January 26, 2021
We udpated this publication on March 4, 2022.
Privacy is critical to every business in every sector, including startups and growing businesses: to comply with the law, to foster positive customer perception, and to be attractive to investors. The consequences of getting privacy wrong can be significant, and for a startup or a growing business, perhaps even fatal. When to start: right from day one – or right now. Where to start: with “Privacy by Design”. How to start: with these five key privacy questions that startups and growing businesses frequently ask.
1. Why is “privacy” relevant for my business; isn’t it only relevant for businesses in certain sectors, like information technology, or for large businesses?
If your business has users or customers, or in any way collects, uses or discloses personal information (in other words, pretty much every business in Canada), “privacy” is not just relevant to your business: it’s critical.
Privacy law compliance. Canada has a mosaic of privacy laws. It’s important that you understand which apply to your business – and it’s likely more than one:
Customer perception. It’s equally important that your customers feel your business is transparent about its privacy practices, and that your use of their personal information is in line with their expectations. If you use your customers’ personal information in a way they don’t expect, such as collecting cell phone numbers to confirm a customer’s account but then also using it to send promotional text messages, it can be perceived as “creepy” and invasive – something your business will want to avoid – in addition to possibly being illegal.
Investor readiness. Investors are also attuned to the importance of privacy law compliance – and the effects of non-compliance – on a business. Sophisticated investors will include privacy in any due diligence investigations, and failing to pass privacy muster could cost you a deal. If your goal is to attract investors for growth, or even ultimate acquisition now or down the road, understanding how privacy issues affect your business and ensuring your business’s privacy practices are both legally compliant and commercially sound will play an important role in making it attractive to investors.
2. What happens if I get “privacy” wrong?
The consequences of getting privacy wrong can be significant – and for a startup or a growing business, perhaps even fatal:
Failed investment or acquisition due diligence. Like everyone else, investors and purchasers are acutely aware of privacy and data security and of the liability risks of privacy and data security breaches. Missing the mark on privacy will likely to lead to failing the due diligence inquiries of an investor or a purchaser – and ultimately, failing to close the deal.
Bad press, reputation damage, lost customers – and lost value. Today’s media is all over news of a data or privacy breach, and is not sympathetic to either the breaching companies or the people associated with them. Think Marriott/Starwood, Equifax, and Capital One, to name but a few. The prevalence of digital and social media makes it easier than ever to spread negative publicity further than ever before. That can immeasurably harm a business’s reputation, and lead to lost customers – and ultimately lost value of the business.
Expensive fixes. There are upfront costs required to bake privacy compliance into business practices and processes at the building stage, which can be discouraging to often cash-poor startups and growing businesses. But the upfront costs of doing it right the first time are significantly lower than the cost to fix those same practices and processes later on.
Expensive (or impossible) insurance. In the business-to-business sector, customers are increasingly demanding that their service providers have cyber-risk insurance coverage. Unless you can demonstrate your privacy and cybersecurity diligence, this insurance is either extraordinarily expensive – or impossible – to get.
And expensive defences. Those upfront costs are also significantly lower than both the legal costs to defend a privacy or data breach civil lawsuit or regulatory complaint, and the financial liability exposure to which such a claim exposes the business. It’s all about risk mitigation: planning upfront reduces the chances that a breach (and thus a lawsuit or complaint), will occur at all, and if it does, then your business will have a better shot at successfully defending against it.
Serious fines for the business – and its directors. Fines for beaching the Digital Privacy Act can be serious. For example, if a business fails to comply with the Act’s breach response regulations, both the company and its corporate directors personally can be liable for fines of $100,000 per incident. Fines for breaching CASL can also be serious. For example, on March 5, 2015, the Canadian Radio and Television Commission (CRTC) handed out its first corporate penalty for a breach of Canada’s Anti-spam Law (aka CASL): $1.1 million against Compu-Finder. On April 23, 2019, the CRTC handed out its first personal penalty for a breach of CASL: $100,000 against the President and CEO of nCrowd, Inc. And when the CPPA becomes law, fines for beaching it will be significant: it authorizes the imposition of administrative monetary penalties and fines of up to 5% of global revenue or $25 million, whichever is higher, for the most serious offences.
3. When should a business start thinking about – and acting on – “privacy”?
Start right from day one – or if you didn’t start then, start right now.
4. Where do I start?
Start with “Privacy by Design” (or PbD): the concept that a business can’t rely only regulatory compliance to ensure privacy, but instead must make privacy its “default mode of operation”, “embedded in every standard, protocol and process”. Developed by Dr. Ann Cavoukian, Ph.D. and former Information & Privacy Commissioner of Ontario, Privacy by Design (PbD) (for which she named McInnes Cooper’s David Fraser an “Ambassador”) advocates that businesses can achieve this objective by practicing these “7 Foundational Principles”:
5. How do I implement PbD in my startup or growth-stage business?
Startups and early growth stage businesses are in the best place to implement Privacy by Design because they can build it into their culture right from the ground up. To help your business build a “privacy first” culture, keep these key issues in mind:
Data. Think about it, track it, understand its full cycle, and who has access to it throughout.
Marketing. Balance data analytics goals with user privacy.
Human Resources. Train your employees on privacy issues.
Vendors/infrastructure. Think about your vendors and third party suppliers (for example, cloud service providers), and know and understand their privacy policies.
Developers. Make sure developers you work with understand privacy issues.
Privacy Design Documentation. For each and every element of each and every project, ask yourself these questions and document and understand the answers:
Please contact your McInnes Cooper lawyer or any member of the Privacy, Data Protection & Cyber Security Law Team @ McInnes Cooper to discuss how we can help your startup get privacy right.
McInnes Cooper has prepared this document for information only; it is not intended to be legal advice. You should consult McInnes Cooper about your unique circumstances before acting on this information. McInnes Cooper excludes all liability for anything contained in this document and any use you make of it.
© McInnes Cooper, 2021. All rights reserved. McInnes Cooper owns the copyright in this document. You may reproduce and distribute this document in its entirety as long as you do not alter the form or the content and you give McInnes Cooper credit for it. You must obtain McInnes Cooper’s consent for any other form of reproduction or distribution. Email us at [email protected] to request our consent.
Mar 2, 2023
All businesses need written contracts. Determining what written contracts are essential depends on many factors, including the nature of the…
Feb 1, 2023
On January 26, 2023, the Office of the Privacy Commissioner of Canada (OPC) released a report of findings requiring companies using targeted…
Jan 26, 2023
In November 2022, the Ontario Court of Appeal definitively decided an organization whose information systems are breached by a malicious third…
Dec 14, 2022
If you’re at the stage in the financing lifecyle where venture capital is the right route to grow your business, here are five tips to help…
Oct 28, 2022
Finally closing on October 27, 2022, the tumultuous Elon Musk/Twitter M&A deal drama has been unfolding for months, with both sides making…
Jul 20, 2022
There’s a new privacy law coming to Canada. In June, the federal government introduced a complete overhaul of the privacy law regime that both…
Jun 30, 2022
On June 16, 2022, the federal government took a second shot at a complete overhaul of the private sector privacy law regime that both protects…
Apr 20, 2022
If you’ve reached the stage in your financing lifecycle where you’re ready to take your company public, you might think you’ve only got…
Jan 25, 2022
More and more people are using smart contracts: the global smart contracts market was valued at USD $145M in 2020; it’s projected to be valued…
Dec 16, 2021
We updated this publication on December 21, 2022. The name of the game is to have a plan to mitigate the risk that a data breach will happen…
Jun 24, 2021
Many employers use equity compensation plans like employee stock option plans to attract, motivate, and retain talent. One reason stock options…
Mar 18, 2021
Your startup idea has blossomed into a viable business: you’ve incorporated a company, it’s been growing steadily, and you’re at the stage…
Nov 24, 2020
An economic downturn can result in an M&A uptick: there can be more attractive targets on the market, and sellers can be more motivated to…
Nov 19, 2020
This publication has been updated as at June 30, 2022. NOTE: On June 16, 2022, the Government of Canada introduced Bill C-27: Digital…
Nov 17, 2020
Spurred by the COVID-19 Pandemic and bricks-and-mortar closures, businesses - from SMEs to multinationals, startups to mature businesses,…
Oct 7, 2020
Properly incorporating and structuring is key to position a startup to attract investors and strategic partners and, if desirable, achieve a…
Aug 12, 2020
This publication has been updated as of May 5, 2021. The ongoing COVID-19 pandemic has led many employees to continue working from home, by…
Jul 6, 2020
On June 26, 2020, the Supreme Court of Canada released Uber Technologies Inc. v. Heller, a much-awaited decision regarding the enforceability of…
Jun 12, 2020
The financial technology (Fintech) industry uses technology to support and enhance financial and banking services.
Feb 12, 2020
Intellectual property (IP) can be a business’s most valuable (even only) asset. Once you’ve taken steps to understand what the five main IP…
Jan 30, 2020
NOTE: The new tax rules for employee stock option plans take effect on July 1, 2021. Learn more at Limited Options: New Employee Stock Option…
Apr 8, 2019
Growing a business takes people. In early days, many startups have just one “employee”: the founder. At some point, the founder might retain…
Mar 28, 2019
Organizations subject to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) – those that collect, use or…
Feb 20, 2019
On February 14, 2019, the Supreme Court of Canada decided yet another criminal law decision that will likely have broader ramifications for…
Dec 19, 2018
On December 13, 2018, the Supreme Court of Canada confirmed that a third party can’t waive a person’s right to privacy or their rights under…
Sep 10, 2018
As of January 2019, incorporating a limited company in N.S. will be more economical. On September 7, 2018, the N.S. government announced it’s…
Aug 20, 2018
Every organization subject to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) - every organization that…
Aug 3, 2018
As of November 1, 2018, organizations in Canada subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) will face…
Jul 18, 2018
Most businesses – from startups to SMEs to multi-nationals, and from private family-owned businesses to public corporations – will use…
Jun 13, 2018
Businesspeople (and their legal counsel) are on the road more than ever before: according to Statistics Canada, while Canada-U.S. traffic is…
Apr 2, 2018
Equity compensation plans are a valuable and versatile tool for many corporations, from early-stage startups to established blue-chips.…
Jan 12, 2018
Whether a provincial court will grant police a “production order” under the Criminal Code of Canada requiring a non-Canadian company to…
Dec 22, 2017
Blockchain technology has already been a transformative force in a number of sectors. Its most prominent use to date has been as the…
Nov 16, 2017
Corporations are the leading business vehicle in modern commerce. For startups, properly structuring and incorporating is critical to avoid…
Oct 31, 2017
Intellectual Property (IP) can be a valuable asset – even the most valuable asset – of a business. So it’s worth making sure the business…
Jul 17, 2017
A corporation does not always sail in calm or safe waters. Cash shortages, unattainable or unmet goals, Board disagreements over the best course…
Jul 13, 2017
When growing your business, you face many decisions, including choosing the business structure that is right for you. Your legal team can be…
Jun 28, 2017
On June 28, 2017, the Supreme Court of Canada confirmed a Canadian court can issue an interlocutory injunction (an order requiring an entity or…
Jun 23, 2017
On June 23, 2017, the Supreme Court of Canada decided that in a contest between the choice of forum clause in Facebook’s online terms of use…
Jun 7, 2017
On June 7, 2017, the federal government repealed the regulations that would have brought into effect the sections of Canada’s Anti Spam…
Apr 20, 2017
On April 13, 2017, Canada’s federal government introduced legislation that, if passed into law, will legalize recreational cannabis in Canada.…
Apr 6, 2017
Adding a third jurisdiction to Gard Update’s comparison between privilege in the corporate context under U.S. and English law, McInnes Cooper…
Mar 30, 2017
Social media platforms, like Instagram, Twitter, LinkedIn, YouTube, Facebook and GooglePlus, arguably have more followers and are more closely…
Mar 30, 2017
There are very few examples of a Canadian court interpreting and opining on the provisions of an information technology contract. So the Ontario…
Feb 24, 2017
This publication has been updated as at January 12, 2023. Many organization (66%) store the personal information of customers. employees,…
Feb 22, 2017
On January 1, 2022, the Atlantic Immigration Pilot Program became the permanent Atlantic Immigration Program (AIP). Learn more at From Pilot to…
Jan 25, 2017
Doing business with the public sector creates an often overlooked – but very real – risk that the confidential information a business…
Jan 13, 2017
On January 11, 2017, Emera Inc. offered an electrifying opportunity for renewable energy developers to potentially access the New England…
Dec 15, 2016
On December 13, 2016, the Province of Nova Scotia released for comment draft regulations that will establish the Solar for Community Buildings…
Nov 28, 2016
On November 25, 2016, the Supreme Court of Canada decided privilege wins again - twice. In two separate decisions - Lizotte v. Aviva Insurance…
Nov 22, 2016
On November 17, 2016 the Supreme Court of Canada decided a mortgagee has the mortgagor’s implied consent to disclose its discharge statement…
Oct 21, 2016
All shareholders – whether in a startup, a small or large business or a family-owned business – can benefit from a shareholders’…
Oct 19, 2016
We updated this publication on January 17, 2023. For many businesses, large and small, their “Intellectual Property” (IP) is one of their…
Oct 19, 2016
Business owners wear many hats – including employer. Your employees may be your business’s greatest asset, but they could also be your…
Aug 9, 2016
This publication has been updated as at January 27, 2023. A key legal decision in starting or growing your business is choosing the…
May 10, 2016
This publication has been updated as at April 18, 2022. Access to sufficient capital is always a business issue, from the startup stage right…
Mar 24, 2016
When a business responds to a public sector Request for Proposal or Expression of Interest (both of which we’ll refer to as an RFP for these…
Jan 27, 2016
On January 21, 2016, the Ontario Superior Court of Justice dramatically expanded the scope of legal privacy protection – and the liability…
Jan 18, 2016
On January 14, 2016, the Ontario Superior Court decided that Canadians have a clear privacy interest in their records of their cellular…
Oct 19, 2015
Access to sufficient capital to fund operations, research and development, and other costs is a key challenge for start-ups and for some small…
Sep 29, 2015
The anti-spam sections of Canada’s Anti-spam Legislation (CASL) took effect on July 1, 2014 amidst hype, controversy and dire warnings. Were…
Jul 29, 2015
On July 27, 2015, the Federal Court of Canada decided a lawsuit by medical marijuana program participants against the Federal Government…
Jun 2, 2015
Effective April 22, 2015 the NS Government enacted the NS Missing Persons Act, lowering the threshold for police to get an order to access…
Apr 2, 2015
The market for the sale and the supply of goods is a global one for many businesses in today’s economy. Both exporting goods from Canada and…
Mar 25, 2015
On March 3, 2015 Canada’s Privacy Commissioner determined that Health Canada breached privacy laws by mailing letters to over 40,000 Marihuana…
Mar 6, 2015
On March 5, 2015, the Canadian Radio and Television Commission (the CRTC, the main agency charged with administering and enforcing most of CASL)…
Jan 26, 2015
NOTE: Substantial changes to Canada’s Trademarks Act took effect on June 17, 2019 Learn more at New Canadian Trademarks Regime Effective June…
Dec 11, 2014
On December 11, 2014 the Supreme Court of Canada continued its trend to recognize privacy rights – and develop the law to protect them –…
Dec 11, 2014
On January 15, 2015, the software provisions of Canada’s Anti-Spam Legislation (CASL) will take effect. CASL’s anti-spam sections, touted…
Dec 1, 2014
The construction industry - project owners, contractors, subcontractors and trades - might be relaxing, ignoring the hype around Canada’s…
Oct 14, 2014
CASL’s anti-spam sections came into force on July 1, 2014. Every organization that CASL affects should now be complying with it – and their…
Aug 1, 2014
Most Canadians have heard about Canada’s Anti-Spam Legislation (CASL): we’ve been bombarded with “CASL Compliant” emails asking us to…
Jun 16, 2014
On June 13, 2014 the Supreme Court of Canada decided that Canadians have a reasonable expectation of privacy in their online activities, and…
Jun 12, 2014
The countdown to CASL is almost over: there are only 13 business days until the anti-spam provisions of CASL – and most of the penalties for…
Jun 11, 2014
Note: For an update on Crowdfunding, read: New Kid on the Block – Crowdfunding Joins Traditional Equity-Based Funding Options for Start-ups…
May 8, 2014
On July 1, 2014 – less than two months from now - the anti-spam sections of Canada’s Anti-Spam Legislation (CASL) take effect. Individuals…
Apr 15, 2014
The countdown to CASL is on: on July 1, 2014, the anti-spam sections of Canada’s Anti-Spam Legislation (“CASL”) take effect. Individuals…
Mar 19, 2014
As organizations turn to cloud computing services, ensuring compliance with legislation and reducing privacy risks is key. In Canada, there is…
Feb 28, 2014
On July 1, 2014, the anti-spam sections of Canada’s Anti-Spam Legislation (aka “CASL”) will take effect. CASL is: Broad. It applies…
Feb 28, 2014
On July 1, 2014, the anti-spam sections of Canada’s Anti-Spam Legislation (aka “CASL”) take effect. CASL will apply to just about every…
Nov 8, 2013
On November 7, 2013, the SCC decided police require specific authorization in a search warrant to search the data in a computer because of the…
Nov 28, 2012
On October 19, 2012 the Supreme Court of Canada (SCC) decided that a teacher criminally charged with possession of child pornography and…
Oct 22, 2012
Mr. Cole was a high school teacher with an employer owned and issued laptop computer. He also used it for incidental personal purposes, which…
May 6, 2011
In March 2011, the Ontario Court of Appeal found that an employee had a limited expectation of privacy in the contents of a work computer. The…
Apr 7, 2011
Note: Click here to read an updated version of this Legal Update in Cloud Computing: A Privacy FAQ as seen in as seen in CCCA Magazine, Spring…
Subscribe to McInnes Cooper to stay current with our leading insights on legal updates, trends, news, events, and services.