Class Actions In Canada Part 4: A Cross-Border Perspective On Privacy Class Actions

In this installment of our class action series, we explore trends in Canadian privacy class actions and point out similarities and differences in the approaches taken in the United States and Canada in these types of lawsuits.

Canadian privacy class actions have been on the rise for the last decade, emerging from a wealth of new technologies, novel business practices, new legislation and common law torts, and an ever-growing body of jurisprudence south of the border. In both Canada and the U.S., privacy class actions largely fall into three categories:

claims that challenge a corporation's business practices (e.g., cookies, targeted advertising); claims that arise from accidental breaches (e.g., lost storage devices); and claims relating to intentional, targeted misconduct (e.g., hacking, employee snooping). In all categories, the size of the classes and the quantum of damages claimed tend to be large—actions involving approximately 1 million consumers and seeking $1 billion in damages are not uncommon. Importantly however, most cases settle for a fraction of the compensation sought. Generally, plaintiffs must establish some evidence of actual harm and may not simply seek damages for mere fear of identity theft, although no decisions have yet tested the line between harm and mere fear in a trial on the merits.1 Although moral damages for humiliation or anxiety arising from privacy violations are sometimes awarded, they are nominal—in the range of $2,000-$20,000 per claim.

Business Practices

Canadian privacy class actions challenging business models and practices relating to the handling of personal information are frequently commenced but the jurisprudence in this area is limited: although courts are increasingly willing to find privacy claims that meet the low bar for certification, few proceedings to date have been decided on their merits.2

Online services or products that actively encourage users to provide, use and share personal information—notably social media companies—are particularly exposed to this type of claim. Other recent examples of privacy class actions related to business practices include the unauthorized collection of intimate data related to the use of sexual aid products,3 unauthorized access to client financial information by an insurance company,4 and Google's collection of cellular location data without user consent and even when location services were disabled.5

Litigants have claimed that a company's use or disclosure of personal information has exposed them to harms such as identity theft, harassment, embarrassment and mental distress.6 Legal claims have been brought on the basis of a reasonable expectation that businesses will protect customers' personal information, a company's alleged contravention of its own privacy policy, the alleged collection, use or disclosure of personal information without consent, breaches of provincial privacy statutes, and assertions that a company diverted users' private data to third parties for profit. Global technology companies are often named in tag-along class proceedings in Canada following the commencement, or settlement, of similar actions in the U.S.

Recently, a class action was commenced against We-Vibe (operating as Standard Innovation Corporation). The Statement of Claim alleges that highly intimate and sensitive user data related to the company's sexual aid products was collected, used, and stored without consent.7 In 2017, a settlement was reached in the U.S. related to the same complaint for approximately US$3.75 million.8

Between 2007 and...