Anonymization done right: Lessons from the Federal Privacy Commissioner

Anonymization is one of the most valuable tools available to Canadian organizations that want to continue deriving insights from data after it is no longer needed for its original purpose. Under the Personal Information Protection and Electronic Documents Act (PIPEDA), Principle 4.5.3 permits organizations to anonymize personal information rather than destroy or erase it once it is no longer required to fulfil the identified purposes for which it was collected. When done properly, anonymization allows organizations to retain useful datasets for analytics, product development and trend analysis, but the onus is on the organization to ensure – and demonstrate – that the information is sufficiently anonymized.

As a recent investigation by the Office of the Privacy Commissioner of Canada (OPC) makes clear, anonymization requires more than simply stripping obvious identifiers from a dataset. Organizations that fall short risk regulatory findings and reputational harm.

The OPC’s Loblaw decision

On March 5, 2026, the OPC released its findings in an investigation into Loblaw Companies Ltd. related to its PC Optimum Loyalty Program. The investigation arose from complaints by customers who alleged that Loblaw had failed to delete their PC Optimum accounts and had not responded to their inquiries in a timely manner.

The OPC found that when members deleted their PC Optimum accounts, Loblaw removed personal identifiers such as names, email addresses and phone numbers but retained other data, including detailed purchase transaction histories, loyalty data, usage data, browsing behaviour and IP addresses. Loblaw took the position that this retained information was effectively anonymized.

The OPC disagreed. The Commissioner found that Loblaw had not demonstrated that it was taking sufficient steps to ensure that the retained information could not be re-identified. Key concerns included the retention of public IP addresses that could approximate physical location, the retention of email address domains that could reveal organizational affiliations, the potential for detailed transaction histories to be re-linked to individuals (particularly in smaller communities), manual processing errors in the de-identification process and a lack of evidence that identifiers were removed from backup systems.

As a result, the OPC found Loblaw in contravention of PIPEDA’s retention principle and recommended that Loblaw engage an independent third party to review and assess its anonymization process. Loblaw agreed to do so and committed to implementing any recommended risk mitigation measures within 12 months.

Anonymization as a practical tool

The Loblaw decision should not discourage organizations from using anonymization. On the contrary, the OPC expressly acknowledged that organizations can benefit from anonymized personal information. The key takeaway is that anonymization must be done properly.

Under PIPEDA, for information to be considered anonymized, organizations must take steps to ensure that there is no serious possibility that the information retained may be re-identified, either alone or in combination with other available information. This is not a one-time exercise, and the risk of re-identification can depend on various factors, such as intrinsic data characteristics, the potential for human error in conducting de-identification and who has – or could have – access to the dataset and for what purposes. The OPC emphasized that the risk of re-identification is not static and may increase over time as re-identification techniques improve and as additional datasets become available for cross-referencing.

Practical steps for organizations

Organizations that wish to use anonymization as part of their data lifecycle management should consider the following:

1. Go beyond removing direct identifiers – Stripping names and email addresses is a necessary first step but is rarely sufficient. Consider the full range of data points that could, alone or in combination, lead to re-identification.
2. Apply technical risk mitigation measures – Techniques such as aggregation (combining data about multiple individuals), data perturbation (adding randomness) and generalization can reduce the risk of re-identification. Retaining granular, individual-level records without these measures increases risk.
3. Implement organizational safeguards – Restrict access to de-identified datasets, impose contractual or policy-based prohibitions on re-identification attempts and provide appropriate training to staff who handle the data.
4. Conduct and document regular assessments – Anonymization is an ongoing process. Periodically reassess re-identification risk in light of new techniques, new datasets and changes to the data environment. Keep records of the techniques and rationales used to anonymize the data.
5. Validate anonymization outputs through testing – Periodically test anonymized datasets to determine whether individuals could plausibly be re-identified.
6. Consider independent review – Engaging a qualified third party to evaluate anonymization processes can provide assurance and demonstrate due diligence to regulators.
7. Maintain clear retention schedules – Even where data is anonymized, organizations should establish and follow retention policies that define how long data is kept and for what purposes.

Anonymization, when implemented thoughtfully, offers a practical and lawful path for organizations to retain the value of their data while meeting their privacy obligations. The Loblaw decision is a timely reminder that the standard is not perfection but organizations must be able to demonstrate that they have taken meaningful and ongoing steps to mitigate the risk of re-identification.

The MLT Aikins Technology, Intellectual Property and Privacy team regularly advises organizations on data governance, anonymization strategies and privacy compliance. If your organization is considering anonymization as part of its data management practices, or if you have questions about the OPC’s recent findings, we are here to help.

Share