On January 22, 2020, Josephine Palumbo, the Deputy Commissioner of the Deceptive Marketing Practices Directorate at the Canadian Competition Bureau (the "Bureau"), spoke at the Canadian Institute's 26th Annual Advertising and Marketing Law Conference. During her remarks, titled Honest Advertising in the Digital Age, Ms. Palumbo identified the Bureau's current enforcement priorities as they relate to advertising and marketing in the digital economy. Among other things, these priorities include (a) influencer marketing; (b) fake online reviews; (c) dishonest information about data privacy; and (d) dishonest price claims.

To help businesses better understand how the Competition Act (the "Act") applies to their online advertising and marketing practices, we are publishing a series of four blogs discussing the enforcement priorities identified above. In particular, each of the blogs will describe the conduct in question, identify the provisions of the Act applicable to the conduct in question and provide some general guidance on what businesses can do to help ensure that their advertising and marketing practices comply with the Act. This is the third blog, which deals with dishonest information about data privacy.

Data Privacy and the Role of the Bureau

Data privacy is concerned with the collection, use, disclosure and maintenance of personal data. Specifically, it is concerned with ensuring that (a) individuals have control over their own personal data and (b) informed consent is obtained before businesses collect and use that personal data.

The first step in obtaining and maintaining informed consent is often the use of a privacy policy. A privacy policy is also a way for businesses to meet certain of their disclosure obligations under the Personal Information Protection and Electronic Documents Act ("PIPEDA") or substantially similar provincial legislation.

Unfortunately, privacy policies are often lengthy and legalistic documents that may not promote the goals of informed consent or proper disclosure. Additionally, if any part of a business' privacy policy is materially false or misleading, issues could potentially arise under certain deceptive marketing provisions in the Act. For example, in the Bureau's 2017 white paper, Big data and innovation: Implications for competition policy in Canada (the "2017 Big Data Paper"), the Bureau noted that deceptive practices can interact with personal data and privacy in many ways, including "false or misleading representations about the type of data collected, the purposes for which the data are collected, how the data will be used, maintained and erased ... and failing to adequately disclose information necessary for consumers to make informed choices".

As identified by the Bureau in its 2018 report, Big data and innovation: key themes for competition policy in Canada, there is a danger that false or misleading privacy policies may lead consumers to consent to the collection and use of their data in ways that they would not have otherwise consented to if properly informed. These types of concerns fall squarely within Bureau's mandate to ensure truth in advertising and protect consumers.

Josephine Palumbo affirmed the Bureau's commitment to data privacy in her recent remarks, stating (a) that "[t]he collection of data is an area where the principles of deceptive marketing are especially relevant"; (b) that "the era of Big Data means [the Bureau] will need to devote more attention to false claims that mislead consumers into giving away their personal data"; and (c) that "when firms make false or misleading statements about the type of data they collect, why they collect it, and how they will use, maintain and erase it, [the Bureau] will take action". In fact, the Bureau is already taking action in the area. For example, earlier this year it was reported that the Bureau was investigating an allegation that the federal Liberal, Conservative and New Democrat parties had made deceptive statements to the public through their respective privacy policies.

The Law

Both privacy and competition laws have a role to play when it comes to data privacy and the use of privacy policies.

Federal and provincial privacy laws, including PIPEDA, set out the privacy obligations that businesses must adhere to when they collect, use or disclose personal information in the course of their commercial activities. Businesses that collect personal information must be aware of and comply with their obligations under this legislation. Failure to do so could result in significant fines.

Privacy policies may also raise concerns under the false or misleading representations provisions of the Act. In summary, these provisions prohibit a business from making a representation to the public, in any form whatever, that is false or misleading in a material respect. Representations regarding how a business will treat an individual's personal data will almost certainly be considered material.

In considering whether a representation is false or misleading in a material respect, businesses must consider both the literal meaning of the representation and the general impression conveyed by the representation – including in the context of privacy policies. For example, even if a privacy policy fully and accurately describes a business' data practices (and is therefore literally true), concerns could potentially still arise if the policy creates a false or misleading general impression. In this regard, the 2017 Big Data Paper states as follows:

Fundamentally, companies are putting themselves at risk when they collect information that consumers would not expect to be collected in the normal course of business and only disclose this material information in terms and conditions that are likely to be overlooked by consumers. Consumers form a general impression about the type of data being collected and how their data will be used; companies should ensure that such general impression corresponds with the data being collected and how the data are, in fact, used. The collection and use of data that go beyond what consumers would reasonably expect increases the likelihood of deception.

The 2017 Big Data Paper also includes the following examples of situations that could lead to privacy policies being considered false or misleading:

  • Collecting data that is not linked to the functionality of the good or service being used

For example, as considered in a recent complaint investigated by the U.S. Federal Trade Commission (the "FTC"), a simple flashlight app may be collecting personal location data in order to sell it to third-party organizations. As the collection of location data has no connection to the operation of the mobile app, consumers may not be aware that they need to take steps to protect their personal information.

  • Misleading public representations that do not accord with the actual functionality of the product or service

For example, the FTC has recently taken action against Snapchat regarding numerous inconsistencies between the company's representations regarding data privacy and the actual functionality of the Snapchat app. These inconsistencies include the app's marketing, which highlights the idea that "snaps" would disappear forever after expiring, despite the fact that there were many ways in which third-parties could save or access these snaps after expiry.

Failing to ensure that your privacy policy complies with the false or misleading representations provisions of the Act can have serious consequences, including administrative monetary penalties, restitution and reputational harm – and in some cases criminal fines and jail time. For example, administrative monetary penalties for making false or misleading representations contrary to the civil provisions of the Act have ranged from $10,000 to $10 million.

Best Practices for Business

While by no means exhaustive, the following guidelines will help businesses avoid making false or misleading representations regarding their data practices:

  • Ensure privacy policies comply with all applicable requirements under PIPEDA and other privacy legislation.
  • Ensure privacy policies are accessible and use clear language (consider the Ontario Privacy Commissioner's tips for better online privacy policies).
  • Ensure that the use and collection of data is undertaken in compliance with the company's privacy policy, and make certain that any changes to the collection or use of data are immediately reflected in public representations.
  • Where the type of data collected or the use of that data may not fall within a customer's reasonable expectation (for instance, where the data collection is incidental and not required for use of the product or service), be particularly clear regarding data practices and do not rely on a lengthy and legalistic privacy policy.
  • Ensure that any marketing or public representations regarding the use or functionality of a product or service do not misrepresent the actual functionality of the product or service, or the company's data privacy practices.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.