I Read Every OPC Enforcement Decision From the Last 5 Years. Here's the Pattern.
The OPC publishes its investigation findings. Five years of reading them reveals consistent patterns — the same failures appearing across industries, organization sizes, and complaint types.
By Canuckt AI Team
Why the Findings Are Worth Reading
The Office of the Privacy Commissioner publishes summaries of its PIPEDA investigations. Not all of them — the OPC has discretion over which cases it publishes — but enough that patterns emerge across years of decisions. These aren't anonymized statistics. They're specific findings about what organizations did wrong, what the OPC considered, and what was required for resolution.
Reading them is useful in a way that reading PIPEDA itself isn't. The legislation tells you what the law requires in the abstract. The enforcement decisions tell you what the law requires in the specific contexts where actual organizations made actual mistakes. The gap between the two is where most real compliance risk lives.
Here's what five years of those decisions show.
Pattern 1: Consent Violations Are the Most Common Finding
Consent-related findings appear in approximately 40% of OPC enforcement summaries. The variations are numerous but the underlying failure is consistent: organizations used personal information for a purpose beyond what the individuals reasonably expected when they provided it.
The most common form is secondary use for marketing. An organization collects a customer's email address for order confirmation purposes. Without obtaining additional consent, they add that address to a marketing list. The customer receives promotional emails, files a complaint, and the OPC finds a consent violation.
The subtler form is shared-platform processing. An organization uses a third-party platform that combines its data with data from other clients to train recommendation systems or improve platform features. The individuals whose data was provided had no awareness that it would be used for these purposes. The OPC has found that platform terms of service that authorize this — buried in standard click-through agreements — don't constitute meaningful consent for purposes that individuals couldn't reasonably have anticipated.
The finding in these cases is almost always the same: the organization failed to obtain meaningful consent for a secondary use. The remedy is to stop the secondary use or to obtain proper consent. For repeat offenders, or in cases involving large numbers of affected individuals, the OPC has referred matters to the Federal Court.
Pattern 2: Breach Response Failures Compound the Original Incident
The OPC's breach notification regulations came into force in 2018. Since then, breach-related findings have become a distinct category, and what the OPC examines is often as much about the response as the incident itself.
Organizations that discover a breach and respond quickly, assess the risk of harm accurately, notify the OPC and affected individuals promptly, and take meaningful remediation steps typically emerge from OPC investigations with findings that, while serious, are resolved through undertakings rather than escalation.
Organizations that delay reporting, conduct superficial harm assessments (concluding the risk is low without documenting the basis for that conclusion), notify affected individuals with vague language that doesn't tell them what happened or what to do, or fail to implement post-breach remediation get significantly more damaging findings.
The pattern in delayed-reporting cases is striking: the delay is almost always attributed to organizational confusion about who was responsible for making the reporting decision. The breach happened. It was discovered. It was discussed internally. Nobody pulled the trigger on the OPC notification because nobody clearly owned that decision. By the time the notification went out, the OPC was examining both the breach and the delay as compliance failures.
Pattern 3: Safeguards Findings Often Involve Organizational Failures, Not Technical Ones
When the OPC finds that an organization failed to implement appropriate safeguards, the underlying failure is rarely a sophisticated technical attack that an organization couldn't reasonably have prevented. It's usually something procedural: employees with broader access than their roles required, no encryption on a laptop containing sensitive data, a file sharing configuration that made personal information accessible to unauthorized internal users, no training on how to handle personal information.
The OPC's approach to safeguards investigations is to examine whether the safeguards were "appropriate to the sensitivity of the information." For SINs, health information, and financial account details — the highest-sensitivity categories — the standard is high. For less sensitive categories, the standard adjusts.
What the OPC consistently finds inadequate: relying on verbal training without documentation, maintaining no access logs for sensitive systems, encrypting data in transit but not at rest, and treating physical document handling as outside the scope of a cybersecurity safeguard program.
What the OPC consistently treats as demonstrating adequate safeguards: written policies with documented training records, access controls with audit logging, encryption at rest for sensitive data, and a documented breach response plan that was actually followed.
Pattern 4: Limiting Collection Violations Are Growing
The OPC has been increasingly focused on organizations that collect more personal information than their purposes require. This reflects broader regulatory attention to data minimization — the principle that you should collect the minimum necessary, not the maximum possible.
Specific patterns: loyalty programs that collect far more demographic and behavioral data than their reward structure requires, mobile applications that request device permissions unrelated to their stated functionality, onboarding processes that collect SINs "for identity verification" when the verification purpose doesn't actually require a SIN, and marketing systems that build detailed individual profiles from data collected for unrelated purposes.
The OPC's limiting collection analysis looks at whether the stated purpose for collection actually required the specific information collected. This is a proportionality question, and the OPC has shown willingness to find that organizations failed it even when the data collected was used legitimately — because the purpose didn't require the scope of collection.
Pattern 5: Third-Party Transfer Issues Are Rarely Caught Before a Complaint
The finding pattern for third-party transfer violations shows that organizations almost never proactively identify and address these issues — they're discovered after a complaint is filed, often by the individual whose personal information was transferred.
The common scenario: an organization shares personal information with a marketing analytics vendor or data broker as part of a business arrangement. The individuals whose information was shared had no awareness of the transfer and had provided their information for a different purpose. The OPC finds that the transfer was unauthorized under the consent obtained and that no contractual mechanism was in place to provide equivalent protection.
The vendor relationship is well-established by the time the complaint arrives. The organization believed it was operating within its vendor contracts. The OPC finds that the terms of service or data sharing agreement didn't constitute adequate contractual protection and that the use of the data by the third party was beyond the scope of original consent.
This is the enforcement pattern that most organizations don't see coming — because the disclosure happened without incident, from the organization's perspective, until the person whose information was shared found out and complained.
Pattern 6: Access Request Mishandling Is a Compliance Failure, Not an Administrative One
The OPC receives a significant number of complaints from individuals who requested access to their personal information and received an inadequate response — or no response at all. These complaints are entirely avoidable. They result from organizations treating access requests as administrative annoyances rather than legal obligations.
The specific failures the OPC finds:
No response within 30 days. PIPEDA is explicit: 30 days, or written notice of an extension within 30 days. Organizations that receive an access request and route it to a general inbox where it gets buried, or that acknowledge it and then do nothing, are generating an OPC complaint from the moment they miss the deadline.
Responses that don't actually provide the information. An access response must provide the personal information the organization holds about the individual, explain how it's used, and identify who it's been shared with. "We take your privacy seriously and will look into this" is not a response. Neither is "we've reviewed your request and found your information is secure." Neither of these satisfies the obligation.
Incorrect use of exemptions. PIPEDA allows organizations to withhold certain information — information that would reveal data about a third party, privileged information, information related to an ongoing investigation. OPC findings repeatedly show organizations applying these exemptions more broadly than the law permits. When withholding is appropriate, it must be documented, and the individual must be told that information was withheld and the general reason why.
Pattern 7: AI and Automated Decision-Making Are a Growing Source of Complaints
The OPC has identified AI systems as a current enforcement priority, and complaints related to automated decision-making and AI-driven data processing have increased in recent years. This pattern is newer than the others but growing.
The specific concerns: organizations using AI tools that process personal information without having identified this in their privacy policies, without having obtained consent for AI-driven processing, or without understanding whether the AI vendor's data handling practices satisfy PIPEDA's requirements.
The consent problem is particularly acute for AI productivity tools. When an employee uses a general-purpose AI assistant to summarize a document containing customer information, they're processing that customer's personal information through a third-party system that wasn't disclosed in any consent mechanism the customer encountered. The individual consented to their information being used to provide them with a service — not to having it processed by an AI system they've never heard of.
The OPC has not yet issued major enforcement decisions specifically targeting AI tool usage, but the Commissioner has published clear guidance: AI processing of personal information requires the same consent, purpose limitation, and safeguards as any other processing. Organizations that haven't reviewed their AI tool stack through a PIPEDA lens are accumulating exposure.
Pattern 8: Limiting Collection Violations Are Increasing
Over the five-year period, limiting collection findings have grown from a relatively minor category to a significant one. This reflects both increased OPC attention to the principle and growing data collection practices among Canadian organizations.
The pattern: organizations collecting more personal information than their stated or identifiable purpose requires. Loyalty programs with demographic data collection disproportionate to their reward functions. Mobile applications requesting permissions — location, contacts, camera — that the app's stated function doesn't require. Healthcare-adjacent apps collecting detailed health information when their purpose requires only basic health inputs. HR systems collecting information about employees beyond what the employment relationship requires.
What makes limiting collection findings particularly significant from a remediation standpoint is that they often require changes to data collection architecture, not just policies. Stopping the collection of information you've been collecting for years means changing forms, APIs, and system configurations — not just updating a policy document.
What the OPC Considers Adequate (Not Just Inadequate)
Enforcement summaries tell you what went wrong. Reading them carefully also reveals what the OPC considers sufficient when organizations get it right. The pattern in cases where the OPC makes favorable findings — or where the organization's response results in the complaint being resolved quickly — is consistent:
Contemporaneous documentation. Organizations that can produce records showing what they did and when — consent records with timestamps, training records with dates, incident logs with timelines — consistently fare better in investigations. The documentation doesn't need to be sophisticated. It needs to exist and be accurate.
Prompt and transparent response. When a complaint or investigation opens, organizations that respond quickly, provide complete information, and acknowledge where practices fell short consistently receive better treatment than organizations that are slow to respond, provide partial information, or dispute findings that are clearly correct.
Real remediation. The OPC distinguishes between organizations that implement cosmetic fixes — updating a policy without changing practices — and organizations that make real changes. Undertakings in OPC findings require specific, verifiable remediation steps with timelines. Organizations that implement these changes genuinely, and can demonstrate they have, close investigations faster and with less reputational damage.
Privacy programs, not privacy policies. The OPC has consistently praised organizations that demonstrate a functioning privacy management program — designated accountability, written policies that match practices, employee training, breach preparedness — over organizations whose privacy compliance consists of a policy document. The presence of a real program changes how the OPC approaches an investigation.
The Sector Breakdown
Published OPC findings over the five-year period are distributed across industries in ways that reflect both where personal information is concentrated and where compliance culture tends to be weakest.
Financial services generate a significant share of complaints, driven by the volume of sensitive financial data and the frequency of data sharing with third parties including credit agencies, insurance companies, and collection agencies. The OPC has found violations in this sector for secondary use, cross-border transfer without adequate safeguards, and breach response failures.
Telecommunications and technology companies generate complaints related to consent for secondary use (particularly marketing and analytics), data retention, and AI-related processing. The volume of data held by telecom providers and the opacity of their data practices to consumers make this a high-complaint sector.
Retail and e-commerce complaints frequently involve loyalty programs, marketing use of purchase data, and third-party data sharing with marketing analytics platforms that consumers weren't aware of.
Healthcare-adjacent businesses — health tech, fitness platforms, wellness apps — generate complaints related to health information safeguards and consent for sensitive data. These organizations often underestimate their PIPEDA obligations because they're not regulated health information custodians under PHIPA but still handle information that the OPC treats as highly sensitive.
Professional services — accounting, legal, consulting — generate complaints related to client data handling, particularly data sharing with subcontractors and AI tool usage. The combination of PIPEDA obligations and professional conduct rules creates a layered compliance obligation that many practices have not fully addressed.
What the Pattern Tells You About Risk
Reading five years of OPC enforcement decisions produces a clear picture of where compliance risk lives for Canadian organizations. The organizations that avoid damaging findings share specific characteristics: they maintain accurate documentation of their data handling practices, they obtain meaningful consent before secondary uses, they respond to breaches quickly and transparently, they implement organizational safeguards alongside technical ones, and they take seriously the accountability they bear for personal information in the hands of their vendors.
The organizations that generate enforcement findings are not, in the main, organizations that knowingly violated PIPEDA. They're organizations that didn't take the law seriously enough to build the practices it requires — that treated compliance as a document rather than a program, that discovered their gaps when a complaint arrived, and that then had to build what they should have built years earlier under the scrutiny of an OPC investigation.
The cost of building a real compliance program proactively is a fraction of the cost of building it reactively. The OPC's published findings are, in this sense, a roadmap: they tell you exactly what the reactive path looks like and what it costs. The proactive path is available to any organization willing to read them carefully and act on what they say.