Violations of privacy—already overseen by the Office of the Privacy Commissioner of Canada (as well as provincial privacy commissioners)—may soon be subject to fines under the federal Competition Act. In a statement yesterday at the 26th Annual Advertising and Marketing Law Conference in Toronto, a senior Competition Bureau official confirmed that the Competition Bureau intends to take action when organizations "make false or misleading statements about the type of data they collect, why they collect it, and how they will use, maintain and erase it."
The significance of this statement cannot be understated. All organizations that are in custody or control of personal information should take immediate notice given the potential fines that could be imposed for deceptive marketing practices involving privacy issues.
Under the Canadian federal and provincial privacy legislation, organizations are required to implement reasonable security for personal information in their custody or control, and to obtain meaningful consent from an individual with respect to the use and disclosure of that individual's personal information. The federal privacy legislation is seen to have little teeth in that there are no fines for failure to comply with these obligations.
In contrast, under the Competition Act, there are substantial fines for unfair or deceptive marketing practices. The Competition Bureau can seek an administrative penalty of up to $10 million, and up to $15 million for each subsequent order against the corporation. In the case of an individual, the Competition Bureau may seek an administrative penalty of up to $750,000, and up to $1 million for each subsequent order against the individual.
Privacy policies that are posted on websites and available to consumers almost always include a statement along the lines of "we take all reasonable steps to safeguard your information" or "we will only use your information for the purposes for which consent has been given". If it is suspected that a breach reveals a failure to comply with these commitments, the Competition Bureau may initiate enforcement proceedings. Even without these express statements, it is conceivable that the Competition Bureau may seek to enforce privacy violations under what is deemed to be implied representations to consumers.
The United States Federal Trade Commission (FTC) has long relied on its authority to regulate unfair or deceptive acts or practices in the context of a failure by organizations to implement reasonable safeguards or the use of personal information beyond the scope of consent. In the United States, the FTC has successfully imposed significant fines on companies for such violations.
As we previously reported, and re-iterated in May 2019, the commitment of the FTC to regulate privacy violations foreshadowed things to come in Canada. In May 2019, there was the first public indication that the Competition Act may be relied on to regulate privacy—at a forum in Ottawa, the Competition Commissioner commented that the fines for deceptive marketing practices may be appropriate for violations of privacy by app makers.
Given this trend, directors and officers should take note beyond the risk to the company itself. Recently, the FTC has entered into a settlement involving a fine against the former CEO of a company in connection with a failure to safeguard personal information by the company.1
In order to protect against the potential fines under the Competition Act, it is important that organizations (and their executives) invest the required time and resources to understand the precise categories of personal information they have in their custody or control, the measures (technological, operational and physical) implemented to protect that information, and any gaps in what is required in the circumstances given the sensitivity of the information, industry norms and guidelines that effectively prescribe particular controls. Further, organizations (and their executives) must identify how they use the personal information and whether this use falls beyond the scope of the consent obtained. This process is often referred to as a "risk and vulnerability assessment" or a "gap analysis", for which expert assistance (legal and forensic) is recommended.
Now the stakes are higher and companies must invest the resources needed to know whether they do what they say when it comes to privacy matters.
Footnote
1 In January 2020, the FTC finalized a settlement with InfoTrax Systems, LC and its former CEO further to allegations that they failed to use reasonable, low-cost and readily available security protections to safeguard the personal information they maintained.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.