Digital Brain
digital brain
digital brain

Privacy Penalties – Canadian Competition Bureau Wades Into Privacy Enforcement

May 2020 Privacy Law Bulletin, Business Law Bulletin 4 minute read

A new era of Canadian privacy regulation is upon us, as the Competition Bureau (the “Bureau”) has made good on its promise to investigate false and misleading statements concerning consumers’ privacy as a violation of the Competition Act (the “Act”).

In light of this latest development – and the significant administrative monetary penalties (“AMPs”) that may be levied in the event of noncompliance – all organizations doing business in Canada are advised to undertake an immediate review and update of their privacy-related policies and marketing to ensure that any representations about consumer privacy and data protection are not misleading or inaccurate in any respect.

A Change Is Gonna Come

The first harbingers of change began to appear last year, when the Federal Government announced its Digital Charter.  Shortly thereafter, the Minister of Innovation, Science and Economic Development (the “Minister”) wrote a letter to the Commissioner of Competition[1], drawing a connection between promoting healthy competition in a data driven environment and the need for heightened transparency and control for individuals with respect to the use, processing and portability of their personal information.  The Minister further noted that: “It will be important to understand the role that competition policy and law can play in fueling trust, innovation, and competitiveness.”[2]

At the Canadian Institute’s 26th Annual Advertising and Marketing Law Conference, the Bureau itself stated its intention to devote more attention to claims made by organizations that impact consumers’ decisions to give away their personal data. In particular, Josephine Palumbo, Deputy Commissioner, Deceptive Marketing Practices Directorate, announced that: “…when firms make false or misleading statements about the type of data they collect, why they collect it, and how they will use, maintain and erase it, we will take action.”[3]

Similarly, in March of this year, the Bureau’s Deceptive Marketing Practices Digest[4] addressed the Bureau’s intention to crack down on the collection of consumers’ data in exchange for “free” online products and services, such as web browsers and apps.  Admonishing “lengthy and complex privacy policies”, the Bureau noted that consumers may not understand precisely what is happening with their personal information, how it is being collected, and by whom it is being collected and used.

Last week, these portents materialized into reality, when the Bureau announced that it had entered into a settlement agreement involving payment of a CAD $9 million AMP by a company alleged to have made false or misleading claims about the use and disclosure of Canadians’ personal information. As part of its settlement with the Bureau, the company also agreed: (i) to pay $500,000 for the costs of the Bureau’s investigation; (ii) not to make representations to the public that are materially false or misleading regarding the disclosure of personal information; and (iii) to implement a program to support compliance with the deceptive marketing provisions of the Act, which must be acknowledged and supported by senior management, and includes ongoing reporting obligations to the Commissioner of Competition.

The Competition Regime

The Act prohibits the making of a representation to the public that is false or misleading in a “material respect”. In determining whether a representation is false or misleading, the Bureau considers both the general impression that the representation is likely to create in a consumer’s mind, as well as its literal interpretation.

Importantly, it is not necessary for the Bureau to demonstrate that any person was actually deceived or misled by the representation in order to proceed with an investigation under the deceptive marketing practices provisions.

If it is determined that a business has made false or misleading representations, a variety of remedies may be ordered, including AMPs for corporations of up to $10 million on a first offence and up to $15 million for subsequent offences, and/or restitution to purchasers who were affected by the misrepresentation. Misrepresentations made knowingly or recklessly can even be prosecuted as criminal offences.

In applying the Act to privacy matters, the Bureau takes the position that businesses should assume that consumers will be influenced by their representations about how personal information is processed.  Accordingly, businesses must ensure that they do not mislead consumers about the collection and use of their personal information.  The Bureau interprets a “material respect” to include misleading consumers into making a decision, such as to disclose their personal information, that they may not have made in the absence of the misleading or deceptive information.

The Bureau has identified the following key topics as being most likely to raise concerns around creating a false or misleading general impression:

  • whether consumers’ data will be collected;
  • what data will be collected;
  • how often data will be collected;
  • why the data is collected and the purposes for its use;
  • whether the data will be sold to, or otherwise shared with, third parties;
  • whether consumer data will be retained, how it will be maintained, where it will be stored, and when it will be deleted; and
  • the level of control that consumers have as it relates to these issues.

Takeaways for Organizations

The Office of the Privacy Commissioner of Canada has long called for significant increases to enforcement powers under the Personal Information Protection and Electronic Documents Act (“PIPEDA”), including the ability to levy fines. However, the current focus of all governments on COVID-19 means that substantive changes to PIPEDA will likely have to wait.  In the meantime, the Bureau is poised to step in and exercise its considerable enforcement powers regarding deceptive marketing practices involving personal information.

Given the potentially significant AMPs and other repercussions, organizations doing business in Canada would be well-advised to:

  • Regularly review and update their privacy compliance policies and any other representations made to consumers to ensure that they accurately reflect the organization’s personal information handling practices;
  • Avoid developing privacy policies based on best guesses or incomplete information.In order to ensure that representations made in such policies are accurate, organizations must first have an excellent grasp on the types of personal information they collect and handle, how personal information is processed, disclosed and stored, and what safeguards the organization and its subcontractors have in place to protect consumers’ personal information;
  • Regularly review and carefully consider any privacy-related representations made in marketing materials (including pamphlets, website content and other promotional materials) to ensure that they are not false or misleading in any respect;
  • Heed the warning of the Bureau that burying privacy terms in a “lengthy and complex privacy policy” is ill-advised. Organizations should provide information about their privacy policies in manageable and easily accessible ways, for example by offering key highlights at the beginning of the policy and allowing users to control whether they wish to obtain more details; and
  • Ensure that messaging around the organization’s privacy and data protection practices is consistent across all platforms to avoid ambiguity or confusion.

by Lyndsay Wasser and Kristen Pennington

[1] See:
[2] See:
[3] See:
[4] See:

a cautionary note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2020

Insights (5 Posts)

Featured Insight

The 2022 Construction Labour “Open Period” – What Employers Need to Know

March 1 – April 30, 2022 is the “Open Period” for ICI collective agreements, and many non-ICI agreements, in Ontario. During this period members of construction unions can apply to the Ontario Labour Relations Board to terminate a union’s bargaining rights with their employer, or – more commonly – a rival union can apply to the Board to displace an existing union, in what is commonly known as a “raid”.

Join us on Wednesday, February 2nd for a discussion about what employers should expect and need to know if a decertification application or a displacement application involving their employees is filed at the Board. Our discussion will cover:

Wednesday, February 2, 2022
Featured Insight

Alberta Securities Commission Provides Guidance On Shareholder Rights Plans, Break Fees and Use of Equity Swaps in Take-over Bid Context

An Alberta decision has held that the use of swaps in a hostile take-over bid can be abusive, and added guidance on shareholder rights plans and break fees.

Read More
Jan 12, 2022
Featured Insight

Mandatory COVID-19 Vaccination Policy Upheld

An Ontario arbitrator upheld an employer's vaccine mandate for both a site where a 3rd party obligation existed and a related site with no such obligation.

Read More
Jan 12, 2022
Featured Insight

Ontario Arbitrators Continue to Uphold Terminations of Employees who Breach COVID-19 Safety Protocols

A recent decision by an Ontario arbitrator further affirmed the notion that dishonesty during COVID screening protocols by an employee can lead to termination.

Read More
Jan 12, 2022
Featured Insight

PropTech: Property Technology, the New Frontier in Real Property, Part 2: Benefits

In this bulletin, we discuss the benefits of using PropTech for businesses in the real estate space and for consumers of such products.

Read More
Jan 11, 2022