On March 5, 2026, the Office of the Privacy Commissioner of Canada ("OPC") announced its findings and conclusions from an investigation of Loblaw Companies Ltd. ("Loblaw") regarding personal information retention practices for the PC Optimum Loyalty Program ("Loyalty Program").
The investigation found that, while Loblaw had mechanisms in place for customers to request account deletion or raise privacy concerns, the company took an unreasonable amount of time to address these requests and failed to respond to some privacy-related inquiries altogether.
The investigation also found that Loblaw retained Loyalty Program members' purchase history after their accounts had been deleted and that removing personal identifiers such as names and email addresses was an insufficient anonymization measure. Loblaw did not demonstrate that it had adequate measures in place to limit the risk that individuals could be re-identified.
For more information on privacy practices in Canada, see our full article.
Background
Loblaw Companies Ltd. is the parent company that oversees all Loblaw brands and operations, including Loblaws, Real Canadian Superstore, No Frills, and Shoppers Drug Mart. Loblaws Inc. is a specific supermarket brand owned by Loblaw Companies Ltd. The PC Optimum Loyalty Program is operated by President's Choice Services Inc., a subsidiary of Loblaw.
The Loyalty Program has more than 17 million members across Canada. It is a voluntary, free loyalty rewards program that enables customers to earn points when purchasing products through participating retail locations and third-party program participants. Members can exchange their points for eligible purchases at any participating retail store or online website operated by Loblaw.
The OPC accepted six complaints against Loblaw in which all complainants alleged that they were unable to delete their Loyalty Program accounts, including the associated purchase history, and that Loblaw was unresponsive to their inquiries regarding their deletion requests.
Issue 1: Did Loblaw adequately address privacy challenges raised by individuals?
The complainants claimed that Loblaw took an unreasonable amount of time to comply with their requests or to respond to their inquiries.
Principle 4.10 of the Personal Information Protection and Electronic Documents Act ("PIPEDA") states that an individual shall be able to address a challenge concerning the privacy principles outlined in PIPEDA with the designated individual accountable for the organization's compliance. Principle 4.10.2 further states, in part, that organizations shall put procedures in place to receive and respond to complaints or inquiries about their policies and practices relating to the handling of personal information.
The OPC found that individuals can delete their Loyalty Program account at any time through Loblaw's customer support, the app, or the website. For members using a physical card only, Loblaw explained that they can simply destroy their physical card. However, Loblaw acknowledged that it did not fully respond to certain deletion inquiries, or took an extended amount of time to respond (from May through July 2024), due to the volume of complaints and technical challenges. The OPC therefore concluded that Loblaw violated PIPEDA.
Issue 2: Did Loblaw retain personal information of members for longer than necessary?
Several complainants alleged that Loblaw retained their personal information associated with their Loyalty Program account even after it was no longer needed to offer the Loyalty Program service to them, specifically, because they had requested deletion of their Loyalty Program account.
According to the OPC investigation, after a Loyalty Program account closure, Loblaw retains the following information associated with the former member's account:
- Loyalty data, including data relating to the Loyalty Program such as points earned and redeemed, and offers and discounts used.
- Usage data, including: (1) login information (login status, registration status, hashed email address, public network IP address, and frequency, duration, and time of logins); (2) browsing behavior (pages viewed, links clicked, user events, grocery store ID if selected, points balance, and marketing consent status); and (3) device information (device type, browser version, and app version).
- Historical transaction data, meaning in-store and online purchase data, including: (1) sale product details (product ID, quantity, and amount); (2) point-of-sale information (lane number and transaction number identification); and (3) transaction details (online or in-store, date, merchant, and store identification number).
For members with physical cards only, Loblaw does not collect any usage data; it therefore retains only historical transaction data and loyalty data.
PIPEDA Principle 4.5.3 states that personal information that is no longer required to fulfill the identified purposes should be destroyed, erased, or made anonymous.
Loblaw stated that it chose to anonymize, rather than destroy or erase, the personal information associated with the Loyalty Program accounts once it is no longer needed for the purpose for which it was collected. Since it had removed personal data elements such as the member's name and email address, Loblaw contended that the information is maintained in a form that is not attributed to, or otherwise associated with, an identifiable individual.
The OPC therefore determined that it was required to assess whether Loblaw was taking sufficient steps to render the information it retains anonymous.
Anonymization of data under Canadian law
The term "made anonymous" is not defined in PIPEDA. However, in accordance with case law, the OPC has consistently found that information is about an "identifiable individual" where there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other available information. Therefore, for information to be considered anonymized for the purpose of Principle 4.5.3, the organization must take steps to ensure that there is no serious possibility that the information retained may be re-identified, either alone or in combination with other available information.
OPC findings
The OPC concluded that Loblaw failed to demonstrate sufficient anonymization of customer data for several critical reasons. Most significantly, Loblaw retained public IP addresses at the network level, which can be used to approximate an individual's physical location and, when combined with transaction data, create detailed profiles of their movements and activities. Additionally, while Loblaw replaced email addresses of closed account holders with dummy addresses by changing the username to a random string, the email domain remained unchanged, potentially revealing identifying information about where a person works or their organizational affiliations. Furthermore, historical transaction data retained intrinsic re-identification potential, particularly for individuals in small communities whose unique purchasing patterns could link their entire transaction history back to them, a risk that becomes more pronounced when combined with browsing behavior and usage data.
The investigation also uncovered significant deficiencies in Loblaw's implementation of its de-identification process. In at least one instance, an employee manually inserted a complainant's actual name into the dummy email address instead of a random string, an error that Loblaw did not independently detect and that came to light only through a security alert sent to the customer. The company also failed to demonstrate that it had processes in place to remove identifiers from backup systems, which is essential for effective anonymization. Moreover, Loblaw did not adequately account for other factors affecting re-identification risk, including the fact that members' previous email addresses may still be retained separately from account data within the context of their PC Optimum ID. While Loblaw claimed to have access controls and procedures to mitigate re-identification risk, it did not provide sufficient documentation of protective measures to address these concerns.
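The two residual identifiers the findings describe (a random username with the email domain left intact, and a retained public IP address) and the manual-error case where a real name ended up in the dummy address, as an added Python example that is not from the page or from Loblaw; the record layout, the stricter form shown beside the weak one, and all sample values are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class ClosedAccountRecord:
    """Constructed subset of what the findings list as retained after closure."""
    name: str
    email: str
    public_ip: str
    purchases: tuple  # product IDs from historical transaction data


def weak_deidentify(rec: ClosedAccountRecord) -> ClosedAccountRecord:
    """Mirrors the process the findings describe: the name is dropped and the
    email username becomes a random string, but the domain and IP are kept."""
    domain = rec.email.split("@", 1)[1]
    return replace(rec, name="", email=f"{secrets.token_hex(8)}@{domain}")


def strict_deidentify(rec: ClosedAccountRecord) -> ClosedAccountRecord:
    """Illustrative stricter form (an assumption here, not the OPC's
    prescription): email and IP address are removed outright, not masked."""
    return replace(rec, name="", email="", public_ip="")


def residual_identifiers(rec: ClosedAccountRecord) -> list:
    """Lists the direct identifiers flagged in the findings that remain."""
    found = []
    if rec.name:
        found.append("name")
    if "@" in rec.email:
        found.append("email_domain")
    if rec.public_ip:
        found.append("public_ip")
    return found


def name_leaked_into_email(original: ClosedAccountRecord,
                           deid: ClosedAccountRecord) -> bool:
    """Detects the manual-error case: a member's real name written into the
    dummy address instead of a random string."""
    local_part = deid.email.split("@", 1)[0].lower()
    return any(tok in local_part for tok in original.name.lower().split())


# Constructed sample record; every value is invented for this example.
SAMPLE = ClosedAccountRecord(
    name="Alice Smith",
    email="alice.smith@example-employer.test",
    public_ip="203.0.113.7",
    purchases=("P1001", "P2002", "P1001"),
)
```

The residual-identifier check is the kind of post-processing control a retention review would run over a sample of closed accounts rather than trusting the masking step alone.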
Conclusion and OPC recommendations
Because Loblaw did not demonstrate to the OPC that the information it retains is effectively made anonymous, the OPC found that Loblaw is retaining personal information longer than needed to fulfill the identified purpose for which the information was collected, in contravention of Principle 4.5.3.
The OPC recommended organizational measures to reduce the risk of re-identification, which can include imposing binding prohibitions on attempts to re-identify such as contractual clauses or employee codes of conduct. These measures reduce the risk of re-identification by limiting the number of individuals who could have the opportunity to attempt re-identification and by decreasing the likelihood that those individuals will attempt to do so.
Key takeaways and recommendations
The OPC found the complaints to be well-founded on both issues. First, Loblaw took an unreasonable amount of time to address deletion requests and failed to respond to certain privacy-related inquiries, in contravention of PIPEDA Principle 4.10. Second, Loblaw did not demonstrate that the information it retains is effectively made anonymous, meaning it retained personal information longer than needed to fulfill the identified purpose for which the information was collected, in contravention of Principle 4.5.3.
In light of this investigation and its findings, companies operating loyalty programs in Canada should take proactive steps to ensure compliance. First, organizations should strengthen their access request processes by ensuring dedicated personnel and clear timelines are in place to meet the 30-day statutory response requirement. Second, companies should evaluate their anonymization practices, confirming that anonymized data truly cannot be re-identified and maintaining documentation of the techniques used. Third, operators should ensure their privacy policies accurately describe how personal information is collected, used, retained, and anonymized. Finally, organizations should conduct periodic privacy impact assessments to identify compliance gaps before they attract regulatory scrutiny.