaw indicated that it does, on occasion, conduct ad-hoc reviews and delete PCid s for accounts that have been inactive for a period of time. In order to ensure that inactive PCid s are deleted in a more timely manner, we recommended, and Loblaw agreed, to conduct reviews at least annually, and delete any PCid s with no active account. Footnote 5 We therefore find this matter resolved.

Retention of PC Optimum account data

1. Several complainants alleged that Loblaw retained their personal information, associated with their PC Optimum account, even after it was no longer needed to offer the PC Optimum service to them (i.e., because they had requested deletion of their PC Optimum account). Loblaw confirmed that when a member deletes their online PC Optimum account, their contact information is deleted and replaced with a dummy email address, but that Loblaw retains the member’s Historical Transaction Data, Loyalty Data, and Usage Data (account online activity), defined further at paragraph 32.
2. As noted above, PIPEDA Principle 4.5.3 states that personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous. Our investigation enabled us to confirm that, with respect to information associated with a closed PC Optimum account, Loblaw is choosing to anonymize, rather than destroy or erase, the personal information associated with the PC Optimum accounts once it is no longer needed for the purpose for which it was collected – i.e., to deliver the PC Optimum services. Since it had removed the personal data elements such as the member’s name and email address, Loblaw considers that the information is maintained in a form that is not attributed to, or otherwise associated with, an identifiable individual.
3. At issue, therefore, is whether Loblaw is taking sufficient steps to render the information it retains anonymous. In our view, where an organization chooses to anonymize personal information rather than destroy or erase it, the onus is on the organization to ensure and demonstrate that the information is sufficiently anonymized. We would expect this to be done on an ongoing basis, taking into consideration both of the following:
   1. circumstances that could affect only some individuals in the dataset (such as uniquely identifiable purchase patterns), and
   2. evolving circumstances and technology (such as new techniques, or changes in the availability of other data that could increase the risk of re-identification).
4. For the reasons outlined below, we find that Loblaw did not demonstrate that it is sufficiently anonymizing personal information that it is retaining and is therefore in contravention of Principle 4.5.3 of PIPEDA.

Determining Appropriate Anonymization of Data

1. The term “made anonymous” is not defined in PIPEDA. However, in accordance with case law, the OPC has consistently found that information is about an “identifiable individual” where there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other available information. Footnote 6
2. We therefore find that for information to be considered anonymized for the purpose of Principle 4.5.3, the organization must take steps to ensure that there is no serious possibility that the information retained may be reidentified, either alone or in combination with other available information.
3. Assessing and mitigating the possibility of re-identification is a growing and rapidly evolving field, one that any organization choosing to anonymize information, rather than erase or destroy it, must thoroughly understand to achieve effective data anonymization. Footnote 7
4. The risk of re-identification of personal information depends on various factors. These include internal factors such as (1) intrinsic data characteristics, (2) de-identification techniques used, and (3) the potential for human error in conducting de-identification. External factors include (4) the availability of additional data for cross-checking, (5) who has, or could have, access to the dataset and for what purposes, their motivation to re-identify data and their knowledge that a specific individual’s information is included in the dataset, and (6) the expertise and resources used in re-identification. Footnote 8
5. Moreover, the risk of re-identification is not a static consideration and may increase over time with the improvement of re-identification techniques and the availability of additional resources and data that may be linked to the de-identified dataset. Footnote 9
6. Therefore, for the information that it retains for closed PC Optimum accounts to be considered anonymized, Loblaw must demonstrate—with appropriate consideration of the relevant risk factors—that there is no serious possibility that the information can be linked to identifiable individuals either by itself, or in combination with other available data.
7. For reference, we understand that, after the PC Optimum account closure, Loblaw retains the following information associated with the former member’s account:
   1. Loyalty Data, including data relating to the Program such as points earned and redeemed, offers and discounts used;
   2. Usage Data, including:
   3. Login Information (login status (i.e., “logged in”; “not logged in”), registration status (i.e., “registered”), hashed email address and public network IP address as well as frequency, duration and time of logins);
   4. Browsing behaviour (pages viewed, links clicked, user events, grocery store ID if selected, points balance, marketing consent status), and
   5. Device information (type, browser version, app version).
   6. Historical Transaction Data, meaning in-store and online purchase data Footnote 10, including:
   7. Sale product details (product ID, quantity and amount);
   8. Point-of-sale information (i.e., lane number, transaction number identification), and
   9. Transaction details (online or in-store, date, merchant, and store identification number). For members with physical cards only, Loblaw does not collect any Usage Data; it therefore only retains historical Transaction and Loyalty Data.
8. Loblaw represented that upon a PC Optimum account closure, Loyalty Data, Usage Data and Historical Transaction Data are retained for purposes such as conducting data analytics and to make data-driven decisions about the Program’s operations, including the enhancement and development of new product and service offerings and to assess customer trends.
9. The OPC requested that Loblaw provide a sample copy of the retained historical Transaction Data and Usage Data. Loblaw did not provide sample copies of this retained data. Based on the data points that Loblaw described, we find that stripping accounts of names, phone numbers and email addresses alone is insufficient for Loblaw to demonstrate that the data it retains is anonymized.

Loblaw has not demonstrated sufficient anonymization

1. We reached the conclusion that Loblaw has not demonstrated sufficient anonymization for the following reasons:
2. First, Loblaw retains public IP address data. Loblaw maintains that the IP address retained is at the “network level”, which it claims does not provide precise or individual-level location information. We disagree with this statement given that an individual’s public IP address can be used to approximate their physical location, which, when cross-referenced with their transaction data, can create a detailed profile of their movements and activities.
3. Second, because the email field is mandatory in its Client Relationship Management (“ CRM ”) system, Loblaw represented that customer service agents are required to replace a closed account holder’s email address with a dummy address by replacing the username portion of the email (content before the @ symbol) with a random and unique string of characters. Footnote 11 This is consistent with the evidence the OPC received from complainants. These complainants, who received a security alert from Loblaw indicating that their email had been changed, discovered that their address domain remained unchanged following their account closure. An email address’ domain (the part of an email address that comes after the @ symbol), can in some cases reveal identifying information about a person, for instance, about where they work, or an organisation they are affiliated with.
4. Third, Historical Transaction Data has some intrinsic potential, at least for certain individuals, to be re-identifiable. Take, as a hypothetical example, a case of an individual in a small community who purchased supplies for a community event – the rest of their transaction history could then be linked to them via that purchase. When combined with Usage Data, such as browsing behaviour, the risk becomes even more pronounced.
5. Fourth, we saw indicators of insufficiently mitigated risk in the implementation of the de-identification process. Specifically:
   1. Manual processing errors: In one complaint we received, while completing a request for deletion of the individual’s PCid, an employee inserted the complainant’s name in the dummy address instead of a random string of characters. Loblaw provided no indications that it independently detected this error in the anonymization process. The complainant only became aware of the error because they received a security alert from Loblaw indicating that their email had been changed—a notification that Loblaw indicated should not have been triggered in this context. We find that similar errors may, therefore, go unnoticed.
   2. Deletion in back-up systems: Effective anonymization must include ensuring that information is also removed from back-up systems. Footnote 12 However, Loblaw did not demonstrate to the OPC that it has a process in place to ensure that identifiers associated with closed PC Optimum accounts are removed from back-up systems.
6. Finally, Loblaw did not demonstrate that it has considered the impact of other factors that could affect re-identification risk. For instance, although Loblaw states that it deletes members’ personal identifiers from the CRM system, we understand that a member’s previous email address may still be retained (stored separately from the PC Optimum account data) within the context of the PCid (see paragraph 20 above). As previously mentioned (see paragraph 29), the availability of additional data for cross-checking increases the risk of re-identification. Loblaw represented that access controls and procedures are implemented to mitigate the risk of re-identification. However, Loblaw did not provide sufficient documentation regarding protective measures to reduce the impact of this risk factor.

Effective Protection Against Re-Identification

1. Our conclusions above do not mean that organizations can never benefit from anonymized personal information. A range of risk mitigation strategies can, in conjunction with careful and periodic assessment, be used to ensure that there is no serious possibility of re-identification.
2. As noted in paragraph 28, effectively assessing and mitigating re-identification risk is a growing and rapidly evolving field. Currently available risk mitigation approaches include both technical measures – such as aggregating (combining data about multiple individuals together so that any one individual’s own data is obscured), scrambling or perturbing (adding randomness to) data, and organizational measures – such as limiting access, prohibiting re-identification, and providing appropriate training.
3. We understand that Loblaw does not aggregate, scramble or perturb the underlying data retained from closed accounts; rather, the Historical Transaction Data, Usage Data and Loyalty data remains associated and forms a separate data set for each former member.
4. Organizational measures to reduce the risk of re-identification can include imposing binding prohibitions on attempts to re-identify, such as via contractual clauses or employee codes of conduct, as well as limiting access to the data. This reduces the risk of re-identification by limiting the number of individuals who could have the opportunity to attempt re-identification, and by limiting the likelihood that those individuals will attempt re-identification. Loblaw represented that the access to the data it retains from PC Optimum accounts is only granted to specific staff. Customer Support agents, for example, who maintain access to retained correspondences and logs and who may be aware of the individual’s original login credential associated with the program do not have access to the de-identified data. It also noted that it is working on enhancing training for relevant personnel.

Conclusion on Issue 2 and Recommendation

1. As explained above, the OPC has not received sufficient information from Loblaw to establish that Loblaw is ensuring that the information it retains is effectively anonymized. Therefore, we find that Loblaw is retaining personal information no longer needed to fulfil the identified purpose for which the information was collected, in contravention of Principle 4.5.
2. To resolve the issue, the OPC recommended that Loblaw engage an independent third party to review and assess their anonymization process to ensure that there is no serious possibility of re-identification from the retained personal information associated with a closed PC Optimum account or, alternatively, that it deletes the information associated with a closed PC Optimum account upon the account closure or shortly thereafter.
3. Although Loblaw disagreed with our finding and maintains that the personal information from a closed PC Optimum account is retained in a form that is no longer associated with an identifiable person, it agreed to conduct a third-party assessment, to provide the OPC with a summary report from the third party review, and commit to the implementation of any necessary risk mitigation measures recommended within 12 months of the issuance of the OPC ’s report. We therefore find this aspect of the complaint to be well-founded and conditionally resolved.

Conclusion

1. Issue 1: Loblaw took an unreasonable amount of time to address the deletion requests and did not respond to certain privacy-related inquiries. Therefore, we find that Loblaw contravened Principle 4.10 and find this part of the complaint to be well-founded. Given the enhancements made by Loblaw detailed above, we find this aspect of the complaint to be resolved.
2. Issue 2: Because Loblaw has not demonstrated to the OPC that the information it retains is effectively made anonymous, we find that Loblaw is retaining personal information longer than needed to fulfil the identified purpose for which the information was collected, in contravention of Principle 4.5.3. Since Loblaw has agreed to our recommendation to conduct a third-party assessment of their anonymization process and implement any recommended risk mitigation measures, we find this aspect of the complaint to be well-founded and conditionally resolved.

Footnotes

Footnote 1 One month into Loblaw boycott what effect has it had on grocery store giant?, City News Everywhere, June 2, 2024.

Return to footnote 1

Footnote 2 Reddit is a social media platform where users share and discuss content in community forums.

Return to footnote 2

Footnote 3 See PC Optimum’s website for more information about Loblaw’ loyalty program.

Return to footnote 3

Footnote 4 Principle 4.5.2 states in part “Organizations should develop guidelines and implement procedures with respect to the retention of personal information. These guidelines should include minimum and maximum retention periods.”

Return to footnote 4

Footnote 5 In addition, the OPC recommended, and Loblaw agreed, that during these reviews, Loblaw will delete PCid s where a PC Optimum account has been closed and any other unclosed accounts associated with the PCid that have had no activity for an extended period of time (such that it is reasonable to presume the account(s) are inactive).

Return to footnote 5

Footnote 6 See OPC website, Interpretation Bulletin: Personal Information, citing (Gordon v. Canada (Health), 2008 FC 258 (CanLII).

Return to footnote 6

Footnote 7 For more information about anonymization see OPC website, Reducing identifiability in cross-national perspective: Statutory and policy definitions for anonymization, pseudonymization, and de-identification in G7 jurisdictions (October 11 2024), and the Information Commissioner’s Office of the United Kingdom’s website, Guidance on Anonymization.

Return to footnote 7

Footnote 8 Investigation into the collection and use of de-identified mobility data in the course of the COVID-19 pandemic, OPC, May 29, 2023, at paragraph 15.

Return to footnote 8

Footnote 9 Investigation into the collection and use of de-identified mobility data in the course of the COVID-19 pandemic, OPC, May 29, 2023, at paragraph 18.

Return to footnote 9

Footnote 10 Transaction Data is collected by Loblaw in their capacity as a merchant whether the customer has a PC Optimum account or not. However, when a customer has a PC Optimum account, this information is collected and associated to their PC Optimum account.

Return to footnote 10

Footnote 11 Loblaw later said that its staff replace the whole email address, not just the username portion of the email as part of their account closure process. However, it did not explain either the evidence to the contrary for the cases noted above, or its previous representations that its policy is to replace the username portion of the email addresses. We therefore conclude that at least some of the time, domain portions of email addresses are being retained.

Return to footnote 11

Footnote 12 Organizations can minimize both security and privacy risks by disposing of information when it is no longer needed. The disposal or destruction of information applies to originals as well as copies and archived records, including system logs that may contain personally identifiable information. See Security and Privacy Controls for Information Systems and Organizations, control SI-12, sub-paragraph 3, page 352.

Return to footnote 12

---

Table of Contents

Complaint under the Personal Information Protection and Electronic Documents Act (the “Act”)

Takeaways

Report of findings

Overview

Analysis

• Issue 1: Does Loblaw adequately address privacy challenges raised by individuals?
• Issue 2: Does Loblaw retain personal information of PC Optimum members for longer than necessary? Conclusion

Footnotes

Date modified:

2026-03-05