Presentation from IAPP Canada 2011 Conference.
Presented by Shaun Brown (http://nnovation.com) and Matthew Vernhout (http://www.transcontinental-interactive.com).
1. e-Marketing Policy-Building Workshop
Shaun Brown – nNovation LLP
Matthew Vernhout – Transcontinental Interactive
IAPP Canada Privacy Symposium
May 4-6, 2011
2. Roadmap
1. Why this matters
2. Brief overview of requirements under CASL, Competition
Act and PIPEDA
3. Practical implementation issues
4. Key considerations in developing e-marketing policies
3. Why e-marketing policy matters: legal
• CASL applies to anyone who sends, causes, permits, aids,
induces, or procures a CEM to be sent.
• Vicarious liability for employees and agents
• Liability for officers/directors of corporations
• Significant penalties:
– Administrative monetary penalties (AMPs) of up to $10 million
per violation
– Private right of action allows any person affected by a violation
to sue for actual and statutory damages
• Privacy legislation applies to use of electronic addresses
4. Why e-marketing policy matters: non-legal
• Protecting your brand and relationship with
customers
• Delivering campaigns that are effective
• Protecting your relationship with partners
• Deliverability
5. Canada’s Anti-Spam Legislation (CASL)
• Establishes permission-based regime for sending
commercial electronic messages (CEM)
• Applies to any message sent from or accessed by a
computer located in Canada (applies to American senders!)
• More than email: IM; SMS; social media; etc.
• Voice, fax currently excluded (covered by DNCL)
• Competition Act amendments: False and misleading
information (content, sender info, locators)
• PIPEDA amendments: address harvesting; dictionary
attacks; collection of personal information through
unauthorized access to a computer system
6. Commercial Electronic Message
• Broadly defined to include any message with any
semblance of commercial activity
– Product or service
– Business opportunities
– Promotes an individual who does any of the above
• Message to request consent deemed to be CEM
8. 1. Consent: exemptions
• Family or personal relationship (to be defined in
regs)
• Business inquiry
9. 1. Consent: no consent required
• Quotes or estimates, if requested
• Facilitates commercial transaction
• Warranty or safety information
• Information about ongoing subscription, membership, etc.
• Information related to employment relationship or benefit
plan
• Delivers good or service
*Other requirements still apply
10. 1. Consent: implied consent
• Consent is deemed in four circumstances:
1. Existing business relationship
2. Existing non-business relationship
3. Conspicuous publication of electronic address
4. Recipient has disclosed electronic address to the sender
• No implied consent for referrals
• In most cases implied consent lasts for 2 years – window of
opportunity to obtain express consent
• Transitional period for implied consent – 3 years for existing
business and non-business relationships at coming into force
11. 1. Consent: checklist
1. Does section 6 apply (see exemptions)?
2. If so, do I need consent (other requirements still apply)?
3. If not, can I rely on implied consent?
4. If not, how do I obtain express consent?
12. 2. Identification
• Identify sender as well as person on whose behalf message
is sent
– Provide postal address
• Contact information for either of above
13. 3. Unsubscribe mechanism
• Must be functional for 60 days
• No cost
• Same means unless impracticable
• Include either electronic address or link
• Must process without delay (no messages sent after unsub
sent)
14. Defining “sent”
• Message is sent once transmission has been initiated
• Does not matter whether
– Message reaches destination
– electronic address exists
15. Enforcement
Combination of public and private enforcement:
1. Regulatory enforcement – including administrative
monetary penalties (AMPs)
– Administrative as opposed to criminal
2. Private Right of Action
16. Protection for ‘honest mistakes’
1. Undertakings & Compliance (s.21)
– At any time
– Restricts other action (notice of violation and statutory damages under
PRA)
2. Due Diligence Defence and Common Law Principles (s.33)
– Cannot be found liable
– Justification or excuse consistent with the Act
3. Factors to be Considered re: AMPs (s.20)
– Nature and scope of violation
– Financial benefit
– Any relevant factor
17. Interaction with PIPEDA
• E-marketing already captured by PIPEDA; CASL creates
more specific rules
• PIPEDA additionally applies to:
– Sale and purchase of personal information (e.g., email
addresses)
– Failure to properly secure personal information (think about
recent ESP data breaches)
– Collection of personal information for purposes of targeting
18. Express consent: requirements
• Must clearly explain purposes
– E.g., “I would like to receive emails about offers from
[company]”.
• Sender must identify themselves when obtaining consent
(and other(s) where applicable)
19. Express consent: considerations
• What is “express” consent?
– Opt-in vs. Opt-out; single opt-in, notified opt-in, double opt-in
• Best practice: double opt-in
• Also, think about reminding recipients why they are
receiving your messages
20. Building your list: risky ideas
• Purchasing
• Email append
• Rental without assurance that lists are in compliance
• If it sounds too good to be true....
21. Leveraging your (others') list
• Renting not necessarily a violation, but potentially risky
• There are proper ways to send third party offers to your
(others') subscribers
• Considerations
– Relevance
– Ensuring subscribers know who is sending
– Consent allows for third party offers; e.g. “I would like to hear
about offers from [company] and its partners.”
22. Organic growth is key
• Organic growth allows you to control your lists to be sure
they are compliant
• 3 common ways to gain subscribers:
– Online registration/sale
– Inbound call centers
– In-store points of sale
• Take advantage of interactions with your brand
• Implied consent provisions can be useful, but obtain
express consent up front
24. Forwarding (FTAF, SWYN)
• Offering incentives to forward could result in liability
– Section 9: it is prohibited to aid, induce, procure or cause to be
procured the doing of any act contrary to section 6
• Impose limits on forwards (how many, to whom)
– Exemption under 6(5): CASL does not apply to messages sent
between people with a personal or family relationship
• Share to social – does CASL apply?
– CASL only applies to CEM sent to an electronic address
25. B2B considerations
• No general exemption for B2B
• Implied consent:
– Conspicuous publication
– Recipient discloses electronic address to sender
• Relevance will be a key issue
• Electronic addresses from web must be collected
manually (address harvesting prohibited)
26. What about existing subscribers?
• Good time to consider quality of existing lists
• Do you have evidence of express consent?
• If express consent is required, get creative
– Response to reconfirmation messages low
– Offer incentives, new campaign features, etc.
27. Unsubscribe - considerations
• Applies once the unsub is sent, not received
• Must be implemented without delay, i.e., no
messages can be sent after an unsubscribe is
sent
• Pros and cons of allowing people to reply directly
to message as well as link to unsub
– Will have to ‘eat’ spam
– Miss out on opportunity to ask why
28. ePrivacy Policies
• Key considerations
– Length and complexity of your policy
– Consider the language used based on your audience
• Include vendor and third parties that you work with and the
types of data shared
29. Analytics
• List your current analytics program
– Google Analytics, AWStats, etc…
• List what you track
– Pages, time on site, what brought you to the site, etc…
• List what you don’t track
– IP address, etc…
30. Other considerations
• Responsibility for the actions of the marketing department
• Upper management should be involved in developing
policies
• Be clear about what the marketing department is authorized
to do
• Incentives for the marketing department
31. E-marketing policies: summary
• Agreements with 3rd parties
– Affiliates
– Email service providers
• Focus on more than just the rules
– Best practices
– Provide value – make subscribers look forward to your
announcements
• Ensure that PI is collected in compliance with PIPEDA
• Policies and procedures for ‘honest mistakes’ (e.g., contact
CRTC, notify subscribers)