As a cross-border business technology and privacy lawyer working with clients in Canada and the United States, I understand how overwhelming it can be for businesses to navigate the constantly evolving landscape of privacy laws.
In this brief video, I’ll highlight the key lessons from 2024 that every business should be aware of.
Lesson number one, Avoid dark patterns
Dark patterns are deceptive design tactics used to manipulate users into making choices about their privacy that they would not otherwise have made. The Office of the Privacy Commissioner of Canada, the OPC, recently highlighted five common types of dark patterns:
- Privacy notices with complex language;
- user interfaces that are confusing;
- nagging, which is repeated prompts to take specific actions;
- obstruction, which is inserting unnecessary steps between users and their privacy goals; and,
- forced action, which is tricking users into disclosing extra personal information.
Avoiding these practices ensures a clear, trustworthy user experience.
Lesson number two, Deepfakes are being used more in cybercrime
Deepfakes, which are A.I. generated or altered videos and audio, are increasingly being used in cybercrime.
Recently, the FBI warned about scams involving voice and video cloning. For example, in February 2024, CNN reported that a finance worker was tricked into transferring $25 million after criminals used deepfake technology to impersonate the company’s CFO during a live video call. That’s scary. Businesses must stay vigilant and adopt measures to protect against these threats.
Additionally, I would recommend checking with your insurance broker to ensure you’re covered for business email fraud and other types of cyber insurance.
Lesson number three, watch out for upcoming A.I. Laws
Canada’s proposed Artificial Intelligence and Data Act, aimed at regulating AI systems, is stalled in parliament. However, Ontario recently amended the Employment Standards Act to require businesses to disclose A.I. use in hiring.
In contrast to Canada, the United States has seen more progress. This suggests that Canada will be forced to catch up soon. Colorado, California and Utah are leading the way, while some other states have focused A.I. laws on specific employment applications, just like in Ontario.
Lesson number four, Privacy law keeps on changing
While Canada’s proposed privacy law remains stalled, just like the artificial intelligence law, and Ontario’s Privacy White Paper may not have evolved into a proposed law yet, privacy laws are changing elsewhere. For example, Quebec’s Law 25 now includes data portability provisions requiring businesses to transfer an individual’s data to another organization under certain conditions.
In contrast to Canada’s stalled privacy environment, seven U.S. states have passed comprehensive privacy laws in 2024.
Additionally, both Canada and the U.S. have seen a surge in child-centric privacy laws. If your business handles children’s data, you should stay informed about these proposed and evolving laws.
And lastly, lesson number five, don’t lie on your privacy notices
Privacy notices are public documents that disclose your business’s privacy practices, which help individuals understand how their personal information will be collected, used, disclosed or retained, and allow those individuals to provide informed consent.
In 2024, many businesses faced scrutiny from a variety of Canadian and American privacy regulators, including the OPC, the FTC and the FCC, for having deceptive privacy notices or unfair privacy practices that harmed consumers.
That wraps up the most important privacy lessons for businesses in 2024.
To stay informed and protect your business, subscribe to our Cybersecurity and Privacy blog post. This includes our Privacy Policy, a blog series dedicated to regular insights and legislative updates from the Privacy, Cyber and Data Governance team.
Have questions about Privacy Laws that may affect your business? We can help.
If you have any questions related to this Article’s content, you may reach out to any lawyer in Siskinds’ Privacy, Cyber & Data Governance Team. You can also reach out to the author, Savvas Daginis — a Canadian and American Business, Technology, and Privacy Lawyer — at savvas.daginis@siskinds.com if you have any questions.