Privacy Notice
Last Updated: August 8, 2024
1. Your privacy is paramount
407 ETR operates and manages Highway 407 ETR, and we also provide tolling and back-office services for the Ontario Ministry of Transportation (MTO) with respect to Highway 407 (collectively, the "Toll Highways"). This means that two privacy laws are relevant when we collect, use or disclose Personal Information: Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) for privately owned Highway 407 ETR, and Ontario's Freedom of Information and Protection of Privacy Act (FIPPA) for provincially owned Highway 407.
Complying with these privacy laws and protecting your privacy is a top priority for us, so we've written this Privacy Notice to let you know about your rights and our obligations when it comes to the collection, use and disclosure of your Personal Information. This notice is made available and updated online at www.407etr.com and, at your request, can be printed and provided to you in English or French. We’ll let you know when we make updates.
2. What's Personal Information?
Personal Information means any information about an identifiable individual where the information, alone or with other information that's reasonably available, can be used to identify that person. Certain information is exempted from this definition, like somebody's business contact information that's used to communicate about their employment, business, or profession.
3. Why we collect Personal Information and the choices you have
We collect Personal Information only for legitimate business purposes, and use this information after considering its sensitivity, effectiveness, as well as privacy impacts and alternatives. By summarizing things below, we’ve made it easy for you to understand the main reasons we collect Personal Information, the types of information involved, their sources, who we may share it with, and choices you may have with your Personal Information.
A. Primary Business Activities
Purposes
(1) Managing and operating the Toll Highways, such as collecting and enforcing tolls, fees, and other charges, and conducting other activities prescribed by law.
(2) Maintaining and providing products and services that you may sign up for, such as the 407 ETR mobile app.
(3) Carrying out billing and account management activities, including:
- Payment processing.
- Collections activities, such as contacting you, requesting a credit investigation or a consumer report about you, or sharing your Personal Information with government, credit reporting or collection agencies, or service providers performing similar or supporting functions.
- Providing advice or information on leasing, billing, and payment options, including 407 ETR’s financial assistance programs.
- Handling specific customer concerns or disputes.
(4) Data analytics, internal training, or testing related to these purposes.
Data Types
(1) Contact or account information, including your name, mailing address, phone number, e-mail address, and year of birth.
(2) Financial information like credit card and/or banking information, transaction history, and credit history.
(3) Vehicle information like make, model, year, colour, and weight; licence plate number and plate sticker expiry date; registrant identification number (RIN); vehicle identification number (VIN); and transponder identification number, if any.
(4) Trip details on the Toll Highways, including camera images. Note, camera images of vehicles are taken to capture front and rear licence plates. We automatically blur camera images of the front windshield portion of your vehicle to protect your privacy. Sometimes, this blurring may be imperfect or suspended temporarily so we can test, maintain, and improve our tolling technology, following which any Personal Information collected is promptly destroyed.
(5) Transponder locations at specific points on other major GTA roadways, only if you expressly consent to participate in our Transponder Location Program.
Sources
(1) Customers, when they engage with us such as through travelling on the Toll Highways, communicating with us, and using our products or services.
(2) The MTO and other motor vehicle administrators, as legally permitted.
(3) Third-party partners or service providers for collections purposes, such as credit reporting agencies and collection agencies.
Sharing
(1) Government or public motor transport agencies like the MTO, as well as private administrators responsible for managing driver data.
(2) Third-party partners or service providers as part of our collections activities, including government agencies, credit reporting agencies, and collection agencies.
(3) Other service providers that support our business activities, including quality assurance specialists, invoice and payment processors, and consultants.
(4) 407 ETR's affiliates, like Canadian Tolling Company International Inc., which provides tolling and back-office services for the Toll Highways.
Choices
You can opt out of the use of your Personal Information for marketing purposes by contacting us using the information in Section 10 (Accountable to you). You can also unsubscribe from emails or other messages from 407 ETR. If you have the 407 ETR mobile app, you can also adjust your settings there.
B. Marketing & Promotions
Purposes
Marketing and promoting travel on the Toll Highways and use of our products and services to actual and potential customers, including the use of My Account, 407 ETR mobile app, paperless billing, and transponder leasing. We may also conduct data analytics, internal training, or testing related to these purposes.
Data Types
In addition to the types of Personal Information we use for primary business activities listed above, we may also collect and use:
(1) individual feedback, shared experiences, opinions, and preferences.
(2) 407 ETR mobile app data (see Section 9, My Account and the 407 ETR mobile app).
(3) web data about you (see Section 4, Cookies and other web data).
Sources
In addition to the sources identified above, we may also collect Personal Information from:
(1) customers or potential customers when they engage with 407 ETR or respond to its marketing campaigns, including participating in contests, promotions, surveys, and corporate-sponsored events.
(2) the 407 ETR mobile app if you download, install and use the app (note that geolocation, travel, and route information is only collected if you expressly agree and adjust your in-app privacy settings accordingly).
(3) third-party direct marketing or mail vendors.
Sharing
As required to carry out marketing and promotions, we may disclose Personal Information to third-party service providers such as marketing and communications agencies, digital or social media marketing and analytics vendors, communications service providers, and consulting firms.
Choices
You can opt out of the use of your Personal Information for marketing purposes by contacting us using the information in Section 10 (Accountable to you). You can also unsubscribe from emails or other messages from 407 ETR. If you have the 407 ETR mobile app, you can also adjust your settings there.
C. Financial Assistance Programs
Purposes
We collect certain Personal Information for the primary purpose of administering 407 ETR’s financial assistance programs only with respect to eligible and participating customers. We may also conduct data analytics, internal training, or testing related to these purposes.
Data Types
We collect the same Personal Information as we do for our primary business activities, as needed to administer the programs. We may also collect other Personal Information as required to operate a particular program, such as financial, tax or employment related information, including notices of assessment, tax returns, pay stubs, or statements from external social assistance programs. We do not accept any personal health information from individuals when assessing eligibility.
Sources
The sources of Personal Information are the same as for our primary business activities.
Sharing
We may disclose Personal Information to third-party service providers that help to administer the programs, including in determining eligibility and communicating with applicants about their enrolment or updates to the program.
Choices
We only request Personal Information from individuals who decide to participate in a program. You may, however, withdraw your consent at any time subject to certain limitations (see Section 6, Your consent).
D. Security, Legal & Compliance
Purposes
We collect Personal Information for the primary purpose of satisfying security, legal, and compliance related activities, such as:
(1) Aiding in an emergency where someone’s life, health or security is at risk.
(2) Responding to a subpoena, warrant, lawful order or requirement of a court, regulatory agency or government tribunal.
(3) Preventing, detecting, or investigating illegal or harmful activity occurring on or in connection with the Toll Highways or our business operations, such as addressing toll evasion, property damage, fraud, or threats to the safety or security of individuals, data, or other assets.
(4) Asserting our legal rights, including defending claims, pursuing available remedies, and limiting potential damages.
(5) Complying or supporting compliance with applicable laws, rules, regulations, policies and other requirements or legal obligations, including responding to authorized audits of the company.
We may also conduct data analytics, internal training, or testing related to these purposes.
Data Types
It is possible that any of the types of Personal Information identified above would be necessary to satisfy security, legal, and compliance related activities.
Sources
The sources of Personal Information could potentially include any of the sources identified above.
Sharing
We may disclose Personal Information to government or public motor transport agencies like the MTO, law enforcement agencies, and third-party service providers, such as security firms, law firms, auditors, and consultants.
Choices
We take security and legal compliance seriously. This means that most uses of your Personal Information will not be optional. However, if you have any concerns, see Section 10 (Accountable to you) for information about how you can contact us.
4. Cookies and other web data
We, and authorized third parties, use certain technologies and tools on our website (like cookies) and the 407 ETR mobile app for our primary business activities and marketing and promotional purposes. This includes delivering our services and improving and personalizing your experience. We collect this information when individuals visit 407etr.com or on407.ca, or when they participate in online chats or email communications with us.
Cookies and IP addresses
- First-party cookies (sent directly from our website) which may be used to customize content, keep track of website preferences, report our website’s total audience size and traffic, and help with research to improve website functionality and content.
- Third-party cookies (sent from authorized third parties) that, for example, allow sharing across social media services, provide users targeted ads on external sites, and keep track of user preferences while using third-party services.
- Web beacons (and similar tools like clear GIFs, pixels, and coded URLs) which may be used in online ads to determine which ads users have viewed; in promotional emails to track if an email was viewed or if its links were clicked; and to support remarketing for AdWords Ads on the Google Display Network (serving you ads across websites based on browsing interests).
We may only access cookies we have sent to your computer, and you may limit or disable cookie use through your web browser settings. You may also choose not to click on links embedded in marketing emails you receive.
We also collect your Internet Protocol (IP) addresses to help estimate the total number of web visitors from various regions. For clarity, an IP address is automatically sent by your computer’s web browser each time a web page is requested for viewing and this IP address is logged on our servers.
Google Analytics
We use a tool called Google Analytics on our websites to provide us with information on user behaviour on our websites and allow us to advertise to users after they leave the site. Google Analytics uses the data collected through cookies to track and examine the use of the website, to prepare reports on its activities, and share them with other Google services. Advertising identifiers for mobile devices (such as Android and iOS Advertising Identifiers) are also collected. Google may use the data collected on the websites to contextualize and personalize the ads of its own advertising network (including ads that we may buy). For more information on how Google uses this data and how to control the information collected by websites, click here. You can also opt out of Google Analytics by visiting Google Analytics Opt-out.
5. Cross-border transfers
In most cases, your Personal Information is used, disclosed, and retained in Canada. In some situations, however, we may disclose your Personal Information outside of Canada in order to achieve one or more identified purposes. Since Personal Information in another jurisdiction may be accessed there by the courts, law enforcement and national security authorities, and is generally subject to different privacy standards, we try to limit such disclosure, but where disclosure is required, we ensure there is a comparable level of protection over your Personal Information.
6. Your consent
Meaningful consent
Subject to applicable laws, we won't collect, use, or disclose your Personal Information without consent. In such cases, we'll explain to you the reasons why we need your Personal Information (as we are doing in this Privacy Notice) so that you can make an informed decision whether to consent or to continue consenting. Based on our explanation, you should be able to understand the nature, purpose, and consequences of the collection, use or disclosure of your Personal Information. If not, please let us know so we can clarify or elaborate.
Express or implied consent
Your consent can be express, either written or verbal, or implied through your action or inaction. Express consent is sought, for example, when we collect more sensitive Personal Information or if the purpose or consequence of collection is likely unexpected. Alternatively, we rely on implied consent if the purpose or consequence of collection is reasonably expected. For example, a customer that travels the Toll Highways should reasonably expect that we will collect and use their contact, vehicle, and trip details to send them a bill, as explained in the Privacy Notice, so implied consent by taking a trip is adequate. If, however, we need financial or tax information about you to assess your application or eligibility to one of 407 ETR’s financial assistance programs, we will require your express consent to collect and use such Personal Information.
Exceptions to consent
In limited situations, Canadian privacy law allows us to collect, use, or disclose Personal Information without your knowledge or consent. Examples include disclosures to law enforcement with a lawful order; disclosures to a person who needs the information due to an emergency threatening the life, health, or security of an individual; or disclosures to a third party to reasonably investigate illegal activity or a breach of contract, including to collect a debt owing to us.
Withdrawing consent
You may withdraw your consent at any time by contacting us. Please note, however, that Personal Information may continue to be collected, used, and disclosed to the extent we need it to carry out primary business activities and/or to satisfy security, legal and compliance requirements, such as if you continue travelling on the Toll Highways or have overdue amounts. Also, if you withdraw your consent while participating in one of 407 ETR’s financial assistance programs, our ability to administer the program for your benefit may be negatively impacted or may render you ineligible.
If you use the 407 ETR mobile app and wish to stop collection of Personal Information through the app, you must delete the app completely from your mobile device. To withdraw consent to our use of Personal Information collected by the app prior to you deleting it, please contact us with your request. Withdrawing your consent may limit the services we can provide to you. For further information about the app, please see Section 9 (My Account and the 407 ETR mobile app).
7. Accessing and updating your Personal Information
You have the right to know about the Personal Information we have about you. So, at your written request (by mail or email only), after fully verifying your identity, we'll be glad to provide you access to your Personal Information. Sometimes, there may be a small processing fee (we’ll let you know beforehand if there is). For security reasons, giving you access to requested information means emailing you a password-protected file, so you’ll need to confirm your email beforehand. Sometimes we can’t give you access to the Personal Information you're asking for, such as if it will reveal another person's Personal Information or if access is harmful in a legal, security or commercial sense. We'll write you to let you know if this is the case and the reason(s) why. If you disagree with us, you can always challenge our decision by responding back to us.
While we try to make sure that your Personal Information is updated as needed, you would know best if it is. From time to time, please review the Personal Information we have about you in the correspondence from us. If a change or correction is needed you can make certain updates through My Account or the 407 ETR mobile app, as applicable, or simply contact us by live chat, e-mail, or phone at 407etr.com/contactus and we’ll be happy to assist. Note that while the law requires you to notify the MTO of a change in address within six days of moving, MTO does not automatically update us. So, please let us know if you've moved.
8. Anonymous information and anonymous accounts
We may anonymize Personal Information such that it cannot reasonably be used to infer information about you or otherwise be linked to you. We may use anonymized data as needed for any purpose, subject to applicable laws, and will not attempt to re-identify it except solely for the purpose of determining if our anonymization process continues to satisfy legal requirements. We may disclose anonymized data to authorized recipients after taking steps to confirm that there is no serious possibility of re-identification, including reviewing the data prior to disclosure and imposing contractual obligations designed to ensure that the data stays confidential and anonymous. Customers have the option to limit the Personal Information disclosed to us by opening an "Anonymous Account" for travel on the Toll Highways. Limitations apply so please contact us for more information.
9. My Account and the 407 ETR mobile app
Your use of My Account is subject to the My Account & Paperless Billing Agreement. By creating a My Account, you are the only person who may disclose, share, or grant access to information detailed there to any other person(s). For example, 407 ETR will restrict access to your account information to any person seeking such access, unless you authorize it, or you initiate sharing of a specific billing account within My Account via the web or the 407 ETR mobile app. If you share a specific billing account, those you share it with may make payments or view details for that account, including historical trip details or real-time trip details using the app. You will remain the only person who can make changes to your My Account and may revoke sharing at any time.
Your use of the 407 ETR mobile app is subject to the 407 ETR Mobile Application Terms of Use. The types of Personal Information collected by the app, when it is collected, and/or how it is used depends on the privacy settings you select on your mobile device. The types of Personal Information that can be collected on the app include:
- Vehicle geolocation, travel, or route information. In limited situations, non-vehicle geolocation data may be used strictly for testing, calibration, and trouble-shooting needs.
- Mobile device ID.
- Information about your device, browser, app use, and settings, such as what notification and location options you selected.
You can change your settings in the 407 ETR mobile app at any time. Certain app services may, however, be negatively impacted if you choose to disable or limit location services. For information about stopping the collection or use of Personal Information collected by the app, see Section 6 (Your consent).
We may disclose, share, or grant access to your Personal Information in relation to My Account and/or the 407 ETR mobile app for legitimate business purposes.
10. Accountable to you
We're accountable to you for your Personal Information, and that means we're responsible for the actions of anybody we've disclosed Personal Information to, including our employees, contractors and other third-party representatives. As mentioned above, these parties are not provided your Personal Information unless it's necessary to achieve the identified purposes, and only after they agree to follow the principles in this notice, applicable privacy laws, and appropriate data security requirements.
Best practices
We'll only collect, use, and disclose the Personal Information we need to achieve identified purposes. For example, only Personal Information required to achieve a particular purpose will be disclosed to those responsible for helping us achieve that purpose, and these recipients must have already agreed to treat your Personal Information confidentially and securely, in accordance with applicable privacy laws. We'll also keep your Personal Information only as long as it's needed to achieve the identified purpose or as required by law. After that, we'll delete it and require anyone else with your Personal Information to delete it too. Rest assured, we'll never disclose your Personal Information to anybody for other purposes, unless required by law, nor will we trade or sell your Personal Information.
Sensible safeguards
We protect your Personal Information: (1) physically using security locks, badges, and protocols; (2) technologically using passwords, encryption, and other safeguards designed to prevent unauthorized access to systems; (3) organizationally through regular data security training for staff, as well as ensuring appropriate security clearances and verification procedures are in place; and (4) contractually with relevant third parties, who agree to legal terms governing privacy and security, including applicable privacy laws, before any Personal Information is disclosed to them.
Addressing your privacy questions and concerns
If you have any questions or comments after reading this Privacy Notice, please see our FAQ section or contact us by live chat, e-mail, or phone at 407etr.com/contactus. We will be happy to help and can provide you with more information about 407 ETR’s privacy policies and practices. In addition, our Privacy Officer is responsible for our compliance with applicable privacy laws, so if you have specific privacy concerns or wish to challenge our compliance, you can email privacyofficer@407etr.com or write to us at: Customer Advocacy & Privacy Office, 6300 Steeles Avenue West, Woodbridge, Ontario L4H 1J1.
Since both PIPEDA and FIPPA apply to our collection, use, and disclosure of Personal Information, we've also listed the contact details of the privacy commissioners if you have any questions or concerns that we couldn’t address.
Office of the Privacy Commissioner of Canada (for Highway 407 ETR)
30 Victoria Street
Gatineau, Quebec, K1A 1H3
Toll-free: 1-800-282-1376
Phone: (819) 994-5444
Fax: (819) 994-5424
TTY: (819) 994-6591

Privacy Commissioner of Ontario (for the Province of Ontario's Highway 407)
2 Bloor Street East, Suite 1400
Toronto, Ontario, M4W 1A8
Toronto Area: 416-326-3333
Long Distance: 1-800-387-0073 (within Ontario)
Fax: 416-325-9195
TTY: 416-325-7539