On September 23, 2024, the Competition Tribunal ruled in favour of the Competition Bureau and found that Cineplex Inc. (“Cineplex”), the largest cinema chain in Canada, engaged in “drip pricing” by adding an online booking fee ranging from $1.00-$1.50 for tickets purchased online or through the Cineplex app. The fees were collected from June 2022 to December 31, 2023 (when the Competition Bureau initiated its investigation). The Competition Tribunal found that the online booking fee was misleading and contained drip pricing because the existence and the amount of the fee was not initially disclosed when consumers were making their purchases. Instead, it only became visible after the tickets were selected and the purchaser clicked to ‘proceed’ to the next screen.

Cineplex has been ordered to pay a record penalty of $38.5 million, equivalent to the amount it collected from consumers through the aforementioned $1.50 fee. Cineplex says it will appeal the decision to the Federal Court of Appeal.

What is drip pricing?

Drip pricing involves offering what appears to be low prices to attract consumers; but followed by the addition of further mandatory fees so that the original prices are unattainable. The mandatory fees can be for just about anything; including “processing fees”, “booking fees”, “cleaning fees”, “administrative fees”, to name a few. The issue occurs when such fees are not disclosed to the consumer accurately and clearly, including by being excluded from the advertised price and then are incrementally revealed during the purchasing process – i.e. “dripping” into the final price.

This practice is against the Competition Act (the “Act”), unless the additional fixed charges or fees are imposed by the government on purchasers, such as sales tax. Amendments to the Act came into force on June 24, 2022, which explicitly recognize drip pricing as a harmful business practice.

The Takeaway

This ruling marks the first case in which the Competition Tribunal has applied the recently-enacted drip pricing provisions, namely subsection 74.01(1.1) of the Act. It sends a strong message to Canadian businesses that it intends to enforce this new provision and the penalties for contravening it can be sever. To avoid potential drip pricing complaints and penalties, businesses should display their full prices upfront, including all incremental or additional fees.

If you have questions about your current advertising and marketing practices, in relation to drip pricing or any of the other recent additions to the Act, we’re happy to assist.

The post Not Just a Drop in the Bucket: Competition Tribunal Orders Record-Breaking Penalty for Drip Pricing appeared first on Sotos LLP.

You can read our submission here.

In brief, we are proposing a private right of action to courts for abuse of dominance. This has already worked in the US and the EU. It’s being used in the UK, Australia, New Zealand, South Korea, Argentina, and Saudi Arabia. By adding three words to the Competition Act, Minister Champagne can increase innovation, protect small towns, and allow billions of dollars in compensation to be recovered by consumers who have been wronged. We urge Minister Champagne to adopt these changes.

The post Review of the Competition Act appeared first on Sotos LLP.

COVID-19-related scams, in particular, have surged.  The Washington Post reports that, according to IBM’s X-Force research division, coronavirus email scams have increased by 14,000 percent in just the past two weeks.  Such emails often try to get the recipient to divulge sensitive information, such as usernames and passwords.  Phony websites claiming to sell PPE and COVID-19 “cures” have proliferated.   “Zoombombing” – interrupting zoom calls to spread racist, pornographic, or vulgar content – is becoming commonplace.  Fake texts, asking people to click on harmful links, have increased.

Franchise systems may be particularly vulnerable to these kind of cyber-attacks.  By their very nature, franchise systems are decentralized.  Often, many different people have access to a franchise system’s computers and electronic information, including franchisors, franchisees, their respective employees, suppliers, and other third parties.  In the wake of the global pandemic, many more people may now have access to these online systems.  This decentralization and increased access poses certain challenges at the best of times.  During a crisis, it is even more difficult to ensure compliance with cybersecurity best practices.

What can you do to keep your franchise systems safe online?  Education is your first line of defence.  Here are some basic tips that you can circulate to everyone who has access to your online systems:

• Exercise caution in opening attachments/clicking on links – be especially on guard if the link/attachment relates to COVID-19. Be cautious of messages with a sense of urgency to them, or those that include deadlines.  If the link or attachment is available from a reputable and recognized website (for instance, the Government of Canada), you may wish to access the article/link directly from the website, rather than through the attachment or link.
• For emails, double check the sender’s information – if an email address looks suspicious, don’t respond and delete it. In particular, scrutinize emails inviting you to join a videoconference or chat.  Look for spelling errors in names and websites – these can be a red flag that the invitation is not legitimate. When in doubt, contact the sender via another means, such as by phone or text, to confirm the invitation is actually from them.
• Be wary of texts – particularly those relating to coronavirus or COVID-19, or relating to “your” subscriptions/accounts. We’ve seen suspicious texts claiming to be from the government, major banks, and “Netflix”, among others.  Many of these texts are actually phishing scams, trying to get you to click on a harmful link.
• Videoconference best practices – change your videoconference settings so that only the meeting host can share their screen, make calls private, and consider requiring participants to enter a password to join the meeting.
• Family/household members – if you’re sharing a device with anyone, including children, take the time to educate them about good online practices. Device security is only as strong as the weakest link.

Adrienne is a partner with Sotos LLP in Toronto, Canada’s largest franchise law firm.  She provides counsel to many franchised businesses.  Adrienne can be reached directly at 416-572-7321 or aboudreau@sotosllp.com.

The post Cybersecurity and COVID-19 appeared first on Sotos LLP.

Cyber-attacks are becoming more common.  Many security experts will tell you that it’s not really a question of if your system will be targeted – it’s a question of when.

At the same time as cyber risk is increasing, franchise systems are looking to and depending upon innovative technologies to help grow their business.  Because new technologies and system success are so closely connected, franchisors simply can’t afford to ignore cyber threats.

Franchise systems are particularly vulnerable to cyber-attacks.  By their very nature, franchise systems are decentralized.  Often, many different people have access to a franchise system’s computers and electronic information, including franchisors, franchisees, their respective employees, suppliers, and other third parties.  Where there is a high rate of turnover for franchisees’ employees, new people are accessing these electronic systems all the time.  This widespread access poses certain challenges, in that it may be more difficult to implement cyber security policies and ensure compliance.

Post-attack

In the case of a successful cyber-attack on a single franchise unit, the resulting damage may have a disproportionate effect on a franchise system’s brand and goodwill.  Customers and others will view the incident as a problem with every unit in the franchise system, rather than a problem with a single unit.  The resulting hit to a franchise system’s reputation can be particularly severe, especially in cases where a cyber-attack results in a data breach, and customers’ personal information is made public.

Of course, such attacks can have a negative impact on sales throughout the system, and impact the financial viability of individual franchisees.  However, there can be other effects as well.  Post-attack, it may be more difficult for a franchisor to grow its system and attract new franchisees.

Where a franchise system stores information online, such as secret recipes, proprietary methods, and business plans, this information becomes vulnerable to cyber-attacks.  Breaches could lead to brand secrets being made available to the public and to competitors.

Cyber-attacks may also lead to expensive lawsuits.

In short, cyber-attacks can damage a franchise system’s brand, and the financial health and future of the franchise system.

In light of all the potential consequences of a cyber-attack, it may be very tempting for a franchisor to step in and try to manage all the risk by itself. However, cyber defence is a team effort.  In particular, the franchisor-franchisee relationship prevents franchisors from stepping in to directly manage its franchisees’ businesses.  Franchisors therefore need to make sure they are working with their franchisees within the context of the franchisor-franchisee relationship, to equip the franchisees  with the right advice, resources, and assistance to mitigate cyber threats.

Know your cyber situation 

Where to start?  Before you can get to where you want to go, you have to know where you are.  A cyber security audit is the first step in your cyber defence action plan.   Consider:

• What technology protections are currently in place? Do you have effective risk mitigation software in place?  Is your software up to date?  Is it being updated periodically?  Is information encrypted properly, where needed?  A qualified cyber security professional can be extremely helpful in making sure your software, systems, and hardware are providing the necessary level of protection.
• What contractual protections are currently in place? With your legal counsel, review and update the franchise disclosure document, franchise agreement, and manuals to ensure that cyber risks have been properly addressed. Most franchise agreements are long-term contracts.  If these contracts were entered into many years ago, they likely do not expressly address cyber risk issues.  Your counsel can help you to determine whether existing provisions in the franchise agreement can address the new risks posed by technology.  For instance, a provision requiring a franchisee to maintain appropriate insurance may be broad enough to include cyber insurance coverage (discussed more below).  Provisions requiring franchisees to obtain ongoing training may be broad enough to include cyber security training.   In addition to your franchise agreements, a franchisor will also want to consider contracts entered into with suppliers and others.  Do these contracts contain appropriate provisions that shift the risk of cyber-attacks to the right entity?  For instance, if a supplier experiences a data breach that leaks your employees’ or customers’ information, does that supplier have any responsibility to pay for the harm that its breach has caused?  A well-drafted contract can help to make sure someone else’s cyber-attack doesn’t become your cyber problem.
• What insurance protections are currently in place? There are now cyber insurance products available that provide protections against the types of harm that can result from a successful cyber-attack.   It’s important when obtaining cyber insurance that you work with a knowledgeable broker who understands your business so that you can make sure your policy: a) protects the right people and companies; b) against the most likely risks; c) in the proper amounts.   Things that you may want included in your cyber insurance policy include the payment of ransoms (for ransomware attacks), legal services needed following an attack, the cost of public relations professionals to help the franchise system post-attack, and forensics (to determine how the attack occurred, and/or to repair computer systems). In the unfortunate event that you find yourself a victim of a cyber-attack, adequate cyber insurance can ensure that there are sufficient resources to handle the crisis in a way that minimizes brand damage.
• What data collection, data-sharing, data security and social media policy protections are currently in place? Has everyone with access to your computer systems been trained to recognize and avoid common cyber threats?  Do they know how to properly report any cyber-attacks or data breaches that may occur?  Remember, policies aren’t going to help if no one knows they exist and no one has been trained on their application.  Consider making cyber security training a requirement for everyone that has access to your computer systems, and a standard part of the onboarding process.  When individuals leave the franchise system, make sure their access to your computer systems is revoked.
• What information is being collected, from whom, and who is inputting the data? This is important for understanding the system’s potential risk exposure, and what potential breaches could occur. It is important to determine what legal obligations you have in relation to collected information.  These obligations vary by region, but generally speaking, an organization that collects personal information will have legal obligations relating to its protection, storage, and use.  Know the laws that apply to you.
• Why is data being collected? Consider limiting data collection to only the information that is truly essential to collect. This will decrease the volume of information that needs to be managed and protected.  Make sure it is clear in all your agreements and policies who owns the data collected from customers and others.
• Who has access to the information? Consider those who are able to access the information, including any third party vendors that may have access. It’s best to limit access to only those who need it.
• Have a crisis plan that addresses cyber-attacks. Even if you’ve taken every precaution, it’s still possible for risk to become reality.  A well thought out crisis plan is essential in the event of a cyber-attack. A crisis plan should identify the most likely risks to your system and develop specific action plans in response to each one.  Responsibilities for managing the crisis response should be clearly defined and assigned to the person best positioned to respond to the risk.  Pre-drafting communications and other public statements in anticipation of likely attacks is a key step in making sure you are ready to deal with a cyber-attack.   For example, customers  affected by a data breach will not be willing to wait days for you to make a public statement.  In the digital age, people want near immediate communication, especially during a crisis.

The nature of cyber risk is constantly evolving, and having a strong “cyber defence” is critical.  The right protections, and crisis-planning, can be the difference between a system that weathers a cyber storm and one that doesn’t.

Adrienne is a partner with Sotos LLP in Toronto, Canada’s largest franchise law firm.  She provides counsel to many franchised businesses.  If you would like to discuss how your business can better guard against cyber risk, Adrienne can be reached directly at 416-572-7321 or aboudreau@sotosllp.com

This article was originally published in the Franchise Voice Fall 2019 Edition.

The post Cyber Risk appeared first on Sotos LLP.

• reducing barriers for direct-sales businesses that provide products and services when the consumer has initiated contact;
• leveling the playing field by increasing consumer protections to deter non-compliant businesses in this sector; and
• strengthening enforcement powers required to target businesses that cause harm to consumers.

In March 2018, the Ministry introduced a variety of new rules (the “2018 Rules”) to regulate unsolicited door-to-door sales for numerous types of products and services, including air conditioners, air cleaners, air purifiers, duct-cleaning services, furnaces, water heaters and treatment devices, water filters, and HVAC services (collectively, the “Restricted Products” and/or “Restricted Services”). These rules included restrictions on when a salesperson attending at a potential consumer’s home could offer or sell these Restricted Products and Services to the consumer, depending on the manner in which contact between the salesperson and the potential consumer was initiated.

With the 2018 Rules having now been in effect for just over a year, and drawing on the experiences of business and consumers alike, the Consultation Paper is aimed at fine-tuning the 2018 Rules to maximize consumer protection while ensuring business can continue to efficiently conduct their affairs. In particular, the Consultation Paper highlights the concern that, despite the introduction of the 2018 Rules, many businesses continue to employ high-pressure sales practices, misrepresentation, and non-compliant contracts to sell Restricted Products and Services door-to-door. Inversely, it notes that many businesses that comply with the 2018 Rules face substantial barriers to legitimately carrying out their business.

The key changes proposed by the Consultation Paper to address these concerns include:

Simplifying Consumer-Initiated Transactions for Restricted Products or Services

Currently, for a business to sell or contract for one of the Restricted Products or Services at a consumer’s home, the consumer must have initiated contact with the business and invited the representative to attend at their home for that specific purpose (unless a written contract is already in place between the parties).

Businesses have indicated that these restrictions are overbroad, especially in situations where a potential consumer requests a business’ representative attend at their home for a purpose other than entering into a new contract. The Consultation Paper provides an example of a business representative called to repair a Restricted Product such as a furnace, discovering that the furnace in question is in need of replacement, but being unable to offer for sale a new furnace to the consumer as a result of the representative not being contacted specifically for the purpose of selling a new furnace.

To address this issue, the Consultation Paper proposes amending the Act to allow businesses to solicit consumers or enter into new contracts for any Restricted Product or Service at the consumer’s home so long as: (i) the consumer has contacted the business and invited a business representative to attend at their home, and (ii) one of the following conditions has been met:

• the consumer has invited the business representative to their home to enter into a contract for a Restricted Product or Service;
• the representative is attending at the consumer’s home as part of an ongoing consumer agreement related to a Restricted Product or Service;
• the consumer has invited the representative to their home to enter into a consumer agreement for the servicing of a Restricted Product; or
• a person authorized to do so by statute has prohibited or restricted the use of a Restricted Product by tagging, sealing or other means.

It is worth noting that any contract formed in contravention of the proposed rules would be void, and the consumer will be permitted to retain the products and services without obligation.

Easing Restrictions on Businesses Entering into Business-Initiated Commercial Relationships

Current direct-sales rules prohibit businesses from cold-calling a potential costumer to sell or offer a contract for a Restricted Product or Service unless a pre-existing written contract for a Restricted Product or Service is already in place between the business and the consumer.

Industry members have indicated that these rules are overly restrictive, as a business is prevented from entering into an agreement for a Restricted Product or Service with a consumer as a result of not having a pre-existing contractual agreement to provide a Restricted Product or Service with that consumer, even though the business may otherwise have a pre-existing business relationship of other sorts with that consumer.

The Consultation Paper proposes that businesses with a pre-existing business relationship with a consumer, even if there is no written agreement in place between the parties for a Restricted Product or Service, be able to contact and offer to consumers Restricted Products and Services without advance consent from the consumer. Such pre-existing business relationships could be grounded in the presence of a previous written contract that is no longer in effect, previous work orders or purchaser orders between the parties, or other records indicating proof of payment.

Expanding Rescission Rights when a Business has Engaged in an Unfair Practices, and Amending Notice Requirements upon Assignment of the Contract

Currently, if a business has represented its products or services in a false, misleading, or deceptive fashion, the deceived consumer must provide the business with a notice indicating that it intends to rescind the agreement within one year of the effective date of the contract.

The Consultation Paper proposes that consumers who have been misled or deceived instead be provided up to one year from the date they discover the unfair practice to rescind the contract, rather than having one year from the effective date of the contract to rescind, as is the case right now. This change would ensure that deceived consumers will be permitted to rescind contacts that have been misrepresented to them, regardless of whether the unfair practice was apparent within one year following the date of the contract or not.

Moreover, the Consultation Paper proposes to amend the Act to require the service provider to provide the consumer with notice should the service provider intend to assign its contract to another entity.

Strengthening Enforcement Mechanisms

The Consultation Paper also proposes a variety of amendments to the Act aimed at ensuring that sufficient enforcement mechanisms exist to discourage and punish improper business practices. The key changes proposed include:

• expanding the mandate and authority of those charged with enforcing the Act to ensure they have the powers necessary to compel businesses to comply with the Act;
• requiring businesses to ensure that, upon cancellation by a consumer of a service contract that is subject to the Act, all ancillary and related agreements consumers were formerly subject to (such as financing arrangements or registered security interests relating to the primary contract) are also fully terminated; and
• amending the Act to allow for Administrative Monetary Penalties (AMPs) to be imposed on parties that contravene the provisions of the Act.

It is important that businesses engaged in direct sales and marketing campaigns understand the regulatory environment affecting their sales processes. Sotos LLP provides counsel to many businesses engaged in direct sales to consumers through all forms of direct and indirect marketing and channels of distribution.

The post Ontario Proposes Changes to Direct Selling Rules under the Consumer Protection Act appeared first on Sotos LLP.

All businesses are subject to The Personal Information Protection and Electronic Documents Act (PIPEDA) and this Act now requires them to:

1. report any breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals to the Privacy Commissioner of Canada,
2. notify those individuals affected by the breaches, and
3. keep records of all breaches.

You are only required to report a breach if it is reasonable to believe that the breach creates a risk of significant harm to an individual.  What is considered “significant harm” covers a wide range of things, from bodily harm to negatively affecting someone’s credit record.

The obligation to report the breach is that of the organization in control of the personal information.  What is considered “control” is not defined in the Act, however, the Office of the Privacy Commissioner of Canada (OPC) notes that PIPEDA’s accountability principle provides that an organization remains responsible for any personal information that it has transferred to a third party for processing.  Therefore, even if a breach happens when the information is in the hands of a third party, the principal organization will still be responsible for reporting it.

PIPEDA requires that you keep and maintain a record of every breach of security safeguards involving personal information, whether or not it goes reported. These records should include:

• The date (or estimated date) of the breach
• A general description of the breach
• The nature of the information involved in the breach
• Whether or not the breach was reported.

Along with submitting a breach report to the OPC, organizations are also responsible for notifying any individual to whom the security breach poses a real risk of significant harm. This notification must be made as soon as possible, and must clearly explain the significance of the breach and provide enough information for the individual to be able to take steps to mitigate possible harm. Furthermore, the organization must also notify any government institutions that it believes could reduce the risk of harm resulting from the breach.  For example, you should notify law enforcement if you believe ‘bad actors’ have accessed your customers’ information.

Lastly, it is important that organizations develop a framework for assessing the real risk of significant harm.   The OPC suggests a two-pronged assessment that considers (1) the sensitivity of the information involved in the breach, and (2) the probability that the information has been or will be misused.

At Sotos LLP, we advise businesses on all aspects of privacy law and best processes for statutory compliance.

The post What you need to know about mandatory reporting of breaches of security safeguards appeared first on Sotos LLP.