The House of Commons Standing Committee on Access to Information, Privacy and Ethics tabled its Report, entitled “Privacy and Social Media in the Age of Big Data” on April 23, 2013.

The report is the result of 15 meetings of the Committee and 30 witnesses between May 29, 2012 and December 11, 2012. The Committee’s Report summarizes the witness’s testimony but doesn’t suggest any legislative response. Some issues are punted to the Office of the Privacy Commissioner of Canada (OPC) to establish guidelines. Other issues, such as children’s privacy interests, enforcement powers of the OPC, Do Not Track and “privacy as the default” are discussed but the Committee offers no recommendations.

OPC’s Homework

The Committee may not have had advice or solutions on many of the issues, but it was ready to recommend that the OPC develop more guidelines. Among the guidelines that the Committee wishes to see the OPC develop are:

• Guidelines for social media and data management companies regarding accountability and openness

• Guidelines for drafting policies, agreements and contracts in clear, accessible language that facilitates meaningful and ongoing consent

• Guidelines for mechanisms to ensure individuals have access to personal information held by them, mechanisms to limit how long information could be held, and mechanisms to facilitate deletion of information

Protection of Children

Although the Committee recognized the special issues of obtaining informed, meaningful consent and protecting children on the Internet, there were no calls by the Committee for a U.S.-style Children’s Online Privacy Protection Act (COPPA). Instead, the Committee simply recommended that the Government of Canada and social media companies “continue to provide support to organizations that provide education and training on digital activities and privacy.” The Committee also urged social media companies to promote safe online environments that are protective of the privacy interests of children and young persons.

No Comment on Enforcement Powers for the OPC

Intriguingly, after reviewing the competing perspectives on increasing the enforcement powers of the Office of the Privacy Commissioner, the Committee ducked the issue by stating that the Committee hoped the discussion would be of benefit to future legislative review:

“The evidence presented to the Committee demonstrates the competing views regarding the enforcement powers of the Privacy Commissioner. On the one hand, the current model facilitates the constant flow of information and good will between the private sector and the Privacy Commissioner, and has proven effective in ensuring that this relationship remains cordial and non-adversarial. On the other hand, much can and has been said regarding how the current model favours self-regulation and is not adequately prepared to ensure compliance when self-regulation fails. The Committee hopes that this valuable discussion will be of benefit to any future legislative review in this regard.”

Many will be disappointed, no doubt, with the lack of substance to the recommendations. No doubt we will hear more in the coming weeks as Canada’s approach is compared and contrasted with the U.S.’s recent  revamp of COPPA Rules and the U.S. Commerce hearings on Do Not Track.

Have you heard about the Internet of things? If it is industry’s great opportunity, it might be the Privacy Officer’s brainteaser over the next few years.

Increasingly objects are becoming “smart”. No human intervention is required to record and communicate data, permitting otherwise unconnected objects to interact with one another.

Objects are being embedded with a variety of sensors. These objects collect information about their environment, their operation, and their interaction with other objects. These devices can communicate with each other and with databases through wireless networks. All the of data that these objects collect and produce becomes fodder for analysis in Big Data projects for understanding complex systems.

Even though human intervention is not required; individuals are often interacting with those objects in some way, such that the information is, at least in part, about those individuals.

As the Federal Trade Commission (FTC) puts it:

“Connected devices can communicate with consumers, transmit data back to companies, and compile data for third parties such as researchers, health care providers, or even other consumers, who can measure how their product usage compares with that of their neighbors. The devices can provide important benefits to consumers: they can handle tasks on a consumer’s behalf, improve efficiency, and enable consumers to control elements of their home or work environment from a distance. At the same time, the data collection and sharing that smart devices and greater connectivity enable pose privacy and security risks.”

For that reason, the FTC is holding a workshop on November 21, 2013 to study the Internet of Things.

FTC will accept submissions on the implications of these developments through June 1, 2013.

The Canadian Radio-television and Telecommunications Commission (CRTC) has announced three recent settlements demonstrating that organizations would do well to ensure they are complying with Canada’s telemarketing rules.

On April 3, 2013, the CRTC announced a settlement for failure of a company to properly download monthly the National Do Not Call List. This resulted in the company’s dealers calling numbers that were registered. The settlement included a payment of $100,000 and, among other things, a requirement to provide an annual report documenting consumer complaints and the steps taken to resolve them.

On April 2, 2013, the CRTC announced settlements with two organizations who had used automated calling devices (robocalls) in violation of Canada’s Unsolicited Telecommunications Rules. Those rules require express consent to telecommunications through an automatic dialing-announcing device. In addition to administrative monetary penalties of $69,000 and $11,000 respectively, the CRTC’s settlement provided for, among other things, annual reporting to the CRTC for five years documenting customer complaints and steps to resolve them.

I recently had the pleasure of presenting on privacy and security issues in mobile e-commerce (“M-Commerce”) at the 7th Managing Privacy Compliance Seminar organized by Federated Press.

In my presentation, I described some important issues to consider in designing privacy compliance programs for mobile e-commerce. The topics included:

• Main takeaways from recent Canada and U.S. guidelines
• Dealing with Address Book Information
• Online Behavioural Tracking and Analytics
• Geolocation Data
• Collecting Information from Children
• Transparency and Accountability in Design
• Consent, Representations and Disclaimer

Learn more by viewing the Slideshare presentation below.

Privacy and Security in Mobile E-Commerce

On Data Privacy Day (January 28), the Canadian Radio-television and Telecommunications Commission (CRTC) amended its notice regarding a mandatory code for wireless services and invited Canadians to comment on the proposed provisions. A hearing on the wireless code is scheduled for February 11, 2013.

There are a number features of the wireless code that are particularly interesting from a privacy and data security perspective:

• The CRTC is suggesting that consumer be “provided with a personalized summary of how key terms and conditions” of a contract would apply to that consumer prior to the consumer entering into the agreement. In addition, the code would also mandate upfront, clear and concise disclosure privacy policies.

• The CRTC is also suggesting that the consumers would have recourse to make a complaint to the Commissioner for Complaints for Telecommunications Services (CCTS). It is unclear whether this might include complaints with respect to the privacy disclosures of the wireless services provider and, if so, whether the CCTS could order monetary compensation.

• The CRTC would mandate that consumers be offered an online tool to allow the consumer to monitor the balance of included usage allowances and any additional fees during a billing cycle. Consumers would also be entitled to obtain a usage alert at 50% and 100% of billing cycle limits, which would be an amount set by the consumer or $50.

The U.S. Federal Trade Commission (FTC) announced on Data Privacy Day (January 28) that it had reached a settlement with a cord blood bank in respect of the loss of nearly 300,000 customers’ personal information. The lost data included contact information, social security numbers, credit and debit card account numbers, drivers’ licences, banking information, and medical information. The information had been stored on unencrypted backup tapes, an external hard drive and a laptop that were stolen from a backpack left in an employee’s car for several days.

In the statement of allegations, the FTC alleged that the blood bank misrepresented that it maintained reasonable and appropriate practices to protect consumers’ personal information from unauthorized access. The proposed settlement involves an order prohibiting future misrepresentations and requiring the cord blood bank “to establish and maintain a comprehensive information security program that is reasonable designed to protect the security, confidentiality, and integrity of personal information collected from or about customers.” The proposed settlement also requires the organization to submit to independent privacy assessments for a period of 20 years.

Although the FTC settlement concerns an incident in December 2010, the use of unencrypted portable storage devices to transport personal information appears to continue to be an all too common phenomenon. In Canada, there has been a string of cases in which government custodians in Canada have lost control of unencrypted storage devices containing personal information.

The FTC settlement is a cautionary tale. Many organizations assert that they take appropriate administrative, technological and physical security precautions regarding the protection of personal information. If the risk of loss of data is not a sufficient reason to stop the practice of using unencrypted portable storage devices, the FTC settlement is a reminder that there is the potential for prosecution or liability for misrepresentation in using a manifestly unsafe data transfer method.

The FTC settlement is equally instructive for Canadian organizations. Even though, to date, the approach of the FTC in relying on consumer protection provisions regarding unfair trade practices and misrepresentations has not taken root in Canada, Canadian organizations may wish to consider that Canadian common law and consumer protection legislation also prohibits misrepresentations and unfair and deceptive practices – quite apart from compliance with privacy legislation.

There were two important developments in the U.S. regarding children and mobile technologies.

FTC Staff Report

On December 10, 2012, the U.S. Federal Trade Commission (FTC) released a Staff Report entitled“Mobile Apps for Kids: Disclosures Still Not Making the Grade”. The Staff Report examines the privacy disclosures and practices of mobile apps. The survey was conducted during the summer of 2012. FTC Staff tested 400 apps. Among the interesting survey results:

• 80% of the apps (319) apparently did not disclose any information about the apps privacy practices prior to download. Many of those that contained privacy disclosures “consisted of a link to a long, dense, and technical privacy policy” according to the FTC Staff Report.

• 60% of the apps (235) transmitted the device ID to the developer, an advertising network, an analytics company, or other third party. The most common transmission was to advertising networks (by a large margin). Only 20% (44) of the 223 apps that transmitted device ID, geolocation or phone number to third parties provided any privacy disclosures.

• 58% of the apps (230) contained in-app advertising, but only 15% of the apps (59) disclosed information about the presence of advertising.

• 17% of the apps (66) contained in-app purchase functionality.

The FTC Staff Report states that FTC Staff have commenced a number of investigations where FTC have identified gaps between the company practices and disclosures, which could constitute violations of the U.S. Children’s Online Privacy Protection Act (COPPA) or the Federal Trade Commission Act’s prohibition on deceptive practices.

In Canada, app developers should be aware of provincial consumer protection legislation and the federal Competition Act, which contain prohibitions on deceptive practices, as well as federal and provincial privacy legislation, such as the Personal Information Protection and Electronic Documents Act (PIPEDA), which required transparency with respect to an organization’s practices regarding the collection, use, retention and disclosure of personal information. In addition, app developers marketing apps with in-app advertising should be aware of Quebec’s Consumer Protection Act, which prohibits advertising to children under 13 years of age.

Amendments to the COPPA Rule

On December 19, 2012, the FTC adopted the final amendments to the Children’s Online Privacy Protection Rule (COPPA Rule). Highlights from the amendments include:

• Expanded Definition of Personal Information. The new definition includes geolocation information, photos, videos and audio files that contain a child’s image or voice. Persistent identifiers such as a unique device ID or MAC address may also be personal information.

• Extension of Rule to Third Party Applications. The FTC perceived a gap or loophole to the existing COPPA Rule that permitted advertising networks, third party plug-ins and other applications to collect personal information from children without parental consent. The amended COPPA Rule provides that an organization will be considered an “operator” of a website directed to children if it is benefits from the collection of information by a third party even where the third party is not acting as its agent. This will place an obligation on the operator to obtain consent to the collection of the personal information collected by the third party. FTC Commissioner Ohlhausen dissented from the new COPPA Rule on the basis that this extension went beyond what the statute permitted.

• New Rules for Verifiable Parental Consent. The new COPPA Rule permits obtaining consent by way of electronically scanned parental consent, video conferencing, government-issued identification or payment systems that provide notice to the primary account holder of each discrete transaction.

Canada contains no equivalent to COPPA; however, the Office of the Privacy Commissioner of Canada (OPC) has focused on children’s online privacy as a priority. In the OPC’s guidance regarding online behavioural advertising, the OPC stated:

“The most obvious type of information that should not be tracked involves children’s information. Operators of web sites that are targeted at children should not permit the placement of any kind of tracking technologies on the site. It is hard to argue that young children could meaningfully consent to such practices, and the profiling of youngsters to serve them online behaviourally targeted ads seems inappropriate in such circumstances. The Canadian advertising industry has indicated that it will require its members to not knowingly target children; this is a position that the OPC endorses and encourages.”

Given the increasing focus on meaningful consent to the collection of personal information, it may be only a matter of time before Canadian privacy commissioners issue a decision regarding the collection and use of personal information about children. In the meantime, app developers hoping to offer their apps in the U.S. should take note of the new COPPA Rule.

Few dispute that the law should protect the privacy of children. In a recent decision of the Supreme Court of Canada, the court held that the “[r]ecognition of the inherent vulnerability of children has consistent and deep roots in Canadian law” and that “[t]his results in protection for young people’s privacy” in several legislative areas.

This post doesn’t address what is socially acceptable or appropriate in terms of the collection of personal information from children or the use of that information for marketing. Instead, it focusses on some of the practical legal issues when dealing with children, personal information and marketing in Canada.

“We do not knowingly collect personal information from children under the age of 13.”

It has become boilerplate for organizations in Canada to deny that they knowingly solicit, collect or use personal information from children under 13. Why? The focus on the age of 13 is probably a product of two statutes:

COPPA. Canada’s southern neighbour has a lot of influence, particularly in respect of e-commerce. The Children’s Online Privacy Protection Act (United States) requires verifiable parental consent to the collection of children under the age of 13.

Quebec. COPPA isn’t the only reason to focus on the age of 13. Section 248 of the Consumer Protection Act (Quebec) prohibits commercial advertising directed at persons under 13 years of age. The Office de la protection du consommateur takes the position that this applies to websites as well.

Special Advertising Regulations

Marketers must also be aware of special advertising rules for children even where advertising is permitted.

Broadcast Code Regulations. Television and radio broadcasters in Canada agree to adhere to the Broadcast Code for Advertising to Children (under the age of 12) as a condition of Canadian Radio-television and Telecommunications Commission licences. This requires pre-clearing of the children’s advertising.

Advertising Standards Canada Requirements. In the online world, the Canadian Code of Advertising Standards applies. The Code provides that advertising that is directed to children “must not exploit their credulity, lack of experience or their sense of loyalty, and must not present information or illustrations that might result in their physical, emotional or moral harm.”

Identifying Children and Obtaining Consent

Modulating information and consent mechanisms is difficult enough.  However, it is complicated by the fact that the application of privacy principles tend to discourage the most obvious tool to identify children – asking the user for his or her age.

Difficulty in Obtaining Consent. In Canada, the Personal Information Protection and Electronic Documents Act (Canada) (PIPEDA) and its provincial counterparts requires meaningful consent to the collection, use, retention and disclosure of personal information. In order to obtain consent, the information must be presented and modulated in complexity to the developmental level of the child.

Identification Problem. Privacy advocates do not want to encourage the collection of dates of birth. However, without information on a year of birth, it is not possible to screen out the collection of personal information from children. In one case, a parent enrolled a child in a loyalty program. When the child started to receive credit card marketing materials, the parent complained but there was no practical way for the loyalty program to know the age of the person enrolling without asking.

There is no prefect solution. Instead the organization must carefully consider the target audience and modulate consent and the use of personal information based on reasonable expectations about the demographics of that target audience.

Binding Terms of Use and Contracting with Minors

In many cases, organizations attempt to incorporate consent to the collection, use, retention and disclosure of personal information into the terms of use of the website or mobile application. However, the law is complex relating to the capacity of a minor to enter into a contract and that law varies among Canadian provinces. In Ontario, for example, a person who is 18 years of age or more is presumed to be capable of entering into a contract (s. 2(1) of the Substitute Decisions Act, 1992). However, there is no presumption that a person under the age of 18 is capable of contracting. On the other hand, if necessaries are sold and delivered to a minor, the minor is required to pay a reasonable price (s. 3(1) of the Sale of Goods Act). “Necessaries” are vaguely defined as goods suitable to the minor’s condition and his or her actual requirements. Even in the case of non-necessaries, the contract with a minor may not be voidable if the minor has already received the benefit of the contract.

In British Columbia, a person is an “infant” until reaching the age of majority of 19 years (s. 1(2) of the Age of Majority Act). Section 19 of the British Columbia Infants Act, provides that a contract with an infant is not enforceable unless, among other things, it is affirmed on reaching the age of majority. However, that rule is not as blunt as it sounds, since the court may take into account the surrounding circumstances of the contract and whether any party has changed its position before fashioning a remedy.

Obtaining consent from a parent or requiring acceptance of terms of use from a parent is not necessarily the solution. In Ontario (and other common law provinces), a contract entered into by a parent on behalf of a minor may not be enforceable against the minor.

Helping Parents and Children

The Canadian Marketing Association has tips for helping parents with children’s marketing.  The Office of the Privacy Commissioner of Canada also has a great website for youth and parents.

Canada’s Anti-Spam Law (CASL) is expected to enter into force in 2013, together with two sets of regulations that will address certain detailed requirements under the Act. Industry Canada Regulations are still underway. The Canadian Radio-television and Telecommunications Commission (CRTC) is further ahead: it enacted its Electronic Commerce Protection Regulations in March 2012.

The CRTC has moreover issued two Information Bulletins on its Regulations. The new guidelines address practical aspects of obtaining consent to send commercial electronic messages (CEMs), and providing an effective unsubscribe mechanism.

1. OBTAINING CONSENT

Specific requests for consent must be clearly identifiable to the user and indicate that the user’s consent can be withdrawn at any time. Consent can be obtained orally or in writing, and must be positive and explicit. In other words, it must be “opt-in”.

Acceptable: an icon or an empty toggle box that must be actively clicked or checked.

Not Acceptable: an opt-out mechanism (i.e. unchecking a pre-checked box); a CEM in the form of a subscription email, text message, or other equivalent form to request express consent

2. UNSUBSCRIBE MECHANISM

The unsubscribe mechanism must be consumer-friendly, simple, easy to use, and must be set out clearly and prominently. Under the Regulations it must be capable of being “readily performed”.

Email Example: a link takes the user to a web page where he or she can unsubscribe from receiving all or some types of CEMs from the sender.

SMS Example: the user should have the choice between clicking a link, or replying to the SMS with the word “STOP” or “Unsubscribe”.

For more information, please see:

Guidelines on the interpretation of the Electronic Commerce Protection Regulations (CRTC)

Guidelines on the use of toggling as a means of obtaining express consent under Canada’s anti-spam legislation

Wondering how Canada’s Anti-Spam Law compares to the U.S. CAN-SPAM requirements? Check out http://www.slideshare.net/fmclaw/casl-vs-canspam-canadas-antispam-law

The Government of Ontario has commenced a consultation on a new proposed Unclaimed Intangible Property Program. The possibility of this new program for unclaimed property was mentioned in the 2012 Budget and reported on in a previous post. The Government has released a consultation paper, which includes a series of questions. The deadline for submissions is October 12, 2012. Given the additional burden this may pose for businesses, it is to be hoped that the consultation period is extended.

Ontario previously enacted an Unclaimed Intangible Property Act in 1989. However, this legislation was never proclaimed into force and ultimate was repealed as of December 31, 2011, by the operation of the Legislation Act, 2006.

The Government of Ontario is proposing that the new program for unclaimed intangible property would be based on the Uniform Unclaimed Intangible Property Act, which was developed by the Uniform Law Conference of Canada. This form of legislation would impose upon Ontario business the obligation to take prescribed steps to notify owners of abandoned unclaimed property. If the property remains unclaimed, holders must file a report and transfer the property to the Government of Ontario, which then can use the property until it is claimed (if ever). There would be fines for non-compliance. The Government of Ontario would maintain a publicly searchable registry of the property it has received. Owners may file a claim for the property.

What constitutes “property” for the purposes of the new program is up for grabs. The breadth of that definition will directly affect the number and types of business that will face additional administrative burdens. If, for example, Ontario were to include gift certificates and gift cards, this would have significant implications for Ontario retailers.

Another issue that is open for debate is the time period after which property should be considered to be abandoned. The general period of time is five years. Thus far, there has been insufficient consideration given to the interaction between Ontario’s Limitations Act, 2002 and an unclaimed property program. Legislation tends to ignore the effect of limitation periods on the enforceability of intangible property rights and, therefore, the issue of whether the property should be considered abandoned or the property rights considered unenforceable. In Ontario, the basic limitation period is two years from the date of discovery of the claim or the date on which a reasonable person with abilities and in the circumstances of the person could have discovered the claim.  However, the limitation period for demand obligations does not commence until a demand for performance is made.

The issue of limitation periods is also relevant to the transitional provisions of for an unclaimed intangible property program. Ontario is proposing not to enact a transitional period that would have exempted property that became unclaimed more than five years before the coming into force of the legislation. The effect of this is uncertain. Apart from the problem that businesses may have records for the past seven years, some businesses may have considered the rights of the property holders unenforceable for accounting purposes, provided the obligation was not a demand obligation.

During the consultation period, the Government is asking:

1. Whether any modifications to the Uniform Unclaimed Intangible Property Act should be made?
2. What types of property should be included or excluded? Do certain types of property present unique challenges?
3. Are the time periods for considering property abandoned in the Uniform Unclaimed Intangible Property Act appropriate?
4. What are the challenges for businesses in transitioning into the new program?
5. Are there additional issues that the Government should be aware of?
6. How should the Government continue the consultation as the new program is developed?

The consultation document is available here. Remember, the consultation deadline is October 12, 2012.

Last month the Bureau of Consumer Protection of the U.S. Federal Trade Commission (FTC) issued guidance regarding the marketing of mobile Apps.  The guidance should be of interest to companies engaged in cross-border e-commerce activities.  It should be noted, however, that minimum compliance with the FTC guidance may not result in a App marketer being fully compliant in Canada.

Among the key points in the FTC’s guidance document, entitled “Marketing Your Mobile App: Get It Right from the Start” are:

• Advertising has a broad compass.  The FTC reminds developers that advertising isn’t just a traditional advertisement but includes a range of representations made expressly or by implication about what the product does.  The FTC cautions that App marketers require competent and reliable evidence to support objective claims and may require competent and reliable scientific evidence to support health claims.

• Key information must be clear and conspicuous.  This isn’t just a matter of the size and readability (although those are obviously important).  It also includes the way in which information is layered.  Layering information isn’t a licence to hide information behind vague hyperlinks.

• Engage in “privacy by design”.  The Ontario Information and Privacy Commissioner’s “privacy by design” approach should be followed.  This includes the principles of limiting collection, secure storage and safe destruction.  Although the FTC did not emphasize the “privacy by design” principle of privacy as the default, the FTC did note that sharing of data that would not be expected by an average consumer should only be done with express consent.  The FTC also states that sensitive information should only be collected and used with express consent.  In addition, mobile Apps should offer consumers choices and control over their personal information.

• Honour the promises, including privacy promises, made to consumers.  The FTC cautioned that “[c]hances are you make assurance to users about the security standards you apply or what you do with their personal information.”  Systemic failure to honour these promises or take reasonable steps to protect personal information may lead to FTC enforcement action.

• Apps designed for children under the age of 13 must comply with the U.S. Children’s Online Privacy Protection Act (COPPA) and the FTC’s COPPA Rule.  This will involve additional disclosures and consent requirements.

Last month’s U.S. Federal Trade Commission’s U.S.$800,000 settlement with Spokeo, Inc. concerns an issue that I have posted about before: When is a data broker a consumer or credit reporting agency?  As discussed below, the quantum of potential exposure for violating Ontario law relating to consumer reporting may be lower than in the U.S.; however, data brokers should seek legal advice to ensure that they are compliant.

In the recent U.S. case involving Spokeo, Inc., the FTC alleged that the organization was a data broker which collected personal information about consumers from on-line and off-line sources and then created data profiles for consumers to which it sold access. The FTC also alleged that the organization failed to ensure that it was complying with the U.S. Fair Credit Reporting Act (FCRA).  In particular, the FTC alleged that the organization did not ensure that (a) the information was used for the limited purposes permitted by the FCRA, (b) the information was accurate, and (c) users of the data understood that the they were required to notify a consumer if the user of the data took an adverse action against the consumer based on the data in the report.

Ontario (and other jurisdictions in Canada) have legislation that is similar to the FCRA.  The Consumer Reporting Act (Ontario) prohibits any person from conducting or acting as a consumer reporting agency or as a personal information investigator unless registered with the Ontario Registrar of Consumer Reporting Agencies. The potential monetary liability in Ontario may be smaller than in the U.S., but it remains serious.  Violating the Consumer Reporting Act is a provincial offence. Corporations may be subject to fines of up to Cdn. $100,000 and officers and directors of those corporations may be subject to fines of up to Cdn. $25,000 (or in extreme cases, jail terms of up to 1 year or fines and jail terms).

In Ontario, a “consumer reporting agency” is a person or organization who furnishes consumer reports for gain or profit or on a regular co-operative non-profit basis. “Consumer reports” are written, oral or other communication of credit information or personal information which may be used for limited purposes.  Those purposes include:

• the extension of credit to or the purchase or collection of a debt of the consumer to whom the information pertains;
• in connection with the entering into or renewal of a tenancy agreement;
• employment purposes;
• underwriting of insurance involving the consumer; and
• a business or credit transaction involving the consumer.

A “personal information investigator” is a person who gathers personal information for consumer reporting agencies.

Consumer reporting agencies are prohibited from providing information from their files unless they have reason to believe it will be used for purposes permitted by the Consumer Reporting Act.  The Consumer Reporting Act also prohibits certain types of data from forming part of the consumer report, including among other things:

• any credit information based on evidence that is not the best evidence reasonably available;
• any unfavourable personal information unless it has made reasonable efforts to corroborate the evidence on which the personal information is based, and the lack of corroboration is noted with and accompanies the information;
• information regarding any criminal charges against the consumer where the charges have been dismissed, set aside or withdrawn; and
• information as to race, creed, colour, sex, ancestry, ethnic origin, or political affiliation.

Like the FCRA, the Consumer Reporting Act requires disclosure to a consumer if a benefit is denied or a charge to a consumer is increased because of information from a consumer reporting agency.  Consumers have the right to obtain access to their consumer reports.

Depending on its target market, a data broker may cross the line into  consumer reporting.  Organizations that are in the business of providing identity verification or background checking services or who gather data for those purposes should be particularly careful to seek legal advice to determine whether their business model has crossed the line into consumer reporting.

In a press release entitled “Harper Government Says No to Fees on Memory Cards”, Minister of Industry Christian Paradis announced the government’s plans to exclude microSD cards from the application of a levy under Canada’s private copying regime. 

In the press release and in his announcement this afternoon at an Ottawa Future Shop store, Minister Paradis stated:

“Our government worked hard to strike the right balance in the Copyright Modernization Act, which ensures world-leading consumer and user rights while giving creators the tools to protect their work and grow their businesses. [...] An additional fee on removable memory cards is not only unwarranted but unfair to Canadian consumers.”

The Copyright Modernization Act received Royal Assent on June 29, 2012.  It has not yet entered into force.  Regulations to exclude microSD cards from the levy are expected this fall.

This post is co-authored by Saba Zia.

Social media is great “word of mouth” advertising when things go right. It can also be a nightmare in damage control when things go wrong. Sometimes the unsatisfied customer just lets it rip fairly or unfairly.

In a recent Ontario case, 2964376 Canada Inc. (Ameublement Prestige Furniture) v. Bisaillon, a retailer was awarded Cdn. $15,000 in damages for defamation after the daughter of an unsatisfied customer began an e-mail campaign. Although the case deals with e-mail, there is no reason why it would not apply to social media.

The facts of the alleged unsatisfactory customer service were not unusual.  The customer had purchased a dining room table. It was damaged. There were attempts to fix it. The company offered to rebuild the table. The customer wanted a refund. When the customer didn’t get the refund, the customer’s daughter began an email campaign.

The daughter e-mailed 38 of her contacts using her work address. She inserted a logo that looked like the retailer’s and asked that the recipients to forward the email along to others. The email stated that the company was “an untrustworthy company and I strongly advise you to think twice before putting your trust and money in their hands!” and “We are all consumers and deserve to be made aware of deceitful companies who do not honour their Consumer’s Guarantee. BUYERS BEWARE!”

The Ontario court concluded that the daughter had gone too far and awarded the retailer Cdn. $15,000. E-mailing 38 people and asking them to pass it along constituted publication. Accusing the company of being untrustworthy and deceitful would clearly affect its reputation, character and business. The defence of fair comment was not available. The defamatory statements were not based on fact (at least not all of the available facts) and, in any event, the statements were based on malice. She openly stated that she wanted revenge.

Although there are other means for managing a company’s reputation, this recent case suggests that courts will take seriously an action in defamation as a last resort for dealing with a customer who goes too far.

In a previous post, I discussed British Columbia’s proposed Civil Resolution Tribunal Act.  Bill 44 was introduced on May 7, 2012 and sped through the Legislature receiving Royal Assent on May 31, 2012.  It provides for on-line non-facilitated and facilitated dispute resolution with the final stage being a tribunal hearing, which could take place on-line.  One of the controversial aspects of the Bill is that it precludes representation by lawyers except in specific circumstances, such as where the person has impaired capacity or it is in the “interests of justice.”

It is expected that it will be at least several months before the new tribunal is up and running.  The President of the Law Society of British Columbia stated in a press release that:

“While our review of the Civil Resolution Tribunal Act raised some concerns,” said Bruce LeRose, QC, president of the Society, “we hope that the participation of the legal community in the implementation working group will ensure that the promise of a voluntary dispute resolution process is fulfilled without compromising the integrity of the justice system and the rule of law.”

So, what can Canada do to become a leader in e-commerce? Canada’s House of Commons Standing Committee on Industry, Science and Technology would like to offer some suggestions for how the Government can help and Industry Canada has released its 2012-2013 Plans and Priorities.  There is not much in the way of innovation in these documents but one recurring issue is the fragmentation of consumer protection legislation.  Might the future bring greater harmonization?

Standing Committee Report

Recently, the Standing Committee released its report entitled “E-Commerce in Canada: Pursuing the Promise” in which it summarized its investigation into the market for e-commerce market in Canada and what the Government can do to assist to overcome some of the challenges to the e-commerce market.

Canadians are on-line.  Using information gathered by Statistics Canada, the Report states that 79% of Canadians had Internet access in 2010 and 74% of those with Internet access used the Internet for “window shopping” or “comparison shopping”.  E-commerce is also growing in Canada; however, the Report suggests that Canadian businesses may be under-investing in this retail channel and consumers are purchasing from U.S.-based Internet retail channels.

The Report acknowledges several barriers to e-commerce in Canada, particularly for small and medium sized enterprises (SMEs).  These include the cost of investment and access to capital.  However, they also include the fact that Canada has a huge geography and low population density.  The Report states that logistics and shipping costs in Canada are larger (even for domestic shipping) than in the United States. Furthermore, the Report notes the lack of uniformity in consumer protection laws across Canada.

The Standing Committee made 16 recommendations for the Government of Canada.  They are:

1. Place an emphasis on e-commerce in its forthcoming digital economy strategy.

2. Work with the payments industry to modernize payments systems to ensure an efficient, fair, safe, competitive and world-leading payments system in Canada.

3. Work with industry to increase the affordability, reliability and speed of broadband Internet available to Canadians.

4. Reduce “red tape” and costs of cross-border business and shipping for businesses and consumers.

5. Examine disclosure and transparency rules so that businesses and consumers are aware of the total costs of e-commerce transactions prior to purchase.

6. The Business Development Bank of Canada make information and communications technology adoption a strategic focus.

7. Bring Canada’s Anti-Spam Legislation into force to help to increase consumer confidence in the e-marketplace.

8. Work with the provinces and industry to develop strategies to meet the skilled workers shortage in information and communication technology industries.

9. Provide an easily accessible directory or service containing all government programs related to innovation and R&D to help firms access the tools and support they need to increase innovation and adopt information and communications technologies (ITC).

10. Work with Internet service providers to ensure and promote the availability of 24/7 technical support to their clients to ensure their services are functioning as required, and to ensure that clients have transparent and up-to-date access to their account information.

11. Examine ways to increase the quality of information available regarding adoption and use by Canadian SMEs, and the business impact of such adoption and use.

12. Consumers and retailers should be protected by a code of conduct applicable to on-line, mobile, and other emerging transaction technologies.

13. The Government should become a “model user” of e-commerce and on-line solutions in its procurement practices and delivery of services to Canadians.

14. Ensure Government systems are secure from potential security threats to avoid lengthy shut-downs of Government of Canada on-line services.

15. Work with industry and consumer groups to increase digital literacy and simplify terms and conditions of e-commerce transactions.

16. View financial literacy and digital literacy as being intertwined due to the widespread adoption of electronic and mobile payments systems.

 Industry Canada Plans and Priorities

Industry Canada has also released its 2012-2013 Estimates — Report on Plans and Priorities.  If you believe the government should be facilitating the building of e-commerce capacity, it might be criticized for lack of ambition (University of Ottawa Professor Michael Geist is a critic).  Some highlights are:

• Industry Canada will participate on a federal-provincial-territorial Consumer Measures Committee to examine best practices in achieving compliance with consumer protection laws.
• Industry Canada will also participate in developing or updating consumer information.
• Industry Canada will review consumer issues in cross-border transactions through participation in three projects: (1) the Organisation for Economic Co-operation and Development (OECD) review of the Guidelines for Consumer Protection in the Context of Electronic Commerce; (2) the development of an International Organization for Standardization (ISO) standard for business to consumer electronic commerce, and (3) related projects regarding on-line dispute resolution and redress.
• Industry Canada has set performance targets for its activities.  These include: (1) 86% of Canadians using the Internet; (2) 65% of Canadian businesses understanding their privacy obligations; and (3) 43% for Canadians purchasing goods and services on-line.

On May 7, 2012, the Ministry of Justice for British Columbia announced the introduction of Bill 44, the Civil Resolution Tribunal Act.  If enacted, British Columbia would become the first jurisdiction in Canada to create a tribunal to provide on-line dispute resolution services. Use of the tribunal’s services would be voluntary, except for strata corporations (condos).

Some things to note:

• Lawyers aren’t welcome.  Parties are to represent themselves unless they are a minor or a person with impaired capacity.  There are other exceptions such as if the rules for the Tribunal (to be drafted) permit representation or the tribunal finds it is in the interests of justice to permit the party to be represented.  The Trial Lawyers Association of British Columbia has already responded negatively as has the Canadian Bar Association British Columbia Branch.
• Tribunal will vet its jurisdiction. A party will make a request to the tribunal to resolve a dispute. The tribunal’s jurisdiction has not been fully described but it appears to intended for simple legal matters involving small claims.  As a prerequisite, the tribunal may require the parties to agree to on-line dispute resolution services.
• Limitation period suspension. Making a request for resolution by the tribunal will suspend the limitation period until the tribunal decides to refuse to consider the case or the parties agree to cease the process.
• Not clear whether jurisdiction can be agreed to in advance. Although the process is voluntary, it is not clear whether the process can be agreed to in advance in a consumer sales contract.  Once agreed to, the process is mandatory unless the tribunal dismisses the proceeding or the parties consent to the termination of the process.
• Staged process of dispute resolution. The intention appears to be that each case would proceed through four phases.  The first phase would be self-help dispute resolution using on-line, interactive tools.  If that did not result in resolution, the second phase would be on-line, supervised negotiations. Assuming no resolution, the third phase would involve direct intervention by a case manager to attempt to facilitate a settlement.  The final stage would be a tribunal hearing, which could take place on-line.
• Tribunal orders can be filed with the court. Final decisions of the tribunal may be filed with the British Columbia Supreme Court (or, in some cases the Provincial Court) and enforced as court orders.
• Limited judicial review. In its current form, the Bill has limited scope for judicial review of tribunal decisions. The Bill states that the standard of review is correctness but then exempts from that standard findings of fact, the exercise of discretion and the common law rules of natural justice and procedural fairness. A finding of fact can only be set aside if there is no evidence to support the finding or the finding is otherwise unreasonable. Discretionary decisions can only be set aside if the discretion is exercised arbitrarily or in bad faith, is exercised for an improper purpose, is based entirely or predominantly on irrelevant factors, or fails to take statutory requirements into account. Issues of natural justice and procedural fairness are to be reviewed taking into account the mandate of the tribunal.

Nova Scotia’s proposed Bill 65, which involves amendments to consumer protection legislation to “Ensure Fairness in Cellular Telephone Contracts” passed second reading on May 2, 2012 and is now in committee.

The proposed Bill follows the same theme as recent legislation enacted in Manitoba (discussed here) and proposed in Ontario (discussed here).

Manitoba has proclaimed into force the Consumer Protection Amendment Act (Cell Phone Contracts).  

The Act applies to contracts for cell phone services with consumers in Manitoba.  Cell phone services include wireless communication services, including voice and data.  As mentioned, the Act only applies to agreements with consumers, who are those who purchase the goods and services primarily for personal, family or household purposes.  The Act will not apply if the subscriber purchases the services primarily for business use.

Among the highlights:

• Advertisements and contracts must set out the minimum monthly cost of the services.
• The minimum monthly cost must be set out as an “all-inclusive” price.
• Consumers may cancel a cell phone contract at any time for any reason.
• Cancellation fees are limited to the prorated value of any cellphone provided to the consumer for free or at a reduced cost as an incentive for signing the contract.
• Before selling the consumer an extended warranty, the supplier must explain any other warranties that automatically apply.

The Ontario Minister of Consumer Services introduced the Wireless Services Agreements Act, 2012 on May 3, 2012.

The Bill only applies to agreements with consumers.  Consumers are those acting for personal, family or household purposes.  Accordingly, the Act will not apply to those who are self-employed and purchase smart phones for business use.  The proposed legislation will only apply prospectively to agreements entered into after the date the legislation comes into force where either the consumer or the person entering into the agreement with the consumer is located in Ontario.

Here are some of the highlights:

• The legislation will apply to wireless agreements, which are agreements with a consumer in which the supplier agrees to provide wireless services that the consumer is able to access from a mobile device such as a smart phone or cell phone.
• The legislation will apply even if the supplier does not sell the consumer the mobile device.
• Advertising must show all-inclusive costs, which must be the most prominent cost information in the advertising.
• Wireless services agreement must meet the prescribed disclosure obligations or they will not be enforceable.  Among the disclosure obligations are:
• Minimum cost obligations described on a periodic basis (e.g. monthly);
• Maximum usage of each service before the consumer will trigger additional costs not included in the minimum cost obligations; and
• Cost of optional services and any restrictions that will cause those costs to increase.
• Suppliers of wireless services must provide advance notice to the consumer if the consumer accesses a service that will result in additional costs.
• Consumers may cancel an agreement at any time for any reason.
• There are limits on cancellation fees based on prorating the economic inducements (such as discounted handsets) over the term of the contract or, for agreements of no fixed term, 48 months.