There is a new trend in Canada towards privacy class actions being launched following a cybersecurity breach or an improper disclosure of personal information. Indeed, privacy class actions triggered by data breaches are growing in popularity in Canada, with between twenty and thirty privacy class actions currently pending or already certified. These lawsuits follow either a cybersecurity or another similar data security breach, or the launch of a new privacy-sensitive product or innovative marketing program.
On the data security front, businesses, particularly small to mid-size entities, often lack breach response policies, proper governance tools, and employee privacy training programs to prevent or promptly respond to breaches. They lack cybersecurity preparedness, which makes them vulnerable to privacy class actions following a security breach involving personal information.
On the privacy front, many businesses have recently received bad press because of new advertising programs, online business models and services. Canadian businesses have been capturing and analyzing large amounts of data for years and they are now at the point where they want to use this data. For instance, they are looking to sell analytic tools allowing others to obtain more insights into their (actual or potential) customers or to provide more personalized products, services or advertising, both online (i.e. mobile) and offline, sometimes even using location data.
In the era of Big Data, new business models and marketing techniques are emerging, including facial recognition and personalization reaching new levels of sophistication, as well as dynamic pricing practices, to name but a few. Businesses need to consider whether personal information is properly “de-identified”, what type of information should be considered as “sensitive” in various contexts (security breaches, targeted advertising, online services, etc.), how to obtain valid consent in compliance with the “reasonable expectations” of customers, and how to deal with technological innovation, shifting social norms, and building customer trust through proper privacy practices. With new innovative technologies (Internet of things, health bracelets and wearables, to name just a few), and new business models on the rise, businesses have to ensure that their practices are legally compliant, as well as ethical, fair, and reasonable.