Litigation Management for the In-House Generalist and Business Leader (Part 4)

Understanding the basics of litigation management is essential for in-house counsel, and can give business leaders more perspective on playing the “litigation card.” Recently InsideCounsel Magazine published the fourth in a six-part article series entitled “Litigation Management for the In-House Generalist” co-authored by myself and Michael Geibelson, a partner at Robins Kaplan LLP and a top-notch litigator.  Part 4 in the series discusses retaining outside counsel, and the role in-house counsel needs to play in litigation.  Click here to read the article, and enjoy.

 

Litigation Management for the In-House Generalist and Business Leader (Part 3)

Understanding the basics of litigation management is essential for in-house counsel, and can give business leaders more perspective on playing the “litigation card.” Recently InsideCounsel Magazine published the third in a six-part article series entitled “Litigation Management for the In-House Generalist” co-authored by myself and Michael Geibelson, a partner at Robins Kaplan LLP and a top-notch litigator.  Part 3 in the series looks three more important areas of focus early in the litigation cycle – insurance, indemnification, and litigation holds.  Click here to read the article, and enjoy.

Litigation Management for the In-House Generalist and Business Leader (Part 2)

Understanding the basics of litigation management is essential for in-house counsel, and can give business leaders more perspective on playing the “litigation card.” Recently InsideCounsel Magazine published the second in a six-part article series entitled “Litigation Management for the In-House Generalist” co-authored by myself and Michael Geibelson, a partner at Robins Kaplan LLP and a top-notch litigator.  Part 2 in the series looks at nine actions you can take when you receive a complaint which will pay dividends later in the litigation process.  Click here to read the article, and enjoy.

Put Electronic Signatures to Work for You

Companies and in-house law departments are increasingly adopting new technology-driven processes to create efficiencies in their day-to-day operations.  One such process is the use of electronic signatures, or “e-signatures.”  E-signatures provide many benefits to companies if implemented correctly, but there are some important caveats to keep in mind.  Understanding what they are and how to use (and not use) them is critical.

What is an electronic signature?The federal Electronic Signatures in Global and National Commerce (E-SIGN) Act defines an electronic signature as “an electronic sound, symbol or process which is attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.”  In other words, an electronic signature is an electronic identifier of a person who places it on a document or record and intentionally consents to, accepts, or approves that document or record in a way that the identifier can be attributed to that person. An easy way to remember this is as an electronic identifier that’s affixed, accepted and attributable.  The good news is that E-SIGN’s definition is technology-agnostic, meaning it will apply to new developments in e-signature technology.

Examples of e-signatures include a person’s signature captured on a tablet on a contract followed by pressing a “Purchase” button; pressing a button (e.g., “1”) on your phone on a recorded line to accept a new 2-year cable subscription; checking a box to indicate that you have read and accept a software EULA; or a Google Wallet or Apple Pay transaction automatically done by computers (“electronic agents”) which you initiated and a merchant accepted electronically.

Is it the same as a digital signature? No, although many people use the terms interchangeably.  A digital signature is a more secure form of electronic signature that uses encryption or a biometric identifier to ensure the signature is authentic and can be linked back to the signer.  It can’t be tampered with thanks to the encryption or biometric identifier. (Examples include using a private encryption key to sign a document, or using a thumbprint to embed a digital code in a document.) Digital signatures are commonly found in financial transactions and where being able to detect a forged signature is critical.

Are electronic signatures legal?  Yes.  In 2000, Congress enacted the E-SIGN Act, which states that electronic signatures on contracts and records related to commercial transactions are just as effective as a physical (or “wet” signature). However, if a law or regulation requires a written contract or record, an electronic signature isn’t sufficient if the contract or record can’t be retained and accurately reproduced by all parties. 48 states have enacted their own e-signature law based on the Uniform Electronic Transactions Act (UETA). (MD and VA have enacted a different model law called the Uniform Computer Information Transactions Act (UCITA) that covers computer information.) There are specialized digital signature laws applicable to some industries, such as the federal e-signature regulation specifically related to the FDA. Electronic signatures are generally valid in other countries.

It’s important to note that there are some types of contracts and records that cannot be electronically signed, such as wills, trusts, and marriage certificates/divorce decrees.

Can e-signed documents be notarized?  Yes, but it’s still fairly uncommon. E-SIGN permits electronic notarization.  However, most e-signature providers are still adding functionality to support electronic notarization of an e-signature. You’ll need to find a notary authorized to do e-notarizations (in Minnesota, for example, becoming an e-notary requires an additional authorization on top of your standard notary license). You still have to electronically sign an agreement in the presence of an e-notary (except in Virginia which permits remote notarization, e.g., via video conference), which basically defeats the purpose.  As e-signatures continue to gain traction, e-notarization will likely start to catch up.

If I want to use electronic signatures with my contracts, is there anything I should add to them?  Consider adding a disclaimer such as this to your contract templates: “The Parties agree that electronic signatures are intended to bind each Party with the same force and effect as an original handwritten signature, and a copy containing an electronic signature is considered an original.” UETA requires that the parties have agreed to conduct business electronically. Although it can be inferred from the conduct of the parties, including an affirmative statement can be helpful (and demonstrates to your clients and vendors that you are embracing 21st century contracting methods).

Are there e-signature risks I should watch out for?  The biggest risk is that an e-signature you were relying on turns out to be unenforceable. Just because E-SIGN says that an e-signature has the same legal effect as a physical signature doesn’t mean that it’s automatically enforceable. Parties seeking to avoid liability under a contract may look to attack the validity of the contract in the first place by claiming it was never validly signed.  The identifier on a contract (e.g., “/s/ Scott Signer”) isn’t enough to establish that it’s a valid electronic signature — you have to be able to attribute that identifier to me to provide that I was the one that wrote it.  This gets even more complicated when trying to use e-signatures on a small device, such as a smartphone.

Think of e-signatures as falling into one of two buckets based on whether the contract or record being electronically signed is considered “low priority” (the enforceability is not likely to be challenged, such as on a low-value, one-time transaction), or “high priority” (enforceability of the agreement is very important given the strategic or monetary value of the transaction).  For low priority contracts and records unlikely to be challenged, being able to conclusively attribute an e-signature to a person may be less critical, so an identifier on a contract or record (“/s/ Scott Signer”) without a strong authentication mechanism may be “good enough.”  For high priority contracts and records, being able to conclusively establish affixation, acceptance and attribution is critical, so using a strong e-signature process (such as an e-signature provider) that validates the identity of each signatory, and keeps copies of the signed agreement available to each signatory, can help ensure enforceability.

The reverse is also true — be careful that you don’t unintentionally create an electronic signature (e.g., with an email signature).  You don’t want someone trying to argue that your email saying “yes, that sounds good” to a business offer, where your email had your signature as General Counsel or Chief Operating Officer, constituted a binding agreement.  (I use a disclaimer in my long-form work email signature that emails cannot be used as an electronic signature.)

 

I would strongly encourage all companies interested in using electronic signatures on contracts to consider an electronic signature provider such as EchoSign or DocuSign.  E-signature providers have well-developed systems that make it easy for companies to execute contracts, forms, and other records electronically through a legally defensible process, can support “batch sending” of documents for signature via a mail merge-like process, and can be configured to automatically send fully executed copies to all parties (as well as to your Legal department or contract manager).

Litigation Management for the In-House Generalist and Business Leader (Part 1)

Understanding the basics of litigation management is essential for in-house counsel, and can give business leaders more perspective on playing the “litigation card.”  Yesterday InsideCounsel Magazine published the first in a six-part article series entitled “Litigation Management for the In-House Generalist” co-authored by myself and Michael Geibelson, a partner at Robins Kaplan LLP and a top-notch litigator.  Part 1 in the series introduces the six phases of litigation and provides important information on what to consider when commencing litigation.  Click the link above (or click here) to read the article, and enjoy!

AppChoices – Behavioral Advertising Controls Gone Mobile

Online behavioral advertising (also known as “interest-based” advertising and “targeted” advertising) is the use of information collected about an individual’s online behavior (e.g, web browsing history) to serve online advertisements through ad networks tailored to that individual’s interests. Online behavioral advertising is broken into two categories — first party (online ads served on a website based on an individual’s online behavior on that website) and third party(online ads served on a website based on an individual’s online behavior on other websites). Online behavioral advertising is designed to increase the click-through rate by serving ads of greater interest to consumers.  Studies have shown that a majority of consumers prefer targeted online ads over irrelevant ones.  However, behavioral advertising also raises privacy concerns, as to deliver targeted advertising to an individual you need to collect information about that individual (and the scope of collected information could be broad, potentially including sensitive information).

Back in 2009, the FTC released a report on online behavioral advertising recommending industry-self regulation of third party online behavioral advertising (and implying they would step in if industry self-regulation was ineffective).  In response to the FTC’s report, a group of advertising and marketing trade associations including the Direct Marketing Association, Interactive Advertising Bureau, Better Business Bureau, and Network Advertising Initiative formed the Digital Advertising Alliance.  The DAA developed the “AdChoices” program to provide consumers with the ability to control whether data about them can be used for third party online behavioral advertising purposes.

The primary consumer-facing aspects of the AdChoices program are (1) the DAA Icon, an “i” in a triangle, which companies can use to provide more prominent notice of that company’s interest-based advertising practices; and (2) the Consumer Choice page, a web page introduced in 2010 through which consumers can opt out of the collection and use of web viewing data for online behavioral advertising and other applicable uses.  It’s a good idea for companies to include a link to the Consumer Choice page in their privacy policy.

Since 2010, more and more advertising (including behavioral advertising) is served through ad-supported mobile apps. As a result, last week the Digital Advertising Alliance (“DAA”) introduced two enhancements to the AdChoices program to extend it to mobile apps:

  • The AppChoices mobile application, available for Android and Apple devices, that gives consumers the ability to opt out of the collection of app usage data for online behavioral advertising and other applicable uses.  The AppChoices app can be downloaded from major app stores.  The DAA hosts a page with app store links at http://www.aboutads.info/appchoices.
  • The Consumer Choice page for Mobile Web, an updated and mobile-optimized version of the current Consumer Choice page.

The purpose of the DAA is to demonstrate to the FTC that industry self-regulation of behavioral advertising works.  The industry groups forming the DAA know that if they fail in their mission, the FTC will step in to regulate behavioral advertising.  FTC regulations on behavioral advertising would likely be more onerous than the current self-regulatory principles, and may favor privacy protections over the benefits of targeted advertising to consumers and businesses. This is why businesses should be rooting for the DAA to succeed, and should support their efforts. Look for a major push from the DAA and its member groups to drive increased adoption and usage of both current and new self-regulatory tools in the marketplace.  Companies should consider including updating their privacy policies to include information about the AppChoices download page as well as a link to the Consumer Choice page.

Don’t get Hooked by Phishing or Spear Phishing

Cyber attacks such as the Anthem breach, the Home Depot breach, and the Target breach are becoming almost commonplace.  Major cyber attacks compromising information about millions of people often start not with a bang, but a whisper – a “phishing” or “spear phishing” email through which an attacker tries to acquire login credentials that can be used to launch a sophisticated and crippling attack. Over 90% of cyber attacks take the form of, or start with, a spear phishing attack, and phishing attacks are also very common. These attacks happen both in the office and at home. Phishing and spear phishing attacks can happen at any time, and can target any person or employee.

What is “Phishing?In a “phishing” attack, an attacker uses an email sent to a broad group of recipients (and not targeted to a specific group) to impersonate a company or business in an effort to get you to reveal personal information or login IDs/passwords, or to install malware or exploit a security hole on your computer.  It generally uses an official-looking email and website to gather information, and often contains the logo(s) of the company it is impersonating.

What is “Spear Phishing?In a “spear phishing” attack, an attacker uses an email tailored for a specific group of recipients (e.g., a group of employees at a specific business), often impersonating an individual such as someone from your own company or business, in an effort to get you to reveal personal information, login IDs/passwords, to steal money or data, or to install malware or exploit a security hole on your computer.

How do I spot a phishing or spear phishing email?Look for one or more of these key indicators that an email in your inbox is actually a phishing or spear phishing attack.

  • The email has spelling or grammatical errors. A phishing or spear phishing email often contains spelling or grammatical errors, and does not appear to be written by a business professional.
  • You do not recognize the sender’s email address. If you get an email asking you to click on a link or open an attachment, look carefully at the email address of the sender.  Be especially alert for email addresses that are similar to, but not the same as, your company’s email address (e.g., “joe.johnson@microsoft.co” instead of “joe.johnson@microsoft.com”).
  • The email contains links that don’t go where they say they do. Before you click on a link in an email you don’t recognize, “hover” your mouse cursor over the link. A pop-up will appear showing you where the link will go.  If they don’t match, it’s probably a phishing or spear phishing attempt.  In this example, this innocuous-looking link actually goes to a malicious website:

Bad link sample

  • The email asks you to open an attachment you don’t recognize. Many spear phishing emails ask you to open an attachment or click on a link.  If an email you don’t recognize asks you to open an attachment you weren’t expecting or that doesn’t look familiar, or to click on a link you don’t recognize, don’t click on it or open it, and check with your IT or Security department if you want to know for sure.
  • The email seems to be a security-related email, or asks you to take immediate action. Watch out for emails that state that your account will be suspended; ask you to reset, validate or verify your password, account information or personal information, or otherwise ask you to take immediate action to prevent something from happening.
  • The email relates to a current news event. Many phishing emails use a current news event, such as a natural disaster or security breach, to get you to provide information, click a link or open an attachment.
  • The email contains information from your social media accounts or other public information. Spear phishing attackers will often look at your public social media accounts (e.g., your Facebook feed, LinkedIn profile, tweets, etc.) and other public sources (e.g., Google searches) and use information about you or your friends to make a spear phishing email seem authentic.  If an email contains personal information about you other than your name and email address, take a close look to ensure it’s not a spear phishing attempt.

If you think an email you received is a phishing or spear phishing attempt, (1) do NOT click or open any links or attachments in the email, (2) if you are at work, immediately contact your Security or IT department to report it, especially if you clicked on an attachment or link or otherwise took action before you realized this (failing to report it will be much worse, so don’t be embarrassed); and (3) delete the email immediately.

Demystifying Text Marketing and Double Opt-In

Sending advertisements and promotions through SMS text messages to mobile devices is a compelling digital marketing method for a good reason — the incredibly vast number of mobile devices.  Apple announced last week that it sold a mind-boggling 74.5 million iPhones worldwide in the fourth quarter of 2014.  That’s 33,740 iPhones every hour, 24 hours a day, for 3 months. And an estimated 300 million Android phones were sold worldwide in the same calendar quarter.  Diving into the world of text marketing poses many challenges given the myriad of laws and rules to follow, and stringent compliance requirements such as “double opt-in.”  However, it isn’t really as daunting as it seems at first glance.

The many rules of text marketing.A number of laws, rules and guidelines govern text marketing:

  • Text marketing messages are communications distributed over the cellular phone network, and fall under the laws, rules and regulations governing wireless carriers and mobile phone calls. This includes the Telephone Consumer Protection Act (TCPA). The Federal Communications Commission (FCC) enforces the TCPA.
  • CAN-SPAM, the law and associated rules that govern commercial email messages, also governs commercial emails sent to a mobile phone, e.g., 9525551212@vtext.com. The Federal Trade Commission (FCC) enforces CAN-SPAM, as well as laws and rules governing deceptive and unfair trade practices which apply to all marketing.
  • Mobile carriers can have their own rules around text marketing through their systems.
  • Industry groups have published best practice guidelines for companies engaged in text marketing, such as the Mobile Marketing Association (MMA)’s Consumer Best Practices for Messaging.
  • CTIA, the wireless trade association which operates the “Short Code” system used by many companies for text marketing (the “12345” in “Text ABC to 12345”), publishes the Short Code Monitoring Handbook. The Handbook contains rules governing SMS marketing campaigns that use Short Codes. SMS marketers found to be in violation of CTIA rules may be reported to wireless carriers by CTIA, potentially resulting in temporary or permanent suspension of the ability to run text marketing campaigns through those carriers.

Compared to email marketing or even print marketing, the rules governing US text marketing can seem downright draconian. For example, In US email marketing under CAN-SPAM, you can market to someone who hasn’t opted-in as long as you follow CAN-SPAM’s rules, including offering them the right to unsubscribe from further marketing emails, and consent for CAN-SPAM purposes can be oral or written. In US text marketing, to send a commercial text message to a mobile device you must have the unambiguous written consent of the mobile device owner, and “written” means “documented and saved.”  In email marketing, you can purchase opt-in lists; in text marketing, purchasing opt-in lists is not allowed.

Why is text marketing different?  There are three primary reasons.  First, unlike marketing emails, text messages aren’t free.  Consumers directly pay for text messaging services, regardless of whether it’s a flat monthly fee or a per-message charge. Consumers don’t directly pay to receive email marketing messages (the cost of Internet access is an indirect cost).  Second, text messages are viewed as more personal than other types of digital marketing, as they come right to a consumer’s mobile device and not to a device-independent email account. Third, text marketing messages are sent through already heavily-regulated cellular phone networks, and fall under many of the same stringent requirements that have been adapted or expanded to cover SMS – they’re considered on par with (and just as regulated as) a phone call. Keeping spam off the cellular phone networks has been a long-time focus of the FCC and mobile carriers.

Double Opt-In.One of the more misunderstood concepts in text marketing is the “double opt-in.”  Many believe that written consent from a consumer on a paper or web form is all that’s needed to send commercial text messages to that consumer.  However, remember that in text marketing, you need the unambiguous written consent of a mobile device owner before sending text marketing messages to that mobile device.  Don’t just focus on the consent being unambiguous – the consent must unambiguously be provided by the mobile device owner.

  • If you get written consent via an SMS text from a mobile device itself (a “device opt-in”), you have the written consent of the mobile device owner, and since it came from the mobile device itself it’s pretty clear, for consent purposes that the mobile device owner gave the consent.  (You still have to send a welcome email with certain information, such as message frequency and how to stop future text messages.)
  • However, if you get written consent through another method, such as a paper or web form (a “non-device opt-in”), it’s not clear that the person giving consent is the mobile device owner.   Even a statement on the paper or web form that “I own the device associated with this mobile number” is likely not sufficient – you can’t demonstrate conclusively that it’s true.  You don’t have unambiguous written consent unambiguously provided by the mobile device owner, and that’s where a second opt-in comes in.

The CTIA and MMA rules require that in addition to a non-device opt-in, a marketer must send a single text message to the mobile number provided through the non-device opt-in, asking the mobile device owner to text a response to start receiving marketing text messages for a campaign (e.g., “text ‘Y’).  If the mobile device owner sends the correct reply text (“Y”), he/she is confirming they want to receive marketing text messages (you still have to then send the welcome email noted above).  This confirmation – the “double opt-in” – removes any ambiguity around who provided the original non-device opt-in, turning it into unambiguous written consent unambiguously provided by the mobile device owner. The double opt-in isn’t to confirm the initial consent is valid – it’s to unambiguously confirm that the mobile device owner was the one that gave the consent.  (It’s important to note that double opt-in is a recommended best practice for device opt-ins too.)

The laws, rules and requirements around text marketing can seem daunting, but the potential rewards and ROI from well-executed text marketing campaigns can be quite significant for businesses.  Many service providers provide turnkey text marketing solutions designed for compliance with the various rules and regulations around text marketing.  And partnering with a digital marketing attorney focused on helping you achieve your business objectives while managing legal risk can help ensure you are on the right path as you move through the thicket of text marketing.

Why do in-house lawyers get so “lawyerly” sometimes?

It’s no secret that lawyers have been stereotyped as evil, stuffy, lying, legalese-spouting, risk-averse ambulance chasers. As the joke goes, “what’s the difference between a lawyer and a catfish?  One’s a scum-sucking bottom dweller, the other’s a fish.”  William Shakespeare’s famous line in Henry VI, Part 2 – “the first thing we do, let’s kill all the lawyers,” found everywhere from t-shirts to Eagles song lyrics – is commonly referenced to bash lawyers. (It was actually meant in the play as praise for lawyers as guardians of justice and keepers of law and order.)

You have an in-house attorney whom you view as a valued business partner.  While having lunch together, you ask him about an employee issue on your team and ask him for a short email summarizing his thoughts.  It can be confusing and frustrating when an hour later he sends you an email laden with designations of “ATTORNEY/CLIENT COMMUNICATION – PRIVILEGED AND CONFIDENTIAL” copying the head of Human Resources; pronouncements of potentially dire consequences for the company if you move forward with firing the employee; requests that you obtain approval from someone higher in your reporting structure; confirmations of something you have already discussed with him in person and said you would do; and warnings about forwarding the email on to others.  What’s going on?  Why do in-house lawyers get so lawyerly sometimes?

First, remember who your in-house attorneys represent.  Their client is the company that employs them – not you, or your supervisor, or management, or the CEO, or the Board of Directors.  (If you have wondered why in-house attorneys can’t advise employees on personal matters such as tax issues, family law issues, real estate issues, and wills & trusts, that’s the reason.)  In most cases in-house counsel can provide legal advice to you about company matters as you are an employee (and representative) of its client, but only where the matters fall within the scope of your official duties. This is why attorneys sometimes remove people from an email thread when they need to provide potentially privileged advice. Unlike many other employees, in-house attorneys must have a valid license in order to practice their craft, and are bound by a detailed code of professional ethics, which includes protecting their clients and their interests.

When outside counsel (attorneys at law firms retained by companies) provide advice to a client, that advice is generally presumed to be legal advice. Legal advice from an attorney to a client is generally considered confidential, and protected from disclosure to third parties, by what’s known as the “attorney-client privilege.” A company has a right to private communications with its legal counsel, and can refuse to disclose attorney-client privileged communications.  Unlike outside counsel, in-house attorneys dispense business advice as well as legal advice, or in some cases just business advice.  Because of this, there is no presumption that advice provided by in-house attorneys to their client and its representatives (employees) is legal advice and therefore protected by the attorney-client privilege.  They have to clearly demonstrate that the advice they are providing is protected legal advice and not unprotected business advice if they hope to assert an attorney-client privilege in the communication.

Additionally, part of an in-house attorney’s central role within a company is risk management.  Whether explicit or implicit in a Legal department’s mission statement, part of their job is to facilitate the company’s business objectives while at the same time managing risk to within the company’s stated risk tolerance level.  As I explained in my Risk Management 101 blog entry, any risk management decision comes down to some combination of accepting, mitigating, shifting, or avoiding risk.  To ensure risk is properly managed, in-house attorneys strive to ensure that business decision-makers understand the pros and cons of a business decision before making a risk management decision.  Lawyers often perform a risk management analysis as part of providing legal advice – they identify the potential risks and benefits of a particular course of action (and provide a suggested or recommended course of action if asked or expected to do so), and identify the person or role who needs to make the risk management decision, so that decision-maker can make an informed risk management decision on what to do about the identified risks.

Protecting the attorney/client privilege and managing risk while facilitating business objectives are the two primary reasons why in-house lawyers get “lawyerly” at times – they are doing their job representing and protecting the company and its interests while driving business forward.  When an in-house attorney provides legal advice, he/she “puts on their legal hat” and may seek to preserve attorney-client privilege in the advice to prevent its disclosure in later litigation or other proceedings, which could hurt the client.  This is why legal advice from an in-house attorney is clearly marked as being attorney-client privileged, why attorneys limit the number of recipients on emails or memos containing potentially privileged advice, and why in-house attorneys sometimes state that the email or memo should not be forwarded without their permission. If an in-house attorney formally asks you to do something in an email or memo that you have already discussed with them, this too is to help preserve privilege by ensuring you are acting at the direction of or under the supervision of counsel.

With respect to the legal advice itself, the attorney’s email may seem like “doom and gloom” by pointing out the risks (as well as the benefits) of a course of action, but the role of in-house counsel is not to accentuate the positive and eliminate the negative – our job is to facilitating the company’s business objectives while managing risk.  A good attorney does not say “yes” or “no” to a particular course of action (unless it’s illegal of course), but instead points out all the material pros and cons, provides an opinion if asked, and then lets the appropriate decision-maker call the ball on what to do about the risk.  In-house attorneys strive to ensure that decision-makers are making informed business risk management decisions based on a solid analysis of the pros and cons, not a quick decision based only on the potential benefits of doing (or not doing) something.

The next time your in-house lawyer starts sounding more lawyerly than normal, there’s likely a good reason they’re doing it — so suppress that urge to follow Shakespeare’s suggestion.

Moving on up (North) – Bringing your App, Website or Product to Canada

“We want to start selling our [app/product/service] in Canada,” says your Digital business executive.  “Any legal problems we should know about?”   Selling an app, product or service in Canada can seem like an easy way for a US company to expand the market for, and revenues generated from, something developed for the US market.  However, there are a number of considerations to consider, both from a legal and business perspective.  Some of them include:

  • Localize for the Canadian Market. As an American, I imagine that Canadians can easily tell whether a product is one designed for the US market being offered in Canada, or is one designed for the Canadian market.  Apps, websites, and services should be localized for the Canada market.  Canadian English is different than US English, and localization something that should not be overlooked.  If there is address information collected or displayed through an app or corresponding website, they should support provinces, Canadian postal codes, etc.  Localization is more than just translation; the app, website or service should be reviewed (ideally by one or more Canadian employees) to identify any pages, language, or content that may need adjusting for a Canadian audience.
  • Bilingual Requirements. The official language of Quebec is French, and many other provinces recognize both English and French as official languages. Websites (and apps) in Quebec are required to be bilingual.  Even without that requirement, it’s a good idea for websites and apps to be bilingual in Canada given the significant number of French Canadian speakers in the country.  Consider translating your license/services agreement and policies into French.  If you make your agreements bilingual, consider using a “dual-column” format so the English and French versions appear next to each other.  Ensure any bilingual agreements contain a provision stating that the parties agree that controlling version of the agreement shall be in the English language.
  • Data Privacy.From a legal perspective, Canada has a much more stringent national data privacy law than the US does.  Under Canada’s national data privacy laws, affirmative consent is generally required by consumers for a company to process personal information from Canadian consumers. Many provinces have their own privacy laws for private entities and public bodies. In addition, certain provinces also have provincial data privacy laws that can impact US companies.  For example, British Columbia’s data privacy law governing public bodies prevents any public body in BC from using a cloud-based service that stores data outside of Canada. (This law dates to 2004 and was a backlash against US government access to data under the USA PATRIOT Act of 2001.)  While many BC entities, such as schools, have complained about this law, it’s still on the books in British Columbia.
  • Marketing Communications. In addition, sending commercial electronic messages can be trickier in Canada due to a more complex Canadian law called CASL (Canada’s Anti-Spam Law) that governs commercial electronic messages (not just emails).  We’d want to look at that to see if it had an impact.  For more information, see my earlier post on preparing for CASL compliance.
  • Branding and IP. Companies should look at their branding, trademarks, and other IP used in or in connection with their app, websites, and services.  US trademark registrations don’t help in Canada if someone else is already using an identical or similar brand name in Canada. Dropping your US-branded app into the Canadian market could result in a cease-and-desist letter, or a lawsuit brought in Canadian courts. Patent protection in the US are not enforceable in Canada; you’d need to file Canadian registrations to obtain similar protections.
  • Other Considerations. Other considerations include looking at whether there are any export requirements or restrictions on exporting your product to Canada; whether NAFTA (the North American Free Trade Agreement) comes into play if there are any physical goods being sent to Canada; and ensuring you are complying with any local, provincial, or national tax requirements that may apply.

Before moving on up north, business teams should consider performing a cost/benefit analysis of the potential ROI of entering the Canadian market, evaluating these and other factors, to determine if adapting an app, website and/or service to the Canadian market is a sound business decision.