Social Media & Internet Law.

There is no such thing as a risk-free presence in the social media space. For businesses, individuals, and organizations that operate on social platforms, whether as brand owners, content publishers, advertisers, or employers, the absence of well-crafted policies creates exposure across a broad range of legal disciplines. Three categories of policy address the most significant risks: posting policies, moderation policies, and employment policies. Each serves a distinct protective function, and collectively they form the legal foundation for any responsible online presence.

Posting Policies

A posting policy is a public-facing document that governs the rules of engagement for users who wish to contribute content to a social media website or page. It must clearly outline the rights and obligations of participating users. Because brand owners often resist burdening their audience with dense legal text, best practice is to display a brief summary on the main page, with a link to a more comprehensive policy, making it accessible without being intrusive.

A legally sound posting policy should address the following core elements:

• Right to moderate, reserve the express right to remove, edit, or otherwise modify any content at any time and at the operator's discretion, without explanation to the user;
• Community standards, enumerate categories of impermissible content, profanity, offensive language, derogatory characterizations of ethnic, racial, sexual or religious groups, endorsement of illegal activity, while making clear the list is not exhaustive;
• Intellectual property warranties, require participants to represent and warrant that they hold the right to share any submitted content, including trademarks and copyrighted material, and prohibit the posting of third-party materials without prior consent;
• Content licence, obtain a worldwide, royalty-free, non-exclusive licence to publish, display, reproduce, modify, and otherwise use any submitted content in any format, together with a waiver of all moral rights in that content;
• Disclaimer of liability, clearly communicate that the views of contributors do not represent those of the organization, and disclaim liability for third-party posts;
• Anti-spam provision, state that content containing advertisements, spam, or references to unrelated websites will be removed;
• Privacy reminder, remind participants that the page is public and caution them against submitting personal information such as addresses, phone numbers, or email addresses;
• Indemnity clause, obtain an indemnity from contributors in relation to any claims arising out of their submitted content; and
• Testimonial authenticity, require that any testimonials represent true and honest beliefs based on the contributor's genuine experience with the product or service.

Moderation Policies

Moderation in the social media space is a double-edged sword. Failing to moderate leaves defamatory, unlawful, or brand-damaging content visible to the public; over-moderating risks alienating users and creating the perception of censorship. The challenge is compounded by the fact that comments appearing on a brand's page, even with disclaimers, can appear to carry the brand's tacit endorsement.

A moderation policy must define: the categories of content that will be removed; the procedures by which removal decisions are made and escalated; and the persons responsible for each category of concern. A casual complaint about a product can typically be handled by a trained moderator. A sensitive political matter, a claim of health harm, or an allegation implicating the company in ongoing litigation should be escalated immediately to legal counsel or senior management. The policy must identify those escalation pathways explicitly, not merely in general terms.

Effective moderators must internalize several principles when engaging with users. Every response is public. Responses should be timely, personal, and written in plain language, avoiding legal terms, jargon, and cookie-cutter phrasing. Social media users place a premium on transparency and will disengage from pages perceived as heavily censored. At the same time, some content simply cannot remain online: harassment, defamatory statements, content infringing third-party intellectual property, and spam all warrant prompt removal.

Employment Policies

Social media communications made by employees, even on personal accounts and outside working hours, can cause significant reputational damage to an employer. An employee's casual post identifying their employer and voicing dissatisfaction, or a video uploaded by a staff member depicting workplace misconduct, can reach millions of viewers within hours. The penalties for employees can range from suspension and dismissal to criminal charges. For employers, the consequences can include damage to goodwill, regulatory scrutiny, and litigation.

A comprehensive employment policy governing social media use must address the following:

• Define what "social media" means and which activities and platforms the policy covers, including mention of specific platforms while not limiting coverage to them;
• Identify who is authorized to post official communications on behalf of the organization;
• Explain the durability and reach of electronic information, including the risk that content posted anonymously can often be traced;
• Specify the extent to which the policy applies to off-duty social media activity conducted on personal time and personal devices;
• Prohibit employees from disparaging the employer, co-workers, customers, or business partners on social media, at or outside the workplace;
• Remind employees of their confidentiality obligations and identify the categories of information whose disclosure constitutes grounds for termination for cause;
• Prohibit the unauthorized use of the employer's trademarks, logos, and slogans;
• Prohibit speaking on behalf of the employer, particularly on matters currently in the news;
• Advise employees of the consequences of policy violations, including that unlawful activity may be reported to authorities; and
• Provide alternative internal channels through which employees may raise workplace concerns.

Employment Contracts and Social Media

Appropriately drafted employment contracts and collective agreements provide the strongest available protection for an employer's interests in social media assets. A contract provision should expressly stipulate that all social media accounts created by the employee or employer for the purpose of carrying out the employer's business remain the exclusive property of the employer, both during and after the employment relationship. Such a provision can be incorporated within a broader clause addressing the ownership of employer-provided devices and the obligation to return company property at the end of employment.

In unionized workplaces, equivalent protections can be negotiated into the collective agreement. The benefit of addressing ownership in these instruments is twofold: it sets clear expectations at the outset of the relationship and provides a legal basis for enforcement in the event of a breach.

Background Checks

The use of social media in pre-employment background screening raises significant legal risks that employers must navigate carefully. The principal concern is that a review of a candidate's public social media profile will expose the employer to information about a prohibited ground of discrimination under the Ontario Human Rights Code, including disability, sexual orientation, ethnic origin, or family status, which could give rise to a human rights complaint if the candidate is not hired.

Where criminal background checks are required, Canadian arbitral and tribunal decisions have consistently held that such checks must be connected to a genuine and demonstrable occupational requirement. In Ottawa (City) v. Ottawa Professional Firefighters Association, arbitrator Picher held that an employer has no inherent entitlement to the criminal histories of its employees: the nature of the job must itself give rise to the requirement, such as roles involving close contact with children or vulnerable adults, or positions with access to sensitive financial or security systems.

When conducting social media background checks, employers should limit themselves to publicly available information, refrain from attempting to circumvent privacy settings or connect with candidates under false pretenses, and carefully document their screening process. The mere fact that an employee uses social media as part of their role is generally insufficient justification for mandatory criminal record checks.

Ownership of Social Media Accounts and Contacts

The ownership of social media accounts and the contacts associated with them, particularly LinkedIn connections and Twitter/X followers built during employment, is one of the most contentious emerging issues in Canadian employment law. Canadian courts have not yet definitively resolved this question, although the issue has been heavily litigated in the United States.Two U.S. decisions are routinely cited as the analytical reference points for this dispute. In PhoneDog v Kravitz (ND Cal 2011), an employee who built a Twitter following of approximately 17,000 under an employer-associated handle was sued for trade-secret misappropriation and unjust enrichment after he left the company and renamed the account; the employer valued the contact list at $42,500 per month and the case settled before judgment. In Eagle v Morgan (ED Pa 2013), a senior executive's LinkedIn account was accessed and locked by her former employer after termination; the court found that misappropriation-of-identity and privacy claims were made out but declined to award damages for want of proof of quantifiable loss. Neither decision binds a Canadian court, and Canadian doctrine on social-media account ownership remains undeveloped, but the U.S. cases reinforce a single practical lesson for both sides: contractual clarity at the start of the employment relationship is essential, because the doctrinal toolkit available after the fact (breach of confidence, conversion, unjust enrichment, breach of fiduciary duty) is unpredictable and slow.

In the absence of Canadian authority directly on point, the prudent approach for employers is to address account and contact ownership expressly in employment agreements, ensure that accounts used for business purposes are registered to the company and not to individual employees, and use role-specific email addresses (such as domainnameclerk@company.com) for all domain and account registrations.

What is a Domain Name?

A domain name is a memorable address that identifies a website or other location on the Internet, representing an Internet Protocol (IP) address in the Domain Name System (DNS). The DNS translates domain names into the corresponding IP addresses and routes Internet traffic accordingly. It also enables email delivery, connecting outgoing messages to their intended recipients. Because IP addresses are complicated strings of numbers that are difficult to remember, domain names function as mnemonic devices: rather than typing the raw IP address for a website, users type the domain name instead.

Domain names are divided into hierarchical parts. The component to the right of the final dot is the Top-Level Domain (TLD). Generic TLDs (gTLDs) include .com, .net, .org, and an expanding range of new extensions; country-code TLDs (ccTLDs) are assigned to particular jurisdictions, with .ca being Canada's ccTLD, administered by the Canadian Internet Registration Authority (CIRA). The second-level domain, the part immediately to the left of the TLD, is typically what registrants register. The domain name system is overseen globally by the Internet Corporation for Assigned Names and Numbers (ICANN), which has dramatically expanded the number of available TLDs in recent years.

Domain Names as Property

Registries and registrars have historically taken the position that domain names are not property. CIRA's Registrant Agreement, for instance, expressly states that a domain name registration does not create any proprietary right. However, Canadian courts have pushed back against this characterization in significant ways.The leading authority is Tucows.com Co v Lojas Renner SA, 2011 ONCA 548. The Ontario Court of Appeal held that a domain name shares the principal characteristics of personal property and qualifies as personal property under Ontario law. The Court reasoned that the registrant of a domain name has the right to direct traffic to the corresponding website exclusively and to exclude all others from using the same name, the same bundle of attributes that defines property at common law. The decision had two significant downstream consequences: it grounded jurisdiction over a foreign trademark holder by reference to the domain name as property situated in Ontario, and it opened the door to proprietary remedies (constructive trust, conversion, the use of Mareva-style preservation orders) where domain names are wrongly transferred or held. Subsequent Ontario decisions have applied Tucows to confirm that a domain name can be corporate property even if it was registered in the name of an individual employee or contractor, a frequent fact-pattern in start-up and dissolution disputes.

The characterization of domain names as property has important downstream consequences: it supports the use of proprietary claims in litigation, enables domain names to be treated as assets in corporate transactions, and provides a foundation for injunctive relief where domain names are transferred or used in breach of contract. Canadian courts have also held that a domain name can be corporate property even if it was registered in the name of an individual employee or contractor, a consideration that reinforces the importance of proper registration practices.

Registration Requirements and Portfolio Management

Domain names are generally available on a first-come, first-served basis. To register a domain name, the registrant must agree to the relevant registry's terms and conditions, which typically require: accurate contact information; a representation that the domain name and its proposed use will not violate applicable laws or third-party rights; and agreement to submit to the applicable dispute resolution policy in the event of a trademark conflict.

For .ca domain names, CIRA imposes Canadian Presence Requirements, restricting registrations to Canadian citizens, permanent residents, corporations incorporated in Canada, and certain other qualifying entities. This represents a material eligibility restriction that does not apply to gTLDs such as .com.

Sound portfolio management requires several disciplines:

• Register domain names in the name of the business entity, not individual employees, contractors, or web designers, a common source of expensive disputes on departure;
• Designate a domain name administrator and associate all registrations with a role-specific email address that the organization controls unconditionally;
• Register defensively across key TLDs (.com, .ca, and relevant new gTLDs) and common typographical variations that could be exploited by bad-faith registrants;
• Monitor registration renewal dates carefully, lapsed registrations are a frequent source of domain hijacking; and
• Register social media usernames on all major platforms simultaneously with domain names to prevent username squatting.

Domain Name Disputes: CDRP and UDRP

Where a domain name has been registered by a third party in bad faith, specialized dispute resolution mechanisms exist to reclaim it, often faster and less expensively than conventional litigation. For .ca domains, the CIRA Domain Name Dispute Resolution Policy (CDRP) is administered by CIRA and can result in transfer or cancellation of the registration, with a distinctly Canadian orientation reflecting CIRA's Canadian Presence Requirements. For most gTLDs (.com, .net, .org, and others), the Uniform Domain-Name Dispute-Resolution Policy (UDRP) is administered by ICANN-approved providers such as WIPO, NAF, and the ADNDRC, and operates as a global instrument applicable across participating gTLDs.

Under both the CDRP and the UDRP, the complainant must establish three elements to succeed: first, that the disputed domain name is identical or confusingly similar to a trademark or other right in which the complainant has an interest; second, that the registrant has no legitimate interest in the domain name; and third, that the domain name was registered and is being used in bad faith. The burden rests on the complainant throughout.

Under the CDRP, the complainant must hold a prior right that is recognized under Canadian law, which can include a registered trademark, a common law trademark arising from use in Canada, a personal name, or a trade name. The UDRP's scope is broader, operating as a global instrument applicable across participating gTLDs.

Cybersquatting

Cybersquatting is the bad-faith registration of a domain name that incorporates another party's trademark or name, typically with the intention of selling it to the legitimate owner at a premium, diverting Internet traffic, or tarnishing the brand. Classic examples include registering a well-known brand's name with a different TLD, registering deliberate misspellings of well-known domains (known as "typosquatting"), and registering domain names incorporating the personal names of prominent individuals.

Beyond the CDRP and UDRP, cybersquatting can give rise to trademark infringement claims, passing off claims, and, where the registered domain is used to publish defamatory content, defamation claims. Particularly where a cybersquatter is operating outside Canada or using multiple proxy registrations, early legal intervention, including injunctive relief, is often necessary to prevent ongoing damage to the brand.

Trademark law under the Trademarks Act, R.S.C. 1985, c. T-13 protects brand owners from the unauthorized use of their marks, from the use of confusingly similar marks, and from conduct that depreciates the value of a mark. In the social media and Internet environment, these principles are tested constantly, through username squatting, impersonation, metatag manipulation, and keyword advertising.

Unauthorized Use: Squatting and Impersonation

Unauthorized trademark use on social media takes several forms. Username squatting, also known as social media cybersquatting, occurs when a third party registers a username consisting of another party's trademark or personal name, preventing the legitimate owner from establishing a presence under that name. Unlike domain name disputes, most social media platform dispute mechanisms are governed by the platform's own terms of service rather than by ICANN-sanctioned policies. Brand owners must familiarize themselves with the intellectual property enforcement policies of each platform they use before taking enforcement action, as those policies may not align with Canadian trademark law.

Impersonation goes a step further: a user creates an account purporting to represent an individual or company, then publishes content under that false identity for defamatory or commercially harmful purposes. Some social media platforms have implemented verification systems to assist legitimate rights holders, but the effectiveness of these systems varies and platform-level enforcement is not a substitute for legal action where damages have already occurred.

Metatags

Metatags are HTML elements embedded in a webpage's code that are not visible to ordinary visitors but are read by search engine crawlers and used to index the page. Including a competitor's registered trademark in a webpage's metatags, without displaying that trademark on the page itself, raises the question of whether this constitutes trademark infringement or passing off.The leading Canadian authority is Red Label Vacations Inc (cob Redtag.ca) v 411 Travel Buys Ltd, 2015 FCA 290, affirming 2015 FC 19. Both the Federal Court and the Federal Court of Appeal held, on the facts of that case, that the defendant's invisible-to-users use of the plaintiff's registered trademarks in metatags did not, in isolation, create a likelihood of confusion sufficient to ground infringement under s 20 of the Trademarks Act or passing off under s 7(b). Critically, however, the Federal Court of Appeal declined to lay down a categorical rule. The Court expressly observed that inserting a registered trademark in a metatag may, depending on the surrounding circumstances, constitute advertising of services and so found a basis for an infringement claim. The decision is therefore best read as fact-specific rather than as immunising metatag use generally; what matters is how the metatag manifests in the search-results display the consumer actually encounters.

Keyword Advertising

Keyword advertising is the practice of purchasing search engine keywords, so that a business's advertisement appears when a user searches for a particular term, including, controversially, a competitor's trademark. The question is whether purchasing a competitor's trademark as a keyword constitutes passing off or trademark infringement.The leading Canadian authority is Vancouver Community College v Vancouver Career College (Burnaby) Inc, 2017 BCCA 41. The British Columbia Court of Appeal unanimously reversed the trial judge and held that the relevant moment of confusion in the keyword-advertising context is the consumer's first impression of the search-results page, not the moment the consumer arrives at the advertiser's landing page. That timing matters because consumers form lasting brand associations from the search-results display itself; an advertiser who has purchased a competitor's mark as a keyword and presents itself in a way that capitalises on that initial impression cannot cure the confusion by clarification on a later page. The Court granted a permanent injunction restraining the defendant's use of "VCC" and "VCCollege" online. The decision also confirms, however, that the bare act of bidding on a competitor's keyword is not, standing alone, passing off; the inquiry turns on how the advertiser presents itself once the consumer encounters the result. The Federal Court has acknowledged a related but unresolved tension between the metatag and keyword-advertising lines of authority in the hashtag context.

The Federal Court has taken a nuanced position on the related practice of using a competitor's trademark as a hashtag, acknowledging conflicting approaches between the metatag and keyword advertising lines of authority without resolving the tension. The practical takeaway is that businesses bidding on competitors' keywords must pay close attention to how their advertisements are presented in the resulting search display, particularly the first impression a consumer will form upon seeing the results page.

Trademark Monitoring and Best Practices

Proactive trademark protection in the social media and Internet environment requires a combination of registration, monitoring, and policy enforcement. Best practices include:

• Register usernames incorporating the brand on all major platforms (Facebook, Instagram, X/Twitter, LinkedIn, TikTok, YouTube) immediately upon developing a new trademark, before a competitor or bad-faith actor can;
• Be aware that some platforms (including X/Twitter) will deactivate accounts after extended inactivity, creating windows of vulnerability for legitimate brand owners;
• Engage a brand protection service to systematically "watch" social media platforms for unauthorized and brand-damaging use, a practice known in the industry as social media watching;
• Register trademarks with the Trademark Clearinghouse, a global repository that provides notice to domain name registrants of potential conflicts through the Trademark Claims Service and allows priority registration through the Sunrise Service before new TLDs are opened to general registration;
• Note that Canada has eliminated the historical requirement that a trademark be used prior to registration, creating heightened risk of trademark trolling, particularly in the online space where marks may be visible before being registered. Early filing is more important than ever; and
• Establish social media policies explicitly prohibiting employee use of third-party trademarks and intellectual property, which may assist in limiting employer liability for employee misconduct.

Worldwide Injunctions Against Search Engines

Canadian courts have demonstrated a willingness to grant injunctions with worldwide extraterritorial effect against search engines, a development of significant practical importance for brand and rights holders dealing with online infringement.The foundational authority is Google Inc v Equustek Solutions Inc, 2017 SCC 34, [2017] 1 SCR 824. Abella J for the majority of the Supreme Court upheld a worldwide interlocutory injunction requiring Google to delist specified websites from all of its search results globally (not merely from google.ca) where the defendant websites were selling counterfeit goods in violation of the plaintiff's trade-secret and intellectual-property rights. The Court rejected Google's argument that the British Columbia court lacked jurisdiction or was overreaching, holding that the court had in personam jurisdiction over Google because Google carried on business in the province, and that injunctive relief aimed at maintaining the rule of law is not necessarily limited to the parties to the litigation. The decision is the working source of authority for the proposition that Canadian courts can compel global search-engine de-indexing where case-by-case URL takedown produces an unmanageable "whac-a-mole" pattern. Following Equustek, the Federal Court has also issued orders requiring infringers to transfer social-media accounts incorporating registered trademarks to the rights holder, a remedy counsel should plan for from the outset of any contested online-IP enforcement file.

For businesses pursuing online intellectual property enforcement, the Equustek decision establishes that Canadian courts can compel search engines to take down not just specific URLs but categories of infringing content globally. Federal Court precedent also supports orders requiring parties using trademarks without authorization to transfer social media accounts incorporating those marks to the legitimate brand owner, a remedy that should be included in trademark litigation strategy from the outset.

Scope of Copyright

Copyright under the Copyright Act, R.S.C. 1985, c. C-42 is the sole right to produce, reproduce, perform, publish, or otherwise exercise specified rights in relation to original literary, dramatic, musical, and artistic works. Copyright arises automatically upon the creation of an original work, without registration. It encompasses not only reproduction rights but also moral rights, the right of an author to be or not to be associated with a work, and the right to the integrity of the work (i.e., the right to prevent modification or use in a manner prejudicial to the author's honour or reputation). Moral rights cannot be assigned but can be waived, and a copyright assignment does not operate as a waiver of moral rights.

In the social media context, virtually every piece of user-generated content, photographs, videos, written posts, graphic designs, musical compositions, is a copyright work as soon as it is created. The person who uploads content to a social media platform does not surrender copyright in that content simply by posting it; however, the platform's terms of service typically require the user to grant the platform a broad licence to host, display, reproduce, and distribute the content. The scope of that licence, and its interaction with Canadian copyright law, is a recurring area of dispute.

Fair Dealing: Parody, Satire, and User-Generated Content

The Copyright Act was significantly modernized in 2012 to expand the categories of activity qualifying as "fair dealing", exceptions to copyright infringement that operate as complete defences. The newly added fair dealing activities of direct relevance to social media are parody (the use of a copyrighted work to ridicule that work itself), satire (the use of a copyrighted work to mock something other than the original work itself, for example, using a song or image to make a political point), and non-commercial user-generated content (the so-called "mashup" or "YouTube exception", the creation of a new work incorporating an existing work for non-commercial purposes, with acknowledgment of the source, that does not have a substantial adverse effect on the original work's market).

To qualify as permissible non-commercial user-generated content, the Copyright Act requires that the activity: involve creation of a new work; use a published work in which the user reasonably believes no infringement is present; serve non-commercial purposes; acknowledge the source where reasonable; and not have a substantial adverse effect, financial or otherwise, on the exploitation of the underlying work, including by substituting for it in the market. The interaction between these statutory fair dealing provisions and platform-specific terms of use, which may be more or less permissive, requires careful analysis. A court may find copyright infringement notwithstanding that a platform's terms of use purport to permit a particular use.

Copyright Infringement Online

Canadian courts have awarded substantial damages for online copyright piracy and have developed the procedural tools necessary to identify infringing users.The substantive infringement test that frames these damages awards is set by the Supreme Court of Canada's decision in Cinar Corp v Robinson, 2013 SCC 73, [2013] 3 SCR 1168. McLachlin CJ for the Court confirmed that infringement is to be assessed using a qualitative and holistic approach, asking whether a substantial portion of the originality in the plaintiff's work has been copied, with substantial portion measured cumulatively across all copied features in the context of the whole original work rather than feature by feature. The Court drew an important distinction between perceptible similarities (those a viewer can directly observe) and intelligible similarities (structural, atmospheric, or experiential resemblances that emerge from analysis). Both categories count toward substantial copying. The Cinar framework has particular bite in the online environment, where infringement of website and mobile application interface design, of audiovisual content layout, and of game and platform mechanics is rarely a matter of pixel-for-pixel reproduction and often turns on the intelligible-similarity inquiry. Cinar also confirmed punitive damages and aggravated damages as available heads of recovery in serious copyright cases, a feature that has anchored the larger Federal Court damages awards in online piracy litigation. The Federal Court has awarded what is believed to be the largest copyright infringement damages award issued by Canadian courts, $10.5 million, including $10 million in statutory damages and $500,000 in punitive and exemplary damages, for unauthorized downloading, streaming, and copying of television episodes over the Internet, expressly citing the need for punishment and deterrence.

The Federal Court has also ordered Internet Service Providers (ISPs) to disclose subscriber information to rights holders pursuing claims against alleged infringers, subject to conditions designed to protect subscriber rights: the case must be specially managed; the plaintiff must pay the ISP's compliance costs; all correspondence must disclose the order and make clear that no court has yet ruled on the subscriber's liability; and subscriber information must remain confidential and not be disclosed publicly.

Technological Neutrality

The principle of technological neutrality holds that the Copyright Act should not be interpreted or applied to favour or discriminate against any particular method of delivering content to an end user. Where a new technology simply provides a more efficient means of doing something that was already legally permissible, it should not attract additional copyright royalties solely by virtue of using a different technological mechanism.

The technological neutrality principle has direct implications for Internet-based content delivery. The Supreme Court has confirmed that downloading a digital file is a reproduction, while streaming constitutes communication to the public by telecommunication, a distinction that affects which royalty regimes apply. The same logic applies to mobile applications, ringtone downloads, and other Internet-delivered content, and continues to be litigated as new delivery mechanisms emerge.

Patents under the Patent Act, R.S.C. 1985, c. P-4 grant the patentee the exclusive right to make, construct, use, and sell the subject matter of an invention in exchange for public disclosure of that invention. In the social media and Internet context, the most commercially significant categories of patents are software patents and business method patents, both of which remain areas of evolving and uncertain law in Canada.

Business Method Patents

A business method patent is intended to protect an innovative way of conducting business. The leading Canadian authority is the Federal Court of Appeal's decision in Canada (Attorney General) v. Amazon.com, Inc., 2011 FCA 328, which considered Amazon's "one-click" ordering system, an interface allowing a customer to purchase goods with a single mouse click by using stored payment and shipping information. The Court declined to determine definitively whether the one-click system was patentable subject matter, but its analysis strongly suggested that both business methods and software could be patentable in appropriate circumstances. CIPO ultimately issued Amazon's one-click patent following the decision.

Following Amazon, CIPO rescinded its earlier practice notice and issued two replacement practice notices clarifying its approach to business method and computer-implemented inventions. The Patent Office confirmed that it no longer assesses patentability based on notions of "substance", "inventive concept", or "inventive contribution", concepts that had been used to deny patents to software and business methods at the application stage.

Computer-Implemented Inventions

The patentability of computer-implemented inventions turns critically on whether the claimed invention amounts to something more than a mathematical calculation or an abstract idea. The Federal Court of Appeal's earlier decision in Schlumberger Canada Ltd. v. Commissioner of Patents (affirmed by Amazon) held that mathematical operations, as such, are not patentable. Patent Appeal Board decisions since Amazon have applied this framework in both directions: claims involving multi-node computer systems are more likely to constitute patentable subject matter than processes that occur entirely within a single computer.

The current test, as clarified by CIPO and the Patent Appeal Board, requires that a computer-implemented invention have a "physical existence" or "manifest a discernible effect or change", that is, something more than a well-known instrument such as a computer merely implementing an abstract method or performing mathematical calculations. Claims that are primarily mathematical in nature, even when implemented on a computer, face a significant patentability challenge. Applicants in this space should engage patent counsel early in the development process to assess whether the invention can be claimed in a manner that satisfies the physicality requirement and to evaluate the strategic business case for a patent application.

PIPEDA and the Federal Framework

The Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (PIPEDA) governs how private-sector organizations collect, use, and disclose personal information in the course of commercial activities. PIPEDA applies federally, but it also applies to organizations operating in provinces that have not enacted substantially similar legislation, which includes Ontario. PIPEDA is built around ten Fair Information Principles drawn from the Canadian Standards Association's Model Code for the Protection of Personal Information: accountability, identifying purposes, consent, limiting collection, limiting use, disclosure and retention, accuracy, safeguards, openness, individual access, and challenging compliance.

For organizations operating in the social media and Internet environment, PIPEDA's most consequential requirements include: the obligation to obtain meaningful consent before collecting, using, or disclosing personal information; the obligation to identify, in advance, the purposes for which personal information is being collected; the obligation to limit collection, use, and disclosure to those purposes; the obligation to safeguard personal information with security appropriate to its sensitivity; and the obligation to report to the Office of the Privacy Commissioner of Canada (OPC), and to notify affected individuals of, any breach of security safeguards that creates a real risk of significant harm. Failure to report a breach is itself an offence under PIPEDA, punishable by fines of up to $100,000 per violation.

Bill C-27, the proposed Consumer Privacy Protection Act (CPPA), was introduced to replace PIPEDA with a more modern regime that would, among other things, dramatically increase administrative monetary penalties (up to 5% of global gross revenue or $25 million, whichever is greater), introduce a private right of action for affected individuals, and give the Privacy Commissioner expanded order-making powers. Although Bill C-27 has not yet been enacted, organizations operating in the digital space should structure their privacy programs in anticipation of these heightened obligations.

CASL

Canada's Anti-Spam Legislation (CASL) regulates the sending of commercial electronic messages (CEMs) to electronic addresses in Canada. CASL is widely considered among the most stringent anti-spam regimes in the world. Its core requirements are: consent (express or implied) must be obtained before sending a CEM; identification of the sender (and the person on whose behalf the message is sent) must be clear within the message; and an unsubscribe mechanism that operates immediately and free of charge must be functional for at least 60 days after the message is sent.

Express consent requires an affirmative act, ticking a box, signing a form, providing an email address in response to a specific consent request. Pre-checked boxes and bundled consent (where consent to marketing is bundled with consent to terms of service) are not valid. Implied consent arises in limited circumstances, including an existing business relationship (a purchase within the preceding two years, an inquiry within the preceding six months) or where a business email address has been conspicuously published without a statement that the address holder does not wish to receive unsolicited messages.

Administrative monetary penalties under CASL can reach $1 million per violation for individuals and $10 million per violation for organizations. The Canadian Radio-television and Telecommunications Commission (CRTC) is the primary enforcement agency, but the Competition Bureau and the OPC have parallel enforcement roles for related conduct. CASL also creates a private right of action, which has been suspended by Order in Council but could be reinstated.

Privacy Obligations for Online Operators

Beyond the strict requirements of PIPEDA and CASL, Ontario businesses operating online face a range of privacy-related obligations that arise from a combination of statute, case law, and contractual obligation. These include:

• Privacy policy publication, a clear, comprehensive privacy policy must be readily accessible from every page of a website that collects personal information, identifying the types of information collected, the purposes of collection, third parties to whom information is disclosed, and the rights of individuals to access and correct their information;
• Cookie consent, although Canadian law has not adopted a U.S./EU-style explicit cookie consent regime, the OPC has issued guidance that consent to the use of cookies (particularly third-party advertising cookies) must be meaningful, which in practice often requires a cookie banner with affirmative acceptance;
• Cross-border transfers, where personal information is transferred outside Canada for processing (e.g., to a cloud service provider in the U.S.), individuals must be made aware of the transfer and the resulting risks, and the organization remains accountable for the protected information;
• Tort liability, the Ontario Court of Appeal recognized the tort of intrusion upon seclusion in Jones v. Tsige, 2012 ONCA 32, creating a private right of action for invasion of privacy in appropriate cases. The tort has been applied in social media and Internet contexts where an individual's personal information has been accessed or shared without authorization; and
• Class action exposure, large-scale privacy breaches involving personal information of multiple individuals create significant class action exposure, particularly where breach notification is delayed or inadequate.

The Electronic Commerce Act, 2000

Ontario's Electronic Commerce Act, 2000, S.O. 2000, c. 17 (ECA) provides the foundational legal framework for the use of electronic information and documents in Ontario. The ECA establishes two core principles that have made e-commerce legally workable: functional equivalence, the proposition that information or documents are not invalid or unenforceable simply because they exist in electronic form; and technological neutrality, the proposition that the law should not favour any particular technology for the creation, transmission, or storage of electronic information.

The ECA applies to electronic information and documents used in connection with any activity to which provincial law applies, with limited exceptions (wills, codicils, trusts created by wills or codicils, powers of attorney for personal care, and documents creating or transferring interests in land, the last of which has subsequently been opened to electronic signature through other legislation). The ECA addresses electronic contract formation, the legal effect of electronic signatures, the recognition of electronic records as written information, the timing and place of dispatch and receipt of electronic communications, and the use of electronic agents in contract formation.

Formation of Online Contracts

The core requirements for contract formation, offer, acceptance, consideration, intention to create legal relations, and certainty of terms, apply equally to online contracts as they do to traditional written or oral contracts. The ECA confirms that an offer or acceptance, or a contract more generally, may be expressed by means of electronic information or documents (s. 19). The same provision confirms that an electronic agent (an automated computer system) can be a party to contract formation; if no individual on the user's side reviewed the actions of the agent, that fact does not invalidate the contract.

The legal effect of online consent mechanisms has been refined through Canadian case law. There are three principal models:

• Clickwrap agreements require the user to take an affirmative action, typically clicking a button labelled "I agree" or "Accept", after being presented with the terms. Clickwrap is the most defensible form of online agreement and is consistently enforced by Canadian courts;
• Browsewrap agreements purport to bind users by their continued use of a website, with the terms accessible through a hyperlink at the bottom of the page or in the navigation menu. Browsewrap is significantly more difficult to enforce, as courts will scrutinize whether the user had reasonable notice of the terms and whether the manner of presentation was sufficient to constitute acceptance; and
• Hybrid models, sometimes called "sign-in-wrap" or "modified clickwrap", combine elements of both, for example, presenting terms above a registration button with a statement that the user accepts the terms by clicking the button. The enforceability of hybrid models depends on the specific implementation.

Terms of Use and Terms of Service

Terms of use (or terms of service) are the core contractual document governing the relationship between a website operator and its users. A comprehensive terms of use document should address: the scope of the licence granted to users; restrictions on user conduct; intellectual property ownership of site content and user-generated content; the operator's right to remove content and terminate accounts; disclaimers of warranties and limitations of liability; indemnity obligations; dispute resolution and choice of law; and provisions governing the amendment of the terms.

Particular attention should be paid to enforcement-related provisions, including arbitration clauses and class action waivers (which face heightened scrutiny in consumer contexts), forum selection clauses (which can be defeated where the consumer would be unduly burdened by litigating in a foreign jurisdiction), and limitation of liability clauses (which must comply with applicable consumer protection legislation). For consumer-facing websites, terms of use must be drafted with Ontario's Consumer Protection Act, 2002 firmly in mind, as that statute renders unenforceable a wide range of terms that purport to limit consumer rights.

Consumer Protection Online

The Consumer Protection Act, 2002, S.O. 2002, c. 30 (CPA) regulates a range of consumer transactions, including those conducted online. The CPA distinguishes between several categories of agreement, each subject to its own set of rules:

• Internet agreements, agreements formed by text-based Internet communication where the consumer pays at least a prescribed amount ($50), require the supplier to disclose specific information prescribed by regulation, provide an opportunity to accept or decline the agreement before its formation, and deliver a copy of the agreement within 15 days. Consumers can cancel within seven days of receiving the agreement copy, or up to one year later if the prescribed information was not provided;
• Distance agreements, agreements not formed in person at the supplier's place of business, including those formed by phone, mail, or fax, are subject to similar but distinct disclosure and cancellation rules; and
• Future performance agreements, agreements for goods or services to be delivered in the future and exceeding a prescribed amount, require specific written content and provide for cancellation if that content is not provided.

The CPA also prohibits "unfair practices", false, misleading, or deceptive representations and unconscionable representations. A consumer who has entered into an agreement after being misled by an unfair practice has a statutory right to rescind the agreement and to recover damages. Critically, the CPA renders unenforceable any term that purports to require a consumer to waive a right under the CPA or to submit a dispute to arbitration outside Canada. Compliance with these provisions is a frequent area of regulatory examination and class action exposure for online operators.

Defining Virtual Property

Virtual property refers to digital items that exist within networked computer systems, primarily online games, virtual worlds, and blockchain-based platforms. These items can include avatars, characters, in-game items (weapons, armor, vehicles, currency), virtual real estate, and unique identifiers such as usernames or web addresses. Canadian courts have not yet definitively classified virtual property within the traditional categories of property law, although the discussion of domain names as personal property in Tucows.com Co. v. Lojas Renner S.A., 2011 ONCA 548 (Chapter 3 above) provides important analytical guidance.

The legal characterization of virtual property has significant practical consequences: it affects the availability of property-based remedies (replevin, conversion, constructive trust), the tax treatment of transactions involving virtual property, the treatment of virtual property in matrimonial and estate proceedings, and the application of consumer protection legislation to virtual property transactions. As the commercial significance of virtual property continues to grow, particularly in the metaverse and Web3 contexts, these questions will become increasingly important.

Virtual Goods as a Market

The market for virtual goods has grown into a multi-billion-dollar global industry. Major game platforms generate substantial revenue from in-game purchases of virtual items, while secondary markets have developed where users buy, sell, and trade virtual goods (often in contravention of the platform's terms of service). The rise of non-fungible tokens (NFTs) has created a new category of virtual property, blockchain-recorded ownership rights in digital items, that operates somewhat outside traditional platform control.

Disputes arising from virtual goods transactions raise novel questions: When a player's account is suspended, what happens to the virtual goods accumulated in that account? When a platform shuts down, what rights do users have to virtual goods purchased on that platform? When a virtual good is "stolen" through phishing or hacking, what remedies are available? These questions are currently governed primarily by platform terms of service, which typically reserve broad discretion to the platform operator, but the enforceability of those provisions is increasingly being tested.

Crypto-Assets

Crypto-assets, including cryptocurrencies (such as Bitcoin and Ether), utility tokens, security tokens, and non-fungible tokens, present a distinct set of legal issues. The Canadian Securities Administrators (CSA) and Investment Industry Regulatory Organization of Canada (IIROC, now CIRO) have issued guidance clarifying that many crypto-assets are securities under Canadian law, particularly where they have characteristics of investment contracts, and that platforms facilitating their trading must comply with securities laws.

The application of Canadian securities law to crypto-asset trading platforms has been a significant area of regulatory focus. Several major crypto trading platforms have entered into settlement agreements with the Ontario Securities Commission, and other Canadian crypto trading platforms have ceased operations or restructured their offerings to comply with Canadian regulatory requirements. Operators in this space must structure their offerings carefully and obtain appropriate registrations or exemptions.

Taxation of Virtual Property

The Canada Revenue Agency (CRA) has issued guidance on the tax treatment of virtual goods and crypto-assets. The CRA generally treats cryptocurrencies as commodities rather than currency, with the result that dispositions of cryptocurrency, including using cryptocurrency to purchase goods or services, can trigger taxable transactions. Whether a particular disposition generates business income or a capital gain depends on the facts: factors include the frequency of transactions, the period of ownership, the intention at the time of acquisition, and the nature and quantity of crypto-assets held.

For taxpayers who hold significant crypto-asset portfolios, careful planning is essential. Issues that frequently arise include: maintaining adequate records of acquisition cost and disposition proceeds across multiple platforms and wallets; the treatment of mining and staking rewards as income; the GST/HST implications of using crypto in commercial transactions; and the application of the principal residence exemption to NFTs that purport to represent real-world residential real estate. The CRA has begun to use enhanced data-gathering tools, including audit demands directed at crypto trading platforms, to identify undisclosed crypto income. Voluntary disclosure may be appropriate in some cases.