Canada's Competition Bureau is making a shift towards enforcement in aspects of the digital economy. One way it is refocusing its work relates to policing false or misleading statements about the type of data organizations collect, why they collect it, and how they will use, maintain and erase it. The Bureau has substantial enforcement powers under the Competition Act to levy significant fines and penalties for deceptive online practices.
In an address to the Canadian Institute 26th Annual Advertising and Marketing Law Conference, the Bureau's Deputy Commissioner, Deceptive Marketing Practices Directorate, set out enforcement priorities and noted that "dishonest information about data privacy rank high on the list of concerns" and explained:
"While, historically, the Bureau has mostly reviewed practices where consumers were misled into purchasing a product or service, the era of Big Data means we will need to devote more attention to false claims that mislead consumers into giving away their personal data.
The issues of privacy and deceptive marketing practices intersect in the online marketplace.
The Bureau aims to ensure truth in advertising by addressing misleading claims about consumer privacy.
This is complementary with the mandate of the Office of the Privacy Commissioner, or the OPC, which is mandated to protect the privacy rights of Canadians.
For instance, when firms make false or misleading statements about the type of data they collect, why they collect it, and how they will use, maintain and erase it, we will take action."
This signals a significant shift in the way Canada enforces consumer privacy. The Bureau is putting organizations on notice that their privacy statements, consents and policies cannot be false or misleading.
As an example of what the Bureau may do, one can look at the Federal Trade Commission (FTC) in the United States, which has been actively engaged in actions against companies with misleading privacy practices. FTC actions involve: claims regarding inflated promises about privacy protection; unmet assurances to consumers about how they can control their information; and information sharing with third parties without adequately bringing it to the attention of users. The FTC has been critical of broad promises to protect privacy, finding that companies have misled consumers by failing to maintain appropriate security for sensitive information.
Organizations should already be routinely reviewing their privacy policies and practices, however, this development provides another reason for scrutiny of such policies and practices and for conducting a risk assessment. A privacy review should include analysis to confirm what information the organization is collecting and why, as well as how it is used, with whom it is shared, and whether it is properly secured and destroyed. A real risk assessment will be vital for the defence of any action by the Competition Bureau.
You can find a copy of our organizational Risk Assessment Outline here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.