
Privacy class actions: expectation of privacy

May 4, 2026


Privacy Jurisprudence Review

Hvitved v. Home Depot of Canada Inc., 2026 BCCA 39

Facts

The plaintiff, Lasse Hvitved, alleged that Home Depot violated customers’ privacy rights by collecting their email addresses and purchase information — ostensibly provided for the purpose of receiving electronic receipts — and disclosing this information to Meta Platforms Inc.

The plaintiff sought to certify four claims: breach of privacy legislation (British Columbia, Saskatchewan, Manitoba, and Newfoundland and Labrador); intrusion upon seclusion; unjust enrichment; and breach of contract. The chambers judge certified the breach of privacy claim but struck the remaining three causes of action.

The plaintiff appealed the decision to strike the breach of contract claim only, and Home Depot cross-appealed certification of the breach of privacy claim.

Decision

The Court of Appeal dismissed both the appeal and the cross-appeal.

With respect to Home Depot’s cross-appeal, the Court held:

  • The contextual nature of a privacy inquiry under subsection 1(1) of the Privacy Act, R.S.B.C. 1996, c. 373 (the B.C. Privacy Act) does not preclude a finding of commonality where there is some basis in fact for a common experience among class members. The Court found that in this case, the chambers judge had identified a common experience among class members, namely the type of purchasing information collected, how it was collected and the use made of it.
  • Non-Facebook users should not be excluded from the defined class. The Court found there was some basis in fact — on the face of the defendant’s own pleadings and evidence — that Home Depot shared information about most, if not all, of the proposed class members, and the mere fact of a transfer of personal information constituted a potential breach.
  • Corporations should not be excluded from the defined class. The Court agreed with the chambers judge that the question of whether a corporation can advance a claim under provincial privacy legislation in the absence of an express exclusion is best left for trial.

With respect to the plaintiff’s appeal, the Court confirmed that the pleading did not include material facts, including with respect to the formation of the contract, the contract’s form or scope, or specific contractual terms governing the collection, use, maintenance, protection and non-disclosure of personal information.

Key takeaways

This case demonstrates that B.C. courts are prepared to strike claims based on deficient pleadings, characterized in this case as “boiler plate”. A warning to plaintiffs: claims that are not properly pleaded appear less likely to withstand scrutiny. A caution to defendants: this decision affirms that a contextual inquiry under provincial privacy statutes does not rule out commonality if there is some factual basis for a shared experience among class members. The decision leaves open the question of whether corporations may advance claims under the B.C. Privacy Act.


Lam v. Flo Health Inc., 2025 BCSC 993

Facts

Having been partially successful in her initial certification application, in Lam v. Flo Health Inc., 2024 BCSC 391, the plaintiff filed an amended pleading (the Amended FANOCC) and sought certification in respect of breach of express and implied contractual terms relating to the protection of personal information and breaches of the duty of good faith and honest performance.

The plaintiff alleges that the defendant, Flo Health Inc. (Flo), the company that operates the Flo Health & Period Tracker application (the App), intentionally disseminated highly sensitive personal information with which users had entrusted it, including menstrual cycle dates, pregnancy status, and symptoms. To use the App, users had to consent to a standard-form agreement that incorporated Flo’s terms of use and privacy policy (the Privacy Policy). The Privacy Policy had been amended 13 times during the class period.

Decision

The Court certified the additional causes of action, together with corresponding common issues, finding as follows:

  • Lam adequately pleaded express and alternatively implied terms of the contract, relying on language in the Privacy Policy stating that personal information would “never be sold or rented out to third parties” as well as the presumed intentions of the parties that Flo would protect the personal information users input into the App as being necessary to give business efficacy to the contract. Lam also adequately pleaded breach of the duty of good faith and honest performance. Flo’s argument that the Privacy Policy permitted some disclosure effectively asked the Court to interpret the Privacy Policy at the certification stage, which would not be appropriate in the absence of an evidentiary record.
  • Lam’s claim that Flo breached the contract by failing to obtain meaningful consent to the disclosure was not bound to fail. The Amended FANOCC alleged that the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (PIPEDA), as mandatory legislation, governs whether Flo obtained proper consent to its data-sharing practices. Lam’s claim that any sharing of information was made without consent, to the extent the consent Flo argues it had was not compliant with PIPEDA, was novel but was not bound to fail.
  • It was not plain and obvious the remedy of disgorgement could not succeed. Lam pleaded that Flo used class members’ personal information for profit and to grow its business and revenues from targeted advertising. The Court accepted that class members may have a legitimate interest in preventing Flo from profiting from their personal information where they did not agree to its use in that manner.
  • On commonality under paragraph 4(1)(c) of the Class Proceedings Act, R.S.B.C. 1996, c. 50 (the CPA), the 13 iterations of the Privacy Policy did not preclude common resolution. Material differences between the policies would merely give rise to subclasses, which is not a bar to certification under section 7 of the CPA.

Key takeaways

The threshold for amending pleadings, even post-certification, remains low in B.C. Breach of contract claims in privacy class actions can survive certification where the plaintiff pleads specific express or implied contractual terms with sufficient particularity, rather than relying on generic assertions. The availability of disgorgement as a remedy in privacy-related breach of contract claims remains a live issue, particularly where users did not pay a fee for the service and compensatory damages may be minimal, but where the defendant allegedly profited from the very conduct constituting the breach.


Nagar c. Desjardins sécurité financière, Compagnie d’assurance-vie, 2025 QCCS 2720

Facts

The plaintiffs, Arielle Nagar (Nagar) and Giovana Feth (Feth) (collectively, the Plaintiffs), students at Concordia University and McGill University, respectively, were automatically enrolled in a group insurance plan and unknowingly paid the associated premiums. They sought authorization to institute a class action on behalf of all students enrolled in a CÉGEP or university who were automatically enrolled in a health, medical or dental insurance plan, for which they paid premiums either directly to the defendants or for the defendants’ benefit.

The proposed class action was brought against Desjardins Financial Security Life Insurance Company (the Insurer), Alliance pour la santé étudiante au Québec inc. (ASEQ), Concordia University (Concordia) and McGill University (McGill) (collectively, the Defendants).

In their application, the Plaintiffs raised five causes of action against the Defendants:

  • the illegality of automatic enrollment without the class members’ informed consent
  • failure to adequately inform students of the insurance’s optional nature and the opt-out mechanism
  • abusive and arbitrary opt-out deadlines
  • violations of the Québec Consumer Protection Act, C.Q.L.R., c. P-40.1 (the Québec CPA) and
  • communication of the class members’ personal information to the Insurer without consent, in violation of privacy rights

With regard to the privacy-related claim, the Plaintiffs alleged violations of section 5 of the Act respecting the protection of personal information in the private sector, C.Q.L.R., c. P-39.1 (the Québec Private Sector Act), asserting that the Defendants did not lawfully collect or communicate their personal information, and that class members never consented to its sharing with or between ASEQ and the Insurer. They also alleged that the Defendants’ conduct breached class members’ privacy rights under section 5 of the Charter of Human Rights and Freedoms, C.Q.L.R., c. C-12 (the Québec Charter).

Decision

The Superior Court of Québec authorized the class action and found that the Plaintiffs had arguable claims regarding the legality of automatic enrollment in group insurance, the adequacy of information provided about the opt-out right and related deadlines and the allegedly abusive nature of those deadlines. It also held that the Plaintiffs could invoke the Québec CPA against the universities under sections 228 and 230, alleging unsolicited insurance charges and inadequate disclosure on tuition invoices, and that ASEQ and the Insurer could plausibly be held extracontractually liable for their role in the automatic enrollment mechanism.

On the communication of class members’ personal information to the Insurer, the Court found a prima facie appearance of right, noting that this claim was inherently linked to the legality of automatic enrollment and the extent of ASEQ’s authority to act as a representative, even though the Plaintiffs did not allege specific damage resulting from the communication.

The Court also authorized the punitive damages claim under section 49 of the Québec Charter, finding that the Plaintiffs’ allegations — including the Defendants’ conduct regarding the class action and concerns raised by students — were sufficient in appearance to support the alleged intentional conduct.

On November 13, 2025, the Québec Court of Appeal granted leave to appeal the authorization judgment.

Key takeaways

This decision illustrates that a court may authorize a class action where the plaintiffs alleged that the communication of the class members’ personal information to a third party, without the class members’ prior consent, constitutes a violation of their privacy rights, even if the plaintiffs did not allege specific damage resulting from such communication.

It also highlights that businesses that collect and communicate personal information in the context of automatic enrollment or opt-out mechanisms should ensure that informed consent is obtained before communicating personal information to third parties, in order to limit litigation exposure.


Option Consommateurs c. Home Depot of Canada inc., 2026 QCCA 149

Facts

The appellant, Option Consommateurs, appealed a decision from the Superior Court of Québec partially authorizing a class action against Home Depot of Canada Inc. The dispute originated from Home Depot’s alleged communication of clients’ personal information to Facebook and Meta Platforms Inc. (collectively, Meta).

During the relevant period, Home Depot collected clients’ email addresses to send an electronic receipt for in-store and online purchases. The plaintiff alleges that Home Depot then communicated hashed versions of these email addresses, along with purchase details, to Meta.

On January 26, 2023, the Office of the Privacy Commissioner of Canada (OPC) published a report concluding that Home Depot had failed to obtain informed consent before disclosing client information.

The Superior Court authorized the class action solely for punitive damages under the Charter of Human Rights and Freedoms, C.Q.L.R., c. C-12 (the Québec Charter), denying authorization for compensatory damages on behalf of certain clients and individuals without a Facebook account. It also dismissed causes of action under the Québec Consumer Protection Act, C.Q.L.R., c. P-40.1 (the Québec CPA) and the Competition Act, R.S.C. 1985, c. C-34.

Decision

The Québec Court of Appeal partially granted the appeal.

On compensatory damages, the Court of Appeal held that the authorization judge erred in finding no demonstrated prejudice. It found that it was neither frivolous nor manifestly unfounded to argue that clients’ personal information had a value, which could give rise to compensation. While acknowledging limited allegations concerning the value of the personal information, and that, at first glance, Home Depot may have agreed to provide it without monetary compensation, the Court of Appeal emphasized that, at the authorization stage, Option Consommateurs needed only to demonstrate a mere “possibility” of success on the merits — not a “realistic” or “reasonable” one.

With regard to clients who purchased online, the Court of Appeal held that the authorization judge exceeded its role by assessing the probative value of the evidence and ruling on the intentional nature of the privacy violation, a question belonging to the merits. Noting that Home Depot’s privacy policy did not indicate that personal information could be shared with third parties for targeted advertising, the Court of Appeal expanded the class to include clients who purchased online. However, it upheld the exclusion of individuals without a Facebook account, as sharing a hashed email of such a person did not involve sharing personal information.

The Court of Appeal also found it unnecessary to address the Québec CPA claims, as compensatory and punitive damages claims were already defendable, reiterating that a single defensible claim on one legal basis suffices at the authorization stage. Nonetheless, it noted that the authorization judge erred in limiting sections 219 and 228 of the Québec CPA to the pre-contractual phase. The Court of Appeal also found that the authorization judge set an overly high threshold under the Competition Act and authorized claims against Home Depot for allegedly misleading customers about email use for commercial gain.

Key takeaways

This decision illustrates the low threshold for authorizing a privacy class action in Québec involving the alleged commercial use of personal information without consent. The Court of Appeal confirmed that it is arguable at the authorization stage that personal information communicated to third parties for commercial purposes has a monetary value, and that such claims should be left for the merits judge to decide. The decision also confirms that the authorization judge need only verify that at least one claim is arguable on one legal basis.

This decision further underscores that businesses sharing personal information with third parties for commercial purposes, including advertising measurement and targeted advertising, must obtain clear and informed consent, as vague or generic privacy policies may not meet that standard.


RateMDs Inc. v. Bleuler, 2025 BCCA 329

Facts

RateMDs.com hosts health professionals’ profiles — including contact information, anonymous ratings, reviews, and third party comments — and ranks them in comparison to other professionals offering similar health care services. The site generates revenue through paid subscriptions and third-party advertising.

The plaintiff, Dr. Ramona Bleuler, a B.C. physician, commenced a putative class action alleging that the website RateMDs.com, operated by the appellants RateMDs Inc., VerticalScope Holdings Inc. and VerticalScope Inc., violated the Privacy Act, R.S.B.C. 1996, c. 373 (the B.C. Privacy Act). She alleged RateMDs.com violated both section 1 of the B.C. Privacy Act (violation of privacy) and subsection 3(2) (unauthorized use of name or portrait of another). The proposed class included all health professionals in British Columbia and other provinces with statutory privacy torts who had a profile on RateMDs.com.

Dr. Bleuler alleged she discovered a profile had been created for her on RateMDs.com without her authorization; it contained numerous reviews. She pleaded that the appellants’ conduct violated her rights to be left alone and to be free from unwanted publicity, and that health professionals have an expectation that information they provided to regulators or patients would not be exploited by a for-profit company. The chambers judge certified the action as a class proceeding (with the exclusion of Québec residents), finding it was not plain and obvious that Dr. Bleuler’s pleaded privacy claims could not succeed.

On appeal, the appellants challenged the judge’s certification decision. The respondent filed a cross-appeal contesting the exclusion of Québec residents from the class.

Decision

The Court of Appeal allowed the appeal, setting aside the certification order and dismissing the action. The Court held that Dr. Bleuler’s pleading did not disclose a cause of action for the privacy torts under the B.C. Privacy Act.

Regarding the claim for violation of privacy, the Court concluded that the plaintiff had not pleaded material facts to establish that she had a reasonable expectation of privacy in respect of the information posted on RateMDs.com. The Court rejected Dr. Bleuler’s argument that her claim was based on “privacy as control” — the right of an individual to determine when, how and to what extent information about them is communicated. While acknowledging that the right to control the use of personal information is an aspect of the right to privacy, the Court held that this right arises only in respect of information that can properly give rise to a reasonable expectation of privacy.

Regarding the claim for unauthorized use of name, the Court held that it was plain and obvious the claim was bound to fail because there were no material facts pleaded to establish that the appellants had commercially exploited Dr. Bleuler’s identity to promote sales. Applying the “sales versus subject” distinction from Gould Estate v. Stoddart Publishing Co. (1996), 30 O.R. (3d) 520 (Gen. Div.), the Court found that health professionals are the “subject” of their profiles on RateMDs.com, in the same way that a biographical subject is the focus of a biography. The website provides information of value to the public about health professionals who provide a public service and does not use the health professionals’ names to commercially exploit their identities for the purpose of promoting sales.

Key takeaways

The right to control the use of personal information does not exist independently of a reasonable expectation of privacy in the underlying information. Professionals who offer services to the public cannot claim a reasonable expectation of privacy over publicly available information about their professional services simply because they do not wish to have that information compiled on a third-party website.

The decision clarifies that subsection 3(2) of the B.C. Privacy Act (unauthorized use of name or portrait of another) is not designed to capture any use of a plaintiff’s name or portrait by a defendant who expects to profit from that use. Depictions that serve a public interest in providing information about a plaintiff fall outside the scope of subsection 3(2).


Donegani v. Facebook Inc., 2025 ONSC 6020

Facts

The plaintiffs alleged that Facebook shared user data with various third-party applications and device makers. The plaintiffs sought certification of a national class. The Court’s decision followed the third certification hearing in this action. The Court had previously addressed the causes of action and common issues criteria in a December 2024 decision and directed the plaintiffs to propose a new class definition and to return for further argument on various criteria, including preferability.

Decision

The Court declined to certify the proceeding.

First, the proposed class definition was not workable. It was both over- and under-inclusive, and there was no evidentiary basis in the record that the underlying data would exist to construct the proposed Master Class List (an element of the plaintiffs’ proposed approach for identifying proposed class members with claims).

Second, a class proceeding was not the preferable procedure. The Court found that certifying a proceeding where the only remedy sought was nominal damages would not advance access to justice, behaviour modification, or judicial economy. The Court added that regulatory proceedings are a preferable mechanism for pursuing behaviour modification.

The Court also found that nominal damages could not be certified as a common issue because determining liability for nominal damages required individualized inquiries into which class members’ data had been shared.

Key takeaways

Ontario courts continue to find that a class proceeding seeking only nominal damages will typically not satisfy the preferable procedure criterion.


Trueman v. Rogers Communications Canada Inc., 2025 ONSC 5972

Facts

The plaintiff brought a proposed class action against Rogers Communications and Rogers Bank on behalf of approximately eight million customers in Ontario, Alberta and Québec. The plaintiff alleged that Rogers Communications assisted Rogers Bank in obtaining credit reports of Rogers Communications customers from Trans Union Canada Inc., a Canadian credit reporting agency, without those customers’ knowledge or consent. Rogers Bank, a separate legal entity from Rogers Communications, then used the credit checks to decide whether to promote its credit cards to Rogers Communications customers. The plaintiff discovered the practice when reviewing his credit report and complained to Rogers. The plaintiff also filed a complaint with the Office of the Privacy Commissioner of Canada, which launched an investigation.

Decision

The Court certified the class action on the basis of four asserted causes of action: breach of contract, breach of confidence, the tort of intrusion upon seclusion, and breaches of the Civil Code of Québec, C.Q.L.R., c. CCQ-1991, and the Québec Charter of Human Rights and Freedoms, C.Q.L.R., c. C-12. Justice Leiper held that the Office of the Privacy Commissioner of Canada’s complaint process did not represent a preferable alternative to a class proceeding, since the organization will not provide “substantive access to justice” to class members or address common law tort claims. Justice Leiper rejected the defendants’ argument that no compensable harm existed because the credit checks did not impact the credit scores of Rogers Communications customers. Justice Leiper held that general damages are available for an injury to an intangible interest such as a privacy right and noted that “the right to control one’s personal information is harmed by an intrusion whether there is any mental distress or upset, or even knowledge by the person concerned that the breach has taken place.”

The Court dismissed the defendants’ partial summary judgment motion seeking to enforce an exclusion clause in the Rogers Communications standard form consumer agreement that excluded certain categories of damages, including “breach of privacy” damages relating to its services “or any advertisements”. Justice Leiper applied the test for the application of exclusion clauses from Tercon Contractors Ltd. v. British Columbia (Transportation and Highways), 2010 SCC 4, and found that the second and third elements of the test — related to unconscionability and whether the clause should be unenforceable on public policy grounds — should be decided based on a complete record. Accordingly, he held that the case was not appropriate for summary judgment.

Key takeaways

This decision underscores that exclusion clauses in standard form agreements may face heightened scrutiny on grounds of unconscionability or public policy in cases where intentional statutory privacy violations are alleged. The Court reaffirmed that the harm that can arise from the mere loss of control over personal information, even without tangible financial impact, is sufficient to ground a claim in a class action proceeding.


Badji c. Zenleads inc., 2026 QCCS 5

Facts

The plaintiff, Cheikhou Badji (Badji), sought authorization to institute a class action on behalf of all Québec residents whose personal information was held, collected, used, communicated or commercialized without their consent by the defendant Zenleads Inc. (Zenleads), the operator of Apollo.io, a business intelligence platform.

Badji claimed that his Apollo.io profile disclosed personal information (including his full name, employer, job title, contact information and full professional history), along with a link to his LinkedIn profile, without his consent. Badji further claimed that Zenleads deploys a network of contributors to access client relationship management systems, email inboxes and electronic calendars to collect third-party personal information without knowledge or consent, intercepts electronic communications, uses a Google Chrome extension to circumvent LinkedIn privacy settings and engages in algorithmic profiling.

Badji alleged violations of the Act respecting the protection of personal information in the private sector, C.Q.L.R., c. P-39.1 (the Québec Private Sector Act), the Civil Code of Québec, C.Q.L.R., c. CCQ-1991 (the CCQ), and the Charter of Human Rights and Freedoms, C.Q.L.R., c. C-12 (the Québec Charter).

Zenleads contested the authorization of the class action, arguing that Apollo.io is a “business-to-business” platform for the exchange of digitalized business cards derived from public sources, and that the “professional information” exception under the Québec Private Sector Act applied.

Decision

The Superior Court of Québec authorized the class action and held that the information collected about Badji constituted personal information within the meaning of the Québec Private Sector Act and the CCQ and rejected Zenleads’ argument that the “professional information” exception applied. The Court further observed that Badji’s profile on Apollo.io could include extensive personal details, including a cellphone number and full professional history, and noted Zenleads’ admission that it did not obtain individual consent for profiles and that it profited commercially from this information.

The Court also found that disclosure of cellphone numbers and algorithmic profiling methods could plausibly violate privacy rights under the Québec Charter. However, the Court dismissed the claims based on professional secrecy as too hypothetical, and rejected reputation claims due to insufficient evidence of a personal violation.

The Court held that the allegations showed plausible harm from the commercial use of personal data, including loss of control and algorithmic profiling, warranting compensable damages. With respect to punitive damages, the Court concluded that the allegations were sufficient, noting that section 93.1 of the Québec Private Sector Act provides for punitive damages of at least $1,000 when an unlawful and intentional violation causes prejudice.

Therefore, the Court authorized the class action regarding most of the claims for punitive and compensatory damages but dismissed certain claims under the Québec Charter.

The Québec Court of Appeal granted leave to appeal on March 6, 2026.

Key takeaways

This decision highlights the significant legal exposure associated with alleged unauthorized data collection, use and resale, particularly in an era where personal data is increasingly recognized as a valuable corporate asset.

Notably, the Court’s refusal to apply the “professional information” exception under the Québec Private Sector Act in the context of this matter reflects a restrictive interpretation, which could be an indication that information traditionally categorized as professional in nature may be subject to privacy protections when used for purposes that extend beyond the original business context.