In response to COVID-19, many businesses are adapting to two new realities: social distancing and the shutdown of non-essential services. To mitigate the impacts stemming from COVID-19, and to continue to service clients, businesses that previously had no online presence are transitioning to online platforms to stay connected to their consumers.
Canadian privacy laws require businesses to be transparent about their privacy practices and to obtain consent from individuals before collecting, using, disclosing or storing their personal information. Canada’s federal privacy legislation, The Personal Information Protection and Electronic Documents Act (“PIPEDA”) defines “personal information” as information about an identifiable individual. This information includes information such as: age, name, personal identification numbers, ethnic origin, opinions, evaluations, employee files, credit records, banking history, or any other information that can be used to identify an individual.
Last, if any business, including any online business, sends commercial electronic messages to its users, it must also ensure that its communication procedures comply with Canada’s federal anti-spam legislation, CASL. This legislation requires businesses to obtain implicit or explicit consent from users before sending them electronic messages such as emails or text messages. While explicit consent is quite straightforward, implicit consent is only recognized in certain circumstances, and can be highly fact specific. As the penalties for non-compliance with CASL range from $1 million for individuals and $10 million for businesses, any organization sending commercial electronic messages to its customers should develop and implement an anti-spam policy with the assistance of experienced legal counsel.