Canada: U.S. And Canadian Privacy Considerations For Mergers And Acquisitions

Last Updated: June 4 2013

The exchange of information about individuals, including customers, employees and security holders, is often an integral part of merger and acquisition transactions. Compliance with privacy law is and will continue to be a considerationin merger and acquisition transactions in light of evolving privacy regulation and enforcement regarding personal information. This article provides an overview of U.S. and Canadian privacy considerations for mergers and acquisitions.

U.S. and Canadian Privacy Law Overview

The law relating to privacy differs significantly as between the U.S. and Canada.

A.  U.S. privacy law

The United States has various federal and state privacy laws that apply to certain types of information, entities and circumstances. There are also federal and state privacy guidance and industry standards that are considered best practices. For example, the U.S. Federal Trade Commission ("FTC") final privacy report on consumer privacy describes best practices and applies to commercial entities which collect or use consumer data that can be "reasonably linked" to a specific consumer, computer or device with certain exceptions. (See: Federal Trade Commission, FTC Report, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers (March 2012)). While the U.S. federal and state privacy laws, guidance, cases and industry standards generally address the collection, use and disclosure of personal information, the requirements are specific to the types of personal information and entities and circumstances involved. Particular U.S. federal and state privacy laws, guidance, cases and industry standards may also have provisions regarding transactions (including  mergers and acquisitions) and related provisions (see, e.g., the Health Insurance Portability and Accountability Act (Pub. L. No. 104-191), as amended by the Health Information Technology for Economic and Clinical Health Act (enacted under Title XIII of the American Recovery and Reinvestment Act of 2009, Pub. L. No. 111-5) (collectively, "HIPPA") and the Gramm-­Leach-Bliley Act (15 U.S.C. 6801-6809) (the "GLB Act")).

i.     U.S. federal privacy laws

As to U.S. federal privacy laws that could be involved in mergers and acquisitions, the FTC enforces privacy under section 5 of the Federal Trade Commission Act (15 U.S.C. 45), which prohibits "....unfair or deceptive acts or practices in or affecting commerce...." and applies to persons or entities, with certain exceptions. In addition, the U.S. Department of Health & Human Services' Office for Civil Rights and state attorneys general enforce HIPPA, which applies to the use or disclosure of protected health information (i.e., individually identifiable health information, with certain exclusions) by health plans, health-care providers and health-care clearinghouses (i.e., covered entities) as well as by persons and entities that provide certain services to, for or on behalf of covered entities (i.e., business associates).Also, various state and federal regulators, including the FTC, enforce the GLB Act, which applies to financial institutions and covers non-public personal information (i.e., personally identifiable information provided by a consumer to a financial institution, resulting from any transaction with or service performed for the consumer orotherwise obtained by the financial institution). Moreover, the FTC, state attorneys general and certain other regulatorsenforce the Children's Online Privacy Protection Act (15 U.S.C. 6501 et seq.), which applies to an operator of a website or online service, including a mobile application, directed to children under age 13 or having actual knowledge that it is collecting or maintaining personal information from children under age 13.

ii.       U.S. state privacy laws

There are different U.S. state privacy laws that could be involved in mergers and acquisitions. These state privacy laws cover personal information, commonly meaning name plus (1) social security number, (2) driver's license number or state identification card number or (3) financial account or credit or debit card information. For instance, state breach notification laws cover the notification that is required for a breach involving personal information and generally apply to persons and entities that own or license or maintain (but do not own) the personal information of residents of a particular state (see, e.g., Cal. Civ. Code Section 1798.82). Note that there is also breach notification for covered entities and business associates regarding protected health information under HIPPA. Moreover, state security procedures laws cover the obligation to maintain reasonable security procedures and practices to protect personal information and often apply to persons and entities that own or license personal information of residents of a particular state. Of note, the Massachusetts security procedures law (201 CMR 17.00 et seq.), which applies to persons and entities regardless of whether they are located in the U.S. (including Massachusetts) and regardless of whether they also must comply with HIPPA or the GLB Act, requires such persons and entities to develop, implement and maintain a comprehensive written information security program. Furthermore, state social security number laws cover restrictions on the use of social security numbers and generally apply to persons and entities (see, e.g., Cal. Civ. Code Section 1798.85).

B.  Canadian privacy law

In Canada, there is a patchwork of general private-sector privacy statutes consisting of federal legislation, the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 ("PIPEDA"), and provincial legislation in the provinces of British Columbia, the Personal Information Protection Act, S.B.C. 2003, c. 63 (the "BC PIPA"), Alberta, the Personal Information Protection Act, S.A. 2003, c. P-6.5 (the "Alberta PIPA"), and Quebec, An Act Respecting the Protection of Personal Information in the Private Sector, R.S.Q., c. P-39.1 (the "Quebec Act"). PIPEDA is enforced by the Office of the Privacy Commissioner of Canada which may investigate privacy-related complaints, make findings, conduct audits and take other steps permitted under the legislation. Alberta and British Columbia also have independent Offices of the Information and Privacy Commissioner and the Quebec Act is enforced by the Commission d'accès à l'information du Québec.

Other provinces, such as Ontario, do not have comprehensive privacy legislation that applies to private-sector entities. Instead, Ontario has enacted the Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sched. A ("PHIPA"). In general terms, PHIPA has more limited application and primarily applies to the collection, use and disclosure of personal health information by a health information custodian, such as a hospital or physician. The provinces of New Brunswick, Newfoundland and Labrador, Manitoba and Saskatchewan have also promulgated health information protection legislation.

Because the health information protection statutes are more narrowly focused, the broader private-sector statutes of Alberta, British Columbia, Quebec and the federal jurisdiction more frequently arise in the context of commercial transactions. These privacy statutes govern the collection, use and disclosure of "personal information", which is broadly defined as information about an identifiable individual (but, in some cases, excluding employment contact information). The general rule under these Canadian privacy statutes is that personal information must not, with limited exceptions, be collected, used or disclosed unless consent is obtained from the individual to whom the personal information pertains.

PIPEDA applies to the collection, use and disclosure of personal information in the course of commercial activity within a province except where there is privacy legislation in that province that has been determined by the Governor in Council to be substantially similar to PIPEDA. The Alberta, British Columbia and Quebec statutes have been held to be substantially similar to PIPEDA (as have the Ontario PHIPA and the New Brunswick Personal Health information Privacy and Access Act, S.N.B. 2009, c. P-7.05, with respect to the collection, use and disclosure of health information only). As such, where applicable, provincial privacy legislation will apply to the collection, use and disclosure of personal information in the context of commercial transactions within those provinces.

Both the Alberta PIPA and BC PIPA include exceptions to the consent rule that specifically deal with the handling of personal information in the context of a "business transaction". In general terms, these statutes provide that personal information may be collected, used or disclosed without consent if the information is "necessary" for parties to decide whether to proceed with a "business transaction" or whether to finalize the deal. In order to take advantage of the business transaction exemption, the parties to the transaction must have entered into an agreement, which among other things, must include provisions that the collection, use and disclosure of the information must be restricted to the purposes of the transaction and that, if the transaction is completed, the acquiring entity (the "Acquirer") may only use the information for the same purposes for which the information was initially collected. "Business transaction" is defined in section 20(1) of the BC PIPA as the purchase, sale, lease, merger or amalgamation or any other type of acquisition, disposal or financing of an organization or a portion of an organization or of any of the business or assets of an organization. The definition in section 22(1)(a) of the Alberta PIPA also refers to "the taking of a security interest in respect of, an organization or a portion of an organization or any business or activity or business asset of an organization and includes a prospective transaction of such a nature". Note, however, that the Alberta PIPA business transaction exemption will not apply where the primary objective or result of the transaction is the sale, disposal or disclosure of personal information itself. The BC PIPA contains a similar exclusion.

Neither PIPEDA nor the Quebec Act contains a "business transaction" exemption. Accordingly, parties to a transaction ought to make an assessment as to whether the legislation is applicable to a particular collection, use or disclosure of personal information, and if so, whether either or both parties must obtain consent before collecting, using and disclosing that information in the context of the transaction.

Where transactions have a cross-border element, PIPEDA will continue to apply to the collection, use and disclosure that takes place across provincial or national borders. However, the reach of PIPEDA has certain constitutional limitations. Even in the absence of substantially similar provincial privacy legislation, PIPEDA will not generally apply to the collection, use and disclosure by provincially regulated entities of the personal information of such entities' employees. This limitation may give entities more freedom to collect and disclose employee personal information during the course of a transaction. That said, some caution is required since the law in this area is still developing. There is at least one decision of the Alberta Privacy Commissioner that suggests that "employee information" may lose its character as such and become general "personal information" and certain sensitive personal information may not constitute "business transaction information" when used or disclosed in a business transaction (see: Builders Energy Services Ltd., P2005-IR-005, July 12, 2005 (Alberta Information and Privacy Commissioner)). Using the same reasoning, it may remain an open question whether PIPEDA may apply not only to personal information about clients, customers and suppliers, but also to employees in those provinces where the entity being acquired (the "Target") has employees (other than B.C., Alberta and Quebec where the provincial statutes apply).

In addition to the privacy statutes, there is a growing body of common law in which privacy rights have been recognized. For example, the Ontario Court of Appeal recently recognized a new and independent cause of action in tort for invasion of privacy in the case of Jones v. Tsige (2012), 108 O.R. (3d) 241 (C.A.).

Given the patchwork of Canadian law applicable to a merger or acquisition, the parties will need to consider the objective of the transaction, what kind of personal information will be collected, used or disclosed as part of the transaction, what personal information will transfer to the Acquirer at closing and what uses the Acquirer will make of that information post-closing.

Due Diligence/Representations and Warranties

In general, an acquisition transaction will generally involve a due diligence phase where the Acquirer will investigate the Target. The parties will simultaneously or thereafter commence preparing the merger or acquisition agreement. As part of that merger or acquisition agreement, the Target will generally make representations and warranties about the status of its business, and the parties will make various covenants to each other.

As part of due diligence, the Acquirer should assess whether the Target is compliant with applicable privacy requirements (including privacy law, guidance, cases and industry standards) as well as the Target's policies (including website or mobile application privacy policies). The merger or acquisition agreement may contain representations and warranties specific to privacy compliance in addition to a general representation and warranty to the effect that the Target is in compliance with all applicable laws. Specific privacy representations and warranties could be to the effect that the Target (1) complies with all applicable privacy law, guidance, cases and industry standards and (2) complies with its own privacy policy.

The Target should involve persons at the Target with responsibility for or knowledge of its privacy compliance (for example, a privacy officer) in the transaction. Privacy counsel also should be involved and co-ordinate with such persons to ensure that the representations and warranties of the Target are accurate, and if acting for the Acquirer, that the due diligence in respect of these matters is adequate. Whether, when and the extent to which privacy counsel are engaged by the Target varies depending upon the direction provided by the Target and its advisers.

There are clear advantages to retaining privacy counsel at the outset. In Canada, the "business transaction" exception available in two of its privacy statutes only applies if the parties have entered into a non-disclosure or confidentiality agreement ("NDA") that sets out specific parameters around the collection, use and disclosure of personal information in the context of the business transaction. By comparison, an NDA relating to a U.S. Target in a non-regulated industry typically defines confidential information broadly (including corporate information) and does not specifically state how personal information will be handled. In either case, privacy counsel can make recommendations in an effort to ensure that both the applicable legal requirements and that the parties' intentions are met.

A.  Compliance with laws and other requirements

Another significant risk in privacy counsel not being engaged at the outset of the transaction is that the Target could make representations and warranties about its privacy compliance that are not true. This risk is also a factor if privacy counsel is engaged at the outset but limited to reviewing and commenting on the merger or acquisition agreement with scant information about the actual privacy compliance of the Target. A merger or acquisition agreement commonly provides that an entity must indemnify the other parties to the agreement for losses relating to the breach or inaccuracy of representations and warranties that the entity makes. Where non-compliance is found, covenants or closing conditions could be added to the merger or acquisition agreement regarding remediation.

A representation and warranty by the Target that it complies with all applicable privacy law, guidance, cases and industry standards could have application worldwide where there is no qualifying language. Factors such as the location in which the Target is based, where the Target conducts business, the industry in which the Target conducts business, the locations in which the individuals whose information is collected, used or disclosed reside, and the types of such information, must be considered. Different countries have different privacy laws, guidance, cases and industry standards as well as different privacy regulators and enforcement. Just as U.S. privacy counsel would be in a position to assess and assist with U.S. privacy compliance, Canadian privacy counsel would be in a position to assess and assist with Canadian privacy compliance.

If the Target has minimal awareness of its privacy compliance obligations and of its non-compliance, it would not be in a position to represent and warrant that it complies with all applicable privacy law, guidance, cases and industry standards. If the Acquirer requires such a representation, the Target will generally wish to add knowledge and materiality qualifiers to the representation. In addition, exceptions could be made to the representation and warranty in an accompanying disclosure schedule.

B.  Compliance with privacy policies

The Target can anticipate that the Acquirer will usually request copies of privacy policies, and that the Target represent and warrant that it is in compliance with such policies. If the Target is representing and warranting that it complies with its own privacy policy, the Target will first need to confirm that it actually has a privacy policy.

An operator of a commercial website or an online service (including a mobile application) that collects personally identifiable information about any California resident through the Internet must have and conspicuously post or make available a privacy policy that complies with the California Online Privacy Protection Act, which the California Attorney General enforces (see: California Bus. and Prof. Code Sections 22575 and 22577(b) and Press Release, State of California Department of Justice, Office of the Attorney General, Attorney General Kamala D. Harris Files Suit Against Delta Airlines for Failure to Comply with California Privacy Law (Dec. 6, 2012)).

All Canadian entities are required to implement privacy policies and provide training on and comply with such policies. Many entities will have both an outward-facing privacy policy (applicable to its clients, customers and the public in general), as well as an employee privacy policy that is applicable internally only.

Whether in the U.S. or Canada, there may be different versions of a privacy policy from the Target. Among other things, a privacy policy describes the types of information that the privacy policy applies to and whether this information can be shared with third parties. The Acquirer should determine whether any covered types of information to be transferred in the transaction can be shared with third parties under the privacy policy. When a privacy policy is prepared or updated, a transaction may not be contemplated and such disclosure to an Acquirer may not be provided for in the privacy policy.

i.     Risk of enforcement

There is a risk of enforcement by the FTC regarding the specific privacy policy language regarding restrictions on sharing information with third parties as the contemplated transfer of personal information in the transaction could be in violation of the Federal Trade Commission Act. The FTC could already be aware of the merger or acquisition in the antitrust context. Also, state attorneys general also could take action (see: Tiffany Kary, Borders to Sell Intellectual Property to Barnes & Noble, Business Week (Sept. 26, 2011) and Matt Richtel, in Settlement with F.T.C.,The New York Times (July 22, 2000)). The transaction could be significantly impacted particularly where customer information, including as part of a database, is a key asset in the transaction. The structure of the transaction (for example, whether an asset, stock or merger transaction) also has importance.

A.   Borders Group

The FTC has weighed in on contemplated asset transactions in the bankruptcy context, most recently regarding the Borders Group and XY. A letter requested from the FTC in a bankruptcy proceeding regarding the contemplated sale of certain consumer personal information in the possession of Borders described the FTC's concerns that any sale or transfer of the personal information of Borders' customers would contravene Borders' express promise not to disclose such information and could constitute a deceptive or unfair practice.

Borders collected consumer personal information under at least three privacy policies. The first policy stated in relevant part: "Borders, Inc., Walden Book Company, Inc., and their related companies believe that your personal information – including your purchase history, phone number(s), and credit card data – belongs to you. We collect this type of information to serve you better when you provide it to us, but we do not rent or sell your information to third parties. From time to time, we may ask if you are interested in receiving information from third parties whose services or information we think would be of value to you. In those instances, we will only disclose your email address or other personal information to third parties if you expressly consent to such disclosure. (Emphasis in original)." (See: letter from David C. Vladeck, Federal Trade Commission Bureau of Consumer Protection, to Michael St. Patrick Baxter and Yaron Dori (Sept. 14, 2011)). Borders' second privacy policy contained the same privacy language as the first privacy policy, with no substantive changes.

The third privacy policy contained the same language restricting the sale or rental of personal information and also included the following language: "Circumstances may arise where for strategic or other business reasons, Borders decides to sell, buy, merge or otherwise reorganize its own or other businesses. Such a transaction may involve the disclosure of personal or other information to prospective or actual purchasers, or receiving it from sellers. It is Borders' practice to seek appropriate protection for information in these types of transactions. In the event that Borders or all of its assets are acquired in such a transaction, customer information would be one of the transferred assets." (See: letter from David C. Vladeck, Federal Trade Commission Bureau of Consumer Protection, to Michael St. Patrick Baxter and Yaron Dori (Sept. 14, 2011)). The FTC viewed this language " applying to business transactions that would allow Borders to continue operating as a going concern and not to the dissolution of the company and piecemeal sale of assets in bankruptcy." (See: letter from David C. Vladeck, Federal Trade Commission Bureau of Consumer Protection, to Michael St. Patrick Baxter and Yaron Dori (Sept. 14, 2011)).

According to the FTC, "[i]n light of the promises Borders made to its customers, [the FTC] believe[s] it would be appropriate for Borders to obtain express consent from its customers, specifying the potential purchaser, before it transfers the data. The consent process would allow customers to make their own determination as to whether a transfer of their information would be acceptable to them. For consumers who did not consent, their data would be purged." (See: letter from David C. Vladeck, Federal Trade Commission Bureau of Consumer Protection, to Michael St. Patrick Baxter and Yaron Dori (Sept. 14, 2011)).

The FTC continued: "....[i]f the bankruptcy court declines to require consent to the transfer in light of other considerations, the Toysmart settlement is an appropriate model to apply here. As in Toysmart, [the FTC's] concerns about the transfer of customer information inconsistent with privacy promises would be greatly diminished if all the following conditions were met:

  • Borders agrees not to sell the customer information as a standalone asset;
  • The buyer is engaged in substantially the same lines of business as Borders;
  • The buyer expressly agrees to be bound by and adhere to the terms of Borders' privacy policy; and
  • The buyer agrees to obtain affirmative consent from consumers for any material changes to the policy that affect information collected under the Borders' policy." (See: letter from David C. Vladeck, Federal Trade Commission Bureau of Consumer Protection, to Michael St. Patrick Baxter and Yaron Dori (Sept. 14, 2011)).

After the federal bankruptcy court approved the sale of Borders assets, including its customer list, acquirer Barnes & Noble sent a letter to Borders' customers notifying them of this approval and of the customer information to be transferred. Borders' customers could opt-out of having their customer data transferred to Barnes & Noble by a specified deadline and Barnes & Noble would ensure that their data that Barnes & Noble received from Borders would be disposed of in a secure and confidential manner. If Borders' customers did not opt-out, their information would be covered under the Barnes & Noble privacy policy (see: and Federal Trade Commission, For Your Information (Oct. 6, 2011)).

B.    XY

In a letter from the FTC to initial individual stakeholders in XY Corporation who were seeking to establish ownership and obtain possession of sensitive personal information from subscribers to the defunct XY gay male youth-oriented magazine and website through a bankruptcy proceeding, the FTC said: ".... the XY privacy policy is simple, explicit, and clear. Subscribers and members were told that their personal information would not be sold, shared, or given away to 'anybody.' This includes the names, addresses, profile information, and credit card information submitted by subscribers. It also includes unpublished articles that were submitted, for which permission to publish had not yet been secured. Therefore, any sale or transfer of the data to a new company, new owner, or other third party would directly contravene the privacy representations and could constitute a deceptive practice by the original company or its principals. Such practice also could be unfair. In addition, the receipt of such data by a third party, knowing that such receipt violated the privacy policy, could be unfair" (see: letter from David C. Vladeck, Federal Trade Commission Bureau of Consumer Protection, to Peter Larson, et al. (July 1, 2010)).

The FTC continued:  "...the continued use of the XY [personal information], even by the existing owner, would not necessarily be consistent with the original purpose for which the data was provided. Indeed, due to the nature of the information, the passage of time, and the closure of the magazine and website in 2007 and 2009, respectively, the continued use of the data may pose privacy risks not reasonably contemplated by subscribers when they provided the data, and not consistent with their course of dealing with the company." (See: letter from David C. Vladeck, Federal Trade Commission Bureau of Consumer Protection, to Peter Larson, et al. (July 1, 2010)).

Since the FTC believed that any sale, transfer or use of the XY personal information raises serious privacy issues and could violate the Federal Trade Commission Act as well as to avoid the possibility of this information falling into the wrong hands, the FTC asked that it be destroyed (along with any credit card data still being retained) as soon as possible (See: Letter from David C. Vladeck, Federal Trade Commission Bureau of Consumer Protection, to Peter Larson, et al. (July 1, 2010)). After receiving a copy of the FTC's letter to XY, the court overseeing bankruptcy proceedings involving XY ordered the destruction of the information. (See: remarks of David C. Vladeck, Director, Federal Trade Commission Bureau of Consumer Protection, International Association of Privacy Professionals Practical Privacy Series, Washington, DC (Dec. 7, 2010).

C.   Covenants

In addition to the representations and warranties dealing with privacy law issues, consideration will need to be given as to whether the covenants in the merger or acquisition agreement give rise to any privacy law concerns. For example, it is relatively common to include a covenant that the Target will disclose or provide to the Acquirer all books and records of the business upon completion of the transaction. Many of those books and records may contain personal information.

In Canada, the parties should consider whether they must obtain the consent of the individuals to whom the personal information pertains before collecting or disclosing that information. In some circumstances, it is possible that express or implied consent has already been obtained through the use of agreements, privacy notices or privacy policies to customers or employees dealing with the disclosure of personal information in the context of a transaction. If the scope of the consents is limited, the Target may request that the Acquirer covenant to use or disclose the personal information collected in the transaction only for the purposes for which it was disclosed to the Target in the first place. If the Acquirer has alternative plans for the personal information, privacy counsel can advise on whether there are risks and, if so, the potential exposure.

Ongoing Privacy Compliance

Entities engaged in a merger or acquisition transaction will have privacy compliance obligations before, during and after the merger or acquisition. Following the closing of the transaction, the Acquirer may be limited in the uses and disclosures that it can make of the information transferred to it as part of the transaction.

Depending on the business, a chief privacy officer or other person with responsibility for privacy matters may be engaged to manage ongoing compliance issues. Privacy counsel in appropriate countries may also be engaged to assist both with the entity's ongoing privacy compliance requirements and with any mergers and acquisitions. By monitoring compliance issues with appropriate guidance, such entities will be in a position to identify and address the various privacy compliance issues that can arise at any time.


Privacy compliance issues can impact an entity's brand and reputation and its bottom line. Given the heightened sensitivity to exposure and liability around privacy breaches and compliance with privacy law requirements, it is always prudent to take into consideration privacy law requirements when considering a potential merger or acquisition. For example, a past privacy breach or incident will have an impact on certain aspects of the merger or acquisition transaction, including representations and warranties to be made in the merger or acquisition agreement, whether or not the breach or incident was reported to any affected individuals, authorities or others in a particular country. For the Acquirer, due diligence about the privacy compliance and breaches or incidents of the Target may be key.

In all cases, privacy policies should be reviewed and assessed, including those related to websites and mobile applications. Consideration should be given to whether the policies contain provisions about sharing information with third parties, particularly in light of the regulation and enforcement risk in the U.S. If the policies do not refer to the sharing of personal information as part of a merger or acquisition transaction in Canada, consideration will need to be given as to whether consent is required to collect, use and disclose personal information in the context of a transaction. Any covenants relating to personal information in the merger or acquisition agreement may be modified accordingly.

Following the closing of the transaction, in the ever-changing world of privacy law, entities, chief privacy officers or other persons with responsibility for privacy matters and, as necessary, privacy counsel should continue to work together to monitor and address legal and business developments.

Article by Melissa J. Krasnow, Partner, Dorsey & Whitney LLP, and Andrea York, Partner, Blake, Cassels & Graydon LLP

Melissa J. Krasnow is a corporate Partner with Dorsey & Whitney LLP. Her practice encompasses privacy, electronic and mobile commerce, social media, Internet, anti-money laundering and corporate governance and compliance law, as well as domestic and cross-border mergers and acquisitions. She is a Certified Information Privacy Professional/US (CIPP/US) who serves on the Certification Advisory Board for the CIPP/US program and the Canadian Advisory Board of the International Association of Privacy Professionals.

Andrea York is a Partner in the Privacy and Employment & Labour groups at Blake, Cassels & Graydon LLP and is Co-chair of the Firm's Privacy group. Her practice focuses on providing key advice to employers in a broad range of privacy and employment law contexts, including those that arise in M&A transactions, litigation and in the area of compliance.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

Events from this Firm
27 Oct 2016, Seminar, Toronto, Canada

Please join members of the Blakes Commercial Real Estate group as they discuss five key provisions of a commercial real estate purchase agreement that are often the subject of much negotiation but are sometimes misunderstood.

1 Nov 2016, Seminar, Toronto, Canada

What is the emotional culture of your organization?

Every organization and workplace has an emotional culture that can have an impact on everything from employee performance to customer or client satisfaction.

3 Nov 2016, Seminar, Toronto, Canada

Join leading lawyers from the Blakes Pensions, Benefits & Executive Compensation group as they discuss recent updates and legal developments in pension and employee benefits law as well as strategies to identify and minimize common risks.

In association with
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
Email Address
Company Name
Confirm Password
Mondaq Topics -- Select your Interests
 Law Performance
 Law Practice
 Media & IT
 Real Estate
 Wealth Mgt
Asia Pacific
European Union
Latin America
Middle East
United States
Worldwide Updates
Check to state you have read and
agree to our Terms and Conditions

Terms & Conditions and Privacy Statement (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

Use of

You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.


Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.


Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.

Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

If you do not want us to provide your name and email address you may opt out by clicking here .

If you do not wish to receive any future announcements of products and services offered by Mondaq by clicking here .

Information Collection and Use

We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to with “no disclosure” in the subject heading

Mondaq News Alerts

In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.


A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

Log Files

We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.


This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

Surveys & Contests

From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.


If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.


This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to

Correcting/Updating Personal Information

If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to

Notification of Changes

If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

How to contact Mondaq

You can contact us with comments or queries at

If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at and we will use commercially reasonable efforts to determine and correct the problem promptly.