The Competition Bureau settled a privacy case against Facebook in 2020 -- five years before the Privacy Commissioner’s case reached the Supreme Court. The 2024 amendments to the Competition Act mean that was just the beginning. In The Governance Gap , the foundational document for The Privacy Briefing , I argued that the defining operational risk of the AI decade is the distance between what organizations have adopted and the governance they have in place. That gap is where liability accumulates -- quietly, until it doesn’t. This series applies that framework to a specific convergence most executives and boards have not mapped: the intersection of privacy law and competition law. The Competition Act amendments of 2022–2024 have turned privacy notices and programs into competition enforcement targets, and algorithmic pricing into a joint privacy-competition exposure. The governance gap, in this context, is the space between a privacy program that satisfies PIPEDA and a compliance architecture that accounts for the Competition Act’s parallel authority over the same conduct. The Facebook Precedent: Enforcing Privacy Promises In May 2020, Facebook paid $9.5 million to settle a Competition Bureau investigation into misleading privacy claims. The Bureau concluded that Facebook told users they could control who accessed their personal information -- while sharing that information with third-party developers in ways that contradicted those claims. The consent agreement imposed a 10-year compliance monitoring regime and required senior management to personally acknowledge the commitments. The Office of the Privacy Commissioner investigated the same conduct. That case -- Canada (Privacy Commissioner) v. Facebook, Inc., now before the Supreme Court of Canada (docket 41538) -- is still being litigated in 2026. The Federal Court of Appeal overturned the trial court in September 2024, finding that Facebook failed to obtain meaningful consent under PIPEDA. Oral arguments were heard on March 19, 2026. The contrast is instructive. The Competition Bureau achieved enforceable compliance outcomes on privacy misrepresentations -- financial penalty, structural remedies, personal accountability for senior management -- while the Privacy Commissioner spent six years establishing the evidentiary standard for meaningful consent. This is not a criticism of the OPC. It is an outcome of our current privacy law and its enforcement architecture. What is Changing – Competition Law comes to the Fore Between 2022 and 2024, Parliament overhauled the Competition Act through three rounds of amendments -- the most significant changes since the modern Act replaced the Combines Investigation Act in 1986. Three changes matter for boards, executives and privacy and AI practitioners: Private rights of action. Since June 20, 2025, private parties can bring applications to the Competition Tribunal for civil deceptive marketing, anti-competitive agreements, and abuse of dominance. The threshold to seek leave to commence an action is low. The Commissioner has encouraged the Tribunal to apply a “liberal” interpretation that screens out only clearly frivolous claims. Competitors, consumer groups, and plaintiffs’ counsel no longer need to wait for the Bureau to act. Amplified penalties. Administrative monetary penalties for civil misleading representations now reach the greater of $10 million or three times the value of the benefit derived from the conduct -- or 3% of annual worldwide gross revenues if the benefit cannot be determined. For abuse of dominance, the ceiling is $25 million on the first contravention. Previously, no monetary penalties existed for many of these civil provisions. Broader scope. Section 90.1 now covers commercial agreements between non-competitors where any part of the agreement has a significant purpose of preventing or lessening competition. This catches vertical agreements -- including data-sharing arrangements, platform terms, and vendor contracts -- for the first time. Your Privacy Notice Is Now a Competition Law Document The Facebook settlement established a principle that many outside the privacy profession have not internalized: privacy representations are commercial representations. The Competition Act’s prohibition on false or misleading claims (ss. 74.01, 74.011) applies to statements about data collection, use, and disclosure the same way it applies to statements about product quality or price. The Bureau’s Commissioner said it plainly: the Bureau will not hesitate to act on misleading claims about personal data, whether the company is a multinational or a small business. This is not revolutionary – the FTC in the United States has long relied upon s. 5 of the FTC Act to prevent unfair and deceptive practices; Canada is just catching up. Privacy and cybersecurity governance is not a new liability for directors and management -- it is a new expression of a duty that has always existed. The same principle applies here. The Competition Act’s authority over misleading representations is not new. What is new is the recognition that privacy claims are commercial representations within its scope -- and there is an enforcement architecture to act on that recognition. The analysis may run deeper still. In a recent paper , Thibault Schrepel argues that AI recommendation architectures do not merely distort consumer preferences — they may constitute them. A consumer whose information environment is shaped by an AI system does not have suppressed preferences waiting to be recovered through better disclosure. The preferences themselves are constructed through the interaction. If Schrepel is right, the 'general impression' test under the Competition Act may need to extend beyond the privacy notice itself to the architecture the notice purports to describe. A notice that says 'you are in control' while the underlying system determines what the consumer sees, wants, and pays is not just a misleading representation about privacy. It is a misleading representation about the consumer's entire decision-making environment. The Bureau's own investigation into algorithmic pricing in the rental housing market illustrates the point — the question was not just whether RealPage's tool coordinated individual rent recommendations, but whether landlords who subscribed to it were participating in a market structure from which competitive exit became progressively harder The operative test is the “general impression” of the representation -- not just its literal meaning. A privacy notice that is technically accurate in its individual clauses but creates a misleading overall impression about user control is exposed. The FCA’s decision in the OPC action reinforced this from the Privacy side: lengthy privacy policies have limited value in establishing meaningful consent. Individual autonomy -- the ability to make informed decisions about personal data -- requires more than disclosure buried in 4,500 words of terms of service. From the competition side, the same wordiness creates a misleading impression about the simplicity and effectiveness of user controls. What changes the equation fundamentally is the private right of action. A company that competes by being transparent about its data practices now has standing that did not exist before June 2025 to challenge a rival whose privacy notice overstates protections it doesn’t deliver. Not Just a Big-Company Problem Competition law carries a reputation as a large-enterprise concern. The amended Act dismantles that assumption. The private right of action is available regardless of the respondent’s market share. The expanded s. 90.1 applies to agreements between businesses of any size. The deceptive marketing provisions have always applied to “free” digital products — including those of startups and SMEs. Consider the following examples: · a mid-size e-commerce company that tells customers it “never sells your data” while sharing browsing behaviour with a third-party advertising network. · a SaaS platform whose privacy notice describes “anonymized analytics” while feeding identifiable usage patterns into a pricing optimization algorithm. These are the kinds of discrepancies between privacy notice language and operational reality that privacy audits can uncover and remediate. Under the amended Competition Act, they are also potential grounds for a Tribunal application by any directly and substantially affected party. The Pending Supreme Court Decision The SCC’s pending decision in Facebook v. Privacy Commissioner will shape both regimes simultaneously. If the Court upholds the FCA’s objective “reasonable person” standard for meaningful consent, it raises the bar for privacy notices across the board. Every notice that falls short constitutes both a PIPEDA compliance failure and a potential misleading representation under the Competition Act. Facebook’s reply factum argues that PIPEDA reflects a “self-regulatory model” requiring “flexibility, common sense.” The OPC and interveners -- including the OIPC-BC, the CCLA, and CIPPIC -- argue that meaningful consent is a substantive requirement that cannot be satisfied by lengthy, unread policies. The Competition Act, however, has always tested against the general impression received -- not the effort made. The Governance Gap: Competition & Privacy The Governance Gap warns that accountability has accelerated faster than most governance structures have adapted. The Competition Act amendments are a case study. Privacy officers and in-house counsel have assumed that privacy compliance is a problem of privacy law. That assumption is the governance gap in practice. A privacy notice reviewed only against PIPEDA, provincial statutes, and perhaps the GDPR carries an unmanaged competition-law risk: A data-sharing arrangement may create exposure under s. 90.1. An AI governance disclosure that uses aspirational language without evidence to back it up, invites challenge under the deceptive marketing provisions. The structural point is simple: the Competition Act provides enforcement tools that privacy commissioners do not which include penalties linked to worldwide revenues, and private rights of action. While the original Facebook settlement prompted some expectations that the Competition Tribunal would flex an FTC-like muscle, that did not transpire – but now the tools are in the hands of the private sector. In Part 2, we will examine where AI-driven pricing -- including dynamic pricing, personalized pricing, and algorithmic recommendations -- creates competition exposure at the intersection of AI, Data Provenance, and Sovereignty.

The Competition Bureau settled a privacy case against Facebook in 2020 -- five years before the Privacy Commissioner’s case reached the Supreme Court. The 2024 amendments to the Competition Act mean that was just the beginning. In The Governance Gap , the foundational document for The Privacy Briefing , I argued that the defining operational risk of the AI decade is the distance between what organizations have adopted and the governance they have in place. That gap is where liability accumulates -- quietly, until it doesn’t. This series applies that framework to a specific convergence most executives and boards have not mapped: the intersection of privacy law and competition law. The Competition Act amendments of 2022–2024 have turned privacy notices and programs into competition enforcement targets, and algorithmic pricing into a joint privacy-competition exposure. The governance gap, in this context, is the space between a privacy program that satisfies PIPEDA and a compliance architecture that accounts for the Competition Act’s parallel authority over the same conduct. The Facebook Precedent: Enforcing Privacy Promises In May 2020, Facebook paid $9.5 million to settle a Competition Bureau investigation into misleading privacy claims. The Bureau concluded that Facebook told users they could control who accessed their personal information -- while sharing that information with third-party developers in ways that contradicted those claims. The consent agreement imposed a 10-year compliance monitoring regime and required senior management to personally acknowledge the commitments. The Office of the Privacy Commissioner investigated the same conduct. That case -- Canada (Privacy Commissioner) v. Facebook, Inc., now before the Supreme Court of Canada (docket 41538) -- is still being litigated in 2026. The Federal Court of Appeal overturned the trial court in September 2024, finding that Facebook failed to obtain meaningful consent under PIPEDA. Oral arguments were heard on March 19, 2026. The contrast is instructive. The Competition Bureau achieved enforceable compliance outcomes on privacy misrepresentations -- financial penalty, structural remedies, personal accountability for senior management -- while the Privacy Commissioner spent six years establishing the evidentiary standard for meaningful consent. This is not a criticism of the OPC. It is an outcome of our current privacy law and its enforcement architecture. What is Changing – Competition Law comes to the Fore Between 2022 and 2024, Parliament overhauled the Competition Act through three rounds of amendments -- the most significant changes since the modern Act replaced the Combines Investigation Act in 1986. Three changes matter for boards, executives and privacy and AI practitioners: Private rights of action. Since June 20, 2025, private parties can bring applications to the Competition Tribunal for civil deceptive marketing, anti-competitive agreements, and abuse of dominance. The threshold to seek leave to commence an action is low. The Commissioner has encouraged the Tribunal to apply a “liberal” interpretation that screens out only clearly frivolous claims. Competitors, consumer groups, and plaintiffs’ counsel no longer need to wait for the Bureau to act. Amplified penalties. Administrative monetary penalties for civil misleading representations now reach the greater of $10 million or three times the value of the benefit derived from the conduct -- or 3% of annual worldwide gross revenues if the benefit cannot be determined. For abuse of dominance, the ceiling is $25 million on the first contravention. Previously, no monetary penalties existed for many of these civil provisions. Broader scope. Section 90.1 now covers commercial agreements between non-competitors where any part of the agreement has a significant purpose of preventing or lessening competition. This catches vertical agreements -- including data-sharing arrangements, platform terms, and vendor contracts -- for the first time. Your Privacy Notice Is Now a Competition Law Document The Facebook settlement established a principle that many outside the privacy profession have not internalized: privacy representations are commercial representations. The Competition Act’s prohibition on false or misleading claims (ss. 74.01, 74.011) applies to statements about data collection, use, and disclosure the same way it applies to statements about product quality or price. The Bureau’s Commissioner said it plainly: the Bureau will not hesitate to act on misleading claims about personal data, whether the company is a multinational or a small business. This is not revolutionary – the FTC in the United States has long relied upon s. 5 of the FTC Act to prevent unfair and deceptive practices; Canada is just catching up. Privacy and cybersecurity governance is not a new liability for directors and management -- it is a new expression of a duty that has always existed. The same principle applies here. The Competition Act’s authority over misleading representations is not new. What is new is the recognition that privacy claims are commercial representations within its scope -- and there is an enforcement architecture to act on that recognition. The analysis may run deeper still. In a recent paper , Thibault Schrepel argues that AI recommendation architectures do not merely distort consumer preferences — they may constitute them. A consumer whose information environment is shaped by an AI system does not have suppressed preferences waiting to be recovered through better disclosure. The preferences themselves are constructed through the interaction. If Schrepel is right, the 'general impression' test under the Competition Act may need to extend beyond the privacy notice itself to the architecture the notice purports to describe. A notice that says 'you are in control' while the underlying system determines what the consumer sees, wants, and pays is not just a misleading representation about privacy. It is a misleading representation about the consumer's entire decision-making environment. The Bureau's own investigation into algorithmic pricing in the rental housing market illustrates the point — the question was not just whether RealPage's tool coordinated individual rent recommendations, but whether landlords who subscribed to it were participating in a market structure from which competitive exit became progressively harder The operative test is the “general impression” of the representation -- not just its literal meaning. A privacy notice that is technically accurate in its individual clauses but creates a misleading overall impression about user control is exposed. The FCA’s decision in the OPC action reinforced this from the Privacy side: lengthy privacy policies have limited value in establishing meaningful consent. Individual autonomy -- the ability to make informed decisions about personal data -- requires more than disclosure buried in 4,500 words of terms of service. From the competition side, the same wordiness creates a misleading impression about the simplicity and effectiveness of user controls. What changes the equation fundamentally is the private right of action. A company that competes by being transparent about its data practices now has standing that did not exist before June 2025 to challenge a rival whose privacy notice overstates protections it doesn’t deliver. Not Just a Big-Company Problem Competition law carries a reputation as a large-enterprise concern. The amended Act dismantles that assumption. The private right of action is available regardless of the respondent’s market share. The expanded s. 90.1 applies to agreements between businesses of any size. The deceptive marketing provisions have always applied to “free” digital products — including those of startups and SMEs. Consider the following examples: · a mid-size e-commerce company that tells customers it “never sells your data” while sharing browsing behaviour with a third-party advertising network. · a SaaS platform whose privacy notice describes “anonymized analytics” while feeding identifiable usage patterns into a pricing optimization algorithm. These are the kinds of discrepancies between privacy notice language and operational reality that privacy audits can uncover and remediate. Under the amended Competition Act, they are also potential grounds for a Tribunal application by any directly and substantially affected party. The Pending Supreme Court Decision The SCC’s pending decision in Facebook v. Privacy Commissioner will shape both regimes simultaneously. If the Court upholds the FCA’s objective “reasonable person” standard for meaningful consent, it raises the bar for privacy notices across the board. Every notice that falls short constitutes both a PIPEDA compliance failure and a potential misleading representation under the Competition Act. Facebook’s reply factum argues that PIPEDA reflects a “self-regulatory model” requiring “flexibility, common sense.” The OPC and interveners -- including the OIPC-BC, the CCLA, and CIPPIC -- argue that meaningful consent is a substantive requirement that cannot be satisfied by lengthy, unread policies. The Competition Act, however, has always tested against the general impression received -- not the effort made. The Governance Gap: Competition & Privacy The Governance Gap warns that accountability has accelerated faster than most governance structures have adapted. The Competition Act amendments are a case study. Privacy officers and in-house counsel have assumed that privacy compliance is a problem of privacy law. That assumption is the governance gap in practice. A privacy notice reviewed only against PIPEDA, provincial statutes, and perhaps the GDPR carries an unmanaged competition-law risk: A data-sharing arrangement may create exposure under s. 90.1. An AI governance disclosure that uses aspirational language without evidence to back it up, invites challenge under the deceptive marketing provisions. The structural point is simple: the Competition Act provides enforcement tools that privacy commissioners do not which include penalties linked to worldwide revenues, and private rights of action. While the original Facebook settlement prompted some expectations that the Competition Tribunal would flex an FTC-like muscle, that did not transpire – but now the tools are in the hands of the private sector. In Part 2, we will examine where AI-driven pricing -- including dynamic pricing, personalized pricing, and algorithmic recommendations -- creates competition exposure at the intersection of AI, Data Provenance, and Sovereignty.