Office of the Privacy Commissioner announces first investigation under the address harvesting provisions

Today, the Office of the Privacy Commissioner (OPC) announced its report of findings against Compu-Finder, a Quebec-based company that offers face-to-face professional training courses.

The OPC alleges Compu-Finder used address harvesting programs to search and collect e-mails on the internet. This marks the first investigation by the OPC involving its address harvesting provisions under the Personal Information and Electronic Documents Act (PIPEDA). The OPC concluded that Compu-Finder did use e-mail addresses of individuals to send e-mails promoting its business activities, without the consent of the individuals concerned. Compu-Finder was unable to demonstrate it had the appropriate consent for the collection and use for many of the e-mail addresses. Further, the OPC found Compu-Finder lacked basic privacy knowledge of its obligations and failed in demonstrating accountability and openness of its privacy practices.

This investigation also debuts the OPC’s compliance agreement power since the tool was added by the Digital Privacy Act on June 18, 2015. The compliance agreement between the Privacy Commissioner of Canada and Compu-Finder lists over ten remedial measures imposed on Compu-Finder. Some of the following measures that Compu-Finder has agreed to implement, include:

  • collect and use only e-mail addresses with proper consent;
  • destroy all e-mail addresses in its possessions which were collected without obtaining consent;
  • refrain from collecting any electronic addresses of individuals through the use of a harvesting computer program;
  • develop and implement a privacy program; and
  • obtain a third-party audit of its privacy program.

Compu-Finder is also under investigation by the Canadian Radio-television and Telecommunications Commission (CRTC). The CRTC issued a Notice of Violation against Compu-Finder pursuant to Canada’s Anti-Spam Legislation (CASL) on March 5, 2016.  The OPC acknowledged the CRTC shared investigative information with the OPC pursuant to CASL and a Memorandum of Understanding between the two agencies.

The CRTC’s proceedings against Compu-Finder are still on going.

You can read the full report of findings and compliance agreement online  here.