The worlds of competition law and privacy law have been spinning closer together in Canada for the past several years. In the Competition Bureau’s Big Data and Innovation paper released in February 2018, the Bureau stated that its “mandate to ensure truth in advertising may overlap with the OPC’s [Office of the Privacy Commissioner’s] mandate to protect privacy rights. Both mandates are important to protect consumers in the digital economy. The Bureau will continue to enforce provisions of the Act even if the offending actions may be subject to enforcement under PIPEDA.”
The Bureau has reiterated this statement (and approach) in a series of speeches, reports and guidance, in which the Bureau has signalled that it would aggressively pursue its goal of enforcing competition law in the digital economy. For example, in our blog post in September 2019, we discussed the Bureau’s intention to pursue anti-competitive conduct in the digital economy under the Competition Act (“Act”), and in its Deceptive Marketing Practices Digest, Vol., 5 published in March of this year (“Digest”), the Bureau focused its attention on privacy-related false or misleading representations under the Act.
The Bureau has now followed through and on Tuesday, May 19, 2020, it announced that it had signed a consent agreement settling a false or misleading claim about the extent to which users of a digital platform could control access to their personal information. This is the first time the Bureau has concluded a case treating privacy statements relating to the use and disclosure of personal information as false or misleading representations. The agreement establishes compliance reporting and monitoring obligations for a period of ten years and provides for an administrative monetary penalty of $9 million, as well as a provision for payment of $500,000 of the Bureau’s costs.
This is an important wake-up call for any businesses that have ignored the Bureau’s ambitions in privacy enforcement and raises questions about the overlapping authority of the Bureau and the Office of the Privacy Commissioner of Canada (“OPC“). It also reflects the additional tools that are available to the Competition Bureau (and not the OPC) to impose regulatory fines where a privacy policy or statement may be inaccurate. (As an aside, this may be an important issue in the development of Canadian privacy laws, as those undergo a review.)
Background on false and misleading representations
Section 74.01(1) of the Act governs the civil reviewable practice of making misleading representations to the public. In particular, paragraph 74.01(1)(a) prohibits the making of representations to the public that are false or misleading in a material respect in order to promote a product, service or business interest. Section 52 of the Act establishes the criminal prohibition of knowingly or recklessly making, or permitting the making of, a false or misleading representation in a material respect.
According to the Bureau, a representation includes claims about the information businesses collect, why they collect it, and how they use it. In addition, as the Bureau expressly stated in its recent announcement, the Act applies to digital products that are “free”. Thus, search browsers, social media platforms, mobile apps, data exchanges and other similar digital businesses that provide their product or service without charge are within the scope of the Act.
In the Digest, the Bureau stops short of saying that the use of the word “free” by businesses in marketing, for example, a “free mobile app” etc., is at risk of being a false or misleading representation in and of itself, given the business is collecting data. But the Bureau does seem concerned that not all individuals are aware that their data is collected by businesses when they use such products or services, alluding to the “hidden cost of free digital products and services”. The Bureau disagrees that it is universally true that digital consumers know that if they do not pay for a product with money, then they must be paying for it with their data. This raises the question of how knowledge of the nature of the transaction (services for data) interplays with knowledge and consent under privacy laws.
In a material respect?
A key part of the analysis is whether the representation is false or misleading in a material respect. Whether a representation is false or misleading in a material respect depends on whether or not it will influence a customer’s buying decision. When the Bureau is determining if a representation is misleading, it must consider the general impression that the representation is likely to create in a consumer’s mind, as well as its literal meaning. The analysis must consider the average consumer, while also considering the nature of the product and the audience to whom the representation be directed. Consequently, it must be proven that, a data representation, or lack thereof, is material to the consumer’s decision to use the product or service
The Bureau states in the Digest that the guiding principle for its enforcement approach is that representations should not mislead consumers in a “material respect”, if, for example, the representation would lead consumers to give their data to companies that they would not otherwise have provided, but for the false or misleading information.
Privacy policies and terms and conditions – the disclaimer issue
The Bureau has consistently warned advertisers that the use of disclaimers and fine print cannot be used to correct an otherwise false or misleading representation. In other words, disclaimers may be used to expand upon the main representation, such as providing additional details or clarify potential ambiguities. However, disclaimers cannot contradict the representation, as fine print that is used to restrict, contradict or somehow negate the main message, can mislead consumers.
The Bureau equally warns about the use of language buried in terms and conditions, or in a privacy notice to cure the main representation. For example, a main representation that states that information will be used to create and manage the user’s profile, while language buried in the privacy notice states the same information will also be used for marketing, profiling, etc., would be problematic.
Intersection with privacy laws: double the risk?
Organizations now face a kind of double jeopardy for statements made in their privacy policies and other statements about personal information. The OPC (and its provincial counterparts) are focused on privacy laws, which emphasise the ability of a user to provide valid consent. The Bureau is focused on false or misleading representations. It is entirely possible that organizations could not only find themselves investigated by the OPC for a failure to obtain adequate consent under privacy law, but also the subject of a Bureau investigation into whether those same representations were false or misleading. This will create complex issues in respect of information sharing between the two agencies, privilege, and litigation risk that organizations will need to think through.
Practical considerations for businesses
As the Bureau notes in the Digest, the representations that are most likely to raise issues are those that create a false or misleading general impression about:
- Whether consumer information will be collected: Do not represent that you do not collect information, when in fact you do. This may be of particular importance in the context of the use of cookies and online behavioural data, which is not as obvious to the individual. Further, businesses must remember to update their policy as they add new cookies and similar technologies to their websites and apps.
- What information will be collected: Do not collect more information than what is represented.
- How often information will be collected: Do not suggest collection is a one-time event when in fact, information is collected on an ongoing basis.
- Why the information is collected and what it will be used for: Similar to privacy laws, all uses of data must be disclosed in a clear and comprehensible manner.
- Whether the information will be sold to, or otherwise shared with third-parties: Similar to privacy laws, the transfer or disclosure of information, and to whom, for what purpose, and in what circumstances, must be disclosed.
- Whether consumer information will be retained and for how long, and how it will be maintained and deleted: The Bureau states consumers may be influenced by representations that create the general impression that they have complete control over the destruction of their information, should they wish to stop using a digital product or service. As such, businesses should ensure that they are truthful about the extent of control consumers have over the recall or destruction of their information.
Given the Bureau’s demonstrated interest in pursuing deceptive use of privacy statements, businesses would be well-advised to re-visit their personal information handling practices, particularly their disclosure practices, to ensure such data practices are accurately reflected with their statements about privacy. Businesses may also wish to take this opportunity to provide updated training, in particular to their privacy, advertising and IT teams.
For more information about Denton’s data expertise and how we can help, please see our Transformative Technologies and Data Strategy page and our unique Dentons Data suite of data solutions for every business, including enterprise privacy audits, privacy program reviews and implementation, and training in respect of personal information.
