The Lexpert Guides to the Leading US/Canada Cross-Border Corporate and Litigation Lawyers in Canada profiles leading business lawyers and features articles for attorneys and in-house counsel in the US about business law issues in Canada.
Issue link: https://digital.carswellmedia.com/i/138095
DOING BUSINESS ONLINE IN CANADA are in violation and more extreme measures could follow should Canadian companies not take heed," says Barbara McIsaac in Borden Ladner Gervais LLP's Ottawa office. Companies doing business online will also be affected by the privacy guidelines on apps that the privacy commissioners of Canada, Alberta and BC issued jointly in October 2012. "Studies suggest that up to 57 percent of users have either dropped an app or avoided installing it because of privacy concerns," Elder says. "So it's not just about legal requirements but also about the business reality that people are very suspicious and concerned regarding misuse of their personal information." The guidelines, aimed both at developers and businesses implementing the apps, raise five key privacy considerations, including the accountability of the developer; openness and transparency in the developer's privacy practices; collecting and keeping only the information needed to implement the app's purpose; obtaining meaningful consent on small screens; and the importance of timing as a component of consent. Currently, very few apps give detailed and standalone descriptions of how data will be collected and used. "The upshot is that the guidelines recommend an approach to app development that isn't widely followed in the industry," says Patrick Flaherty in Torys LLP's Toronto office. "That's partly because many of the apps are developed in the US, where there's less sensitivity to privacy generally." Another touchy issue in the privacy arena is online behavioral advertising (OBA). The Privacy Commissioner of Canada has published OBA guidelines intended to ensure that advertisers' practices are transparent and comply with federal private-sector privacy legislation. While the guidelines confirm that OBA is a "reasonable purpose" for collecting personal information under the Personal Information Protection and Electronic Documents Act (PIPEDA) subject to certain restrictions, advertisers must comply with PIPEDA's knowledge and consent requirements. The legislation's knowledge requirements envisage that advertisers have an OBA policy that is "accessible, easy-to-read, and accurate"; on the consent side, PIPEDA allows advertisers to use "opt-out" processes so long as they are easy to use and make consumers aware that information is being collected for OBA before it is actually collected. Businesses must also destroy user information once it has been utilized. So how do businesses deal with all of this? Here are a few suggestions from the lawyers at Borden Ladner Gervais: where customers' personal information is collected, used or disclosed by the organization. Consider relevant third parties such as distributors or marketing agencies, and the location of any external servers. Establish procedures to ensure that the collection, use or disclosure of personal information comply with Canadian requirements. Ensure transparency by obtaining customers' consent for use and disclosure of personal information at the time of collection. Provide enough information to allow all customers to make an informed choice. Establish a convenient procedure for opting out of or withdrawing consent. Clearly communicate and educate relevant employees on "PRIVACY LEGISLATION IS A FACT OF LIFE FOR ANY COMPANY DOING BUSINESS IN CANADA. IF ANYTHING IT WILL GET WORSE BY BECOMING STRICTER AND MORE RIGOROUS AS CONSUMERS CONTINUE TO DEMAND THAT COMPANIES TAKE INFORMATION SERIOUSLY." Conduct an internal audit to account for all the functions policies that need to be implemented as a result of changing requirements. Consider holding staff training sessions to ensure everyone is clear on both the guidelines and the risks. Put into place a gatekeeping process to ensure that established procedures for monitoring compliance are being followed. Check with in-house counsel before launching any advertising campaigns or engaging in any formal consumer-engagement activities and ensure they have the opportunity to review policies or materials before they are distributed to the market. Review online contracts and procedures to determine whether they satisfy legislative requirements. Obtain insurance to protect the business as well as corporate directors and officers from liability where possible. Julius Melnitzer is a legal affairs writer in Toronto. www.lexpert.ca | LEXPERT • June 2013 | 17 B-00-Features.indd 17 13-05-17 9:29 AM