Privacy Research

The following CIPPIC research reports were funded by the Office of the Privacy Commissioner of Canada, with assistance from the Social Sciences and Humanities Research Council.

Digital Rights Management and Consumer Privacy: An Assessment of DRM Applications Under Canadian Privacy Law. (Sept. 2007)

CIPPIC conducted a study in the fall and spring of 2006/07 on the impact of digital rights management (DRM) on consumer privacy.Our study analyzed the behaviour of 16 different digital services and products that utilized DRM, and compared that behaviour with the disclosures of the organizations distributing the DRM. We observed undisclosed tracking of usage and surfing habits, and unexplained communications with third parties including marketing companies. We also found that the organizations using these technologies often failed to comply with basic requirements of Canadian privacy law.

Executive Summary of report: English, Français

On the Data Trail: How Detailed Information About You Gets Into The Hands Of Organizations With Whom You Have No Relationship (April 2006)

In this report on the Canadian data-brokerage industry, CIPPIC exposes the many ways in which consumer information is gathered and traded in the marketplace. The study found, among other things, that detailed personal information about individual consumers is collected from a variety of sources including product warranty/registration cards, rebate and special offer responses, contest entry forms, online registration forms, payment processing centers, and surveys that consumers are often enticed to complete in exchange for coupons or other benefits. It is then compiled into lists that are rented or sold to marketers. Detailed demographic information about geographically defined groups, available from Statistics Canada as well as private sources such as credit bureaus and market research companies, is also widely used for target marketing purposes.

Executive Summary of report: English, Français.

Compliance with Canadian Data Protection Laws: Are Retailers Measuring Up? (April 2006)

This study was conducted with a view to the impending five-year Parliamentary review of federal data protection legislation (the Personal Information Protection and Electronic Documents Act). CIPPIC assessed the compliance of 64 online retailers with specific legal requirements for accountability, openness and consent. It also separately assessed the compliance of 72 online and offline retailers with the requirement to provide individuals with access to their personal information, upon request. Among other things, the study found that:

  • It is unreasonably difficult for consumers to get answers to basic questions about company data protection policies over the phone;
  • A significant proportion of privacy policies are unclear, even when tested by people with university education;
  • Even more policies are incomplete, often failing to identify third parties with whom the company shares customer information or to describe the type of information shared;
  • The vast majority of companies rely on "opt-out" methods of obtaining consumer consent, but many fail to bring the opt-out option to the customer's attention or require the customer to go to unnecessary effort in order to exercise the opt-out;
  • Many companies bury notice of their secondary uses and disclosures of customer data, along with notice of the consumer's right to opt-out, in lengthy privacy policies that few consumers would have the time to read and understand;
  • Many companies that use or share customer data for unnecessary purposes do not offer consumers a choice regarding such unnecessary uses or disclosures;
  • A number of companies suggest that they do not use or share consumer information without the consumer's explicit consent when in fact they do;
  • Few companies provide complete responses to written requests for specific information about what personal information the company holds about the individual, how it is used, and to whom it is disclosed.

Executive Summary of report: English, Français.


Back to top

This page last updated: June 2, 2007

Webpage URL: