We-Vibe Privacy Class Action Lawsuit Settlement – Lessons for Privacy Law Compliance

The recent proposed settlement of the We-Vibe privacy class action lawsuit provides helpful lessons for businesses that collect customers’ personal information.

The Lawsuit

The class action lawsuit was commenced in the United States in September 2016 and was based on claims that the defendant Canadian manufacturer of We-Vibe brand personal vibrator devices secretly collected, recorded and transmitted customers’ highly sensitive information (including date and time of device use, user-selected vibration intensity level and vibration mode or pattern, and device temperature and battery life) about customers’ use of their devices and the corresponding We-Connect mobile app (which could be used by a customer or a “connected” lover to remotely control the customer’s device). The defendant denied all wrongdoing and maintained that its data collection practices were lawful.

On March 9, 2017, the litigating parties filed for approval a proposed settlement agreement that requires the defendant to create two separate settlement funds totaling $5 million Canadian, to purge previously obtained customer email addresses and other data, and to improve its privacy practices (including updating its privacy policy and ensuring that mobile app users are notified of the privacy policy as part of the mobile app user on-boarding process). The required privacy practices are consistent with Canadian privacy laws and guidance issued by Canadian privacy commissioners.

Privacy Law Compliance – Valid Consent

Canadian privacy laws are based on the fundamental principle that, subject to limited exceptions, an individual’s valid consent is required for the collection, use or disclosure of the individual’s personal information except where consent is inappropriate. An individual’s consent is legally valid only if it is reasonable to expect that the individual understands the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.

The key to valid consent is openness and transparency – easily accessible, complete and understandable explanations of an organization’s personal information practices. Organizations commonly explain their personal information practices in a published privacy policy. However, Canadian privacy commissioners have explained that a privacy policy alone might not be sufficient, particularly in an online or mobile environment. Canadian privacy commissioners have encouraged organizations to use other communication tools (e.g. online banners, real time/just-in-time notifications and standardized icons), in addition to a privacy policy, to explain their personal information practices. Canadian privacy commissioners have also recommended that privacy disclosures relating to a mobile app be made before the app is downloaded/installed and again before the app is used for the first time.

Regulatory Guidance

The following are some helpful guidance documents published by Canadian privacy commissioners: Ten Tips for a Better Online Privacy Policy and Improved Privacy Practice Transparency; Seizing Opportunity: Good Privacy Practices for Developing Mobile Apps; Guidelines for Online Consent; Ten Tips for Communicating Privacy Practices to Your App’s Users; and The Internet of Things: An introduction to privacy issues with a focus on the retail and home environments.
