On December 3, 2020 we hosted a live webinar, “Platforms Are the New Cloud: Marketplaces, Delivery Services, Consumer Finance, and More”, where we discussed more in-depth the topics in this blog post. If you would like receive a link to watch a recording of this webinar or for more information, please e-mail [email protected].
The accelerated shift toward e-commerce has resulted in an uptick in the adoption of platforms of all kinds for businesses to market and sell products and interact with their customers. From online marketplaces, to last-mile fulfilment and delivery, to consumer financial services, digital e-commerce platforms are fast becoming a leading model for product and service delivery globally. By allowing each actor to focus on the functions they perform best, while relying on the strength of others to fill the gaps, platforms can seamlessly drive up efficiency for everyone involved.
Though platforms provide powerful solutions, they also give rise to numerous risks and liabilities, and introduce a complex web of relationships that can be challenging to manage. In this two-part blog series, we help unravel some of the admittedly untidy issues that commonly arise in platform delivery models. We also highlight possible ways to maximize the benefits of e-commerce platforms while limiting exposure.
Here in Part I, we identify some key platform considerations related to contracting and liability, privacy and data protection, and taxation. Part II follows with a look at issues in trade and product compliance, competition law and consumer protection. While much of the discussion in these posts will center around online marketplaces, most of the principles and considerations are equally relevant to other types of platforms.
Contracting and liability
A transaction conducted on a typical platform introduces many relationships – both contractual and extra-contractual, and often over-lapping. Where a transaction was once solely between the seller and the customer, with the introduction of a marketplace platform there could now be:
- a transaction between the seller and the customer;
- a services arrangement between the platform operator and the seller;
- terms of service between the customer and the platform operator;
- agreements between the courier and the platform operator; and
- interactions between the courier and numerous parties (e.g. the seller, the customer, the public at large).
This web introduces a lot of questions. Who is making the sale? What amounts are being paid, and between which actors? What services are being provided and by whom? Who is responsible for product issues? Who is responsible for legal compliance – and for which laws? Who deals with customer service? To what extent is one actor responsible for the malfeasance of another actor?
While the answers to these questions were generally straightforward in a traditional delivery model, there is no simple answer in a platform model and the answer will vary from one case to the next. Too often in the rush of negotiations these fundamental questions are ignored, and the resulting risks and liabilities are not adequately appreciated or managed – a recipe for unwelcome surprises down the road.
Actors can better position themselves for success by taking stock, at the outset, of the relationships involved, the governing contracts and the actors’ respective roles and responsibilities. Achieving a clear understanding of each of these elements will make it possible to put in place appropriate mechanisms to address the resulting risks and liabilities, including through customer notices, contractual indemnities, and internal operating policies and procedures.
Privacy and data security
When it comes to data, platform operators and sellers have a lot to think about. There are risks, such as data breaches and ever-increasing fines, and rewards, such as being able to understand and respond to customer needs in ways not possible for brick and mortar stores or single-seller e-commerce websites. Against a vibrant background of evolving privacy legislation, platform operators and sellers must start thinking about data on day one.
Both seller and operator will bear some responsibility for cybersecurity. Practically, the operator is in a better position to maintain the platform’s overall security, but sellers can be a source of risk, too. For example, if a hacker obtains a seller’s login credentials and then takes advantage of an error in the platform, the hacker could move across the platform to get information about other sellers and their customers. The seller might notice its own credentials were hacked, but fail to inform the operator. In this example, one can see how failures on both the part of both operator and seller can lead to data breaches.
While data breaches had been the central risk associated with personal information, a second risk is now on the horizon: Canada is poised to introduce administrative monetary penalties that could exceed $10 million, and for more serious violations, fines that could reach upwards of $25 million.
These penalties are a serious risk for both platform operators and sellers, especially given the fact that two or more businesses on a platform may have access to the personal information of the same individuals, thereby making multiple businesses potential controllers of that information. This overlap can also generate serious confusion when determining who has responsibility to respond to individuals’ personal information requests. Since failure to comply with such requests can attract fines, the platform services agreement should allocate responsibilities appropriately, while recognizing that platforms and sellers operate in multiple jurisdictions with different privacy law regimes.
Operators have access to data across multiple customers, while sellers will, at most, have access to their own customers’ data. In certain cases, operators will limit the data available to customers (for example, excluding email addresses if the operator provides communications tools). While less data flowing between fewer parties reduces the risk of data breach, it also limits a seller’s ability to understand its customers. Conversely, the operator may be able to gain a much deeper understanding of the platform’s customers than any one seller could. The benefit of that understanding might be something the operator can share with sellers without actually providing personal information, such as by providing information about trends and overall customer preferences. The scope of access to personal information should be a consideration when choosing a platform, and thought should also be given to what ancillary services the operator may provide based on its detailed understanding of its customers.
In terms of Canadian sales tax, non-resident platforms are among the main players targeted by a heavy legislative trend towards taxing supplies made from abroad to Canadian consumers. Several provinces have enacted legislation in recent years that requires non-resident suppliers (which includes both platform operators and sellers, depending on the circumstances) to register for the purposes of collecting and remitting tax on supplies purchased by consumers in such provinces. This obligation exists even if platforms do not otherwise meet the historical test of carrying on business in the jurisdiction or having a physical presence in the given province. Unsurprisingly, provincial governments see imposing registration and collection obligations on these actors as an efficient way to raise tax revenues. Many Canadian businesses do welcome these developments as it levels the playing field for local businesses who already have the legal obligation to charge and collect taxes on like transactions.
In particular, in Québec, a new parallel Québec sales tax (“QST”) regime was adopted in the context of the 2018-2019 budget to require non-resident “specified suppliers” and operators of a “specified digital platform” to register and collect QST on supplies made to “specified Québec consumers.” Such new registration obligations were generally effective on January 1, 2019. For more details on these measures, see here.
Saskatchewan has also attempted to broaden its tax basis recently and now requires certain marketplace facilitators and operators of online accommodation platforms to register and collect provincial sales tax (“PST”). The changes, announced on June 15, 2020, became law on July 3, 2020 and have retroactive effect to January 1, 2020. For more details on these measures, see here.
In British Columbia, while registration requirements have historically involved some sort of inventory held in the province, or solicitation and delivery into the province, the government announced in February 2020 new PST registration requirements so that Canadian sellers of goods and Canadian and foreign sellers of software and telecom services will generally be required to register to collect PST. It was announced on September 2, 2020 that the implementation of these changes is postponed, and will become effective on April 1, 2021.
These are major changes to the tax landscape for platforms operating in Canada. Platforms, like other marketplace operators and businesses operating from abroad, should generally review their activities in Canada and determine whether they have the obligation to register, when they should do so and if their systems enable invoicing, collection and disclosure of taxes that are compliant with the recently enacted legislation. This obligation no longer revolves around whether a business has a physical presence in or is carrying on business in any given province. Further developments are expected, as there are indications that GST/HST may be headed in the same direction.
Shortly after drafting this article, the largely anticipated important new GST/HST measures regarding supplies made by non-resident persons in Canada were released. Please find more details on such measures here.
More to come…
As noted above, Part II on this topic will follow with a look at issues in trade and product compliance, competition law and consumer protection.
By Jonathan Bitran, Jade Buchanan, Gregory Corosky, Nicolas Désy Carmen Francis, Michael Scherman and Shauvik Shah
Latest posts by McCarthy Tétrault LLP (see all)
- IIROC Publishes Notice Regarding Ransomware Attacks - March 29, 2021
- CPPA: De-identifying provisions - March 22, 2021
- Clarification on cross-border transfers of personal information - February 24, 2021