Skip to main content

The Globe and Mail

How a car-repair shop breaches privacy law

The road to legal hell is paved with the best of intentions, and some pretty good customer service ideas.

Here's a perfect example.

Last week I took my car into the shop for some scheduled service. I've been taking it to the same place since I've owned it, and the service is nothing short of fabulous. Their estimates are bang on. Their turnaround time is great, and I don't mind when they want to hang on to the car for an extra day and run it in traffic to make sure it's working properly.

Story continues below advertisement

They manage my expectations. They loan me a car when I need one. And when I don't, they drive me into Vancouver right in front of my office building, rather than dumping me unceremoniously at the closest Skytrain station.

There's only one thing. As soon as I walk into the immaculately laid out sales and service area and I'm offered coffee, I see a 52-inch widescreen TV that provides all of the day's appointment information, with the schedule starting around 8 a.m. There's the time of the appointment, the full name of each customer, the model of each customer's car, the license plate number of each vehicle, as well as the name of the representative the customer is scheduled to see.

There could be about 25 appointments on that TV, and the names, cars and licence-plate information is on a perpetual loop, so you see all of the information every three minutes. It's a nice touch, from a customer service perspective.

Imagine my surprise when I saw my colleague Simon's name on the screen. We practice at different law firms, and he and his wife were at my wedding reception 25 years ago. I know it's him – he has an unmistakable last name. But now I know what kind of car he drives, what his license-plate number is, and where he goes for repairs.

A few days later, I saw Simon getting into his car and I told him about the display of his personal information. "Do you think this is a breach of your privacy?" I asked.

He said 'yes:' he didn't want the world to know his name, what car he drove and what the licence plate number was. He admitted the TV display had caught his attention a few years earlier, when he saw Matthuis Ohlund's name on the screen getting his car fixed while Mr. Ohlund was still in Vancouver playing for the Canucks.

Any hockey groupie wanting an autograph, or an upset fan looking to rant about a bad game with a key player, or a celebrity stalker could have obtained information about Mr. Ohlund that would otherwise have been very difficult. Or the groupie/ranter/stalker could have just waited until the end of the day when Mr. Ohlund's car was ready.

Story continues below advertisement

Personal information isn't normally flashed on a big screen. Sometimes people inadvertently uses the "cc" function in a blast e-mail instead of "bcc," so everyone else on the list knows you're in Weight Watchers or in AA. Or a mistake by a small dress-shop owner who wants to let you know when she's having a sale. She does the right thing and asks for written permission to send you information, but then she pushes the sign-up sheet in front of you, containing everyone's names, e-mail addresses, bra sizes, and favourite brand of thong.

The inadvertent display of a customer's personal information can be caught by laws regulating its collection and use by businesses in Canada.

In Alberta and B.C., it's regulated through their respective Personal Information Protection Acts (PIPA). Each province maintains a comprehensive website where individuals can learn about their privacy rights. Businesses can also learn what they have to do to avoid privacy blunders as well as expensive legal actions and their legal obligations. The links are here for BC and here for Alberta.

In other provinces, this is achieved federally through the Personal Information Protection and Electronic Documents Act (PIPEDA). Custodians in Ontario are required to collect personal health information in accordance with the rules set out under province's Health Information Protection Act (HIPA).

According to Vancouver privacy lawyer Maria Holman, "personal information" in Canada means information about an identifiable individual. If I can figure out who a person is, even if the name isn't there, it's personal information, and no one should be giving it out or using it without the individual's consent.

If your business collects, stores or uses personal information, it has some very specific responsibilities. If you or your staff are unaware of your legal obligations respecting privacy, you should consult with your lawyers.

Story continues below advertisement

There's a lot more to it than I can relate here, but your business can't collect personal information without consent. When you ask for consent, you have to explain why you want it, who else will see it, who you want to share it with, and how you will protect it. The individual has to agree to all of those uses and disclosures.

Showing an entire waiting room in a repair shop my name, the kind of car I drive and my license plate number on a big-screen TV likely breaches these legal obligations.

Even though I don't play for the Canucks.

Tony Wilson  is a franchising, licensing and intellectual property lawyer at  Boughton Law Vancouver, he is an adjunct professor at Simon Fraser University (SFU), and he is the author of two books: Manage Your Online Reputation, and Buying a Franchise in Canada. His opinions do not reflect those of the Law Society of British Columbia, SFU or any other organization.

Report an error Editorial code of conduct
As of December 20, 2017, we have temporarily removed commenting from our articles. We hope to have this resolved by the end of January 2018. Thank you for your patience. If you are looking to give feedback on our new site, please send it along to If you want to write a letter to the editor, please forward to