Online reviews and privacy claims: Lessons from RateMDs v Bluler (BCCA)

 

Can a doctor claim a privacy violation because a website creates a profile for them using public information, hosts anonymous reviews, and ranks them against their peers?

The British Columbia Court of Appeal says no in RateMDs Inc. v. Bleuler, 2025 BCCA 329. Let’s walk through what happened — and what this means for privacy in Canada.

Let’s start with the background to this case.

RateMDs.com is a website where people can look up health professionals, read and post reviews, and compare ratings. You’ve probably seen it — you search for a physician, and you get their name, their contact information, their ratings, and often a long list of anonymous comments.

Dr. Ramona Bleuler, a BC physician, discovered that RateMDs had created a profile for her. She didn’t ask for it. She didn’t consent to it. And she couldn’t remove it.

The platform listed her name, her professional contact information, a list of reviews from anonymous users and a comparative ranking of doctors in her specialty and geographic region.

RateMDs also offers paid subscriptions that allow physicians to hide a limited number of reviews. Dr. Bleuler wanted to start a class action on her own behalf and on behalf of other physicians in Canada who had listings on RateMDs. 

Class actions – at least in Canada – have specific procedures, which require that the class action be certified before it can go ahead. There are a number of things the court must look at pursuant to the Class Proceedings Act, but the most important question for our analysis here is whether the pleadings disclose a cause of action. When you read the pleadings, and assume that the facts are true and provable, is there an actual legal claim there? This is a screening function to weed out any legal claims that are bound to fail, and the court is only supposed to examine the facts alleged in the statement of claim. 

This case principally turns on whether the legal claims made by the representative plaintiff are viable. 

So the plaintiff sued RateMDs and its parent company under the provincial Privacy Act. She said that by creating a profile for her, hosting reviews, and ranking her relative to her peers, RateMDs violated her privacy.

She wasn’t claiming that specific reviews contained private information. She wasn’t arguing defamation. Her claim was broader: she said the very act of aggregating, hosting, and ranking health professionals without their consent violated privacy law. In particular, the plaintiff was relying on the statutory privacy torts created by the legislatures of British Columbia, Saskatchewan, Manitoba and Newfoundland. The proposed class would be physicians who reside in those provinces. The plaintiff also tried to rely on Quebec’s privacy statute, but that part wasn’t allowed to proceed in the lower court. 

She relied on two sections of the British Columbia Privacy Act, and their equivalents in the other provinces.

First, section 1, which creates a tort — actionable without proof of damage — where a person ‘wilfully and without claim of right’ violates the privacy of another.

Violation of privacy actionable

1 (1) It is a tort, actionable without proof of damage, for a person, wilfully and without a claim of right, to violate the privacy of another.

Second, section 3(2), which prohibits the unauthorized use of someone’s name or portrait for the purpose of advertising or promoting the sale of goods or services.

Unauthorized use of name or portrait of another

3 (2) It is a tort, actionable without proof of damage, for a person to use the name or portrait of another for the purpose of advertising or promoting the sale of, or other trading in, property or services, unless that other, or a person entitled to consent on the other's behalf, consents to the use for that purpose.

Her argument was that RateMDs is a commercial enterprise. The profiles draw traffic, the reviews attract users, and the rankings keep people engaged. Because this commercial model depends on using doctors’ names and contact information, she said this amounted to both a privacy violation and commercial exploitation of identity.

The BC Supreme Court agreed the case should go forward. The judge certified the class action. I have to emphasize that this was only based on the pleadings and the court was essentially saying that the claims looked viable, but that didn’t mean the plaintiffs would win at any eventual trial. 

But RateMDs appealed. And at the Court of Appeal, everything changed.

The Court of Appeal approached the case by asking the basic but crucial question: Even assuming all the facts in the claim are true, is there a viable cause of action under the privacy statutes?

Again, this is a threshold question in class action certification. You don’t look at evidence. You look at the pleadings. You ask whether the claim has a reasonable chance of success.

A claim can be novel — that’s okay. But if it’s doomed to fail, the court must strike it.

Here’s the heart of the Court of Appeal’s reasoning:

At least for the purposes of a civil claim, privacy starts with identifying private information. And the claim failed at this starting point.

The Court of Appeal said:

●        A doctor’s name is not private.

●        Professional business contact information is not private.

●        Reviews written by patients about a doctor’s professional services are not private.

●        Rankings based on those reviews are not private.

The Court emphasized that privacy law protects reasonable expectations of privacy. And when someone is carrying out professional, public-facing work, the threshold for privacy protection is different.

The Court relied on earlier BC cases — including Niemela v. Malamas — which held that complaints about how a lawyer performs their work do not attract a reasonable expectation of privacy. Professional reputation is not the same thing as privacy.

The doctor tried to frame her privacy right as a right to control how information about her was used. But the Court said: control only exists if there’s a privacy interest in the underlying information. If the information is not private, there is nothing to control. Or at least privacy torts don’t leap in to give you that control. 

For privacy lawyers, this is an important clarification: The BC Privacy Act protects privacy, not reputation, and not personal preference about the use of publicly available professional information.

The Court concluded that because there was no reasonable expectation of privacy in the information posted on RateMDs, the privacy claim under section 1 was bound to fail.

The Court also noted an important distinction: This case wasn’t about whether any particular review contained sensitive information. The plaintiff expressly disclaimed that argument. She said the content didn’t matter — only the existence of the profile and the ranking system did.

The Court said that privacy law doesn’t work that way. You can’t claim a violation based on a website compiling publicly available information unless there’s some private content involved.

So the broad theory — that creating a profile and ranking professionals without their consent is itself a privacy violation — was rejected. There would have to be something more … and in this case, there was not.

The BC Supreme Court judge had relied in part on the rules governing how health professionals can advertise. For example, doctors can’t use testimonials. They can’t compare themselves to colleagues. The judge below thought this regulatory context created a privacy interest.

The Court of Appeal disagreed.

Those rules regulate doctors. They do not regulate third-party websites. They do not create privacy rights. And they do not convert publicly available information into private information. The Court of Appeal wrote at paragraph 98: “However, the interest of provincial regulators in restricting advertising by health professionals has no obvious connection to the respondent’s asserted privacy interest. The regulatory concern is to protect the public, not to protect the privacy of health professionals. That regulatory interest has nothing to do with the plaintiff’s reasonable expectation of privacy.”

So the regulatory framework could not be used to manufacture a privacy interest where none otherwise existed.

Next, the Court examined the claim under section 3(2) — unauthorized use of name or portrait for advertising.

This is the ‘misappropriation of personality’ tort. It typically covers: (a) using someone’s name or image in an ad, (b) using a person’s likeness to promote goods or services or (c) endorsements without consent.

RateMDs wasn’t using doctors’ identities to advertise or sell anything in the sense required by the statute. It was running a platform where reviews are posted and accessed. Running a commercial website that uses names in this manner doesn’t cut it. That’s not the kind of commercial exploitation section 3(2) is meant to capture.

So the Court of Appeal found that the claim under section 3(2) was also doomed to fail.

With both privacy causes of action rejected at the threshold stage, the Court of Appeal allowed the appeal, set aside the certification order and dismissed the action entirely. This was a complete win for RateMDs.

What are the broader implications?

First, the Court drew a clear boundary around privacy law: You can’t use privacy torts to challenge the existence of a professional review platform.

Second, the decision reinforces that privacy torts require a reasonable expectation of privacy in identifiable, specific information. That expectation must be grounded in: (a) the nature of the information, (b) the specific context, and (c) established privacy norms.

Third, platforms that rely on publicly available, professional information to generate profiles or rankings are, at least under BC’s statute and its equivalents, unlikely to face successful privacy claims — unless they publish actually private or sensitive data.

Fourth, the Court left open — deliberately — that if a review leaks confidential information or medical information, that could be a privacy violation. But that’s not what this case was about.

Finally, this is a reminder that privacy law is not a catch-all remedy for online reputational harm. Other legal avenues may exist such as defamation — but the privacy tort has a defined scope.

A last thing to note, which is important, is that this decision was made in the context of privacy torts – civil claims for invasion of privacy or use of image and likeness. Under our more general privacy statutes, such as the Personal Information Protection and Electronic Documents Act, whether information is “personal information” – and thus whether the statute applies to it – does not depend on whether the information is “private” or the “confidentiality” of the information.

A person’s name is subject to those laws, but may simply be less “sensitive”. Though a lot of the same principles may be in play, one should always be cautious about assuming that what a court says in the tort context will apply directly to our commercial privacy laws.