Presentation from IAPP Canada 2011 Conference. Presented by Shaun Brown - (http://nnovation.com), and Matthew Vernhout (http://www.transcontinental-interactive.com).

1. e-Marketing Policy-Building
Workshop
Shaun Brown – nNovation LLP
Matthew Vernhout – Transcontinental
Interactive
IAPP Canada Privacy Symposium
May 4-6, 2011

2. Roadmap
1. Why this matters
2. Brief overview of requirements under CASL, Competition
Act and PIPEDA
3. Practical implementation issues
4. Key considerations in developing e-marketing policies

3. Why e-marketing policy matters: legal
• CASL applies to anyone who sends, causes, permits, aids,
induces, or procures a CEM to be sent.
• Vicarious liability for employees and agents
• Liability for officers/directors of corporations
• Significant penalties:
– Administrative monetary penalties (AMPs) of up to $10 million
per violation
– Private right of action allows any person affected by a violation
to sue for actual and statutory damages
• Privacy legislation applies to use of electronic addresses

4. Why e-marketing policy matters: non-
legal
• Protecting your brand and relationship with
customers
• Delivering campaigns that are effective
• Protecting your relationship with partners
• Deliverability

5. Canada’s Anti-Spam Legislation (CASL)
• Establishes permission-based regime for sending
commercial electronic messages (CEM)
• Applies to any message sent from or accessed by a
computer located in Canada (applies to American senders!)
• More than email: IM; SMS; social media; etc.
• Voice, fax currently excluded (covered by DNCL)
• Competition Act amendments: False and misleading
information (content, sender info, locators)
• PIPEDA amendments: address harvesting; dictionary
attacks; collection of personal information through
unauthorized access to a computer systems

6. Commercial Electronic Message
• Broadly defined to include any message with any
semblance of commercial activity
– Product or service
– Business opportunities
– Promotes an individual who does any of the above
• Message to request consent deemed to be CEM

7. Three primary rules
1. Consent (express or implied)
2. Identification
3. Unsubscribe

8. 1. Consent: exemptions
• Family or personal relationship (to be defined in
regs)
• Business inquiry

9. 1. Consent: no consent required
• Quotes or estimates, if requested
• Facilitates commercial transaction
• Warranty or safety information
• Information about ongoing subscription, membership, etc.
• Information related to employment relationship or benefit
plan
• Delivers good or service
*Other requirements still apply

10. 1. Consent: implied consent
• Consent is deemed in four circumstances:
1. Existing business relationship
2. Existing non-business relationship
3. Conspicuous publication of electronic address
4. Recipient has disclosed electronic address to the sender
• No implied consent for referrals
• In most cases implied consent last for 2 years – window of
opportunity to obtain express consent
• Transitional period for implied consent – 3 years for existing
bus and non-bus rel’ps at coming into force

11. 1. Consent: checklist
1. Does section 6 apply (see exemptions)?
2. If so, do I need consent (other requirements still apply)?
3. If not, can I rely on implied consent?
4. If not, how do I obtain express consent?

12. 2. Identification
• Identify sender as well as person on whose behalf message
is sent
– Provide postal address
• Contact information for either of above

13. 3. Unsubscribe mechanism
• Must be functional for 60 days
• No cost
• Same means unless impracticable
• Include either electronic address or link
• Must process without delay (no messages sent after unsub
sent)

14. Defining “sent”
• Message is sent once transmission has been initiated
• Does not matter whether
– Message reaches destination
– electronic address exists

15. Enforcement
Combination of public and private enforcement:
1. Regulatory enforcement – including administrative
monetary penalties (AMPs)
– Administrative as opposed of criminal
2. Private Right of Action

16. Protection for ‘honest mistakes’
1. Undertakings & Compliance (s.21)
– At any time
– Restricts other action (notice of violation and statutory damages under
PRA)
2. Due Diligence Defence and Common Law Principles (s.33)
– Cannot be found liable
– Justification or excuse consistent with the Act
3. Factors to be Considered re: AMPs (s.20)
– Nature and scope of violation
– Financial benefit
– Any relevant factor

17. Interaction with PIPEDA
• E-marketing already captured by PIPEDA; CASL creates
more specific rules
• PIPEDA additionally applies to:
– Sale and purchase of personal information (e.g., email
addresses)
– Failure to properly secure personal information (think about
recent ESP data breaches)
– Collection of personal information for purposes of targeting

18. Express consent: requirements
• Must clearly explain purposes
– E.g., “I would like to receive emails about offers from
[company]”.
• Sender must identify themselves when obtaining consent
(and other(s) where applicable)

19. Express consent: considerations
• What is “express” consent?
– Opt-in vs. Opt-out; single opt-in, notified opt-in, double opt-in
• Best practice: double opt-in
• Also, think about reminding recipients why they are
receiving your messages

20. Building your list: risky ideas
• Purchasing
• Email append
• Rental without assurance that lists are in compliance
• If it sounds too good to be true....

21. Leveraging your (others) list
• Renting not necessarily a violation, but potentially risky
• There are proper ways to send third party offers to your
(others) subscribers
• Considerations
– Relevance
– Ensuring subscribers know who is sending
– Consent allows for third party offers; e.g. “I would like to hear
about offers from [company] and its partners.”

22. Organic growth is key
• Organic growth allows you to control your lists to be sure
they are compliant
• 3 common ways to gain subscribers:
– Online registration/sale
– Inbound call centers
– In-store points of sale
• Take advantage of interactions with your brand
• Implied consent provisions can be useful, but obtain
express consent up front

23. Other tactics
• Sweepstakes
• Print/television/radio
• Forwarding (FTAF, SWYN)

24. Forwarding (FTAF, SWYN)
• Offering incentives to forward could result in liability
– Section 9: is prohibited to aid, induce, procure or cause to be
procured the doing of any act contrary to section 6
• Impose limits on forwards (how many, to whom)
– Exemption under 6(5): CASL does not apply to messages sent
between people with personal or family rel’p
• Share to social – does CASL apply?
– CASL only applies to CEM sent to an electronic address

25. B2B considerations
• No general exemption for B2B
• Implied consent:
– Conspicuous publication
– Recipient discloses electronic address to sender
• Relevance will be a key issue
• Electronic addresses from web must be collected
manually (address harvesting prohibited)

26. What about existing subscribers?
• Good time to consider quality of existing lists
• Do you have evidence of express consent?
• If express consent is required, get creative
– Response to reconfirmation messages low
– Offer incentives, new campaign features, etc.

27. Unsubscribe - considerations
• Applies once the unsub is sent, not received
• Must be implemented without delay, i.e., no
messages can be sent after an unsubscribe is
sent
• Pros and cons of allowing people to reply directly
to message as well as link to unsub
– Will have to ‘eat’ spam
– Miss out on opportunity to ask why

28. ePrivacy Policies
• Key considerations
– Length of and complexity of your policy
– Consider the language used based on your audience
• Include vendor and third parties that you work with and the
types of data shared

29. Analytics
• List your current analytics program
– Google Analytics, AWStats, etc…
• List what you track
– Pages, time on site, What brought you to the site, etc…
• List what you don’t track
– IP address, etc…

30. Other considerations
• Responsibility for the actions of marketing dep’t
• Upper mgmt should be involved in developing
policies
• Be clear about what marketing dep’t is authorized
to do
• Incentives for marketing dep’t

31. E-marketing policies: summary
• Agreements with 3rd parties
– Affiliates
– Email service providers
• Focus on more than just the rules
– Best practices
– Provide value –make subscribers look forward to your
announcements
• Ensure that PI is collected in compliance with PIPEDA
• Policies and procedures for ‘honest mistakes’ (e.g., contact
CRTC, notify subscribers)

32. Questions?
Shaun Brown, Counsel
nNovation LLP
sbrown@nnovation.com
Matthew Vernhout, Director, Delivery & ISP
Relations
Transcontinental Interactive
matthew.vernhout@transcontinental.ca

33. References
• Canada’s Anti-Spam Legislation:
http://www2.parl.gc.ca/HousePublications/Publication.aspx?Language=E&
Parl=40&Ses=3&Mode=1&Pub=Bill&Doc=C-28_4
• Personal Information Protection and Electronic Documents Act:
http://www.canlii.org/en/ca/laws/stat/sc-2000-c-5/latest/sc-2000-c-
5.html
• Brown & Klein, A Complete Guide to e-Marketing Under Canada’s Anti-
Spam Legislation, (Toronto: Carswell, 2011)
• EmailKarma.net