Collected by Design

Ann Cavoukian served as Ontario’s Information and Privacy Commissioner from 1997 to 2014. The seven foundational principles of Privacy by Design were formalised under her tenure in 2009, adopted as an international standard by the global data-protection commissioners’ conference in Jerusalem in October 2010, and written into European law as Article 25 of the GDPR in 2016. The framework was Canadian. The implementation was European. In Canada it became a slogan reproduced on Treasury Board slide decks and corporate privacy pages, and almost nowhere else. The gap between what we named and what we deployed is the entire story of how surveillance settled into everyday life.

I first met Cavoukian at a privacy conference in the early 2000s; she was already impatient. The principles were not abstract; they were a direct challenge to the default assumptions she knew were being baked into product roadmaps in real time. I have since spent what my colleagues at the Privacy and Access Council of Canada charitably describe as an eternity serving as a director there; the frustration the framework was designed to solve has simply accumulated more documentation. Ontario’s current IPC, Patricia Kosseim, is now into her second term; her office has spent five years calling out deceptive design patterns, children’s data commercialisation, and AI governance gaps with the same directness Cavoukian brought to the foundational work. That continuity is not accidental. The frustration, at this point, is institutional.

Erosion Happens at Checkout

Privacy does not erode through scandal. It erodes through onboarding screens, receipt prompts, and “would you like an e-receipt?” The Tim Hortons app collected granular location data every few minutes, including when the app was closed, between May 2019 and August 2020; the joint OPC investigation made that public on 1 June 2022. The collection had no operational purpose; it was used to infer where users lived, worked, and travelled. Cadillac Fairview installed facial-analytics technology inside mall wayfinding kiosks, captured biometric data from an estimated five million Canadians, and described the practice as “anonymous video analytics”; the OPC settled that question on 28 October 2020 in PIPEDA Findings #2020-004. Neither involved a breach. Both were design decisions described in plain English by people who built them and approved by people who reviewed them.

The “consent fatigue” Defence

On 26 January 2023 the OPC released its first PIPEDA finding of the year, against Home Depot of Canada. Between 2018 and October 2022, every customer who chose an e-receipt at a Home Depot till had their hashed email address and in-store purchase details forwarded to Meta through the “Offline Conversions” program; Meta matched the hash to a Facebook account and used the resulting profile both for Home Depot ad-effectiveness reporting and for its own ad-targeting business. Home Depot’s defence to the OPC is worth quoting because it is the entire article in one sentence: the company told the regulator it had not notified customers of the data-sharing arrangement at the point of sale because doing so would have created “consent fatigue.” That is not a misstep; that is the design philosophy declared on the record. The OPC concluded that express opt-in consent had been required and that no such consent existed.

Defaults are the Design

Default collection is the design decision; the privacy notice is the alibi. A product that needs your data to monetise ships with collection on, the disable toggle three menus deep, the consent banner engineered so “accept” is bright and “reject” reads as a punishment. This is not careless UX. It is the commercial purpose of the build, written into the wireframes before legal sees a draft. The European Data Protection Board ruled in April 2024 that “consent or pay” walls breach GDPR Article 7; an entire generation of users had by then been trained that the rational response to any permissions dialog is whatever makes it disappear fastest. We engineered that reflex; then we cited it as evidence that users do not care about privacy. Convenient.

Recommendations are not Remedies

Retrofits never work, because the business model has already metabolised the data. Try removing analytics from an ad-supported app after launch and watch the revenue projections collapse; the privacy team loses that internal meeting before it begins. The OPC accepted Home Depot’s commitments. The OPC accepted Tim Hortons’ commitments. The underlying app and retail economy did not shift by a degree. Under PIPEDA, the OPC cannot impose a single dollar in administrative monetary penalty for any of it; it can recommend, publish, and hope the next executive reads the trade press. A regulator without order-making power is a press release with letterhead, and corporate counsel know it.

The Federal Vacuum

Bill C-27, the Digital Charter Implementation Act 2022, would have replaced PIPEDA with the Consumer Privacy Protection Act, created a Personal Information and Data Protection Tribunal, and added the Artificial Intelligence and Data Act. The CPPA carried administrative monetary penalties of up to five percent of global revenue or twenty-five million dollars, whichever was greater. In October 2023 Minister Champagne tabled amendments recognising privacy as a fundamental right. The bill stalled at committee through 2024. On 6 January 2025 Parliament was prorogued; every government bill on the Order Paper died, C-27 with it. The April 2025 snap election made resuscitation impossible. The 45th Parliament has not retabled it. As of May 2026, Canada continues to run private-sector privacy through PIPEDA, a statute drafted in 2000, before the iPhone existed, before the data-broker industry existed, before any of the technologies the legislation now nominally governs existed. Quebec’s Law 25, rolled out in three stages between September 2022 and September 2024, now sets the only serious enforcement bar in the country: mandatory privacy impact assessments before any new technology project touching personal information, privacy by default written into statute, binding orders, and AMPs up to four percent of worldwide turnover. One province decided not to wait. That is not adequacy; that is a federal embarrassment.

What Parliament did manage to produce is Bill C-8, the cybersecurity bill formerly known as C-26, which passed the House on 26 March 2026 and was referred to the Standing Senate Committee on National Security, Defence and Veterans Affairs on 23 April. The Privacy and Access Council of Canada has been invited to testify before SECD on 25 May; PACC has been appearing before parliamentary committees in one form or another since before most of the current senators were appointed, which should say something about the pace of federal progress. The ask is unchanged: write the privacy protections into the statute, do not leave them to ministerial discretion and after-the-fact judicial review. Privacy Commissioner Dufresne identified the outstanding gaps on the record before SECU; the Senate has the opportunity to fix what the House did not. If those safeguards are not embedded in C-8 before Royal Assent, the surveillance architecture this bill enables will outlast every government that produced it.

Discipline at the Whiteboard

Privacy by Design starts at the whiteboard or it does not happen. Collect what the function requires; keep the data local where possible; let it expire when its purpose ends; narrow the access. None of this is exotic engineering. PIPEDA Principle 4.4 has required limited collection since 2000. The Treasury Board Directive on Privacy Practices has required Privacy Impact Assessments at design for federal institutions for over a decade. The discipline is asking, before the first commit, what minimum data set lets the product do what it claims to do, and refusing to build past that ceiling no matter how attractive the secondary use looks in a deck. Most product teams have never been asked that question because no one above them has had to answer for the answer. Cavoukian’s principles included one almost no Canadian product respects: privacy as the default setting. Not as an option. Not as a toggle. The default. Every regulatory finding that settles for “users could have opted out” concedes that principle, and sixteen years of erosion sit inside that concession.

Conclusion

The honest question for any product team in 2026 is no longer whether to add privacy controls. It is whether the data collection their roadmap depends on would survive five minutes of cross-examination at the OPC or the Commission d’accès à l’information. If the answer is no, the roadmap is the problem; the privacy policy is paperwork drafted to make the roadmap survive. Ottawa’s next privacy bill, whenever it arrives, will be tested against a single question: does it require collection to be justified at design and privacy to be the default at deployment, or does it once again ask Canadians to opt out of what was decided for them? Anything less is C-27 in new wrapping, with the same regulator drafting the same recommendations, and the same product teams writing the same alibi. Home Depot already told us the quiet part: the reason customers were not informed was that informing them would have caused consent fatigue. That sentence is the surveillance economy’s confession on the record. The next federal bill either makes that defence laughable or makes it law.

Marc-Roger Gagne MAPP

@ottlegalrebels