Privacy Penalties – Canadian Competition Bureau Wades Into Privacy Enforcement

Privacy Penalties – Canadian Competition Bureau Wades Into Privacy Enforcement

A new era of Canadian privacy regulation is upon us, as the Competition Bureau (the “Bureau”) has made good on its promise to investigate false and misleading statements concerning consumers’ privacy as a violation of the Competition Act (the “Act”).

In light of this latest development – and the significant administrative monetary penalties (“AMPs”) that may be levied in the event of noncompliance – all organizations doing business in Canada are advised to undertake an immediate review and update of their privacy-related policies and marketing to ensure that any representations about consumer privacy and data protection are not misleading or inaccurate in any respect.

A Change Is Gonna Come

The first harbingers of change began to appear last year, when the Federal Government announced its Digital Charter.  Shortly thereafter, the Minister of Innovation, Science and Economic Development (the “Minister”) wrote a letter to the Commissioner of Competition[1], drawing a connection between promoting healthy competition in a data driven environment and the need for heightened transparency and control for individuals with respect to the use, processing and portability of their personal information.  The Minister further noted that: “It will be important to understand the role that competition policy and law can play in fueling trust, innovation, and competitiveness.”[2]

At the Canadian Institute’s 26th Annual Advertising and Marketing Law Conference, the Bureau itself stated its intention to devote more attention to claims made by organizations that impact consumers’ decisions to give away their personal data. In particular, Josephine Palumbo, Deputy Commissioner, Deceptive Marketing Practices Directorate, announced that: “…when firms make false or misleading statements about the type of data they collect, why they collect it, and how they will use, maintain and erase it, we will take action.”[3]

Similarly, in March of this year, the Bureau’s Deceptive Marketing Practices Digest[4] addressed the Bureau’s intention to crack down on the collection of consumers’ data in exchange for “free” online products and services, such as web browsers and apps.  Admonishing “lengthy and complex privacy policies”, the Bureau noted that consumers may not understand precisely what is happening with their personal information, how it is being collected, and by whom it is being collected and used.

Last week, these portents materialized into reality, when the Bureau announced that it had entered into a settlement agreement involving payment of a CAD $9 million AMP by a company alleged to have made false or misleading claims about the use and disclosure of Canadians’ personal information. As part of its settlement with the Bureau, the company also agreed: (i) to pay $500,000 for the costs of the Bureau’s investigation; (ii) not to make representations to the public that are materially false or misleading regarding the disclosure of personal information; and (iii) to implement a program to support compliance with the deceptive marketing provisions of the Act, which must be acknowledged and supported by senior management, and includes ongoing reporting obligations to the Commissioner of Competition.

The Competition Regime

The Act prohibits the making of a representation to the public that is false or misleading in a “material respect”. In determining whether a representation is false or misleading, the Bureau considers both the general impression that the representation is likely to create in a consumer’s mind, as well as its literal interpretation.

Importantly, it is not necessary for the Bureau to demonstrate that any person was actually deceived or misled by the representation in order to proceed with an investigation under the deceptive marketing practices provisions.

If it is determined that a business has made false or misleading representations, a variety of remedies may be ordered, including AMPs for corporations of up to $10 million on a first offence and up to $15 million for subsequent offences, and/or restitution to purchasers who were affected by the misrepresentation. Misrepresentations made knowingly or recklessly can even be prosecuted as criminal offences.

In applying the Act to privacy matters, the Bureau takes the position that businesses should assume that consumers will be influenced by their representations about how personal information is processed.  Accordingly, businesses must ensure that they do not mislead consumers about the collection and use of their personal information.  The Bureau interprets a “material respect” to include misleading consumers into making a decision, such as to disclose their personal information, that they may not have made in the absence of the misleading or deceptive information.

The Bureau has identified the following key topics as being most likely to raise concerns around creating a false or misleading general impression:

• whether consumers’ data will be collected;
• what data will be collected;
• how often data will be collected;
• why the data is collected and the purposes for its use;
• whether the data will be sold to, or otherwise shared with, third parties;
• whether consumer data will be retained, how it will be maintained, where it will be stored, and when it will be deleted; and
• the level of control that consumers have as it relates to these issues.

Takeaways for Organizations

The Office of the Privacy Commissioner of Canada has long called for significant increases to enforcement powers under the Personal Information Protection and Electronic Documents Act (“PIPEDA”), including the ability to levy fines. However, the current focus of all governments on COVID-19 means that substantive changes to PIPEDA will likely have to wait.  In the meantime, the Bureau is poised to step in and exercise its considerable enforcement powers regarding deceptive marketing practices involving personal information.

Given the potentially significant AMPs and other repercussions, organizations doing business in Canada would be well-advised to:

• Regularly review and update their privacy compliance policies and any other representations made to consumers to ensure that they accurately reflect the organization’s personal information handling practices;
• Avoid developing privacy policies based on best guesses or incomplete information.In order to ensure that representations made in such policies are accurate, organizations must first have an excellent grasp on the types of personal information they collect and handle, how personal information is processed, disclosed and stored, and what safeguards the organization and its subcontractors have in place to protect consumers’ personal information;
• Regularly review and carefully consider any privacy-related representations made in marketing materials (including pamphlets, website content and other promotional materials) to ensure that they are not false or misleading in any respect;
• Heed the warning of the Bureau that burying privacy terms in a “lengthy and complex privacy policy” is ill-advised. Organizations should provide information about their privacy policies in manageable and easily accessible ways, for example by offering key highlights at the beginning of the policy and allowing users to control whether they wish to obtain more details; and
• Ensure that messaging around the organization’s privacy and data protection practices is consistent across all platforms to avoid ambiguity or confusion.

by Lyndsay Wasser and Kristen Pennington

[1] See: https://www.competitionbureau.gc.ca/eic/site/cb-bc.nsf/eng/04464.html.
[2] See: https://www.competitionbureau.gc.ca/eic/site/cb-bc.nsf/eng/04464.html.
[3] See: https://www.canada.ca/en/competition-bureau/news/2020/01/honest-advertising-in-the-digital-age.html.
[4] See: https://www.competitionbureau.gc.ca/eic/site/cb-bc.nsf/eng/04520.html.

a cautionary note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2020