
Staples Canada ULC Investigated for Privacy Practices on Resold Devices

Source: Canada OPC PIPEDA Investigations (www.priv.gc.ca)
Filed December 1st, 2025
Detected March 13th, 2026

Summary

The Office of the Privacy Commissioner of Canada investigated Staples Canada ULC regarding its Openbox program for resold electronic devices. The investigation found deficiencies in data wiping procedures and employee training, leading to recommendations for Staples to improve its practices within nine months.

What changed

The Office of the Privacy Commissioner of Canada (OPC) has concluded an investigation into Staples Canada ULC's privacy practices concerning the resale of electronic devices through its Openbox program. The investigation, initiated by a former employee complaint, found that Staples failed to adequately protect or remove user personal information from returned laptops, lacking sufficient policies, procedures, and training for staff responsible for data sanitization. The OPC cited deficiencies in meeting PIPEDA's safeguarding requirements (Principles 4.7.1 and 4.7.3).

As a result, Staples has agreed to implement corrective actions within nine months, including developing clear procedures for data wiping consistent with manufacturer guidelines, improving employee training programs, and ensuring all relevant staff complete this training. Additionally, Staples will undergo annual independent third-party spot checks of returned devices for three years to confirm adequate data sanitization. This matter is considered well-founded and conditionally resolved based on Staples' agreement to these measures.

What to do next

  1. Develop and implement clear procedures for data wiping of returned devices consistent with manufacturer guidelines.
  2. Enhance employee training programs for data sanitization tasks.
  3. Ensure all employees tasked with wiping devices complete the updated training.

Source document (simplified)

Investigation into the privacy practices of Staples Canada ULC related to electronic devices to be resold as part of its Openbox program

Table of Contents

Complaint under the Personal Information Protection and Electronic Documents Act (the “Act”)

Takeaways

Report of Findings

Overview

Conclusion

Footnotes

PIPEDA Findings # 2025-004

December 1, 2025

Complaint under the Personal Information Protection and Electronic Documents Act (the “Act”)

Takeaways

This investigation serves as a good reminder to companies that sell refurbished devices that:

  • A full factory reset as per manufacturer instructions should be performed to adequately wipe personal information from electronic devices such as laptops;
  • Organizations must develop and provide their employees with clear, consistent and standardized instructions on how to perform technical tasks required to remove any existing personal information from returned electronic devices; and
  • Organizations must provide their staff with training to equip them to complete technical tasks related to removing any personal information from returned electronic devices.

Report of Findings

Overview

  1. The Office of the Privacy Commissioner of Canada (“OPC”) received a complaint under the Personal Information Protection and Electronic Documents Act (“PIPEDA”) from a former employee of Staples Canada ULC (“Staples” or “the respondent”). The complainant alleged that Staples did not adequately protect or remove users’ personal information found on laptops that were returned by customers and that the company subsequently makes available for resale to other customers. The complainant also alleged that Staples lacked adequate internal policies or processes to equip staff to remove personal information from returned laptops, and that it did not adequately train staff on how to wipe data from returned laptops.
  2. Principle 4.7.1 of PIPEDA requires businesses to have security safeguards that protect personal information against unauthorized access and disclosure. Furthermore, Principle 4.7.3 requires the methods of protection to include physical, organizational and technological measures.
  3. The OPC found a number of deficiencies in Staples’ policies, procedures and training to protect personal information contained in returned laptops.
  4. To bring Staples into compliance with PIPEDA’s safeguarding requirements, the OPC recommended and Staples agreed to demonstrate, within 9 months from the issuance of the final report, that it has: i) Developed clear procedures and standards outlining how its employees are to wipe devices in a manner that is consistent with the device manufacturers’ guidelines for factory restore and data sanitization; ii) Improved its training program for employees responsible for wiping data from returned devices; and iii) Ensured that all its employees tasked with wiping devices complete the training on this task before they wipe devices.
  5. The OPC also recommended and Staples agreed to identify and arrange for, once a year for the 3 years following the issuance of the final report, an independent third party to conduct an annual spot check on returned devices found in Staples stores that participate in the Openbox program. The stores should be identified by the third party, be selected across more than one province and vary from year to year. The spot checks should examine a reasonable sample of returned devices from each store under review to confirm that returned devices are adequately sanitized.
  6. Given that Staples agreed to improve its safeguards regarding the wiping of returned devices, we find this matter to be well-founded and conditionally resolved.

Background and complaint

  1. Staples is a private Canadian retail sales company with over 300 stores across the country which sells electronic goods and office supplies, including laptops. Staples operates the Openbox program, which allows customers to return laptops within 14 days of purchase, which qualified staff then refurbish and make available for resale.
  2. The complainant is a former Staples store employee, who worked as a tech sales associate. He alleged that he had observed inadequate practices at Staples with respect to ensuring that the personal information of previous customers and/or users is removed from returned laptops before they are made available for resale. For instance, he alleged that laptops were not always wiped in the required time window following the return, and in some cases were stored in a location accessible to staff members with the previous owner’s username and password showing on the device. The complainant also explained that he had observed an instance of a laptop being resold that still contained unwiped personal information (payment information) from a previous customer/user. He further alleged that Staples did not have training modules for staff on how to wipe data on returned laptops, and that most of the staff involved in these processes were not adequately trained.
  3. The complainant stated that he raised his concerns about safeguarding practices with Staples managerial staff and that the respondent did not alter its practices, prompting him to file a complaint with the OPC.
  4. For context, it should be noted that in 2011, following investigations into two similar complaints where it was determined that data had not been removed from data storage devices, the OPC conducted an audit of Staples’ policies, practices and processes for managing personal information, with particular emphasis on the management of returned products with data storage capabilities. At that time, the OPC found that Staples’ procedures were ineffective and inadequate. Staples accepted the OPC’s recommendations to improve its practices and committed to “actively testing several means of wiping data from returned product[s]”. Footnote 1

Methodology

  1. We analyzed the representations and information provided by Staples in response to questions raised by the OPC.
  2. In addition, OPC personnel conducted store visits at four Staples stores located in Ontario and collected and analyzed a sample of returned laptops. As part of these visits, we inspected the stores to understand where and how devices are stored. We also interviewed several store employees (including managers, staff responsible for wiping returned devices, and a cashier) to gain a better understanding of the practices and procedures for accepting, storing and wiping returned laptops.
  3. To determine if the personal information of previous users was present on the returned laptops, OPC technical analysts inspected the devices, including to assess whether they had undergone a basic reset. The analysts also imaged the hard drives and analyzed the contents of these devices using forensic software.

Issue: Does Staples have adequate safeguards to protect previous users’ personal information on returned laptops?

  1. Principle 4.7.1 of Schedule 1 of PIPEDA mandates every business organization to have security safeguards that protect personal information against unauthorized access and disclosure. Furthermore, Principle 4.7.3 requires the methods of protection to include physical, organizational and technological measures.
  2. Generally speaking, we would expect retailers that make returned devices available for resale to have adequate and documented technical procedures, supported by effective training and oversight, to ensure that devices are wiped of personal information of previous owners prior to resale. In our view, in order to satisfy the requirements of Principles 4.7.1 and 4.7.3 and be deemed adequate, the technical procedures must adhere to the device manufacturer’s guidelines related to conducting a factory reset and data sanitization.
  3. Staples’ Return & Refund Policy states that “Staples ensures that any data on tech items is erased upon return.” With respect to technical procedures, Staples represented that “employees use manufacturer-recommended wipe and restore procedures.” While the OPC is satisfied that following the manufacturer’s instructions is an adequate measure, as detailed below, we found that Staples employees did not consistently follow these instructions when wiping devices.
  4. Staples indicated that “specific data wipe processes are not outlined in the Internal Policies.” Staples provided the OPC with copies of its procedures, training guide, and standards related to accepting and wiping returned devices before making them available for resale. The following is a summary of its procedures for laptops:
    1. After a customer returns a laptop, a designated staff member is to perform a data wipe and restore on it, even when the customer indicates that they have wiped all data from the laptop. Footnote 2
    2. After performing the wipe, the tech services specialist must confirm if it was successful through the receipt of software validation, Footnote 3 complete a Data Wipe Assessment Form (document which indicates the actions taken on the device), and process the return in Staples’ internal system.
    3. Within 24 hours of a return, a manager is required to verify that the data wipe and restore process was completed. The laptop only becomes available for resale once the required paperwork has been completed, and a sticker is placed on the laptop box certifying it as an Openbox item.
  5. Our review of Staples’ internal documents revealed that none explicitly require staff to use or review a manufacturer’s wipe and restore procedures to remove personal information from a device. The designated staff members are only instructed to “perform a data wipe & restore”.
  6. Staples represented that it does not include manufacturer-specific data wipe procedures in its internal documents “because the procedures vary by SKU” Footnote 4 and “it would be unwieldy/unreasonable to address every possible mechanism in Staples’ materials (especially given that those methods may change over time).”
  7. We accept that it may not be practical to include device-specific instructions in internal guidance documents. However, we find that Staples’ instructions to employees on how to perform a data wipe and restore, as they stand now, are inadequate as they do not detail what actions employees should take, including where to find and how to apply device-specific instructions.
  8. Our review of the internal policies, standards and procedures that Staples submitted to the OPC also revealed that they contain contradictory instructions, Footnote 5 including the following:
    1. While Staples represented that designated staff are to follow manufacturers’ wipe and restore procedures, Staples’ Data Product Return and Re-Sale Training Guide states, instead, that “all computers must be wiped using the TechScan+ key”, an approach which we note is most often not consistent with manufacturers’ directions to wipe and restore devices.
    2. Staples represented that tech services specialists are to “Perform the data wipe and restore of the returned laptop while the customer is present” and that “If a qualified associate/technician [tech services specialist] or manager was not available to conduct a data wipe immediately, the customer would be asked to come back another time to return their laptop.” However, its internal procedures state that “All data wipes should be performed within a 72-hour period”. Footnote 6 Given these inconsistent instructions, it appears possible for a customer to return a device and leave a store without the device being wiped in their presence.

Employee training

  1. Interviews with Staples store employees engaged in the data wipe process revealed that their practices are not consistent with Staples’ policies and that actions taken vary across stores, namely:
    1. Less than two thirds of the staff interviewed indicated that the procedure to wipe returned devices is to do a factory reset.
    2. Some employees stated that they accept the return without wiping the device in the presence of the customer if the customer does not want to wait or if a tech services specialist is not available.
    3. There was a lack of clarity among staff about who in the store was responsible for collecting returned laptops and removing personal information from them.
  2. However, we did not find any evidence to substantiate the complainant’s allegations that customers’ login details would be affixed to returned laptops and that the returned devices were stored in a location that was accessible to staff. We rather found evidence of employees not requiring customers’ credentials to wipe the devices, and that returned laptops were stored in a secured space accessible only to limited keyholders.
  3. Staples represented that prior to the launch of the Openbox program, training was provided to staff on the management and tracking of Openbox devices, as well as on the processes for receiving and verifying returned devices. In addition, it represented that managers are required to provide training to associates who will handle laptops as part of its Openbox program and that Divisional Sales Managers are responsible for implementing a process for ongoing training. It also provided the OPC with a copy of its training guide for employees.
  4. We found the training materials that Staples submitted to the OPC to be high-level and lacking sufficient details on the actions that staff responsible for wiping devices are required to take. For example, the training materials do not offer technical guidance on the process that employees should follow to wipe a laptop or validate that the wipe was successful.
  5. At our interviews with store staff, some tech services specialists indicated that they had never received training on how to wipe a device, and that they were self-taught. The lack of training conveyed by the interviewed tech services specialists is concerning given that they are responsible for wiping returned laptops. We also noted that their job description does not explicitly require them to know how to wipe and reset laptops.
  6. As noted earlier, the OPC conducted a technical analysis of a sample of returned devices. While the analysis established that each device appeared to have undergone a basic reset, we found that manufacturers’ guidelines Footnote 7 on how to complete a full wipe on the returned laptops had not been followed. This was evidenced by residual data of previous users found on approximately 23% of the devices analyzed by the OPC. Footnote 8
  7. Examples of the personal information found on the devices included:
    1. Some individuals’ full names;
    2. Some individuals’ email addresses;
    3. Usernames from Windows user accounts;
    4. A fragment of a sent email;
    5. A partial image of an individual’s face; and
    6. Some additional data such as file document titles.
  8. Inadequate or incomplete wiping presents a risk that the personal information of previous customers and/or users can become available not only to store employees but also to subsequent purchasers of the device, which could result in serious consequences for these individuals, including financial loss or fraud.
  9. Based on the gaps identified in Staples’ procedures and training, and evidence that it did not consistently conduct full wipes of returned laptops according to the manufacturer’s instructions, the OPC concluded that the existing procedures and employee training on how to wipe devices are not adequate. We therefore find that Staples contravened Principles 4.7.1 and 4.7.3 of Schedule 1 of PIPEDA.
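A verification check of the kind the spot checks described in this report call for, added here as an example and not taken from the OPC's analysis or from Staples' procedures: it scans a raw disk image for the residue categories the report lists (e-mail addresses, Windows account usernames, document titles) and treats any hit as a failed sanitization. The device names, usernames, e-mail address and file names in the sample images are constructed.

```python
import re
from dataclasses import dataclass, field

SECTOR = 512

# Residue types the report says survived a "basic reset": e-mail addresses,
# Windows account usernames and document titles. The patterns are narrow on
# purpose so that random binary content does not trigger them.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")
PROFILE_RE = re.compile(rb"C:\\Users\\([A-Za-z0-9._-]+)")   # profile path -> username
DOC_RE = re.compile(rb"([A-Za-z0-9 _-]{3,60}\.(?:docx?|xlsx?|pdf|pptx?))")


@dataclass
class ScanResult:
    sectors_total: int
    sectors_nonblank: int
    emails: list = field(default_factory=list)
    usernames: list = field(default_factory=list)
    documents: list = field(default_factory=list)

    @property
    def sanitized(self) -> bool:
        # A sanitized drive carries none of the user-level artifacts above.
        return not (self.emails or self.usernames or self.documents)


def _views(image: bytes):
    # Windows stores many strings as UTF-16LE; every other byte of such text is
    # plain ASCII, so scanning both byte-offset parities catches them as well.
    yield image
    yield image[0::2]
    yield image[1::2]


def scan_image(image: bytes) -> ScanResult:
    """Scan a raw disk image for recoverable personal-information artifacts."""
    total = (len(image) + SECTOR - 1) // SECTOR
    nonblank = sum(1 for off in range(0, len(image), SECTOR)
                   if any(image[off:off + SECTOR]))
    emails, users, docs = set(), set(), set()
    for view in _views(image):
        emails.update(EMAIL_RE.findall(view))
        users.update(PROFILE_RE.findall(view))
        docs.update(DOC_RE.findall(view))

    def dec(found):
        return sorted(x.decode("ascii", "replace") for x in found)
    return ScanResult(total, nonblank, dec(emails), dec(users), dec(docs))


def build_sample_images() -> dict:
    """Constructed sample images (not real data): one properly wiped, one only
    partially reset with user residue left in a single sector."""
    blank = bytes(SECTOR * 8)
    residue = (b"C:\\Users\\jdoe\\Documents\\tax return 2024.docx\x00"
               + b"jane.doe@example.com\x00"
               + "C:\\Users\\mlee\\Desktop\\invoice.pdf".encode("utf-16-le"))
    partial = bytearray(blank)
    partial[SECTOR * 3:SECTOR * 3 + len(residue)] = residue
    return {"laptop-01": blank, "laptop-02": bytes(partial)}


def spot_check(images: dict) -> dict:
    """Summarize a spot check: which devices still carry residue and what
    fraction of the sample that is (the report found roughly 23%)."""
    results = {name: scan_image(img) for name, img in images.items()}
    failed = sorted(n for n, r in results.items() if not r.sanitized)
    rate = len(failed) / len(results) if results else 0.0
    return {"devices": len(results), "failed": failed,
            "failure_rate": rate, "results": results}
```

Run against real images, the scan only confirms that residue exists; a clean result does not prove a drive was wiped to the manufacturer's procedure, so the sector counts and a review of the reset method remain part of the check.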

Recommendations

  1. Given the contraventions identified in this report and with a view to bringing Staples into compliance with the Act, we recommended and Staples agreed that, within 9 months from the issuance of the final report, it would demonstrate to the OPC that it has:
    1. Developed and implemented clear procedures and standards outlining that Staples employees responsible for wiping devices are required to wipe devices in a manner that is consistent with the device manufacturer’s guidelines for factory restore and data sanitization;
    2. Improved training for employees responsible for wiping returned devices;
    3. Ensured that all employees tasked with wiping devices complete Staples training on this task before they wipe devices; and
    4. Identified and arranged for an independent third-party to conduct an annual spot check on returned devices found in Staples stores that participate in the Openbox program for a period of 3 years. The stores should be identified by the third party, be selected across more than one province and vary from year to year. The spot checks should examine a reasonable sample of returned devices from each store under review, to confirm that returned devices are adequately sanitized.

Staples’ Response to the Recommendations

  1. Staples noted it was in the process of updating its policies and procedures and confirmed that it would implement the recommendations set out above.

Conclusion

  1. Given all of the above, we find this matter to be well-founded and conditionally resolved.
  2. We wish to take this opportunity to highlight that organizations making devices available for resale that could contain personal data have obligations under PIPEDA to ensure that reasonable steps, aligned with manufacturers’ instructions, are consistently taken to remove any personal information prior to resale.

Footnotes

Footnote 1 Office of the Privacy Commissioner of Canada, Final Audit Report Staples Business Depot (2011).


Footnote 2 If the device is locked to an account, the designated staff member is to ask the customer to enter their password or PIN to unlock the laptop and then perform the data wipe and restore on the laptop in the presence of the customer. The policy goes on to state that “[i]f the password cannot be processed, the return cannot be processed.”


Footnote 3 In instances where the data wipe was not successful because the laptop was damaged or defective, Staples represented that it returns it to the manufacturer and does not make the laptop available for resale.


Footnote 4 The Stock Keeping Unit (SKU) is the number retailers assign to products to keep track of stock levels internally.


Footnote 5 While Staples represented that it was in the process of updating its internal training guide and that it therefore contained inconsistencies with its current policies and procedures, we note that organizations are responsible for ensuring that their policies, procedures and training materials are up to date.


Footnote 6 Staples clarified that its standards were in the process of being updated to reflect a 24-hour timeline.


Footnote 7 Multiple manufacturers recommend individuals follow the factory reset process to remove data from devices. While manufacturers may not guarantee that the “remove everything” or reset process removes all data from the device, following the recommended reset process to remove all data makes it difficult to recover remnant data.


Footnote 8 The recovery of the data of previous users required a level of technical know-how and the use of open-source forensics software.


Date modified:

2026-01-13

Source

Analysis generated by AI. Source diff and links are from the original.

Classification

Agency: Various DPAs (CNIL, BfDI, AEPD, etc.)
Filed: December 1st, 2025
Compliance deadline: September 1st, 2026 (171 days)
Instrument: Enforcement
Legal weight: Binding
Stage: Final
Change scope: Substantive

Who this affects

Applies to: Retailers, Manufacturers
Geographic scope: National (Canada)

Taxonomy

Primary area: Data Privacy
Operational domain: Compliance
Topics: Consumer Protection, Cybersecurity
