As organizations across sectors increase their reliance on data and automated systems, the Office of the Privacy Commissioner of Canada (OPC) has issued crucial guidance identifying specific activities deemed “no-go zones”—uses of personal information that are considered categorically inappropriate or unlawful.
In a recent publication, McMillan LLP breaks down the OPC’s guidance and provides essential legal interpretation for businesses and developers navigating these restrictions.
🚫 What Are the “No-Go Zones”?
According to the OPC, the following activities are not permitted under Canada’s privacy framework:
- Surveillance-Based Profiling for Harmful Purposes: Includes using personal data to exploit vulnerabilities or manipulate behavior (e.g., children, marginalized communities).
- Biometric Tracking Without Justification: Using facial recognition or other biometric tools without demonstrable necessity or consent poses high legal risks.
- Data Practices That Undermine Consent: Systems designed to obscure how personal information is collected or used (e.g., dark patterns) fall into prohibited territory.
- Behavioral Influence Beyond Reasonable Expectations: AI used to nudge decisions in ways individuals wouldn’t expect or understand is seen as overstepping.
This guidance is a clear signal that regulators are drawing firm boundaries on how personal information—and AI systems—can be used.
For legal advice on ensuring your data practices and AI tools remain compliant, reach out directly to McMillan LLP—or contact us via PrivacyRules to be connected with the appropriate experts.