The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
Saturday, May 20, 2006
David Canton's regular IT column in the London Free Press is about the practice of printing full debit and credit card numbers on receipts. (See: London Free Press - David Canton - Printing card data not smart.)
This is a practice that really bugs me. In three days in Toronto last week, every debit and credit card receipt I accumulated had my full number and expiry date printed on it. I was in Toronto for a Canadian Institute conference on Privacy Compliance, which I co-chaired. The topic of receipts came up in discussions with the Assistant Privacy Commissioner of Canada, the Alberta Commissioner and the British Columbia Commissioner. The Alberta Commissioner, Frank Work, discussed the incident that David mentions in his column and one of the more interesting things he discovered in his investigation: there's a black market for these receipts and they are $25.00 each.
The assistant federal commissioner, Heather Black, mentioned that the Commissioner's office had canvassed most of the POS suppliers in Canada, who assured them that they are rolling out upgraded machines as fast as they can. Not fast enough, in my personal opinion.
For those retailers whose receipts are generated through a full POS system, I expect it's just a software patch that would do the job. The dedicated card terminals may need something more.
But even if it is a "hardware problem", why not give cashiers a jiffy marker to black out the digits? There's no reason to have them on the receipt since it is all settled electronically and the transaction code is enough to reconcile the day's accounts. As for me (at least in restaurants, where I'm asked to sign the slip and have the time to linger), I black out my card number myself.
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.