Living with Canada’s Anti-Spam Legislation

SLIDE 1

Living with Canada’s Anti-Spam Legislation
Portfolio Management Association of Canada
Toronto Compliance Forum

Adam Kardash
Partner, Privacy and Data Management
Osler, Hoskin & Harcourt LLP
akardash@osler.com
416.862.4703

September 23, 2014

SLIDE 2

CASL Overview

• Federal legislation imposing strict consent, notice and content requirements for “commercial electronic messages”.
• Applies to a broad range of messages (marketing, B2B, customer service, referrals, job applications, etc.)
• Impacts organizations in all sectors.
• Potentially severe penalties for contravention of the statute.
• Applies to messages sent from or accessed by a computer system in Canada.

SLIDE 3

Status of CASL

• Enacted in December 2010.
  • Commercial Electronic Message provisions in force July 1, 2014
  • Computer programming provisions in force January 15, 2015
  • Private right of action in force July 1, 2017
• Details of CASL set out in 2 regulations:
  • CRTC Regulations finalized in March 2012.
  • Industry Canada Regulations finalized in December 2013.
• CRTC Guidelines released in October 2012
  • Guidelines on the Interpretation of the Electronic Commerce Protection Regulations (CRTC)
  • Guidelines on the use of Toggling as a means of Obtaining Express Consent under CASL
• CRTC FAQs and guidance released in June & July 2014

SLIDE 4

Penalties for Non-Compliance

• Administrative Monetary Penalties
  • Up to $1 million per violation for individuals and $10 million for businesses.
• Private Right of Action
  • Statutory damages up to $200 for each violation of the prohibition against unsolicited commercial electronic messages, up to $1 million for each day on which the violation occurred.
  • A single email or text message in contravention of CASL = violation.
• Over 105,000 complaints received thus far.

SLIDE 5

Application of CASL

• Applies to any “Commercial Electronic Message”
  • Any means of telecommunication, including text, sound, voice or image messages.
  • Reasonable to conclude that, among its purposes, the message is aimed at encouraging participation in a commercial activity.
• Examples of commercial electronic messages:
  • emails
  • text messages
  • refer-a-friend
  • emerging forms of messaging
  • an email or text message that hyperlinks to content “aimed at encouraging participation in a commercial activity”

SLIDE 6

General Requirements

• Prohibited to send, or cause or permit to be sent, a commercial electronic message (CEM) to an electronic address unless the recipient has provided express or implied consent.
• Most CEMs must also meet certain specified content requirements, including an unsubscribe mechanism.

SLIDE 7

CASL Exceptions

• Certain CEMs are not subject to the consent and content/unsubscribe requirements
  • Messages to those with whom there is a personal or family relationship.
    • Defined in Industry Canada Regulations
    • Personal Relationship: Sender and recipient have had direct, voluntary, two-way communication, and it would be reasonable to conclude that they have a personal relationship
  • Messages that are sent to an individual engaged in commercial activity and consist solely of an inquiry or application related to that activity.
  • Messages sent between organizations or within organizations concerning the activities of the organization.
  • Messages sent in response to a request, inquiry or complaint, or otherwise solicited.
  • Messages sent to satisfy legal obligations.

SLIDE 8

CASL Exceptions (cont’d)

• Certain CEMs are not subject to the consent and content/unsubscribe requirements (cont’d.)
  • Platforms: Messages sent or received on electronic messaging service.
    • Information and unsubscribe mechanism required under the Act must be conspicuously published and readily available through the user interface
    • Person consents to receive it either expressly or by implication
  • Closed Messaging Systems: Messages sent to a limited-access secure and confidential account to which messages can only be sent by the person who provides the account.
  • Messages sent or caused or permitted to be sent by a person who reasonably believes the message will be accessed in a set of listed foreign states and the message conforms to the law of the foreign state that addresses spam.
    • 116 countries listed in the Industry Canada Regulations

SLIDE 9

Express Consent Requirements

• Generally express consent is required to send a CEM
  • Express consent may be obtained orally or in writing
  • Positive or explicit indication of consent required (i.e. no pre-checked boxes)
  • Requests for express consent must include notice about the following:
    • The purpose for which consent is sought.
    • The name of the person seeking consent.
    • Certain prescribed contact information including the mailing address, and either a telephone number, email address or web address of the sender.
    • A statement indicating that the person whose consent is sought can withdraw their consent.

SLIDE 10

Express Consent Requirements (cont’d)

• Additional requirements when obtaining consent on behalf of named and unnamed third-parties (e.g. marketing partners or affiliates)
  • E.g. “[ ] Check here if you would like to receive offers and promotions from our marketing partners”.
  • Unnamed third party (e.g. marketing partner) must identify person who obtained consent in CEM
  • Recipients must be able to unsubscribe from all lists
  • Centralized management of consents across unaffiliated marketing partners required

SLIDE 11

Express Consent Requirements (cont’d)

• Express consent is not required under the Act in certain circumstances, such as where there is deemed to be “implied consent.”

SLIDE 12

Implied Consent

• Example: Existing Business Relationships
  • There is implied consent where the sender and recipient have an “existing business relationship” based on, for example:
    • Purchase or lease of a product, goods, service
    • A written contract
    • An inquiry or application
  • Implied consent is time-limited:
    • may only be relied upon for 2 years after a purchase, 2 years after the expiration of the contract or 6 months after an inquiry or application.

SLIDE 13

Implied Consent (cont’d)

• Example 2: Business-to-Business
  • There is implied consent where the recipient has:
    • conspicuously posted their electronic address, and
    • the publication is not accompanied by an indication that he or she does not wish to receive unsolicited messages, and
    • the message is relevant to the recipient’s business, role, functions or duties in a business or official capacity.
  • or where the recipient has:
    • disclosed their electronic address to the sender without indicating a wish not to receive unsolicited messages, and
    • the message is relevant to their business, role, functions or duties in a business or official capacity.

SLIDE 14

Transactional Messages

• Certain CEMs are not required to comply with consent requirement
  • For example, CEMs that solely:
    • Provide a quote or estimate
    • Facilitate, complete or confirm a commercial transaction
    • Provide warranty information, product recall information or safety or security information
    • Provide notification of factual information
    • Deliver a product, goods or service
• Messages still must comply with content/unsubscribe requirements

SLIDE 15

Referrals

• There is also an exception to the consent requirement for referral-based communications.
  • A commercial electronic message may be sent for the purpose of contacting the recipient following a referral by any individual who has an existing business relationship, an existing non-business relationship, a family relationship or a personal relationship with the sender and recipient.
  • The message must disclose the full name of the referral source and state that the message is sent as a result of the referral.
  • Only applies to the first message sent.
• Messages still must comply with content/unsubscribe requirements

SLIDE 16

Scope of Computer Program Rules

• Apply to a person who:
  • installs a computer program (no malware threshold) on another person’s computer system OR
  • causes an electronic message to be sent from a computer system on which the person installed a computer program IF
  • the computer system is located in Canada or the person is in Canada

SLIDE 17

Consent Requirement

• Express consent
• Same general rules as for CEMs
• Written acknowledgment of “invasive” functions

SLIDE 18

Disclosure Requirement

• General function and purpose of the computer program
• Enhanced function-specific information (to be disclosed separate and apart from licence agreement) if:
  • enumerated “invasive” function
  AND
  • knowledge and intent that computer will operate contrary to reasonable expectations of user or owner
• Contact information for assistance in removal of “invasive” programs (if inaccurate description of “invasive” program)

SLIDE 19

Invasive Functions

• collecting personal information stored on the computer system
• interfering with the owner’s or an authorized user’s control of the computer system
• changing or interfering with settings, preferences or commands already installed or stored on the computer system without the knowledge of the owner or an authorized user of the computer system
• changing or interfering with data that is stored on the computer system in a manner that obstructs, interrupts or interferes with lawful access to or use of that data by the owner or an authorized user of the computer system
• causing the computer system to communicate with another computer system, or other device, without the authorization of the owner or an authorized user of the computer system
• installing a computer program that may be activated by a third party without the knowledge of the owner or an authorized user of the computer system
• performing any other function specified in the regulations

SLIDE 20

Exceptions

• Updates and upgrades
  • Requires CASL compliant consent to installation or use AND update program
  • Does not provide relief from enhanced disclosure/written acknowledgment rules
• Deemed consent
  • Specified categories of computer programs
  • If conduct makes it reasonable to believe consent to installation given

SLIDE 21

Deemed consent software categories

• a cookie
• HTML code
• Java Scripts
• an operating system
• program executable only through program installed/used under express consent
• some network updates (by telecom service providers)
• software corrections

SLIDE 22

Compliance Steps - CEMs

• Develop inventory of electronic messages that you currently (or intend to) send, cause or permit to be sent
• Determine whether CASL applies to electronic messages
• If CASL applies to the messages:
  • Determine whether and what type of consent will be required
  • Determine whether CASL’s identity, contact and unsubscribe rules apply
• Develop templates for requesting written consent and scripts for requesting oral consent
• Develop email templates that comply with CASL
• Ensure unsubscribe mechanism meets the requirements under CASL
• Confirm approach to existing databases and determine if “fresh” consent is required

SLIDE 23

Compliance Steps – CEMs (cont’d)

• Develop approach for acquiring and using third party mailing lists (if applicable)
• Develop approach for refer-a-friend marketing programs (if applicable)
• Develop protocol for participating in or running affinity programs (if applicable)
• Develop protocol for complying with unnamed third party rules (if applicable)
• Review/update database management practices to demonstrate compliance with CASL (e.g. process for recording express consent, tracking implied consent timelines, etc.)
• Review and update external notices (e.g., privacy policy)
• Review and update relevant internal policies
• Develop and implement training and education plan (e.g. employee, staff, consultant, etc.)

SLIDE 24

Compliance Steps – Computer Programs

• Key compliance steps include (in addition to previous slides)
  • Inventory/review of all computer programs
  • Inventory computer updates and upgrades, and “invasive functions”
  • Review/revise all notices
  • More broadly, consider steps to establish “due diligence” for compliance
  • Internal compliance policies and procedures