They were small businesses. What we found, generally speaking—though there were some exceptions, as you would expect—that there was an incredibly low level of awareness of PIPEDA and what was required of an organization to ensure that it was collecting the least amount of information needed for the purpose, and that it didn't keep personal information longer than it had appropriate need for it, and those kinds of things.
We found that those rules weren't being followed.