Living with Canadas Anti Spam Legislation Portfolio Management - PowerPoint PPT Presentation

Living with Canada’s Anti ‐ Spam Legislation Portfolio Management Association of Canada Toronto Compliance Forum Adam Kardash Partner, Privacy and Data Management Osler, Hoskin & Harcourt LLP akardash@osler.com 416.862.4703 September 23, 2014

CASL Overview  Federal legislation imposing strict consent, notice and content requirements for “commercial electronic messages”.  Applies to a broad range of messages (marketing, B2B, customer service, referrals, job applications, etc.)  Impacts organizations in all sectors.  Potentially severe penalties for contravention of the statute.  Applies to messages sent from or accessed by a computer system in Canada. 2

Status of CASL  Enacted in December 2010.  Commercial Electronic Message provisions in force July 1, 2014  Computer programming provisions in force January 15, 2015  Private right of action in force July 1, 2017  Details of CASL set out in 2 regulations:  CRTC Regulations finalized in March 2012.  Industry Canada Regulations finalized in December 2013.  CRTC Guidelines released in October 2012  Guidelines on the Interpretation of the Electronic Commerce Protection Regulations (CRTC)  Guidelines on the use of Toggling as a means of Obtaining Express Consent under CASL  CRTC FAQs and guidance released in June & July 2014 3

Penalties for Non ‐ Compliance  Administrative Monetary Penalties  Up to $1 million per violation for individuals and $10 million for businesses.  Private Right of Action  Statutory damages up to $200 for each violation of the prohibition against unsolicited commercial electronic messages up to $1 million for each day on which the violation occurred.  A single email or text message is contravention of CASL = violation.  Over 105,000 complaints received thus far. 4

Application of CASL  Applies to any “Commercial Electronic Message”  Any means of telecommunication, including text, sound, voice or image messages.  Reasonable to conclude that, among its purposes, the message is aimed at encouraging participation in a commercial activity.  Examples of commercial electronic messages:  emails  text messages  refer ‐ a ‐ friend  emerging forms of messaging  an email or text message that hyperlinks to content “aimed at encouraging participation in a commercial activity” 5

General Requirements  Prohibited to send, or cause or permit to be sent, a commercial electronic message (CEM) to an electronic address unless the recipient has provided express or implied consent .  Most CEMs must also meet certain specified content requirements, including an unsubscribe mechanism. 6

CASL Exceptions  Certain CEMs are not subject to the consent and content/unsubscribe requirements  Messages to those with whom there is a personal or family relationship.  Defined in Industry Canada Regulations  Personal Relationship: Sender and recipient have had direct, voluntary, two ‐ way communication, and it would be reasonable to conclude that they have a personal relationship  Messages that are sent to an individual engaged in commercial activity and consists solely of an inquiry or application related to that activity.  Messages sent between organizations or within organizations concerning the activities of the organization.  Messages sent in response to a request, inquiry complaint or is otherwise solicited.  Messages sent to satisfy legal obligations. 7

CASL Exceptions (cont’d)  Certain CEMs are not subject to the consent and content/unsubscribe requirements (cont’d.)  Platforms: Messages sent or received on electronic messaging service.  Information and unsubscribe mechanism required under the Act must be conspicuously published and readily available through the user interface  Person consents to receive it either expressly or by implication  Closed Messaging Systems: Messages sent to a limited ‐ access secure and confidential account to which messages can only be sent by the person who provides the account.  Messages sent or caused or permitted to be sent by a person who reasonable believes the message will be accessed in a set of listed foreign states and the message conforms to the law of the foreign state that addresses spam.  116 countries listed in the Industry Canada Regulations 8

Express Consent Requirements  Generally express consent is required to send a CEM  Express consent may be obtained orally or in writing  Positive or explicit indication of consent required (i.e. no pre ‐ checked boxes)  Requests for express consent must include notice about the following:  The purpose for which consent is sought.  The name of the person seeking consent.  Certain prescribed contact information including the mailing address, and either a telephone number, email address or web address of the sender.  A statement indicating that the person whose consent is sought can withdraw their consent. 9

Express Consent Requirements (cont’d)  Additional requirements when obtaining consent on behalf of named and unnamed third ‐ parties (e.g. marketing partners or affiliates)  E.g. “[ ] Check here if you would like to receive offers and promotions from our marketing partners ”.  Unnamed third party (e.g. marketing partner) must identify person who obtained consent in CEM  Recipients must be able to unsubscribe from all lists  Centralized management of consents across unaffiliated marketing partners required 10

Express Consent Requirements (cont’d)  Express consent is not required under the Act in certain circumstances, such as where there is deemed to be “implied consent.” 11

Implied Consent  Example: Existing Business Relationships  There is implied consent where the sender and recipient have an “existing business relationship” based on, for example:  Purchase or lease of a product, goods, service  A written contract  An inquiry or application  Implied consent is time ‐ limited:  may only be relied upon for 2 years after a purchase, 2 years after the expiration of the contract or 6 months after an inquiry or application. 12

Implied Consent (cont’d)  Example 2: Business ‐ to ‐ Business  There is implied consent where the recipient has:  conspicuously posted their electronic address, and  the publication is not accompanied by an indication that he or she does not wish to receive unsolicited messages, and  the message is relevant to the recipient’s business, role, functions or duties in a business or official capacity.  or where the recipient has:  disclosed their electronic address to the sender without indicating a wish not to receive unsolicited messages, and  the message is relevant to their business, role, functions or duties in a business or official capacity. 13

Transactional Messages  Certain CEMs are not required to comply with consent requirement  For example, CEMs that solely:  Provide a quote or estimate  Facilitate, complete or confirm a commercial transaction  Provide warranty information, product recall information or safety or security information  Provide notification of factual information  Deliver a product, goods or service  Messages still must comply with content/unsubscribe requirements 14

Referrals  There is also an exception to the consent requirement for referral ‐ based communications.  A commercial electronic message may be sent the purpose of contacting the recipient following a referral by any individual who has an existing business relationship, an existing non ‐ business relationship, a family relationship or a personal relationship with the sender and recipient.  The message must disclose the full name of the referral source and state that the message is sent as a result of the referral.  Only applies to the first message sent.  Messages still must comply with content/unsubscribe requirements 15

Scope of Computer Program Rules  Apply to a person who:  installs a computer program (no malware threshold) on another person’s computer system OR  causes an electronic message to be sent from a computer system on which the person installed a computer program IF  the computer system is located in Canada or the person is in Canada 16

Consent Requirement  Express consent  Same general rules as for CEMs  Written acknowledgment of “invasive” functions 17

Disclosure Requirement • General function and purpose of the computer program • Enhanced function ‐ specific information (to be disclosed separate and apart from licence agreement) if:  enumerated “invasive” function AND  knowledge and intent that computer will operate contrary to reasonable expectations of user or owner • Contact information for assistance in removal of “invasive” programs (if inaccurate description of “invasive” program) 18