An informative presentation outlining the steps for Canada's Anti-Spam Legislation (CASL) compliance, the consequences of violation, and clarifying issues surrounding consent requirements – including exceptions to the rules.
1. IS THERE SPAM IN YOUR CASTLE?
A Discussion of Canada’s Anti-Spam Legislation
Tamara Hunter, David Spratley and Chris Bennett
January 15, 2014
2. THE PLAN
Background (Dave)
Penalties (Tamara)
Anti-Spam Rules (Chris)
Exceptions (Tamara)
Computer Programs (Dave)
Altering Transmission Data (Dave)
How to Prepare (Tamara)
Questions (You)
2DLA Piper (Canada) LLP
3. BACKGROUND
Seriously?
An Act to promote the efficiency and adaptability of the Canadian
economy by regulating certain activities that discourage reliance on
electronic means of carrying out commercial activities, and to amend
the Canadian Radio-television and Telecommunications Commission
Act, the Competition Act, the Personal Information Protection and
Electronic Documents Act and the Telecommunications Act
AA PEACE RADREM COCAA CRTCACA PIPEDATA
5. BACKGROUND
What?
Legislation to regulate certain activities that discourage reliance on
electronic means of carrying out commercial activities, of course
Commercial electronic messages (spam)
Malware
Spyware
Message routing
Misrepresentations
Automatic collection
6. BACKGROUND
Why?
To minimize receipt of unsolicited electronic messages, whether in
the form of e-mail, text messages, social media or other means of
telecommunication, that are sent for commercial reasons
To reduce electronic threats to commerce, including “phishing”,
“pharming”, “malware” and “spyware”
8. BACKGROUND
When?
Enacted in December 2010
To come into force when both CRTC Regulations and Industry
Canada Regulations finalized
CRTC Regulations finalized March 2012
Industry Canada Regulations finalized December 2013
9. BACKGROUND
So, when?
July 1, 2014: majority of CASL in force, except:
January 15, 2015: computer program rules in force, and
July 1, 2017: private right of action in force
10. PENALTIES
So, what?
Broad application and hefty fines!
“Administrative Monetary Penalties” can be levied by CRTC
As high as $1 M for individuals and $10 M for businesses
11. PENALTIES
So, what?
CRTC can issue a Notice of Violation with the $ AMP set out
Your organization can then challenge whether violation happened
and whether amount of $ penalty is appropriate
Penalties may be charged per violation and violations may be
separately assessed for each day of non-compliance
12. PENALTIES
So, what?
Individuals may bring a private civil action for any damages caused
by a contravention of CASL
The Court may award damages for actual loss/harm proven AND
may award a separate monetary sum per violation (e.g. $200 per
violation for a s. 6 violation - sending a CEM without prior consent
(which doesn’t fall w/i an exception) and/or without the required
disclosures/unsubscribe mechanism)
13. PENALTIES
So, what?
The right to bring a civil claim for a breach of CASL will not become
effective until July 1, 2017
Once the right to bring a civil claim does become effective, it cannot
be used if the CRTC has already taken action against the
organization in relation to the contravention
14. PENALTIES
There are risks other than penalties…
Having your organization publicly identified as a violator of anti-spam
law can harm your brand and reduce customer and public trust and
customer loyalty
Reputational risk
What organization wants to be known as a “spammer”?
15. ANTI-SPAM RULES
CEM = EM + Purpose
Encouraging participation in a commercial activity
Consider content, links and contact information in the message
16. ANTI-SPAM RULES
Commercial Electronic Messages
Electronic Messages
• Email
• Text/instant messages
• Social Media
Commercial Activity
• Sale/lease of product/service
• Investment/business opportunity
• Promote individuals
• Requests for consent!
18. ANTI-SPAM RULES
If it’s a Commercial Electronic Message, then…
CEM
• Consent
  • Express: Oral, Written
  • Implied: Business Relationship, Non-Business Relationship, Published Info
• Content: Disclosures, Unsubscribe
19. ANTI-SPAM RULES
Consent
• Express: Oral, Written
• Implied: Business Relationship, Non-Business Relationship, Published Info
20. ANTI-SPAM RULES
Express Consent
Required info
Purposes
Name of requester
Name of third party recipient
Contact info
Statement that consent can be withdrawn
21. ANTI-SPAM RULES
Express Consent
Need separate consents for CEMs, data and programs
Can’t bundle
Can’t toggle
Should send confirmation
26. ANTI-SPAM RULES
Implied Consent
Existing Business Relationship
• Purchase/lease
• Acceptance
• Contract
• Inquiry
Existing Non-Business Relationship
• Donation/gift
• Volunteer work
• Membership
Published Address
• Didn’t say no
• Is relevant to business/duties
27. ANTI-SPAM RULES
CEM
• Consent
  • Express: Oral, Written
  • Implied: Business Relationship, Non-Business Relationship, Published Info
• Content: Disclosures, Unsubscribe
29. ANTI-SPAM RULES
Required Consent
Disclosures
• Sender
• Agent
• Contact info
Unsubscribe
• No cost
• Same means
• Address/Link
• Takes effect within 10 days
Alternative
• Post disclosure info on web page
• Provide clear link
32. EXCEPTIONS TO ANTI-SPAM RULES
Exceptions to Consent Requirement - Examples
CEM solely provides a requested quote or estimate for the supply of
goods/services
CEM solely facilitates/confirms a previously agreed-to commercial
transaction
CEM solely provides warranty, product recall or safety info about a
purchased product/service
33. EXCEPTIONS TO ANTI-SPAM RULES
Exceptions to Consent Requirement - Examples
CEM solely provides factual info about a subscription, membership,
account or similar relationship
CEM solely provides info directly related to an employment
relationship or related benefit plan
CEM solely delivers a product, including updates or upgrades
pursuant to a transaction
34. EXCEPTIONS TO ANTI-SPAM RULES
Exceptions to the Prohibitions
CEM sent to an individual with whom the sender has a “personal or
family relationship”
CEM sent to a person engaged in a commercial activity and consists
solely of an inquiry or application related to that activity
(above exceptions are set out in the legislation itself)
35. EXCEPTIONS TO ANTI-SPAM RULES
Additional Exceptions (in IC Regulations)
The Industry Canada regulations contain several additional
exceptions to the Key Prohibitions:
Any CEM sent in response to a request, inquiry, complaint or
otherwise solicited by the recipient
CEMs sent between employees, representatives, etc. of an
organization concerning that organization’s affairs
36. EXCEPTIONS TO ANTI-SPAM RULES
Additional Exceptions, cont’d
CEMs sent by an employee (representative etc.) of one organization
to an employee (representative etc.) of another organization in
circumstances where the organizations have a business relationship
and the message concerns the affairs of the organization to which
the message is sent
Any CEM sent to satisfy a legal obligation or enforce a legal right,
court order, etc.
37. EXCEPTIONS TO ANTI-SPAM RULES
Exception to Consent Requirement - 3rd Party Referrals
A single CEM sent to someone without consent, based on a 3rd
party’s referral, so long as the sender discloses the name of the
person making the referral and so long as there is an existing
business, non-business, personal or family relationship between the
person making the referral and each of the sender and the recipient
38. EXCEPTIONS TO ANTI-SPAM RULES
Exception to Consent Requirement - 3rd Party Referrals
Example:
Susan, a friend of Joe, could suggest to her accountant that the
accountant send an e-mail to Joe offering the accountant’s services.
So long as the accountant sends one unsolicited e-mail only to Joe
and states in the e-mail that Susan referred the accountant to Joe,
the accountant will not have violated CASL
39. EXCEPTIONS TO ANTI-SPAM RULES
Newly Added Exceptions to the Prohibitions
A CEM sent/received on an EM service if the disclosure/unsubscribe
mechanism are conspicuously published and readily available on the
user interface, and the person receiving the message has given
express/implied consent to receive it (e.g. BB Messenger, WhatsApp)
A CEM sent to a limited-access and confidential account to which
messages can only be sent by the account provider to the receiver
(e.g. messages sent by a financial institution to a customer through
an on-line banking account)
40. EXCEPTIONS TO ANTI-SPAM RULES
Newly Added Exceptions to the Prohibitions
A CEM sent by a person who reasonably believes the CEM will be
accessed in a foreign state (listed in schedule to Regs) and the
message conforms to the anti-spam law of the foreign state
A CEM sent by or on behalf of a registered charity where primary
purpose is to raise funds for the charity
A CEM sent by or on behalf of a political party/candidate and primary
purpose is soliciting a contribution
41. EXCEPTIONS TO ANTI-SPAM RULES
IC Regulations re: “Personal Relationship”
Persons who have had a “direct, voluntary, two-way communication”
will qualify as having a personal relationship where it is reasonable to
conclude that the relationship is personal based on all relevant
factors, including the sharing of interests, experiences and opinions,
the frequency of communications, the length of time since the parties
communicated and whether the parties have met in person.
The proposed definition of “personal relationship” would allow
relationships formed solely on electronic communications (e.g.
Facebook) to potentially qualify for an exception to the Key
Prohibitions
42. COMPUTER PROGRAMS
Malware and Spyware: CASL s.8
8 (1) A person must not, in the course of a commercial activity, install
or cause to be installed a computer program on any other person’s
computer system or, having so installed or caused to be installed a
computer program, cause an electronic message to be sent from that
computer system, unless
(a) the person has obtained the express consent of the owner or an
authorized user of the computer system and complies with subsection
11(5); or
(b) the person is acting in accordance with a court order
44. COMPUTER PROGRAMS
The Prohibitions - Key Points
“Computer program” and “computer system” incorporate broad
definitions from Criminal Code, not just limited to malware and
spyware
“Installing” is not defined
45. COMPUTER PROGRAMS
Consent
Requires express consent, not implied (requirements for express
consent as discussed previously)
Must clearly and simply describe, in general terms, the computer
program’s function and purpose
46. COMPUTER PROGRAMS
More Consent - s.10(5) - Computer Programs
If computer program performs certain specified functions, must
clearly and prominently, separately from the licence agreement:
describe the program’s material elements that perform the function,
including the nature and purpose of those elements and their reasonably
foreseeable impact on the operation of the computer system, and
bring those elements to the person’s attention
47. COMPUTER PROGRAMS
More Consent - Computer Programs - CRTC Regs
Bring those material elements to the person’s attention separately
from any other information provided in a request for consent
Get written acknowledgement that the person understands and
agrees that the program performs the specified functions
48. COMPUTER PROGRAMS
More Consent - Computer Programs
Any of these functions that the person seeking consent knows and
intends will cause the computer system to operate in a manner that is
contrary to the owner’s or authorized user’s reasonable expectations:
collecting personal information stored on system
interfering with control of the system
changing or interfering with settings, preferences, etc., without owner’s
knowledge
49. COMPUTER PROGRAMS
More Consent - Computer Programs, cont’d
changing or interfering with stored data in a way that obstructs, interrupts
or interferes with lawful access to or use of the data
causing system to communicate with another system or device without
authorization
installing a program that may be activated by a third party without
knowledge
any other prescribed function
50. COMPUTER PROGRAMS
Deemed Consent - 10(8)
A person is deemed to have expressly consented to
installation of listed computer programs (e.g., cookies, HTML
code, operating systems) if person’s conduct is such that it is
reasonable to believe that the person consents to the
installation
51. COMPUTER PROGRAMS
Deemed Consent - 10(8)
IC regs allow telecom service providers to install programs on
customers’ computers / devices to:
protect network security
update / upgrade network
prevent failure of computer system or program
52. COMPUTER PROGRAMS
Cookie Conundrum?
10(8) specifically mentions cookies -- are they therefore “computer
programs” and subject to CASL?
IC: cookies are not programs -- they are not executable, cannot carry
viruses and cannot install malware
CRTC: cookies are programs … but cannot be “installed” and so not
subject to CASL
53. COMPUTER PROGRAMS
Updates / Upgrades
No consent required for update/upgrade if:
express consent to the installation and use of original program
person who gave consent is entitled to receive the update/upgrade under
the terms of the express consent
update/upgrade is installed in accordance with those terms
54. COMPUTER PROGRAMS
Withdrawal of Consent - 11(5)
Person who receives express consent for installation of program must:
for 1 year after installation, ensure that the consenting person is provided
with an electronic address through which to request program’s removal or
disabling
if consent based on inaccurate description of program’s material elements,
on receipt of that request within the 1-year period assist the person in
removing or disabling the program as soon as feasible, without cost to the
person
55. COMPUTER PROGRAMS
Computer Programs - Timing
Effective: January 15, 2015
Transition: if program already installed before, consent to update /
upgrade implied until earlier of:
consent withdrawn
January 15, 2018 (3 years after s. 8 in force)
56. ALTERING TRANSMISSION DATA
Pharming: CASL s.7
Cannot in the course of commercial activity alter or cause to be
altered the transmission data in an EM so that it is delivered to a
destination other than or in addition to that specified by sender,
unless:
express consent
court order
57. ALTERING TRANSMISSION DATA
Pharming Prohibition: Purpose
To combat “pharming”: using electronic measures to redirect traffic to
a fraudulent site
Does not apply to alterations by telecom service providers for
network management purposes
58. ALTERING TRANSMISSION DATA
Pharming Prohibition: Consent
Same express requirement rules as discussed above
If you have express consent to alter transmission data:
must provide an electronic address to which person may send notice of
withdrawal of consent
give effect to notice of withdrawal of consent without delay, and in any
event within 10 business days after notice
59. HOW TO PREPARE
Time is on our side … but not for too long!
Coming-into-force is now 6 months away
Then transition period: implied consent arising from existing
business relationship will work until earlier of:
Person withdrawing consent
3 years after CASL in force
60. HOW TO PREPARE
Raise Awareness and Establish Compliance Team
Raise awareness with senior management (deadlines, penalties and
risks, preparation will be complex)
Develop compliance team
Team should include sales/marketing, customer support,
communications, privacy, legal, risk management, IT, and HR
61. HOW TO PREPARE
Assess CEMs
Consider and identify what kinds of CEMs your organization
currently sends and what CEMs it is likely to want to send going
forward
Develop an inventory of all CEMs
62. HOW TO PREPARE
Develop CEM Inventory
Develop an inventory and identify, within the inventory, which CEMs fall
within an exception or a time-limited implied consent (e.g. an
existing business relationship that will “expire” after two years)
Develop “stop send” mechanisms that will kick in when appropriate
(e.g. on date when two years will expire for existing business
relationships or when customer expressly withdraws consent)
63. HOW TO PREPARE
Consider Upgrading to Express Consent
CASL creates a complex web of requirements and exceptions
Difficult to determine which exception, if any, might apply in what
circumstances
CASL clearly allows sending CEMs with prior consent -- so consider
using available time to get consent rather than worrying about fitting
into an exception
64. HOW TO PREPARE
Upgrading to Express Consent
Upgrade to express consent where possible and, when express
consent obtained, develop mechanism to reflect this in
spreadsheets/system (to override the “stop send” that would
otherwise kick in)
Express consent does not expire (but can be withdrawn expressly)
65. HOW TO PREPARE
CEM Management - Ongoing
Use spreadsheets and a coordinated internal communications and
training plan to make all of this work
Review and update inventory every six months
Training is not a one-time event – refreshers will be required
66. HOW TO PREPARE
Unsubscribe Mechanisms
Make sure unsubscribe mechanisms and notices are in place and
meet all existing requirements
Make sure organization can comply with unsubscribe requests in
specified time frames
67. HOW TO PREPARE
Internal Education and Compliance
Implement policies, guidelines, training, procedures, controls, etc., as
necessary to make sure your organization is CASL-ready
69. Disclaimer
This publication is intended to provide our general comments on
developments in the law. It is not intended to be a comprehensive
review nor is it intended to provide legal advice. Readers should not act
on information in the publication without first seeking specific advice on
a particular matter. Readers should consult a qualified health
professional before consuming actual canned meat.
70. Contact
Tamara Hunter
604 643 2952
tamara.hunter@dlapiper.com
David Spratley
604 643 6359
david.spratley@dlapiper.com
Chris Bennett
604 643 6308
chris.bennett@dlapiper.com