Reference entries (17)
- reference OPC PIPEDA Case #2009-004 — combining *publicly available* directory info with geo-demographic stats did NOT create new personal info requiring consent; **by analogy, sufficiently aggregated/de-identified MLS market stats likely fall outside PIPEDA consent (DS for the threshold)**
- reference CREA Privacy Code (in place since 2001) — 10 PIPEDA principles; brokerages must obtain seller/buyer consent for board collection/use/disclosure and produce proof on request
- reference OPC PIPEDA Case #2005-303 (and BCREA #409) — using OTHER agents' MLS sales records in a "top 5 sellers" ad without consent breached Principle 4.3
- reference OPC Case Summary #2009-002 — sold price + address is personal information; pulling from MLS does NOT qualify for "publicly available" consent exemption (decisive against MLS-sourced republication)
- reference Ontario has no substantially-similar private-sector privacy law → PIPEDA applies in full to MLS personal info (only BC, AB, QC have substantially-similar laws)
- reference PIPEDA has no independent cause of action — complaints must go to the Privacy Commissioner first (s.14); FCA confirmed (Lexology / TRREB v. IMS)
- reference TREB's PIPEDA-based privacy/business-justification defence failed on the facts — wide use, inconsistent enforcement, no CPO/CIO evidence; principle remains theoretically open
- reference Seller opt-outs propagate — opting a listing out of VOW forces opt-out of IDX/aggregators too; sellers can disable AVMs and blogging
- reference MLS data is personal information in the agent's hands; the Authorized User Agreement is a confidentiality agreement (PropTx Rules definitions)
- research-notes Research notes (capture-layer): inside the MLS box — what an Ontario member agent's account exposes, what goes unused, and what they're licensed to do with it (June 2026)
- reference IBM/Ponemon Cost of a Data Breach (Jul 30, 2024; 604 orgs; Mar 2023-Feb 2024): Canadian average CA$6.32M (down from CA$6.94M in 2023); 2025 figure ~CA$6.98M per separate edition
- reference Quebec Law 25, GDPR (EU/UK), CCPA/CPRA (US) — analog privacy regimes; Quebec Law 25 specifically imposes stronger GDPR-comparable obligations than PIPEDA
- reference PIPEDA control = accountability: the principal organisation controlling the data stays accountable even when a third-party processor holds it; contracts must address this
- reference PIPEDA penalties — up to CAD $100,000 per violation for knowingly failing to report, notify, or maintain breach records; OPC can refer to AG
- reference PIPEDA mandatory breach reporting (in force Nov 1, 2018): report RROSH breaches to OPC + notify affected individuals + KEEP RECORDS OF ALL BREACHES for 24 months
- reference PIPEDA core duties: meaningful consent, safeguards appropriate to sensitivity, data minimization, accountability (designated privacy officer), access/correction rights
- reference Research brief: client portals for SMBs — the honest case (June 2026)
