On May 19, 2020 Canada’s Competition Bureau (the “Bureau”) and the provider of a large online social media platform (the “Platform”) registered a Consent Agreement with the Competition Tribunal (the “CB Consent Order”). The CB Consent Order resolved an inquiry by the Bureau into representations the Platform had made about its privacy practices, in particular regarding the sharing of its users’ information with third-party developers. It establishes compliance reporting and monitoring obligations for a period of ten years and provides for an administrative monetary penalty of $9 million, as well as payment of $500,000 towards the Bureau’s costs.
As we have previously explained, this represents an important development in the Competition Bureau’s regulation of privacy issues, which have previously been policed by the federal and provincial privacy commissioners. The CB Consent Order portends a number of potentially significant developments in competition and privacy law in Canada. For more detail on the CB Consent Order, see the recent Dentons Data blog post, The Competition Bureau Reviews Privacy Statements for “false or misleading” Representations, Levies $9 Million Fine.
Importantly, the CB Consent Order mirrors a consent agreement reached between the US Federal Trade Commission (the “FTC”) and the Platform in 2019, (the “FTC Consent Order”), dealing with essentially identical subject matter. This post explores how the reach of the Bureau and FTC are similar (and different), how they are empowered to cooperate with each other, and details another significant enforcement action taken by the FTC in respect of a company’s privacy practices. The experience of the FTC may be helpful for Canadian companies seeking to understand the new approach of the Competition Bureau, and the developing risk.
The FTC and the Bureau
The FTC has decades of experience handling privacy matters, particularly in credit reporting and debt collection. The FTC’s earliest information privacy matters, in 1951 and then a series of cases in the 1970s, recognized the general consumer preference against commercialization of personal data. Using its enforcement powers, the FTC sued companies for deceptive data collection, and for the sale of data collected in preparing tax returns. The agency brought its first internet-related fraud case in 1994 and since then, the FTC has steadily broadened the duties for fair information handling.
The FTC’s broadest jurisdiction is its enforcement against unfair and deceptive practices under section 5 of the FTC Act. Despite that wide reach, section 5 has significant limits. The FTC generally cannot impose a civil penalty for a first-time section 5 violation; penalties are available only for violations of an existing consent decree or order. Further, section 5 itself does not define standards for unfairness or deception. Because the FTC’s privacy enforcement must fit within that authority, some have argued that the agency cannot adequately address privacy threats that are not easily characterized as unfair or deceptive practices. Similar issues may arise in respect of the Competition Bureau’s jurisdiction.
The Competition Bureau has a similar jurisdiction. As discussed in more detail in a previous post, section 74.01(1) of the Competition Act governs the civil reviewable practice of making misleading representations to the public. In particular, paragraph 74.01(1)(a) prohibits the making of representations to the public that are false or misleading in a material respect in order to promote a product, service or business interest. Section 52 of the Act establishes the criminal prohibition of knowingly or recklessly making, or permitting the making of, a false or misleading representation in a material respect.
According to the Bureau, a representation includes claims about the information businesses collect, why they collect it, and how they use it. In addition, as the Bureau expressly stated in its recent announcement, the Act applies to digital products that are “free”. Thus, search engines, browsers, social media platforms, mobile apps, data exchanges and other similar digital businesses that provide their product or service without charge are within the scope of the Act.
A key part of the analysis is whether the representation is false or misleading in a material respect. A representation is material if it will influence a consumer’s decision to buy, or to use, the product or service. When the Bureau is determining if a representation is misleading, it must consider the general impression that the representation is likely to create in a consumer’s mind, as well as its literal meaning. The analysis considers the average consumer, while also taking into account the nature of the product and the audience to whom the representation is directed. Consequently, it must be proven that a data representation, or the absence of one, is material to the consumer’s decision to use the product or service.
The FTC Consent Order
The FTC Consent Order was executed on July 24, 2019, and concluded a year-long FTC investigation into the Platform’s alleged violations of an administrative order originally issued against the Platform in 2012 (the “2012 Order”). Under the terms of the 2012 Order, the Platform was prohibited from making misrepresentations about the extent to which its users could control their personal information, the steps users needed to take to implement such controls, and the extent to which the Platform disclosed users’ personal information to third parties. In 2018, the FTC alleged that the Platform had failed to comply with these conditions by continuing to share the personal information of certain individuals connected to users, even when the users had implemented restrictive privacy settings; the result was the FTC Consent Order.
Under the terms of the FTC Consent Order, the Platform agreed to pay a $5 billion civil penalty. The Platform also agreed to introduce a new corporate compliance program (the “Compliance Program”) requiring the Platform to:
- Establish an independent privacy committee of the Platform’s Board of Directors;
- Conduct a privacy impact assessment of every new or modified product before introducing it on the Platform;
- Designate compliance officers to report to the FTC on a quarterly basis about the company’s ongoing compliance with the Program;
- Cooperate with biennial assessments of the Compliance Program performed by a third-party assessor;
- Document any data breach incidents affecting 500 or more users and report them to the FTC.
On April 27, 2020, after approval by a Federal Court, the FTC amended the 2012 Order to incorporate the terms of the FTC Consent Order.
The CB Consent Order was executed shortly thereafter and, to a large extent, replicates the allegations made in the FTC Consent Order.
Notably, the CB Consent Order also incorporates, by reference, the Platform’s obligation to implement the Compliance Program as described in the FTC Consent Order.
The 1995 Agreement between the Government of Canada and the Government of the United States of America Regarding the Application of Competition and Deceptive Marketing Practices Laws (the “Agreement”) promotes cooperation and coordination between the FTC and the Bureau through various notification and enforcement cooperation mechanisms. For example:
- Under Article II(1) of the Agreement, each party is to notify the other “with respect to its enforcement activities that may affect important interests of the other party.” This will be the case when enforcement activities “are relevant” to enforcement activities of the other country. Notification must be made seven days before the settlement of a matter by way of a consent order.
- Article III of the Agreement also provides for a wide range of enforcement cooperation measures, including the sharing of information about alleged anticompetitive activities.
- Finally, article IV of the Agreement provides that the two countries may directly cooperate on enforcement activities.
The nearly simultaneous resolution of the CB Consent Order and the FTC Consent Order, coupled with their common substance, suggests that the Bureau has been coordinating with, and obtaining information from, the FTC. If the Bureau is now committed to using competition law to scrutinize companies’ privacy and data practices (as seems to be the case), it is likely that it will continue to track the FTC on such matters.
The next “anti-competitive” privacy development?
On April 6, 2020, the FTC entered into a consent agreement with a Canadian Internet-of-Things (“IoT”) company (the “Smart Lock Provider”) that sells Internet-connected fingerprint-enabled padlocks (“Smart Locks”). The consent agreement resolves a complaint by the FTC that the Smart Lock Provider had engaged in deceptive acts or practices by falsely representing (1) that its Smart Locks were secure; and (2) that it took reasonable precautions and followed industry best practices to protect consumers’ personal information. According to the complaint, researchers were able to open a Smart Lock within seconds by unscrewing the back panel. Researchers had also discovered other security vulnerabilities, including:
- A vulnerability on the Smart Lock Provider’s API that allowed researchers to bypass account authentication and gain full access to all of the Smart Lock Provider’s users’ accounts – exposing usernames, email addresses, profile photos, location history and precise geolocation of each Smart Lock;
- A vulnerability that allowed researchers to intercept the unencrypted flow of data between the Smart Lock and the app in order to identify and generate keys needed for unlocking; and
- A vulnerability that prevented users from effectively revoking access to their Smart Lock once they had provided other users with access.
The consent agreement bans the Smart Lock Provider from making deceptive statements about the extent to which it protects (1) the security of its products; and (2) the privacy, security, confidentiality, or integrity of its customers’ personal information. The consent agreement also requires the Smart Lock Provider to implement a comprehensive information security program in respect of the above. Finally, the Smart Lock Provider must obtain biennial third-party assessments and must certify its compliance annually.
It remains to be seen whether the Bureau follows suit and takes similar action against the Smart Lock Provider. However, as discussed above, the Bureau has aligned with the FTC in characterizing representations made by a company about its privacy practices as a matter for competition law. It is very possible that we will continue to see the Bureau follow the FTC.
The Bureau is now involved in privacy/data enforcement
Companies can expect to face privacy regulatory oversight from the Bureau, not solely from the various privacy commissioners, who (importantly) do not currently have the same ability to impose monetary penalties.
The Bureau’s involvement in privacy and data matters is a material change in risk
The Bureau’s foray into privacy practices, coupled with its coordination and cooperation arrangements with the FTC, which continues to investigate privacy-related issues, makes now a good time for companies to look closely at their privacy policies and practices to make sure they are aligned. As we have previously stated:
- Representations about (i) what information is collected; (ii) how often; (iii) for how long; and (iv) what use is made of this information should be accurate. This means understanding what information and data you have, which may require a data mapping exercise.
- Privacy policies should state whether the information will be sold to, or otherwise shared with third-parties. To the extent that information is being shared with third parties, it is important to review the relevant agreements to make sure that the proper safeguards are in place.
- Privacy policies should be updated when practices change.
Approach undertakings/consent agreements cautiously
As is made clear by the CB Consent Order, the Bureau may seek to incorporate, by reference, an organization’s commitments made to the FTC (here, the CB Consent Order also incorporates, by reference, the Platform’s obligation to implement the Compliance Program as described in the FTC Consent Order).
In most cases, a single compliance program or other binding obligation will be preferred by the organization – it simplifies implementation, reduces costs, etc.
Where possible, before entering into a consent agreement with the FTC on a matter that the Bureau may also investigate, organizations should ensure they have a thorough understanding of the implications on the Bureau side. For instance, an agreement to provide certain audits of security safeguards or compliance measures may, if not carefully worded, be insufficient to satisfy Canadian regulators, with the result that the organization incurs costs to re-do the work. In addition, organizations will want to be fully aware of the scope and limits of any privilege claimed over information or documents provided to the FTC, as the Bureau may ask for their production. Finally, organizations should be aware that, in at least one instance of which we are aware, information published by the FTC (and other regulators) formed the basis of an investigation and conclusions by the Office of the Privacy Commissioner of Canada (“OPC”) in an OPC-initiated complaint against the organization on the Canadian side.
For more information about Dentons’ data expertise and how we can help, please see our Transformative Technologies and Data Strategy page and our unique Dentons Data suite of data solutions for every business, including enterprise privacy audits, privacy program reviews and implementation, and training in respect of personal information.