In 2003, the United States Congress passed the Fair and
Accurate Credit Transactions Act, intended to enhance existing
provisions against identity theft and to better protect consumers.
It included the mandatory requirement, also incorporated into the
federal Fair Credit Reporting Act, that credit (and debit)
card numbers be truncated on electronically printed receipts. This
US legislative requirement has prompted interest regarding the
state of the law in Canada as to what credit card information may
be printed on customer and merchant sales receipts.
Current Canadian legislation has no similar explicit restriction
regarding what credit card data may be included on such receipts.
However, the policies of both the federal and provincial Privacy
Commissioners indicate it is best practice to limit the details
printed so as to safeguard privacy and curb identity theft.
The Office of the Privacy Commissioner of Canada (OPCC) has
indicated businesses should avoid creating so-called
"dangerous receipts," that is, credit card receipts that
include complete credit card numbers. Under the federal
Personal Information Protection and Electronic Documents
Act (PIPEDA), businesses are required to protect
personal information, and they are encouraged to use equipment that
does not print the entire credit card number on a receipt. Where a
business keeps a merchant copy sales receipt, it must ensure that
the personal information collected is used and stored in a manner
consistent with PIPEDA, and that such information is not
disclosed without authorization. Consumers are advised to keep
receipts with full credit card numbers in a safe place and to
destroy them when no longer needed.
Industry representatives had advised the OPCC that the masking
of credit card receipts would soon be an industry-wide practice,
and that by 2007 all equipment used to process credit card payments
would mask or truncate numbers. Despite these assurances, the
Privacy Commissioner noted in March 2008 that unmasked receipts
continue to be printed and that this issue requires attention from
Privacy statutes and Privacy Commissioner policy in Ontario,
Alberta and British Columbia maintain an approach consistent with
that at the federal level. This includes recommendations that
businesses truncate or otherwise obscure credit card numbers, but
without explicit statutory requirements to do so.
In April 2007, the Legislative Assembly of British Columbia
appointed a Special Committee to conduct a statutory review of the
Personal Information Protection Act (PIPA), which
came into force on January 1, 2004. The Report of the Special
Committee, Streamlining British Columbia's Private Sector
Privacy Law, was released on April 17, 2008. It considered the
safety of credit card receipts and whether it was necessary to
amend legislation to specifically address the masking of credit
The committee heard a proposal to amend PIPA's
implicit consent section to address credit card truncation. Under
the proposed provision, a purchaser would be deemed to have
consented to the collection, use and disclosure of personal
information when conducting business with a credit card, and to
have provided consent to use the card information to process the
business transaction. Nonetheless, this consent would not extend to
posting the full card number, the expiration date, and the
purchaser's name and signature on the receipt for anyone to
The committee concluded that such legislative change was
unnecessary, as businesses operating in British Columbia are
increasingly using point-of-sale technology that includes only the
last four digits of a customer's credit card number and omits
the expiration date.
The committee did consider that some small businesses would
still be making imprint copies of the credit card. A proposed
"identity tag" system, which would identify the person
who accepted the credit card and hold them accountable for credit
card information sold or stolen for financial fraud purposes, was
considered too impractical to implement. Rather, the committee
recommended that the Office of the Information and Privacy
Commissioner use its website to encourage small business owners to
use safe methods in processing credit and debit card transactions,
and to highlight the risks associated with the improper handling
and disposal of such receipts.
McCarthy Tétrault Notes:
The current Canadian consensus is that, despite the absence of
specific laws requiring number truncation on receipts, it remains
good practice for businesses to convert to technology that permits
the masking of cardholder information in order to protect personal
data in accordance with privacy and personal information
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
The British Columbia Court of Appeal has recently considered whether the doctrine of unconscionability can be invoked to set aside a contractual clause providing for the payment by one party to the other...
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).