Canada’s Anti-Spam Legislation: What It Means to Hit Send



slide-1
SLIDE 1

Canada’s Anti-Spam Legislation: What It Means to Hit Send

Presented to the Canadian Vintners Association by Wendy Mee, May 28, 2014

slide-2
SLIDE 2

Overview

  • Key Dates
  • Overview of the Law
  • Liability and Penalties
  • Compliance Strategies
slide-3
SLIDE 3

Key Dates

  • Main anti-spam provisions: July 1, 2014
  • Installation of computer programs without consent: January 15, 2015
  • Private Right of Action: July 1, 2017

slide-4
SLIDE 4

Overview of the Law

  • Key prohibitions

    – sending unsolicited commercial electronic messages (CEMs) to an electronic address
    – altering transmission data without express consent
    – installing computer programs without express consent
    – making false and misleading representations in e-message
    – collecting e-addresses using computer programs without consent
    – collecting personal information through unauthorized access to a computer system

slide-5
SLIDE 5
  • A. CEM Prohibition
  • What is prohibited?

    – sending a commercial electronic message to an electronic address, unless:
        • consent (express or implied) has been obtained, and
        • form and content requirements are met

slide-6
SLIDE 6
  • A. CEM Prohibition (cont’d)
  • What is a CEM?

    – message sent by any means of telecommunication (e.g., text, sound, voice or image) that has as its purpose, or one of its purposes, to encourage participation in a commercial activity
    – CEMs include electronic messages that request consent to send a CEM

slide-7
SLIDE 7
  • A. CEM Prohibition (cont’d)
  • What qualifies as an “electronic address”?

    – an email account
    – an instant messaging account
    – a telephone account
    – any similar account …

  • social media?
slide-8
SLIDE 8
  • B. Consent Requirements
  • How is express consent obtained?

    – requires active “opt-in”
    – may be obtained orally or in writing
    – request for express consent must set out clearly and simply:
        • purpose(s) for which consent is being sought
        • specific information about the person seeking consent and, if applicable, the person on whose behalf consent is being sought
        • statement that the person can withdraw their consent
slide-9
SLIDE 9
  • B. Consent Requirements (cont’d)

Example used in Compliance and Enforcement Information Bulletin CRTC 2012-549

slide-10
SLIDE 10
  • C. Form and Content Requirements
  • What information must be provided in a CEM?

    – specific information that identifies the sender or person on whose behalf the CEM is sent
    – statement indicating which person is sending the CEM and which person on whose behalf the message is being sent, if applicable
    – information enabling the recipient to contact the sender of the CEM, valid for 60 days
    – a functional unsubscribe mechanism that meets prescribed requirements

slide-11
SLIDE 11

  • C. Form and Content Requirements (cont’d)

Example used in Compliance and Enforcement Information Bulletin CRTC 2012-548

slide-12
SLIDE 12
  • D. When Consent is Implied
  • When is consent implied?

    – existing business relationships
        • Where the sender and recipient have engaged in certain specified types of businesses together:
        • Within 2 years preceding day on which message was sent, recipient:
            • Purchased, leased or bartered for a product, goods, service, land or an interest or right in land
            • Accepted a business, investment or gaming opportunity
            • Entered into a written contract (not in respect of a purchase, lease, barter or acceptance listed above) that is in existence or expired within the 2 year period
        • Within 6 months preceding day on which message was sent, recipient made an inquiry or application in respect of any of the matters mentioned above
    – existing non-business relationships
    – conspicuous publications
    – voluntary disclosures

slide-13
SLIDE 13
  • E. Full Exemption from CASL
  • What types of messages are generally exempt from the application of the law?

    – personal and family relationships
    – inquiries sent to a person engaged in a commercial activity in relation to such activity
    – intra-business messages as long as certain conditions are met
    – inter-business messages as long as certain conditions are met
    – responses to individual requests, inquiries or complaints
    – messages sent to satisfy certain legal obligations

slide-14
SLIDE 14
  • E. Full Exemption from CASL (cont’d)

    – messages sent and received on an electronic messaging service as long as certain requirements are met
    – messages sent to a limited-access secure and confidential account where messages can only be sent by the person who provides the account
    – messages that the sender reasonably believes will be accessed in a listed foreign state and that comply with the foreign law that addresses substantially similar conduct
    – messages sent by a registered charity for primary purpose of fundraising
    – messages sent by a political party, organization or candidate for the primary purpose of soliciting a contribution

slide-15
SLIDE 15
  • F. Exemption from Consent
  • Certain messages are exempt from the requirement of obtaining consent (must still comply with form and content requirements) if they solely:

    – provide a requested quote or estimate
    – facilitate or confirm a previously agreed-upon commercial transaction
    – provide warranty/safety information
    – provide factual information about an ongoing subscription/membership etc…
    – provide information related to an employment relationship etc…
    – deliver a product, good or service under a prior transaction

slide-16
SLIDE 16
  • F. Exemption from Consent (cont’d)
  • First messages sent through a third-party “referral” are exempt if certain conditions are met

slide-17
SLIDE 17
  • G. Transitional Provision
  • Three-year transitional provision if:

    – existing business relationship or existing non-business relationship exists (without regard to the time limits that normally apply)
    – relationship includes the communication of CEMs

slide-18
SLIDE 18

Liability and Penalties

| Violation | Penalty | Private Right of Action |
| --- | --- | --- |
| Sending unsolicited CEMs (or aiding and abetting) | Maximum per breach: C$1-million for individuals, C$10-million for corporations | Maximum: C$200 per breach, not to exceed C$1-million per day |

slide-19
SLIDE 19

Liability and Penalties (cont’d)

  • Note:

    – an officer, director or other mandatary of a corporation can be held liable for a violation if they directed, authorized, assented to, acquiesced in or participated in the commission of the violation
    – a person can be held liable for a violation by their employee/agent acting within the scope of their employment/authority

  • Due diligence is a defence
slide-20
SLIDE 20

Compliance Strategies

  • 1. Conduct an audit
  • 2. Assess which electronic messages are covered by CASL

  • 3. Identify any available exemptions
  • 4. If no exemptions, determine type of consent required
  • 5. Upgrade consents as needed
slide-21
SLIDE 21

Compliance Strategies

  • 6. Adopt internal policies and guidelines and training programs
  • 7. Ensure form and content requirements, including unsubscribe, are complied with
  • 8. Implement robust data management and operational controls
  • 9. Adjust and adapt contracts
  • 10. Follow-up audit practices to ensure ongoing compliance

slide-22
SLIDE 22

Questions?