Category Archives: Privacy Policy

US and Canada – similar countries, similar privacy laws… right? Wrong.

We are often engaged to review Privacy Policies from a U.S. and Canadian legal perspective. In many cases these Privacy Policies were drafted by Canadian counsel without considering the laws of the client's major market, the U.S. The privacy laws of Canada and the U.S. are quite different, and a failure to comply with U.S. privacy law can have enormous financial implications. Accordingly, it is critical that Canadian companies ensure that their Privacy Policies are compliant on both sides of the border.

Below we detail three common privacy law issues that Canadian companies have when entering the US market.

1. The US is far bigger and more complex than Canada

In Canada, with a couple of exceptions, the Personal Information Protection and Electronic Documents Act (PIPEDA) covers most privacy law issues in the commercial sphere. In the U.S., by contrast, companies must comply with several different federal privacy laws as well as state laws, and the state laws play a major role in privacy protection. This means that a company selling across the U.S. needs to worry about complying with the privacy laws of all 50 states in addition to several federal laws.

2. Same words, different meanings

Although both countries write their laws in English (in Canada, in French as well), the same words can have different meanings under the law. In privacy law in particular, certain key concepts differ substantially between Canadian and U.S. privacy laws, and companies that ignore these differences open themselves up to significant liability.

For example, the term "personal information", at the core of privacy law in both countries, has a different meaning in each country, and in the U.S. there is no standard definition from one law to the next, or from one state to the next. This means that while the way you currently collect data from customers may be compliant in Canada, the exact same data collection practice may be non-compliant in the U.S.

Other major privacy law concepts that differ in the U.S. include: the privacy of children under 13 years old, the standards for "consent" and "breach", the rules for third-party access to personal information, and jurisdictional issues.

3. Fines are far greater in the US

The price to pay for not complying with U.S. privacy laws is far greater than for not complying with Canadian privacy laws. For example, the Office of the Privacy Commissioner of Canada (OPC), the Canadian privacy law enforcement body, does not have the authority to fine companies for most privacy law violations.

In the U.S., by contrast, recent fines imposed by the Federal Trade Commission (FTC) and by the Federal Communications Commission (FCC) are consistently in the million-dollar range, and have reached $25 million in some cases. Even seemingly simple violations, such as collecting personal information from children, even briefly, before obtaining parental consent, can draw fines of up to a million dollars. And be aware that the first piece of evidence the FTC will look at to see whether a company is complying with U.S. privacy law is its online privacy policy. If you haven't changed your privacy policy from one that complies only with Canadian law to one that complies on both sides of the border, you are putting your company at serious risk.

Canada's population is roughly one tenth that of the U.S. For business, this means that most Canadian companies will look to the U.S. for revenue generation and, in the process, create exposure to U.S. laws, including privacy laws. It is critical that companies stay on top of their exposure to U.S. laws and engage legal counsel to ensure that their operations are fully compliant.

UI/UX Invalidated your Contract

Online contracts are only effective if implemented correctly. I've written on different processes for implementing online contracts, which is often easier to accomplish in the web context. In the mobile context, implementation is challenging given the need to balance user experience with contract formation.

How you structure contract formation in your mobile application involves negotiation between the UI/UX team and legal counsel, and a balancing of user experience against the risk that the contract is unenforceable. With millions of daily active users (DAU), the risks are enormous.

A recent case illustrates this risk and shows that even sophisticated startups can run the risk of a weaker contract formation process and be burned. Lyft presented users with this acceptance screen:

[Image: Lyft's acceptance screen, described below]

It includes the typical web approach to contract acceptance, with a check box stating: [I agree] to the Terms of Service (link). Recently, a New York court determined that this process did not clearly indicate to users that a contract was being agreed to. The combination of a series of "Next" screens, the small size of the contract formation text (relative to the large, pink "Next" button), and the fact that the contract was presented in the context of an unrelated phone number request all contributed to the court's conclusion that users were not sufficiently notified of what they were agreeing to and, as a result, did not accept the Lyft Terms of Service.

Luckily for Lyft, prior to the lawsuit, a new contract formation process had been implemented, one I've advocated for myself:

One mobile approach is to present the agreement to the user, require that they scroll through the agreement and, once scrolled through, the user is presented with the following button at the bottom of the page:  [I agree] to the Terms and Conditions.

Take away:

  1. At a minimum, mobile applications should have prominent language indicating that a contract is being presented to users (ideally as a separate screen labeled "Terms of Service" or similar).
  2. Contract language should be noticeable and not blend into the background as a user registers for the application. Try to alter the flow of the registration process so the user recognizes that something new is occurring.
  3. Any button on the contract page should state "I agree" or "I accept", rather than "Next", and this button should not overwhelm the contract link.

In my opinion, the scrolling process described above is one of the better approaches for implementing a contract in a mobile application. Other approaches are available, but your UI/UX team needs to work with legal counsel to ensure that design considerations do not overwhelm contract enforceability.

Implementing Terms of Service and Other Electronic Agreements

All too frequently, Terms of Service, Terms of Use and End User License Agreements (see our post on the differences between each) are found unenforceable when challenged in court because the agreements are not properly implemented.

To describe the implementation process simply (see our post on the technical aspects):

  1.  Present the agreement to the user; then
  2.  Require the user to affirmatively agree, usually through a click, to the agreement.

In the web context, implementation typically looks like this:

[Check box] I agree to the Startup Company Terms and Conditions (linked to the Terms and Conditions)

[Continue] (or similar language, such as “Purchase” etc.)

In the above implementation approach, the user cannot proceed unless they check the box and click the button at the bottom of the page.

In the mobile context, implementation is more challenging given the need to balance legal requirements against user experience. While the above approach can work, it may not be ideal from a UI/UX perspective.

One mobile approach is to present the agreement to the user, require that they scroll through the agreement and, once scrolled through, the user is presented with the following button at the bottom of the page:

[I agree] to the Terms and Conditions.

Given the differences between each mobile application, agreement implementation on mobile takes many forms and the above approach may not work for you.

Spending the time to determine the most effective way to implement your electronic agreements is vital as the agreements are worthless if found to be unenforceable.

How to Implement Electronic Signatures

Online agreements require an electronic form of your signature, whether you click "I agree" or apply a digital version of your offline signature. Electronic signature laws in the U.S. and Canada do not prescribe a particular signature format. Instead, these laws focus on the process required to create an enforceable signature.

Three key considerations guide the electronic signature process:

1.  Identification

How do you identify the signatory? In the case of a prospective user agreeing to a Terms of Service, identification may come in the form of an email address, first and last name, and IP address. Given the impersonal nature of online agreements, the identification challenge is establishing that the person who signed is, in fact, the person they claim to be.

2.  Intention

How do you establish intention to sign? Intention could be established through a digital version of your offline signature applied to a document, or through a user clicking "I agree." Ultimately, the user must understand what they are agreeing to and that they are, in fact, agreeing. For example, placing the "I agree" button after the agreement gives the user an opportunity to read the agreement before being asked to agree to it.

3. Integrity

How are electronic signature records retained to ensure originality and ease of production? Integrity may be established through a fixed user acceptance process whereby any user, in order to access a website, is required to accept certain terms, so that the record of the terms in force and the acceptance step is the same for everyone. Alternatively, in the case of a more traditional signed agreement, a copy of the signed agreement is retained in a read-only, tamper-evident format, with the date and time of signature logged. In both cases, establish an electronic audit trail that ties the signatory, the exact version of the agreement shown, and the moment of acceptance together.
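The present-then-affirm procedure from the Terms of Service post above and the identification, intention and integrity considerations in this post can all be enforced on the server that receives the "I agree" click. The following is an added example written for this page, not code from the original posts or from any company mentioned on the page: the field names, the version label and terms text, the audit key and the sample submission are all hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Hypothetical: the version label and exact text of the Terms currently presented.
CURRENT_TERMS_VERSION = "2017-03-01"
CURRENT_TERMS_TEXT = (
    "Example Terms of Service (constructed sample). "
    "By clicking 'I agree' you accept these terms."
)

# Hypothetical server-side secret used to authenticate audit records.
# In production, load it from a secrets store, never from source.
AUDIT_KEY = b"replace-with-a-real-secret"


def terms_digest(text: str) -> str:
    """SHA-256 of the agreement text as shown, so a record pins the exact wording accepted."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def validate(submission: dict, presented_text: str) -> list:
    """Return the reasons a submitted acceptance must be rejected (empty list = acceptable).

    submission is the body the client posted from the acceptance screen, expected to carry:
      email, full_name             identification of the signatory
      agreed                       True only if the 'I agree' control was actually used
      terms_version, terms_sha256  which terms the client believes it accepted
    """
    problems = []
    # Intention: only an explicit affirmative act counts. A missing flag, or a
    # "Next"-style submit that never set it, is not acceptance.
    if submission.get("agreed") is not True:
        problems.append("no affirmative acceptance")
    # Identification: the record is useless without a person to tie it to.
    for field in ("email", "full_name"):
        if not str(submission.get(field, "")).strip():
            problems.append(f"missing {field}")
    # Integrity: the client must acknowledge the same version and text the server
    # presented; a stale tab accepting last year's terms is not acceptance of today's.
    if submission.get("terms_version") != CURRENT_TERMS_VERSION:
        problems.append("terms_version does not match the version presented")
    if submission.get("terms_sha256") != terms_digest(presented_text):
        problems.append("terms_sha256 does not match the text presented")
    return problems


def _canonical(record: dict) -> bytes:
    """Stable serialisation of every field except the MAC itself."""
    body = {k: v for k, v in record.items() if k != "mac"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_record(record: dict) -> str:
    """HMAC-SHA256 over the canonical record; any later edit to a field invalidates it."""
    return hmac.new(AUDIT_KEY, _canonical(record), hashlib.sha256).hexdigest()


def record_acceptance(submission: dict, presented_text: str, client_ip: str, now=None) -> dict:
    """Validate the submission and return a signed audit record; raise ValueError otherwise."""
    problems = validate(submission, presented_text)
    if problems:
        raise ValueError("; ".join(problems))
    accepted_at = (now or datetime.now(timezone.utc)).isoformat()
    record = {
        "email": str(submission["email"]).strip(),
        "full_name": str(submission["full_name"]).strip(),
        "client_ip": client_ip,
        "terms_version": CURRENT_TERMS_VERSION,
        "terms_sha256": terms_digest(presented_text),
        "method": "scroll-through-then-I-agree",  # how acceptance was captured
        "accepted_at": accepted_at,
    }
    record["mac"] = sign_record(record)
    return record


def verify_record(record: dict) -> bool:
    """True if the record is intact; False if any field (or the MAC) was altered."""
    mac = record.get("mac")
    if not isinstance(mac, str) or not mac.isascii():
        return False
    return hmac.compare_digest(mac, sign_record(record))


if __name__ == "__main__":
    # Constructed sample submission from the acceptance screen.
    sample = {
        "email": "user@example.com",
        "full_name": "Sample User",
        "agreed": True,
        "terms_version": CURRENT_TERMS_VERSION,
        "terms_sha256": terms_digest(CURRENT_TERMS_TEXT),
    }
    rec = record_acceptance(sample, CURRENT_TERMS_TEXT, "203.0.113.7")
    print(json.dumps(rec, indent=2))
    print("intact:", verify_record(rec))
    rec["email"] = "someone-else@example.com"
    print("after tampering:", verify_record(rec))
```

The record stores a hash of the terms text rather than just a version label, so that if the wording of a version is later edited the stored acceptance no longer matches and the discrepancy is visible. The HMAC makes later edits to the retained record detectable, which is the "locked file format" property for a database row; it does not prove who clicked, so the identification fields and the client IP should be retained alongside whatever account verification (for example, a confirmed email address) the service already performs.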

While there is no single correct type of online signature, there is a correct process for online signatures, and it should be considered whenever an online agreement is required.