Earlier this year, the Firm hosted our 12th Annual National Retail and Consumer Markets Summit – our annual client-focused event that canvasses a selection of the most timely and relevant developments facing the industry, which was held virtually this year. Themes that emerged from the Summit included personalization for customers, authenticity in showing customers a company’s values and focusing on effective integration of technology into businesses.
The following is Part 3 which explores navigating commercial technology contracts and highlights 2022 legal updates in the RCM sector.
Commercial technology contracts: trends, tips and opportunities
Across the RCM industry, trends point towards deeper relationships with customers through built-in personalization, immersive experiences, and increased engagement. Technology underpins most of these trends, from data and analytics to new cloud-based platforms. Organizations that wish to leverage such technologies to enhance customer experiences (including through the use of AI) should be aware that their use could be subject to applicable privacy laws, which requires the organization to seek and obtain meaningful consent from customers in order to use these technologies. Typically, this means that organizations must include several contractual terms in their customer-facing agreements and disclosures in their privacy notices to ensure that they have the necessary permissions and rights to use customer data with these technologies.
In many ways, technology and the power of data are necessary tools to maintain a competitive position in the RCM sector. In this session, McCarthy Tétrault’s Conrad Lee and Jade Buchanan discussed trends, tips and opportunities related to commercial technology contracts. The summary below: (i) provides an overview of certain legal trends in the use of technology in the RCM landscape; and (ii) sets out some key considerations for commercial agreements and privacy notices in relation to the use of this technology.
Technology Trends: Cloud, Machine Learning, AI and Big Data
Today, cloud-based platform services dominate the IT space, where customers can access services directly through their web browser. On the enterprise and retail level, platforms provide, among other digital tools and services, online digital e-storefronts (e.g., Shopify), real-time inventory tracking (e.g., SAP), mailing list integration (e.g., MailChimp) and powerful customer relations and marketing analytics (e.g., Salesforce). Together, these cloud-based platforms can be collaboratively used to continuously improve the customer experience.
Recently, certain online platforms have been leveraging machine learning algorithms, which can be used to adapt AI models based on a customers’ online activity in real time. The customer may barely notice the changes, but these machine learning algorithms can customize dashboards (including the look and feel of the dashboard based on a customer’s interests), push forward specific recommendations (such as identifying specific categories of products to market to the customer), and improve the customer experience over time based on specific customer inputs and interactions with various platforms and online retailers.
As customer inputs and interactions with a platform could provide personal insights on a customer’s behaviours, the use of this information could be subject to applicable privacy laws, and the organization must obtain a customer’s consent in order to use their data. The following section provides tips on how organizations can include certain terms in their customer-facing contracts and privacy notices to ensure that they obtain the necessary consents to leverage the use of online platforms.
Tips on drafting an agreement for data rights between an organization and their customers
Retailers and brands should clearly set out data rights in their customer-facing agreements, and ensure that they have sought and obtained sufficient consents from individuals. For example: (i) clauses in customer-facing agreements should clearly delineate whether the retailer/brand or the customer owns data processed on the retailer or brand’s platform, and clearly define the scope of the licenses granted in respect of such data; and (ii) an effective individual privacy consent clause must clearly identify what personal information may be collected and stored, how the retailer or brand plans to use of personal information, and whether the personal information will be disclosed to any third parties.
Recent developments and trends in privacy law compliance
As privacy legislation develops around the world, a cost-effective way to accommodate region-specific law is to draft region-specific carve out clauses. Federally, Bill C-11 was intended to revamp PIPEDA but has yet to be revived. Quebec’s Bill 64 is a recently enacted provincial privacy legislation that has different requirements than PIPEDA. As the laws change, it is possible that terms may need to be adjusted based on the region in which the personal information is being collected.
Prepare for changes to the Competition Act
Debbie Salzberger discussed the Government of Canada’s intention to review the Competition Act in the digital era. With reference to ESG and environmental advertising, the Competition Bureau has not shied away from enforcing misleading claims; this year, Keurig was fined $3 million and shall give an additional $800,000 to charity because it published misleading claims regarding the recyclability of K-Cup pods. In a similar vein, the Bureau’s proposal to broaden the enforcement scope of competitor collaborations is creating some concern about coordinated action (e.g., emission credit swaps, ESG standard setting and boycotts of environmentally damaging products or processes). In this evolving landscape, best practices include: (i) be precise about environmental claims, (ii) present only substantiated, tested claims, (iii) avoid exaggeration related to environmental benefits of the product/service, (iv) avoid implied or unclear environmental endorsements and (v) exercise care in competitor collaborations.
The rise of digital payments and regulation
Ana Badour discussed the current payments landscape. According to a recent study by Payments Canada, the COVID-19 pandemic has accelerated the use of digital payments. Between 2015 and 2020, cash payments were down 44% while credit card and prepaid card payments were up 32% and 34% respectively.
Retail markets are also seeing an increased use of point-of sale instalment loans, also known as “buy now pay later” (“BNPL”) loans. These types of loans, which were in the past typically reserved for high ticket items including furniture or appliances, are increasingly being offered for smaller purchases including clothes and groceries. Often, BNPL payments are offered at zero percent financing, enable customers to pay over a period of time, and serve as an alternative to the use of credit cards.
Government bodies have begun focusing on various regulatory aspects of BNPL loans, including proposing to launch consultations at the federal level on the criminal rate of interest provisions of the Criminal Code (currently set at 60%). With respect to BNPL loans, the Government of Ontario conducted a recent consultation on “High-Cost Credit in Ontario: Strengthening Protections for Ontario Consumers”, summarizing the potential benefits and risks associated with instalment payment plans.
The payments regulatory landscape is also continuing to evolve more generally. The federal government is working with key stakeholders to lower the average overall cost of interchange fees for merchants. The Retail Payments Activities Act was enacted in 2021, and will require payment service providers to be regulated by the Bank of Canada once the applicable regulations are issued and the Act comes in effect. In addition, Payments Canada is continuing its modernization initiative including the development of a new real-time payments rail.
Working for Workers Act: Changes in Ontario employment legislation
Justine Lindner presented the impacts of the new Working for Workers Act in Ontario. Over the past year, the Act generated media attention for its ban on non-compete agreements and requirement for employers to create a written policy on disconnecting from work.
As of October 25, 2021, the legislation prohibits employers from entering into non-compete agreements with employees (save for a few exceptions). That being said, in practice, restrictive covenants such as non-compete agreements can be difficult to enforce at common law, although courts are more likely to enforce non-solicitation and non-disclosure agreements. The latter clauses are not prohibited by the Act, and many employers are revisiting these terms to consider improving upon them in light of the now prohibition on non-competition agreements.
With respect to “disconnecting from work” policies, employers with 25 or more employees must put in place a policy on “disconnecting from work” by June 2022. In practice, however, the Act does not require disconnection from work, only that an employer create a policy on disconnecting from work. As of now, employees will only have a “right to disconnect” to the extent that the employer creates such a right in its policy.
Prepare for privacy upheaval in Quebec via Bill C-64
Karine Joizil presented on Bill C-64, Quebec’s new privacy legislation. The enactment of Bill 64 (the Act to Modernize Legislative Provisions respecting the Protection of Personal Information) overhauls Québec’s privacy regime and has consequences for companies doing business in that province, or that handle the personal information of Québec residents. Aimed at promoting transparency and enhancing data privacy, the significant changes to the former Private Sector Act include more stringent obligations for businesses, greater accountability and tougher penalties for non-compliance. Here are some highlights:
- Consent is fundamental, and is relevant for the purposes of collection, the means of collection, rights of access and rectification, and companies will have to include a right to withdraw the consent given. This obligation will come into force on September 22, 2023.
- The requested consent must be manifest, free, informed and given for specific purposes. Consent requested in writing must be presented separately from the contract and assistance must be provided to help the customer with obtaining consent. Collecting data for anti-fraud provisions or for security purposes is exempt from the consent requirement.
- Individuals must be informed when they are the subject of a decision based solely on automated processing of their personal information. The decision must identify the reasons and key factors for the AI decision, and the right to have the personal information used to make the decision rectified. This obligation will come into force on September 22, 2023.
- Companies must designate a privacy officer to ensure compliance and implementation of the new legislation. This obligation will come into force on September 22, 2022.
- There is an obligation to promptly report confidentiality incidents that present a risk of serious injury to the Commission and notify any individual whose personal information is leaked. This obligation will come into force on September 22, 2022.
Concrete steps a company may take to respond to the new legislation include: (i) making inventories of personal information collected and frequent locations of transfer, (ii) updating privacy policies, (iii) preparing template Privacy Impact Assessments, (iv) preparing model clauses to provide adequate protections and (v) preparing a breach registry and updating existing breach reporting documentation.