In January 2020, the Competition Bureau (Canada) (the “Bureau”) restated its intention to pursue enforcement action against organizations that “make false or misleading statements about the type of data they collect, why they collect it, and how they will use, maintain and erase it”. In a speech delivered by the Bureau’s Deputy Commissioner, it was explained that the Bureau’s approach in trying to “ensure truth in advertising by addressing misleading claims about consumer privacy” is complementary to the Office of the Privacy Commissioner of Canada’s mandate to protect Canadians’ privacy rights.
On May 19, 2020, a settlement resulting from the Bureau’s first enforcement action against Facebook Inc., for allegedly violating Canadian truth in advertising laws by making false and misleading representations about its privacy practices, was announced.
“Facebook did not limit the sharing of users’ personal information with some third-party developers in a way that was consistent with the company’s privacy claims,” the Bureau said in a news release. “This personal information included content users posted on Facebook, messages users exchanged on Messenger, and other information about identifiable users.”
The settlement agreement gives the Bureau monitoring rights and states that Facebook Inc. will pay $9 million in administrative monetary penalties and $500,000 in costs. As part of the settlement, Facebook Inc. also agreed not to make any materially false or misleading representations about its disclosure of users’ personal information.
This enforcement action, and the settlement, demonstrates the Bureau’s commitment to flex its enforcement powers, including imposing significant administrative monetary penalties, to protect Canadian consumers against misleading privacy policies.
PIPEDA vs The Competition Act
Under the Personal Information Protection and Electronic Documents Act (“PIPEDA”), organizations are generally required to obtain meaningful consent for the collection, use and disclosure of personal information. Consent is considered meaningful when individuals are provided with clear information explaining what organizations are doing with their information. Private organizations typically rely on their privacy policies to obtain meaningful consent from their customers and other individuals with whom they interact.
However, the Privacy Commissioner of Canada’s ability enforce privacy laws is limited. The Privacy Commissioner is able to conduct investigations, make recommendations, expose non-compliant organizations in the public interest, and pursue recourse in the Federal court, but is not able to issue fines against organizations that publish false or misleading privacy policies or fail to comply with their published privacy policies.
In Contrast, the Competition Act imbues the Bureau with a criminal and civil enforcement regime to address false or misleading representations.
The Competition Act prohibits making a materially false or misleading representation to the public to promote, either directly or indirectly, the supply or use of a product or a business interest. This could include materially false or misleading representations about how a company collects, uses, maintains, stores or erases the personal data of its customers.
Under the Competition Act’s civil regime, proceedings before the Competition Tribunal or a court can result in potentially significant administrative monetary penalties (i.e., fines) against corporations (up to $10 million for a first occurrence and up to $15 million for subsequent occurrences). Under the criminal enforcement regime, a conviction is punishable by a fine (up to $200,000 on summary conviction and in the court’s discretion for conviction on indictment) and imprisonment (up to one year on summary conviction and up to 14 years on conviction on indictment).
What’s clear is that the Bureau will enforce provisions of the Competition Act even if the actions giving rise to the enforcement action may be subject to enforcement under PIEPDA. What this means is that organizations operating in Canada now face the prospect of scrutiny of their privacy practices and related representations by both the Bureau and the Privacy Commissioner of Canada.
Important Considerations for Business
According to the Bureau’s March 2020 Deceptive Marketing Practices Digest, the representations that are most likely to raise legal enforcement issues (and attract fines) are those that create a false or misleading general impression about:
- Whether consumer data will be collected
Businesses that collect consumer data must not make any representations that may create the general impression that they do not.
- What data will be collected
Businesses should be mindful not to make representations suggesting that they will collect less data than is actually the case. For example, representations suggesting that only a consumer’s public social media profile will be collected would raise concerns if the business is also using geolocation to track the consumer’s physical location.
- How often data will be collected
Businesses run the risk of misleading consumers if they make representations that create the general impression that the collection of a consumer’s data is a one-time event, if in fact the collection is ongoing for as long as the digital product is installed.
- Why the data is collected and what it will be used for
Businesses should also be careful not make representations that suggest that they will collect data for one purpose, such as inviting consumers to apply for jobs, when in fact the data is collected for another purpose, such as being sold to third parties.
- Whether the data will be shared with third-parties
Businesses should ensure that they do not mislead consumer about whether, and under what circumstances, their data will be shared with third parties.
- Whether consumer data will be retained, and how it will be maintained and deleted
Businesses should be aware that consumers may be influenced by representations that create the general impression that they have complete control over the destruction of their data, should they wish to stop using a digital product or service. As such, businesses should ensure that they are truthful about the extent of control consumers have over the recall or destruction of their data.
How To Ensure Your Business Is Compliant
In order to avoid inadvertently breaching PIEPDA or the Competition Act, organizations should take action to ensure that their privacy policies, marketing materials and other statements accurately describe their collection, use, disclosure, retention and destruction of consumers’ personal information. An organization may consider auditing its personal information management practices on a regular basis, but especially after transitions within the organization that may shift the way personal information is collected and stored.
Businesses would also do well to consult the plethora of resources available to increase compliance including the Privacy guide for businesses, PIPEDA compliance and training tools and Issue-specific guidance for businesses from the Office of the Privacy Commissioner of Canada.
At Mills & Mills LLP, our lawyers regularly help clients with a wide range of legal matters including business law, family law, real estate law, estate law, employment law, health law, and tax law. For over 130 years, we have earned a reputation amongst our peers and clients for quality of service and breadth of knowledge. Contact us online or at (416) 863-0125.