This publication has been updated as of March 4, 2022.

Privacy is critical to every business in every sector, including startups and growing businesses: to comply with the law, to foster positive customer perception, and to be attractive to investors. The consequences of getting privacy wrong can be significant, and for a startup or a growing business, perhaps even fatal. When to start: right from day one – or right now. Where to start: with “Privacy by Design”. How to start: with these five key privacy questions that startups and growing businesses frequently ask.

1. Why is “privacy” relevant for my business; isn’t it only relevant for businesses in certain sectors, like information technology, or for large businesses?

If your business has users or customers, or in any way collects, uses or discloses personal information (in other words, pretty much every business in Canada), “privacy” is not just relevant to your business: it’s critical.

Privacy law compliance. Canada has a mosaic of privacy laws. It’s important that you understand which apply to your business – and it’s likely more than one:

• Canadian commercial privacy laws. PIPEDA (the Personal Information Protection and Electronic Documents Act) is the current Canadian federal privacy law that regulates the collection, use and disclosure of personal information by businesses in the private sector. Quebec, Alberta and British Columbia each has its own private sector privacy law deemed substantially similar to PIPEDA that apply to businesses operating wholly within those provinces. Businesses to which PIPEDA applies must also comply with the Digital Privacy Act (DPA) and its mandatory data breach response obligations. In November 2020, the federal government proposed replacing PIPEDA with the Consumer Privacy Protection Act (CPPA). While the proposed CPPA didn’t pass into law, a new federal privacy law is anticipated in the next few years. What that law will look like, and its implications for organizations’ obligations respecting the collection, use and disclosure of personal information aren’t yet known – but are likely to be significant.
• Canadian health privacy laws. Each province has its own privacy law that deals specifically with personal health information. While these laws regulate “health information custodians” or “trustees”, any organization providing services to the health sector that touches health information must build privacy protection into its services.
• Public sector laws. There are also privacy laws in Canada applicable to public sector organizations, such as government organizations, schools and hospitals. These laws govern collection, use and disclosure of personal information as well as the public’s right to access information. But even if your business isn’t a “public sector” organization, these laws might still impact you if you do business with any public sector organization subject to these laws. For example, if you submit a business proposal to a public body, the law could permit public disclosure of the proposal upon request, making it important that those doing business with the public sector understand the key confidentiality risks and the strategies to help manage them.
• Canadian Anti-spam law. Canada also has a complicated and onerous anti-spam law (Canada’s Anti-Spam Law (CASL)) intended to prevent businesses from spamming people by sending commercial electronic messages without the proper consent. The rules are tricky and complex, but businesses must comply with them: fines for failing to do so are hefty, not to mention the resulting negative publicity.
• Canadian civil laws. Courts are recognizing a growing number of civil claims based on privacy breach, such as “intrusion upon seclusion”, “publicity to private life”, “public disclosure of private facts” (a.k.a. “breach of confidence”) and “negligence”. If, for example, there is a breach of your customer database that results in a loss or theft of personal information (for example, customer email addresses), those affected might start a class-action lawsuit based on one of these privacy claims that could lead to costly litigation, settlement and negative publicity.
• International privacy laws. In today’s borderless and increasingly digital business world, businesses must also consider the other countries where their customers are – and the privacy laws in them. The laws of some countries, such as U.S. breach notification laws (for example, the California Consumer Privacy Act or “CCPA”) and the European General Data Protection Regulation (GDPR), explicitly apply beyond their geographic borders to protect their residents’ privacy, and have serious fines for non-compliance. Canada’s proposed CPPA also takes an expansive approach to its application. When passed, it will expressly apply to all personal information an organization collects, uses or discloses, including interprovincially or internationally.

Customer perception. It’s equally important that your customers feel your business is transparent about its privacy practices, and that your use of their personal information is in line with their expectations. If you use your customers’ personal information in a way they don’t expect, such as collecting cell phone numbers to confirm a customer’s account but then also using it to send promotional text messages, it can be perceived as “creepy” and invasive – something your business will want to avoid – in addition to possibly being illegal.

Investor readiness. Investors are also attuned to the importance of privacy law compliance – and the effects of non-compliance – on a business. Sophisticated investors will include privacy in any due diligence investigations, and failing to pass privacy muster could cost you a deal. If your goal is to attract investors for growth, or even ultimate acquisition now or down the road, understanding how privacy issues affect your business and ensuring your business’s privacy practices are both legally compliant and commercially sound will play an important role in making it attractive to investors.

2. What happens if I get “privacy” wrong?

The consequences of getting privacy wrong can be significant – and for a startup or a growing business, perhaps even fatal:

Failed investment or acquisition due diligence. Like everyone else, investors and purchasers are acutely aware of privacy and data security and of the liability risks of privacy and data security breaches. Missing the mark on privacy will likely to lead to failing the due diligence inquiries of an investor or a purchaser – and ultimately, failing to close the deal.

Bad press, reputation damage, lost customers – and lost value. Today’s media is all over news of a data or privacy breach, and is not sympathetic to either the breaching companies or the people associated with them. Think Marriott/Starwood, Equifax, and Capital One, to name but a few. The prevalence of digital and social media makes it easier than ever to spread negative publicity further than ever before. That can immeasurably harm a business’s reputation, and lead to lost customers – and ultimately lost value of the business.

Expensive fixes. There are upfront costs required to bake privacy compliance into business practices and processes at the building stage, which can be discouraging to often cash-poor startups and growing businesses. But the upfront costs of doing it right the first time are significantly lower than the cost to fix those same practices and processes later on.

Expensive (or impossible) insurance. In the business-to-business sector, customers are increasingly demanding that their service providers have cyber-risk insurance coverage. Unless you can demonstrate your privacy and cybersecurity diligence, this insurance is either extraordinarily expensive – or impossible – to get.

And expensive defences. Those upfront costs are also significantly lower than both the legal costs to defend a privacy or data breach civil lawsuit or regulatory complaint, and the financial liability exposure to which such a claim exposes the business. It’s all about risk mitigation: planning upfront reduces the chances that a breach (and thus a lawsuit or complaint), will occur at all, and if it does, then your business will have a better shot at successfully defending against it.

Serious fines for the business – and its directors. Fines for beaching the Digital Privacy Act can be serious. For example, if a business fails to comply with the Act’s breach response regulations, both the company and its corporate directors personally can be liable for fines of $100,000 per incident. Fines for breaching CASL can also be serious. For example, on March 5, 2015, the Canadian Radio and Television Commission (CRTC) handed out its first corporate penalty for a breach of Canada’s Anti-spam Law (aka CASL): $1.1 million against Compu-Finder.  On April 23, 2019, the CRTC handed out its first personal penalty for a breach of CASL: $100,000 against the President and CEO of nCrowd, Inc. And when the CPPA becomes law, fines for beaching it will be significant: it authorizes the imposition of administrative monetary penalties and fines of up to 5% of global revenue or $25 million, whichever is higher, for the most serious offences.

3. When should a business start thinking about – and acting on – “privacy”?

Start right from day one – or if you didn’t start then, start right now.

4. Where do I start?

Start with “Privacy by Design” (or PbD): the concept that a business can’t rely only regulatory compliance to ensure privacy, but instead must make privacy its “default mode of operation”, “embedded in every standard, protocol and process”. Developed by Dr. Ann Cavoukian, Ph.D. and former Information & Privacy Commissioner of Ontario, Privacy by Design (PbD) (for which she named McInnes Cooper’s David Fraser an “Ambassador”) advocates that businesses can achieve this objective by practicing these “7 Foundational Principles”:

• Be proactive and preventative – not reactive and remedial.
• Make privacy the default setting.
• Embed privacy into the design – of everything.
• Privacy is a positive-sum goal: it’s privacy AND, not privacy OR.
• Employ end-to-end data security.
• Practice privacy visibility and transparency.
• Keep it user-centric and human-centered.

5. How do I implement PbD in my startup or growth-stage business?

Startups and early growth stage businesses are in the best place to implement Privacy by Design because they can build it into their culture right from the ground up. To help your business build a “privacy first” culture, keep these key issues in mind:

Data. Think about it, track it, understand its full cycle, and who has access to it throughout.

Marketing. Balance data analytics goals with user privacy.

Human Resources. Train your employees on privacy issues.

Vendors/infrastructure. Think about your vendors and third party suppliers (for example, cloud service providers), and know and understand their privacy policies.

Developers. Make sure developers you work with understand privacy issues.

Privacy Design Documentation. For each and every element of each and every project, ask yourself these questions and document and understand the answers:

• Collection. What information from or about users do we collect? Is it personal information? How sensitive is the information?
• Use. How do we use each data element?
• Sharing. Do we ever externally expose the information? How and for what purpose.
• Notice & Control. How are we telling our users what’s going on with their personal information and how do we make sure they have control over their information and how we’re using it.
• Storage & Access. Where do we store the information? On a device? In the cloud? Whose cloud? How’s is it secured.
• Deletion & Retention. How long do we keep the information? Why?

---

Please contact your McInnes Cooper lawyer or any member of the Privacy, Data Protection & Cyber Security Law Team @ McInnes Cooper to discuss how we can help your startup get privacy right.

---

McInnes Cooper has prepared this document for information only; it is not intended to be legal advice. You should consult McInnes Cooper about your unique circumstances before acting on this information. McInnes Cooper excludes all liability for anything contained in this document and any use you make of it.

© McInnes Cooper, 2021. All rights reserved. McInnes Cooper owns the copyright in this document. You may reproduce and distribute this document in its entirety as long as you do not alter the form or the content and you give McInnes Cooper credit for it. You must obtain McInnes Cooper’s consent for any other form of reproduction or distribution. Email us at [email protected] to request our consent.