Living with Canada’s Anti ‐ Spam Legislation Portfolio Management Association of Canada Toronto Compliance Forum Adam Kardash Partner, Privacy and Data Management Osler, Hoskin & Harcourt LLP akardash@osler.com 416.862.4703 September 23, 2014
CASL Overview Federal legislation imposing strict consent, notice and content requirements for “commercial electronic messages”. Applies to a broad range of messages (marketing, B2B, customer service, referrals, job applications, etc.) Impacts organizations in all sectors. Potentially severe penalties for contravention of the statute. Applies to messages sent from or accessed by a computer system in Canada. 2
Status of CASL Enacted in December 2010. Commercial Electronic Message provisions in force July 1, 2014 Computer programming provisions in force January 15, 2015 Private right of action in force July 1, 2017 Details of CASL set out in 2 regulations: CRTC Regulations finalized in March 2012. Industry Canada Regulations finalized in December 2013. CRTC Guidelines released in October 2012 Guidelines on the Interpretation of the Electronic Commerce Protection Regulations (CRTC) Guidelines on the use of Toggling as a means of Obtaining Express Consent under CASL CRTC FAQs and guidance released in June & July 2014 3
Penalties for Non ‐ Compliance Administrative Monetary Penalties Up to $1 million per violation for individuals and $10 million for businesses. Private Right of Action Statutory damages up to $200 for each violation of the prohibition against unsolicited commercial electronic messages up to $1 million for each day on which the violation occurred. A single email or text message is contravention of CASL = violation. Over 105,000 complaints received thus far. 4
Application of CASL Applies to any “Commercial Electronic Message” Any means of telecommunication, including text, sound, voice or image messages. Reasonable to conclude that, among its purposes, the message is aimed at encouraging participation in a commercial activity. Examples of commercial electronic messages: emails text messages refer ‐ a ‐ friend emerging forms of messaging an email or text message that hyperlinks to content “aimed at encouraging participation in a commercial activity” 5
General Requirements Prohibited to send, or cause or permit to be sent, a commercial electronic message (CEM) to an electronic address unless the recipient has provided express or implied consent . Most CEMs must also meet certain specified content requirements, including an unsubscribe mechanism. 6
CASL Exceptions Certain CEMs are not subject to the consent and content/unsubscribe requirements Messages to those with whom there is a personal or family relationship. Defined in Industry Canada Regulations Personal Relationship: Sender and recipient have had direct, voluntary, two ‐ way communication, and it would be reasonable to conclude that they have a personal relationship Messages that are sent to an individual engaged in commercial activity and consists solely of an inquiry or application related to that activity. Messages sent between organizations or within organizations concerning the activities of the organization. Messages sent in response to a request, inquiry complaint or is otherwise solicited. Messages sent to satisfy legal obligations. 7
CASL Exceptions (cont’d) Certain CEMs are not subject to the consent and content/unsubscribe requirements (cont’d.) Platforms: Messages sent or received on electronic messaging service. Information and unsubscribe mechanism required under the Act must be conspicuously published and readily available through the user interface Person consents to receive it either expressly or by implication Closed Messaging Systems: Messages sent to a limited ‐ access secure and confidential account to which messages can only be sent by the person who provides the account. Messages sent or caused or permitted to be sent by a person who reasonable believes the message will be accessed in a set of listed foreign states and the message conforms to the law of the foreign state that addresses spam. 116 countries listed in the Industry Canada Regulations 8
Express Consent Requirements Generally express consent is required to send a CEM Express consent may be obtained orally or in writing Positive or explicit indication of consent required (i.e. no pre ‐ checked boxes) Requests for express consent must include notice about the following: The purpose for which consent is sought. The name of the person seeking consent. Certain prescribed contact information including the mailing address, and either a telephone number, email address or web address of the sender. A statement indicating that the person whose consent is sought can withdraw their consent. 9
Express Consent Requirements (cont’d) Additional requirements when obtaining consent on behalf of named and unnamed third ‐ parties (e.g. marketing partners or affiliates) E.g. “[ ] Check here if you would like to receive offers and promotions from our marketing partners ”. Unnamed third party (e.g. marketing partner) must identify person who obtained consent in CEM Recipients must be able to unsubscribe from all lists Centralized management of consents across unaffiliated marketing partners required 10
Express Consent Requirements (cont’d) Express consent is not required under the Act in certain circumstances, such as where there is deemed to be “implied consent.” 11
Implied Consent Example: Existing Business Relationships There is implied consent where the sender and recipient have an “existing business relationship” based on, for example: Purchase or lease of a product, goods, service A written contract An inquiry or application Implied consent is time ‐ limited: may only be relied upon for 2 years after a purchase, 2 years after the expiration of the contract or 6 months after an inquiry or application. 12
Implied Consent (cont’d) Example 2: Business ‐ to ‐ Business There is implied consent where the recipient has: conspicuously posted their electronic address, and the publication is not accompanied by an indication that he or she does not wish to receive unsolicited messages, and the message is relevant to the recipient’s business, role, functions or duties in a business or official capacity. or where the recipient has: disclosed their electronic address to the sender without indicating a wish not to receive unsolicited messages, and the message is relevant to their business, role, functions or duties in a business or official capacity. 13
Transactional Messages Certain CEMs are not required to comply with consent requirement For example, CEMs that solely: Provide a quote or estimate Facilitate, complete or confirm a commercial transaction Provide warranty information, product recall information or safety or security information Provide notification of factual information Deliver a product, goods or service Messages still must comply with content/unsubscribe requirements 14
Referrals There is also an exception to the consent requirement for referral ‐ based communications. A commercial electronic message may be sent the purpose of contacting the recipient following a referral by any individual who has an existing business relationship, an existing non ‐ business relationship, a family relationship or a personal relationship with the sender and recipient. The message must disclose the full name of the referral source and state that the message is sent as a result of the referral. Only applies to the first message sent. Messages still must comply with content/unsubscribe requirements 15
Scope of Computer Program Rules Apply to a person who: installs a computer program (no malware threshold) on another person’s computer system OR causes an electronic message to be sent from a computer system on which the person installed a computer program IF the computer system is located in Canada or the person is in Canada 16
Consent Requirement Express consent Same general rules as for CEMs Written acknowledgment of “invasive” functions 17
Disclosure Requirement • General function and purpose of the computer program • Enhanced function ‐ specific information (to be disclosed separate and apart from licence agreement) if: enumerated “invasive” function AND knowledge and intent that computer will operate contrary to reasonable expectations of user or owner • Contact information for assistance in removal of “invasive” programs (if inaccurate description of “invasive” program) 18
Recommend
More recommend
