US and Canada – similar countries, similar privacy laws… right? Wrong.

We are often engaged to review Privacy Policies from a U.S. and Canadian legal perspective.  In many cases these Privacy Policies were drafted by Canadian counsel without considering the laws of the client’s major market, the U.S.  The privacy laws of Canada and the U.S. are quite different and a failure to comply with U.S. privacy law can have enormous financial implications.  Accordingly, it is critical that Canadian companies ensure that their Privacy Policies are compliant on both sides of the border.

Below we detail three common privacy law issues that Canadian companies have when entering the US market.

1. The US is far bigger and more complex than Canada

In Canada, with a couple of exceptions, the Personal Information Protection and Electronic Documents Act (PIPEDA) covers most privacy law issues in the commercial sphere.  Conversely, in the U.S., companies must comply with several different federal privacy laws, as well as state laws, the latter playing a major role in privacy protection.  This means that companies need to worry about complying with the privacy laws of all 50 states as well as several federal laws.

2. Same words, different meanings

Although both countries write their laws in English (In Canada – en Français aussi), words can have varying meanings under the law.  In privacy law in particular, certain key concepts are very different between Canadian and U.S. privacy laws, and companies that ignore these differences open themselves up to huge liability.

For example, the term "personal information", at the core of privacy law in both countries, means different things in each country, and in the US there is no standard definition from one law to the next, or from one state to the next. This means that while the way you currently collect data from customers might be compliant in Canada, the exact same data collection practice may be non-compliant in the US.

Other major privacy law concepts that differ in the US include: privacy of children under 13 years old, standards for “consent” and “breach”, rules for third-party access to personal information and jurisdiction issues.

3. Fines are far greater in the US

The price to pay for not complying with US privacy laws is far greater than the price for not complying with Canadian privacy laws. For example, the Office of the Privacy Commissioner of Canada (OPC), the Canadian privacy law enforcement body, does not have the authority to fine companies for most privacy law violations.

In the US, by contrast, recent fines imposed by the Federal Trade Commission (FTC) and its sister body, the Federal Communications Commission (FCC), are consistently in the million-dollar range and even up to $25 million in some cases.  Even simple violations, such as gathering temporary personal information of children prior to getting parental consent, can garner fines of up to a million dollars.  And be aware: the first piece of evidence that the FTC will use to see if a company is complying with US privacy law is its online privacy policy. If you haven’t changed your privacy policy from one that complies only with Canadian law to one that is compliant on both sides of the border, you are putting your company at huge risk.

Canada’s population is 1/10 that of the U.S.  For business, this means that most Canadian companies are going to look to the U.S. for revenue generation and in the process create exposure to U.S. laws, including privacy laws.  It’s critical that companies stay on top of their exposure to U.S. laws and engage legal counsel to ensure that their operations are fully compliant.