IoT Security – Should consumers bear any responsibility?

A recent article in CSO (Australia edition) advised data security executives that “Users’ poor home IoT security could become your next headache”.

This raises an interesting question. Where should we draw the line between a consumer’s responsibility to become technologically literate, including protecting the security of their home network and devices, and the developer’s and manufacturer’s responsibility for the security of those devices throughout their life-cycle? The question will eventually have to be answered — and probably in court. Manufacturers facing a class action for security defects in an IoT device will undoubtedly raise a defence of contributory negligence.

In this post, I’ll focus on some observations about what we know about consumer behaviour in addressing defects in products they use. On Thursday, I’ll offer some thoughts on Canadian consumer protection laws and how that might affect suppliers and manufacturers attempting to limit liability for IoT security defects.

The evidence suggests that consumers are aware that there are security risks with their IoT devices. Cisco reported in December 2017 that consumers have a low level of trust in the security of their data flowing through IoT devices. What is less clear is whether consumers believe that they have a significant role to play in ensuring that those devices are secure.

The “plug-and-play” consumer culture does not help instill a sense of responsibility in consumers for managing and maintaining electronic devices. Consumers tend to re-use passwords, leave default passwords on routers, fail to update firmware on devices ranging from routers to smart TVs, and fail to deploy updates. Consumers may gamble that their poor password, virus protection, and software update practices won’t lead to or contribute to the loss of the data. However, the issue in IoT is not only an issue of privacy. It is an issue of the availability and integrity of the data, which could lead to consequences that affect the safe operation of those devices.

Consumers are also poor at quantifying risks and responding to those risks. How bad could it get? Consider automobiles. According to Carfax, one in five vehicles in the United States had open recalls – that is, unfixed issues that in many cases could result in serious safety risks. Researchers continue to try to figure out ways to nudge consumers to respond appropriately to the risks.

Research by the U.S. National Highway Traffic Safety Administration (NHTSA) presented to Congress in 2017 suggests that there are potentially a number of issues at play that affect how consumers respond to risks.

For example, rates of completion for open recalls decreased with the age of the vehicle. Consumers may simply not invest much in the maintenance of older vehicles, and this may affect the amount of information they receive about open recalls and whether they take the time to have them fixed. Vehicle owners may be more likely to visit a dealership during a new vehicle warranty period. It is more likely they will learn about the open recalls and will be nudged into having them fixed (or appear irresponsible). Older vehicles may not be serviced unless there is a serious problem.

The NHTSA research also showed that the type of component involved affected recall completion rates. It may be that consumers need a better framework for understanding the risk in some cases. Is it possible that a consumer may apply a lower discount to the chances of harm coming from a defective fuel system that could cause a spontaneous fire because they have a limited role in the likelihood of the event? By contrast, might a consumer apply a greater discount to the risk of a defective air bag or seat, if the harm would only apply in the case of a motor vehicle accident? The risk of a motor vehicle accident may already seem rare to the consumer. The consumer may also overestimate their abilities as a defensive driver to prevent the accident.

Whatever the psychological reasons, the statistics do not bode well for consumers taking responsibility for IoT devices, particularly when we consider the myriad types of IoT devices such as wall plugs, lightbulbs and other devices that individually or cumulatively could cause significant security or safety issues. It may be that these devices could be configured to receive remote updates; however, there will still be numerous use-cases where the update itself (if not managed by the consumer) could result in a security or safety issue, particularly if the device must shut down. So some consumer prompt will be required.

So, while a manufacturer may have a legitimate defence of contributory negligence if consumers do not take reasonable care in the operation of their IoT devices and the security of their network, the actual standard of care of consumers should not give public policy wonks any comfort. We will need a solution other than the hard edge of tort law.

Read more!

You can find the NHTSA report here.

Genetic discrimination laws: Where is Canada?

On Tuesday, I wrote about the use of evidence of genetic predisposition in Canadian disability law. In this post, I examine where Canada stands on genetic discrimination.

Federal and provincial governments in Canada have slowly expanded the list of characteristics that cannot be used to differentiate between individuals in a way that causes harm to the individual with that characteristic. However, only the federal government has expressly included “genetic characteristics” as a prohibited ground in human rights legislation. In 2017, Parliament passed the Genetic Non-Discrimination Act. The Act prohibits a person from requiring an individual to have a genetic test or to disclose the results of a genetic test as a condition of (a) providing goods or services to that individual, (b) entering into or continuing a contract or agreement with that individual, or (c) offering or continuing specific terms or conditions in a contract or agreement with that individual.

The real kicker for the insurance industry was (c). Essentially, that provision prohibits insurers from reflecting genetic predisposition risks – even those that are known to the individual because the individual has had genetic testing – in the premiums or terms (exclusions) offered to the individual.

After the bill was passed, Quebec took umbrage. It quickly moved to challenge these provisions of the Genetic Non-Discrimination Act as unconstitutional because they intruded on its jurisdiction to regulate the practices of provincially-regulated insurers and other affected businesses. The case is still pending before the courts. I personally wouldn’t place a bet on its outcome. The federal government has not fared well when trying to legislate in the area of private contracts. It seems the government has resorted to trying to criminalize asking for genetic testing to bolster its assertion of jurisdiction.

So where does that leave ordinary Canadians? The Genetic Non-Discrimination Act also amended the Canadian Human Rights Act to prevent discrimination based on genetic characteristics. The provision in the Canadian Human Rights Act protects individuals who voluntarily submit to genetic tests or disclose their genetic characteristics or submit to tests or make disclosure under duress. Discrimination because of a refusal to submit to or provide the results of a genetic test is deemed to be discrimination based on genetic characteristics.

The Canadian Human Rights Act provides protection when individuals deal with federal government bodies and federally regulated companies, such as banks and airlines. However, the vast majority of Canadian businesses are not federally-regulated. Moreover, provincial governments are not subject to this legislation.

Ontario Liberal MPP Natalie Des Rosiers introduced a private members’ bill (Bill 164) to amend the Ontario Human Rights Act to prohibit discrimination based on genetic characteristics (as well as immigration status, police records and social condition). However, the Liberal government suffered a humiliating defeat and it seems unlikely that the new Conservative government under Rob Ford will take up the cause of genetic discrimination. In Manitoba, an NDP private members’ bill (Bill 225) was brought before the legislature in May. Its fate is uncertain. So, the issue of genetic discrimination seems, at least for the time being, to be one that is largely within the concern of private members rather than governments in Canada.

Does this matter? It is unclear. The evidence supporting a need for a broad law to protect individuals from discrimination on the basis of genetic characteristics is sparse. If the federal legislation stands, then the issue will be largely settled, except, perhaps, in the case of voluntary non-coerced disclosure. Those instances could possibly still fall into a grey zone unless provinces enacted amendments to human rights legislation similar to those in the Canadian Human Rights Act.

Genetic predisposition and the law

This spring, concerns that Canadians may be inadequately protected against genetic discrimination bubbled up again. The Canadian Broadcasting Corporation reported on a commentary in the Canadian Medical Association Journal warning of risks if Canada’s Genetic Non-Discrimination Act was overturned. The CBC story ran with the headline of “Door will open to genetic discrimination if act protecting Canadians is overturned, genomics expert says.” The story referred to a legal challenge to the constitutionality of the Act that is before the Quebec courts. On Thursday, I will post more about the Genetic Non-Discrimination Act.

News reports and opinion pieces on genetics and the law tend to focus on the potential for insurers and employers to use genetic information to make decisions about individuals in a manner that advocates consider to be unfair. What is interesting is that scant attention is paid to how genetic information is already being used in the adjudication of legal rights. Genetic information is frequently used in the adjudication of worker’s compensation claims. What we see in those cases is a complex relationship between genetic information and legal fact-finding.

It seems that genetic predisposition can be used either as a sword or a shield. Genetic predisposition can be used to try to tip the balance of probabilities that some external act (e.g. exposure to raw milk at work) combined with a genetic predisposition (say to Crohn’s disease) to result in a workplace injury (the manifestation of Crohn’s disease) in order to argue for workplace disability benefits.

By contrast, genetic predisposition can sometimes be used as a shield to show that the plaintiff’s injury was from a separate cause. The defendant doesn’t need to compensate the plaintiff for the negative effects of a pre-existing condition (e.g. genetic predisposition of hip problems) that casts doubt on whether there is a connection between the harm (hip injury) and the individual’s employment because the individual would have likely experienced that injury irrespective of the individual’s employment.

A great summary of cases can be found in a 2013 article published in the McGill Journal of Law and Health titled “Understanding the Use of ‘Genetic Predisposition’ in Canadian decisions.” In that article, the authors suggest that evidence of genetic predisposition was used to “fill in the connection” where the causal factor leading to the injury is not clear. What the authors found in the case of workplace disability claims is that genetic information is often used to tip the scales one way or the other where other evidence casts doubt as to the link between the workplace exposure or event and the worker’s condition. Genetic predisposition either assists in justifying refusal of the claim based on the possibility that the condition had an alternative cause (genetics used as a shield) or to support the plausibility of the connection (genetics used as a sword). The authors state:

“This occurs because scientific uncertainty in light of the multiple risk factors and mechanisms of disease, combined with the general principle that the burden of proof rests with one of the parties on a balance of probabilities, render it sufficient (and economical) to resolve the issue of disease causation without thoroughly examining the genesis of the condition in question. The resolution of claims in this way leaves open the possibility that genetics will stand in for “hidden causes” of disease.”

I did a quick test to see if there has been any change in the last year in how genetic predisposition has been used, following the methodology in the 2013 study. The 2013 study’s findings seem to continue to be relevant.

It should be noted, however, that the authors were concerned with the “geneticization of health and disability”, which leads to overemphasizing genetic factors and ignoring or reducing attention to other socio-economic determinants of health.

 

 

Should your cloud computing provider report suspected security breaches?

Earlier this week, I wrote about new Alberta breach reporting obligations in the Alberta Health Information Act. This post considers how distinctions between suspected, probable, unconfirmed and confirmed data breaches matter in cloud computing agreements.

Not every security incident is a security breach, and not every suspected security breach turns out to be an actual breach exposing personal data. I would argue that Canadian breach reporting laws generally focus on actual breaches, but I would also argue that this doesn’t necessarily mean that the breach must be confirmed. For example, Canada’s new federal breach reporting law in the Personal Information Protection and Electronic Documents Act defines a “breach of security safeguards” as:

“the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 or from a failure to establish those safeguards.”

It would be a stretch to interpret the words “the loss” etc. and “resulting from” as actually meaning “the suspected loss” or “possibly resulting from”. On the other hand, it is unlikely that a breach must be confirmed in the sense of there being no reasonable doubt. Courts find facts based on the balance of probabilities. It is very likely, therefore, that a court would conclude that probable breaches fall within the definition of a “breach of security safeguards”. This isn’t a foregone conclusion. It still requires the court to read a threshold into the provision, which the court may be reluctant to do. On the other hand, “confirmed” may be too high a test once the court has access to information about how difficult it is in some instances to confirm a breach to the level of “no reasonable doubt”.

Ontario’s Personal Health Information Protection Act is similar. PHIPA imposes a reporting obligation to notify an individual if:

“personal health information about an individual … is stolen or lost or if it is used or disclosed without authority…”

It would be challenging to read “is” as “may have been”. On the other hand, it would substantially weaken the protections of this provision if “is” were to be read as requiring confirmation that puts the breach beyond reasonable doubt.

So, what is the right test for contractual breach reporting obligations in a cloud computing agreement? Should cloud service providers report anything less than a probable or confirmed breach? Should every security incident be reported? There may be good reasons to request reporting of security incidents that are only suspected breaches. Arguably, reporting on all security incidents might provide users of cloud computing services with additional data that can be used to exercise oversight and ongoing due diligence of the cloud service provider. Reporting of suspected breaches may be appropriate if the organization expects or wants to be involved in the investigation to determine whether a breach occurred.

However, I’d argue that information on all security incidents or even just suspected breaches has minimal relevance when dealing with public cloud computing services and can be misleading as to the overall risk profile of those services. What is more meaningful is to understand how the cloud service provider investigates security incidents and classifies them. Ideally, users of cloud services would obtain information during due diligence, and contractual commitments, that would provide them with assurance that investigations into security incidents are and will be properly resourced and auditable, and that these investigations are and will be timely and effective in establishing whether the incident involved a confirmed breach or, if not fully confirmed, a breach sufficiently probable that the incident should be treated as a breach.

What do you think? DM me on Twitter – @TM_Banks.

 

Cloud computing update: Alberta Health Privacy Breach Provisions

On August 31st, new provisions in Alberta’s Health Information Act will come into force that have important implications for users and providers of cloud computing services.

These provisions impose new breach reporting obligations on healthcare service providers and other individuals and entities subject to the Health Information Act.

However, it is important for cloud computing service providers to know that they also have a statutory duty to report certain types of breaches to their custodians – irrespective of what the cloud computing contract says and irrespective of whether the breach is a result of an error or omission by the cloud computing service provider.

What happens on August 31st?

Beginning on August 31st, custodians in Alberta that are covered by the Health Information Act will be required to report certain privacy breaches to the Office of the Information and Privacy Commissioner of Alberta (OIPC), the Minister of Health, and affected individuals. In addition, an affiliate of a custodian (such as an information manager) will have a duty to report certain privacy breaches to the custodian. In each case, the report must be made as soon as practicable.

What are the penalties for noncompliance?

Failure to comply with the new breach reporting provisions is a provincial offence. Fines for noncompliance range between $200,000 and $500,000 for organizations and between $2,000 and $10,000 for individuals. Alberta has a track record of prosecuting Health Information Act offences.

Who are custodians?

Custodians include a wide range of healthcare service providers and stakeholders in the Alberta healthcare sector. Custodians include regulated health professionals (like doctors, pharmacists, and dentists), healthcare service delivery organizations (like hospitals, nursing homes, and ambulance operators) as well as other governmental bodies involved in the healthcare sector (like provincial health boards, regional health authorities and community health councils).

What do cloud service providers have to do?

A cloud service provider may be an “affiliate” under the Alberta Health Information Act. Cloud service providers should obtain legal advice as to whether they fall under the definition of “affiliate” in the Health Information Act and, if they operate outside of Alberta, whether they are subject to Alberta’s jurisdiction when they provide services to Alberta entities.

Beginning August 31, affiliates have direct obligations under the Health Information Act to notify the custodian of any loss of individually identifying health information or any unauthorized access to or disclosure of individually identifying health information in the custody or control of the custodian. Reports must contain prescribed information and be made as soon as is practicable.

An “affiliate” includes (among others) “information service managers” and other individuals and entities that perform a service for a custodian under a contractual relationship. An “information service manager” is an individual or organization that does any of the following:

  • processes, stores, retrieves or disposes of health information,
  • strips, encodes or otherwise transforms individually identifying health information to create non‑identifying health information, or
  • provides information management or information technology services.

What do custodians have to do?

Custodians should ensure that they have implemented policies, procedures and training to meet their new statutory obligation to give notice of any loss of individually identifying health information or unauthorized access to or disclosure of individually identifying health information in the custody or control of the custodian if there is a risk of harm to an individual as a result of the loss or unauthorized access or disclosure. The notice must be given as soon as practicable and contain certain prescribed information.

Custodians should ensure that their cloud service providers are aware of their broad obligation to report privacy breaches in accordance with these new provisions. Custodians should review their contracts to make sure that the terms relating to breach notification are broad enough to cover the scope of what is reportable under the Health Information Act. This is particularly important if there is an argument that the cloud service provider is beyond Alberta’s jurisdictional reach.

In addition, custodians should ensure that all individually identifying health information is encrypted at rest and in transit. Effective encryption is a factor that may avoid having a reportable breach. The Regulations provide that if a custodian is able to demonstrate that the information was encrypted and could not be accessed or would be unintelligible, the custodian is not required to give notice of the loss or unauthorized access or disclosure to the OIPC, the Ministry or the individual.

Do these provisions only cover unauthorized access by or disclosure of health information to third parties?

No, the provisions are not limited to access by or disclosure to third parties. Unauthorized internal access and unauthorized disclosure between custodians are subject to the breach reporting provisions.

Do cloud service providers only have to report breaches where there is a risk of harm?

No, the risk of harm analysis test does not apply to cloud service providers. Whether there is a risk of harm is for the custodian to decide.

What factors can the custodian consider when evaluating a risk of harm?

The Regulations set out a non-exhaustive list of factors to be considered by the custodian when considering whether there is a risk of harm to an individual. These factors include (but are not limited to) whether:

  • the information has been or may be accessed and/or disclosed;
  • the information has been misused or will be misused;
  • the information could be used for the purpose of identity theft or to commit fraud;
  • the information could cause embarrassment or physical, mental or financial harm to or damage to the reputation of the affected individual;
  • the breach has adversely affected or will adversely affect the provision of a health service to the individual;
  • the information was encrypted or otherwise secured in a manner that would prevent the information from unauthorized access or render the information unintelligible by a person who is not authorized to access the information;
  • the information was lost in circumstances in which the information was destroyed or rendered inaccessible or unintelligible;
  • the information was not accessed before it was recovered if it was recovered; and
  • any access or disclosure was only to a custodian or an affiliate and (i) that person is subject to confidentiality policies and procedures that meet the requirements of the Act, (ii) the person accessed the information in a manner that is in accordance with the person’s duties as a custodian or affiliate and not for an improper purpose, and (iii) the individual did not use or disclose the information except in determining that the information was accessed by or disclosed to the person in error and in taking any steps reasonably necessary to address the unauthorized access or disclosure.

Read more!

Find the amendments to the Health Information Act here.

The amendments to the Regulations can be found here.

Free trials and deceptive trade practices

Earlier this week, I wrote about an interesting development in Quebec regarding the interpretation of section 230(c) of the Quebec Consumer Protection Act. A Quebec court concluded that this provision did not require a merchant to obtain the fresh agreement of a consumer at the end of a free trial or introductory rate period before rolling the consumer over into a regular rate plan if the consumer expressly agreed to the regular rate plan when signing up for the free trial or introductory rate period. You can read my blog post here.

As mentioned in that post, the court’s interpretation of section 230(c) remains open to debate given that the plaintiff filed an appeal. Although the court’s judgment appears to be consistent with explanatory material from the Quebec Office of Consumer Protection (at least at the time of writing), the Court of Appeal is not bound to give deference to that material. It is still possible that the Quebec Court of Appeal might conclude that the policy behind the law is simply to outlaw these types of inducements unless the merchant obtains the positive agreement of the consumer to continue the subscription during or after the free trial or introductory rate period.

So what are the policy considerations that might support a bright line approach prohibiting automatic rollover into full rate plans without the consumer’s fresh consent?

The most compelling reason for a bright line rule is the frequency with which free trial and introductory rate offers are used as deceptive marketing practices. A bright-line approach makes enforcement easier. The U.S. Federal Trade Commission has a robust history of enforcement action against marketers using free trials as part of a deceptive marketing plan. A particularly egregious example is detailed in an FTC complaint against a teeth whitening product marketer. Consumers who enrolled in a supposed low introductory offer actually agreed to an on-going full rate monthly charge. The agreement was buried in the fine print. You can read the FTC complaint here. Arent Fox has a quick summary that you can find here.

Another reason has to do with the psychology of the consumer. Free trials and introductory rate offers emphasize the “no risk” or “free” or “low price” aspect of the offer. Marketers do not give equal prominence to the true cost of the goods or services. The consumer is induced to enroll on the basis that they can change their mind. The consumer may be less apt to comparison shop or reflect on whether the value of the product or service is reflected in the true “after deal” price.

Finally, the effectiveness of free trial and introductory rate offers depends, in part, on consumer inaction. This is the heart of the “negative option billing” issue. While it may be paternalistic for governments to effectively “save” the consumer from doing something as theoretically simple as sending a cancellation notice, all consumer protection law is intended to relieve the consumer of what would otherwise be the outcome of freedom to contract.

Notwithstanding the arguments in favour of a bright-line approach, a prohibition against free trials and reduced rate offers that automatically roll over into full rate plans seems heavy-handed for online contracts.

While there are policy reasons to support this approach, governments have other policy options available to them. Most Canadian consumer protection laws require the merchant to deliver a copy of the consumer agreement formed online to the consumer in a form that can be retained and containing specific details. Theoretically, the government could simply require merchants to provide an easy and effective online method to opt out that is prominently displayed at the beginning of that agreement, followed by a notice to the consumer prior to the full-rate plan kicking in.

 

Free trials, introductory offers and negative option billing

An interesting decision of the Quebec Superior Court of Justice came out this year throwing cold water on a class action by consumers in Quebec against well-known telecommunication companies and online media service providers. The case is interesting because it clarifies that the use of free trials as consumer incentives is not prohibited by the negative option billing prohibitions in section 230(c) of the Quebec Consumer Protection Act. The decision has been appealed, though, so it is possible it will be overturned.

What is negative option billing?

Negative option billing involves requiring a consumer to specifically reject goods and services or be forced to pay for them. The supplier of the goods or services relies on the fact that the consumer accepts receipt of the goods or services as forming an agreement by the consumer to pay for those goods or services.

Periodically, examples of negative option billing have made headlines and led to consumer backlash. For example, in 1995, there was a backlash against Rogers Cablesystems and other cable television providers when they altered their cable packages to add new specialty channels. Consumers received these channels for a short period of time for free. If they did not change their packages to remove these channels, Rogers and other telecommunications providers would begin charging extra for them. There was broad outrage, and Rogers and other industry players relented.

Negative option billing laws in Canada

There are many laws that prohibit negative option billing in Canada. I won’t address all of them here. A few examples will be enough. Section 13 of the Ontario Consumer Protection Act, 2002 and section 12 of the British Columbia Business Practices and Consumer Protection Act state that a consumer has no legal obligation with respect to unsolicited goods or services (with limited exceptions). Unsolicited goods or services include goods and services provided to a consumer who did not request them. A change to a good or service may result in the goods being unsolicited if the change is material.

The Alberta Consumer Protection Act is stricter than Ontario and British Columbia’s laws. Section 20 of the Alberta Consumer Protection Act deems an unsolicited enhancement of a service to be a negative option if the consumer is required to send a notice that it does not wish to pay for the goods or services. Alberta expressly prohibits suppliers from supplying goods or services to a consumer using a negative option practice.

Federally, the government enacted the Negative Option Billing Regulations in 2012, which apply to federally regulated financial institutions.

How is Quebec different?

The negative option billing provisions in Section 230 of the Quebec Consumer Protection Act appear to cover a broader set of practices than those in other provinces. Section 230(a) contains the usual prohibition against unsolicited goods. Section 230(c) goes further and says that a merchant cannot provide free trials or discounted services to a consumer for a fixed period and then automatically roll the consumer over to the higher price if the consumer does not send a notice stating that the consumer does not want the service.

230. No merchant, manufacturer or advertiser may, by any means whatever,

(a)   charge any sum whatever for any goods or services that he has sent or rendered to a consumer without the consumer having ordered them;

(b)   give any reason as a pretext for soliciting the sale of goods or the provision of services;

(c)   require that a consumer to whom he has provided services or goods free of charge or at a reduced price for a fixed period send a notice at the end of that period indicating that the consumer does not wish to obtain the services or goods at the regular price.

In Benabu c. Vidéotron, the class action plaintiff sued several telecommunication companies and online media service providers for violations of section 230(c). The plaintiff’s theory was that section 230(c) prohibited all forms of free trials or introductory rate offers if the supplier was not required to obtain consent from the consumer at the end of the free trial or introductory rate period. The court disagreed.

The defendants offered a free trial or introductory rates for a limited period when a consumer signed up for month-to-month services for an indefinite term. The court said that the monthly rate was clearly set out in the contract. The court also said that the consumer clearly knew at the time of entering into the contract that this rate would be charged after the initial free trial or introductory rate period. The consumer could cancel the contract at any time – either before or after the initial free trial or introductory rate period. In these circumstances, the court thought it was absurd that the consumer would have to reaffirm the contract at the end of the free trial or introductory rate period.

Is the Benabu decision sound?

The Benabu decision is under appeal. There are arguments that the decision might not survive the appeal.

Section 230(a) of the Quebec Consumer Protection Act is like provisions in the Ontario, British Columbia and Alberta legislation. If the consumer did not request the services, the consumer would not be required to pay. Like the provisions of other provinces, section 230(a) would not prohibit the use of free trials or introductory rates as an incentive when the consumer signed up. Arguably, section 230(a), like the provisions in other provinces, would apply to “add-ons” such as the specialty channel add-ons that caused problems for Rogers in 1995.

So, if section 230(c) doesn’t require a consumer to expressly agree – at the end of a free trial or introductory rate period – to the continuation of the contract, what is its purpose? The court took some guidance from the Quebec Office of Consumer Protection. In each case, the Office of Consumer Protection seemed to indicate that the consumer could agree in advance to the ongoing purchase of the product following the free trial.

The court noted that the text of section 230(c) uses the past tense “to whom he has provided services or goods free of charge or at a reduced price for a fixed period”. Although the court did not say so, this would support the idea that the provision is intended to prohibit a deceptive sales practice of having the consumer sign up for a free trial period without telling the consumer that he or she must provide a notice to cancel before the free trial period has ended or the consumer will be forced into an ongoing agreement.

Caution: The Benabu decision is one of the few cases dealing with section 230 of the Quebec Consumer Protection Act. Other judges or the Court of Appeal could disagree. The status of free trials in Quebec is far from completely settled.

Read Benabu c. Vidéotron here.