Canada’s Anti-Spam Legislation: What It Means to Hit Send • Presented to the Canadian Vintners Association by Wendy Mee • May 28, 2014
Overview • Key Dates • Overview of the Law • Liability and Penalties • Compliance Strategies
Key Dates • Main anti-spam provisions: July 1, 2014 • Installation of computer programs without consent: January 15, 2015 • Private Right of Action: July 1, 2017
Overview of the Law • Key prohibitions – sending unsolicited commercial electronic messages (CEMs) to an electronic address – altering transmission data without express consent – installing computer programs without express consent – making false and misleading representations in e-message – collecting e-addresses using computer programs without consent – collecting personal information through unauthorized access to a computer system
A. CEM Prohibition • What is prohibited? – sending a commercial electronic message to an electronic address, unless: Consent (express or implied) has been obtained and Form and content requirements are met
A. CEM Prohibition (cont’d) • What is a CEM? – message sent by any means of telecommunication (e.g., text, sound, voice or image) that has as its purpose, or one of its purposes, to encourage participation in a commercial activity – CEMs include electronic messages that request consent to send a CEM
A. CEM Prohibition (cont’d) • What qualifies as an “electronic address”? – an email account – an instant messaging account – a telephone account – any similar account … • social media?
B. Consent Requirements • How is express consent obtained? – requires active “opt-in” – may be obtained orally or in writing – request for express consent must set out clearly and simply: • purpose(s) for which consent is being sought • specific information about the person seeking consent and, if applicable, the person on whose behalf consent is being sought • statement that the person can withdraw their consent
B. Consent Requirements (cont’d) Example used in Compliance and Enforcement Information Bulletin CRTC 2012-549
C. Form and Content Requirements • What information must be provided in a CEM? – specific information that identifies the sender or person on whose behalf the CEM is sent – statement indicating which person is sending the CEM and which person on whose behalf the message is being sent, if applicable – information enabling the recipient to contact the sender of the CEM, valid for 60 days – a functional unsubscribe mechanism that meets prescribed requirements
C. Form and Content Requirements (cont’d) Example used in Compliance and Enforcement Information Bulletin CRTC 2012-548
D. When Consent is Implied • When is consent implied? – existing business relationships Where the sender and recipient have engaged in certain specified types of businesses together: -Within 2 years preceding day on which message was sent, recipient: • Purchased, leased or bartered for a product, goods, service, land or an interest or right in land • Accepted a business, investment or gaming opportunity • Entered into a written contract (not in respect of a purchase, lease, barter or acceptance listed above) that is in existence or expired within the 2 year period -Within 6 months preceding day on which message was sent, recipient made an inquiry or application in respect of any of the matters mentioned above – existing non-business relationships – conspicuous publications – voluntary disclosures
E. Full Exemption from CASL • What types of messages are generally exempt from the application of the law? – personal and family relationships – inquiries sent to a person engaged in a commercial activity in relation to such activity – intra-business messages as long as certain conditions are met – inter-business messages as long as certain conditions are met – responses to individual requests, inquiries or complaints – messages sent to satisfy certain legal obligations
E. Full Exemption from CASL (cont’d) – messages sent and received on an electronic messaging service as long as certain requirements are met – messages sent to a limited-access secure and confidential account where messages can only be sent by the person who provides the account – messages that the sender reasonably believes will be accessed in a listed foreign state and that comply with the foreign law that addresses substantially similar conduct – messages sent by a registered charity for primary purpose of fundraising – messages sent by a political party, organization or candidate for the primary purpose of soliciting a contribution
F. Exemption from Consent • Certain messages are exempt from the requirement of obtaining consent (must still comply with form and content requirements) if they solely: − provide a requested quote or estimate − facilitate or confirm a previously agreed-upon commercial transaction − provide warranty/safety information − provide factual information about an ongoing subscription/membership etc… − provide information related to an employment relationship etc… − deliver a product, good or service under a prior transaction
F. Exemption from Consent (cont’d) • First messages sent through a third-party “referral” are exempt if certain conditions are met
G. Transitional Provision • Three-year transitional provision if: − existing business relationship or existing non-business relationship exists (without regard to the time limits that normally apply) − relationship includes the communication of CEMs
Liability and Penalties • Violation: Sending unsolicited CEMs (or aiding and abetting) – Penalty, maximum per breach: C $1-million for individuals, C $10-million for corporations – Private Right of Action, maximum: C $200 per breach, not to exceed C $1-million per day
Liability and Penalties (cont’d) • Note: – an officer, director or other mandatory of a corporation can be held liable for a violation if they directed, authorized, assented to, acquiesced in or participated in the commission of the violation – a person can be held liable for a violation by their employee/agent acting within the scope of their employment/authority • Due diligence is a defence
Compliance Strategies 1. Conduct an audit 2. Assess which electronic messages are covered by CASL 3. Identify any available exemptions 4. If no exemptions, determine type of consent required 5. Upgrade consents as needed
Compliance Strategies (cont’d) 6. Adopt internal policies and guidelines and training programs 7. Ensure form and content requirements, including unsubscribe, are complied with 8. Implement robust data management and operational controls 9. Adjust and adapt contracts 10. Follow-up audit practices to ensure ongoing compliance
Questions?