Legal Considerations for Operating Your Business Online

In response to COVID-19, many businesses are adapting to two new realities: social distancing and the shutdown of non-essential services. To mitigate the impacts stemming from COVID-19, and to continue to service clients, businesses that previously had no online presence are transitioning to online platforms to stay connected to their consumers.

While these businesses are coming up with creative ways to market and sell their goods and services online, the quick shift to e-commerce platforms means they will also have to ensure that they are aware of the legal implications of operating a business online. This guide provides an overview of two important legal documents any business operating online should have in place: Terms of Use and a Privacy Policy, as well as a summary of Canada’s anti-spam legislation, which applies to all businesses communicating with their clients through electronic messages.


Terms of Use

These terms are also referred to as “terms and conditions” or “terms of service”, and are posted on a website to govern the relationship between the business and the website user. While Canadian courts recognize Terms of Use as a legally binding contract, the terms must be implemented in a way that makes them enforceable. To be enforceable, the website user must be given actual notice of the Terms of Use, and there must be some form of acceptance on behalf of the website user which is either active or implied.

As a business owner, you should ensure that the Terms of Use are drafted in a way that minimizes potential liability from website users, as well as to ensure that users abide by certain rules, such as prohibitions against infringement of materials, or illegal conduct. There is no “one-size fits all”, as the Terms of Use are tailored to apply to the nature of the business. In the context of e-commerce, Terms of Use commonly include terms related to:

  • Payment
  • Customer service
  • Order confirmation
  • Shipping/Shipping Delays
  • Returns
  • Sales Tax
  • Intellectual Property Protection
  • Collection of personal information
  • Canadian Anti-Spam Legislation (“CASL”) Compliance


Privacy Policy

Canadian privacy laws require businesses to be transparent about their privacy practices and to obtain consent from individuals before collecting, using, disclosing or storing their personal information. Canada’s federal privacy legislation, The Personal Information Protection and Electronic Documents Act (“PIPEDA”) defines “personal information” as information about an identifiable individual. This information includes information such as: age, name, personal identification numbers, ethnic origin, opinions, evaluations, employee files, credit records, banking history, or any other information that can be used to identify an individual.

Similar to Terms of Use, a Privacy Policy is also posted to a business’ website. To comply with Canadian privacy laws, the Privacy Policy should be carefully drafted to address each of the requirements under federal or provincial privacy laws, as applicable to the business. It should also address the ten general principles of PIPEDA:

  • Accountability
  • Identifying purpose
  • Consent
  • Limiting collection
  • Limiting use, disclosure, and retention
  • Accuracy
  • Security and safeguards
  • Openness
  • Individual access
  • Challenging compliance

Such principles should be cited in a carefully drafted Privacy Policy, which is tailored to the specific type of information collected, and the particular industry of the business.



Last, if any business, including any online business, sends commercial electronic messages to its users, it must also ensure that its communication procedures comply with Canada’s federal anti-spam legislation, CASL. This legislation requires businesses to obtain implicit or explicit consent from users before sending them electronic messages such as emails or text messages. While explicit consent is quite straightforward, implicit consent is only recognized in certain circumstances, and can be highly fact specific. As the penalties for non-compliance with CASL range from $1 million for individuals and $10 million for businesses, any organization sending commercial electronic messages to its customers should develop and implement an anti-spam policy with the assistance of experienced legal counsel.

If your business has transitioned to an online platform, whether or not as a result of COVID-19, now is the time to implement the protective measures summarized above. By first understanding the nature of your business, we will work with you to create a customized Terms of Use and Privacy Policy, and help you implement an anti-spam policy to ensure that your business is protected as you transition to an e-commerce platform.