Key legal issues for the foodservice industry

By Chad Finkelstein

It is an exciting time to be a restaurant owner. Marketing options to reach customers are limitless. A carefully established brand has more resonance and power than ever before.  Emerging technologies in the area of mobile payment are keeping costs down and transactions moving faster. And the franchise model continues to show its strength, presenting bold options for brand expansion, and the dissemination of a restaurant’s goods and services both domestically and internationally.

So what’s on tap for the remainder of 2016? It is often a fool’s errand to offer predictions of this nature, but I am reasonably confident that the following three legal developments will have an impact on the Canadian restaurant industry through to the end of the year, and beyond.

Proliferation of restaurant aggregators

The last few years have seen the establishment of food delivery aggregators as a mainstream service for which the general public is prepared to pay a premium delivery fee. Now that we have become accustomed with the concept of ordering our meals from these sites and apps, restaurants and the developers behind the technologies are limited only by their imaginations with respect to what gets served to us next and how we order it. The innovations of JustEat and OrderIt have made way for the acceptance of UberEats, Foodora (formerly known as Hurrier), Platterz and others.

And while the fear of being left behind can feed the temptation to engage one of these services quickly, it is important to bear in mind that your restaurant will still be bound to a legal agreement, and those terms will govern your commercial relationship. The coming year will see the adoption of these technologies by more Canadian restaurants, and that adoption will lead to more innovation and a rush to be first-to-market if or when your restaurant is approached. When confronted with the decision to sign a contract with these platforms, it can be tempting to accept the standard legal terms and conditions, possibly without even reading them, since the service seems so obvious and intuitive.

Aggregators facilitate food ordering and are paid a service fee or commission by the restaurant, often as a percentage of the order. Frequently, the aggregator takes the payment itself at the time of ordering and remits the balance of the bill to the restaurant. But bill collections and accounts receivable are not common to the restaurant industry, and this requires a restaurant to somewhat change its corporate culture. Restaurants are accustomed to payment by a customer at the time of purchase, but engaging an aggregator will require restaurants to be more proactive in maintaining records of what is owed to them, and following up. In 2015, we witnessed the regional impact of the demise of a Toronto-based aggregator, and the restaurants who were all unsecured creditors had to get in line to recover what little, if any, of the company remained to be paid out.

Make sure you are keeping track of what is owed to you, and getting paid as soon as possible, but no later than what your contract calls for.

The continued importance of cybersecurity measures

You do not need me to tell you about the growing daily threat that data breaches present to your business and brand, nor do you need to read statistics about the overwhelming susceptibility of retail and restaurant businesses to hacks due to a combination of weak data protection measures, a huge volume of credit card transactions, a treasure trove of customers’ personal information and the very public profile of restaurants.

Theft of consumer, payment and proprietary data can be financially devastating to a brand, not to mention the reputational damage that follows in the court of public opinion.

But there are some legal consequences that Canadian restaurants may not be aware of, and the requirements that need to be complied with in order to avoid them. In June, 2015, the Digital Privacy Act came into effect, which implemented new mandatory data-breach notification rules. While these requirements are subject to regulations which have not yet been fully drafted, they impose substantial responsibilities on organizations in regards to data security breaches.

Under the DPA, organizations have an obligation to notify individuals (including customers and employees) when there has been a data breach, and to report the same to the Office of the Privacy Commissioner of Canada (the “Commissioner”) when it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual. The definition of what constitutes “significant harm” has been left fairly broad and open-ended, including bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on a credit record and damage to or loss of property.

When such a breach occurs, and an organization believes that it creates a real risk of significant harm, the organization must:

  • Report the breach to the Commissioner as soon as feasible, as well as any other organization or government institution that the notifying organization believes can reduce the risk or mitigate the harm consequent to the breach
  • Notify the affected individual unless prohibited by law from doing so. The notification must be “conspicuous,” must be given directly to the individual if feasible and must be given as soon as feasible
  • Provide sufficient information and use clear, simple language to allow the individual to understand the significance of the breach, how it may impact them and what steps he/she can take to reduce the harm that could result from it

Under the new regime, organizations are also now required to keep and maintain records of every breach of security safeguards involving personal information under their control. These records must be provided to the Commissioner upon request. To date, there has been little detail provided with respect to the specific retention periods that are required. However, failure to comply with the new data breach notification or record-keeping requirements can result in the imposition of fines up to $100,000.

Restaurant owners should also take particular care to ensure they are complying with the standards established by the Payment Card Industry (PCI) Security Council, which will vary on a case-by-case basis depending on the number of credit card transactions completed by each business.

Restaurants – choose your data security service providers carefully, and be aware of your statutory legal obligations in the event of a breach.

Amendments to Canada’s trademarks law

Brand strength is critical to the success of a restaurant, and one of the best and surest ways to protect that brand is by way of registering your trademarks (your restaurant name, logos and taglines) with the Canadian Intellectual Property Office. As a result of the massive free-trade agreement entered into between Canada and the European Union, Canada’s federal Trademarks Act is about to undergo an enormous (and, in many ways, overdue) retooling in order to harmonize our laws with those of the international community.

The law in Canada has always required that in order to get your trademark registered, one has to demonstrate that they are actually using the mark in commerce. But this “use” requirement is about to be eliminated, meaning that, so long as an applicant can demonstrate an intent to use the mark, proof of actual use would not be required in order to obtain trademark registration.

Why should Canadian restaurants care? Because if you have not taken or are not taking proactive steps to register and protect your trademark portfolio, you may very well find out that a squatter has filed a trademark application for the trademark most important to your brand, with no intention of ever using it, but rather holding it hostage and requiring you to pay a tidy sum to get the federal registration back.  You do not want someone else holding the federal rights to the use of your name and trademarks.

The new laws will not come into effect until 2018, but brand owners need to prepare well in advance and make sure they are taking steps to apply for their restaurant’s trademarks, before someone else does.

About the author:

Chad Finkelstein is a partner in the Franchise & Distribution Law group at Dale & Lessmann LLP in Toronto. He assists local and foreign restaurant owners with issues in the establishment and development of their franchise systems in Canada. He also helps restaurant owners in obtaining trademark registrations, drafting contest rules, running advertisements and promotions and navigating social media. For more information, call 416-369-7883 or email

Leave a Reply

Your email address will not be published. Required fields are marked *