The Privacy Commissioner of Canada has discovered that Staples Canada failed to adequately erase personal information from returned laptops that the company subsequently resold. This finding raised serious concerns about the retailer's data management practices.

In a recent analysis conducted by the privacy watchdog's staff, laptops returned by customers at four Staples stores in Ontario were examined. The investigation revealed that 23 percent of these devices contained sensitive personal information, such as customer names, email addresses, account details, fragments of emails, and even partial images of individuals' faces.

As a result of these findings, the Privacy Commissioner mandated Staples to establish comprehensive standards for properly wiping devices within nine months. This plan must include enhanced staff training and the engagement of an independent third-party organization to perform annual spot checks on the returned devices to ensure compliance with privacy regulations.

The commissioner's inquiry into Staples' data handling protocols was prompted by allegations made by a former sales associate, who claimed that returned laptops were not consistently wiped clean. The whistleblower reported troubling instances where computers were stored displaying the previous owner's username and password. Alarmingly, there was at least one case where a laptop was resold still containing unwiped personal information from a previous customer.

This is not the first time Staples has faced scrutiny regarding its data protection practices. An audit conducted by the Privacy Commissioner in 2011 investigated similar issues, and the current findings indicate that some of these issues have continued to reoccur over the past 15 years. The persistence of these problems raises questions about the effectiveness of Staples' previous measures to improve data security.

The implications of this situation are significant, as it underscores the challenges retailers face in ensuring that customer data is handled responsibly, particularly when it comes to returned electronics. As technology continues to evolve and consumer privacy becomes a more pressing concern, retailers like Staples will need to invest in robust data protection measures to maintain consumer trust and comply with privacy regulations.

The Privacy Commissioner's report was initially published on January 13, 2026, highlighting the urgent need for Staples to take immediate and effective action to address these privacy concerns. As customers increasingly prioritize the security of their personal information, the consequences of failing to protect it can be damaging both to consumers and to the retailers themselves.

As the situation develops, it will be essential for Staples to implement the recommended changes and demonstrate a commitment to safeguarding customer privacy. The potential risks of mishandling personal data can lead to reputational damage, legal consequences, and a loss of consumer confidence in the retailer's ability to protect sensitive information.