2. Who we are
• Canadian-based Information Technology consulting company founded in 2003.
• Provides range of I.T. solutions -> Strategy through Implementation.
• Focused on mid-to-large size businesses
• Team comprised of I.T. practitioners with subject matter specializations &
designations in all key areas of technology.
• Track record of client satisfaction on every engagement.
Page 2
3. What we do
Strategic Advisory Business Solution Implementation
• IT Assessment • Vendor Selection
• IT Strategy • ERP Optimization
• Merger & Acquisition Due Diligence • SharePoint Solutions
• IT Management • Web Development
• Post-Merger Integration
Security Solutions Infrastructure & Managed Services
• Information Security Health Check • Managed Services & Hosting
• Threat Risk Assessment & Penetration
Testing
• Information Security Program
Development
• Enterprise Security
Page 3
5. CASL - Bill C28
• What is it and what’s in it?
• When is it in play?
• What does it really mean to Canadian Businesses?
• What are the top 5 things I should do about it if
anything?
• What help is out there?
Page 5
6. CASL - What is it and what’s in it?
CASL = Canada's Anti-Spam Legislation
• It is intended to target spam emails, malware, pharming, phishing and other
malicious communications.
• New laws governing the use of CEMs, the alteration of transmission data and
computer software installs. CEM is a new broader category greater than email.
CEM = Commercial Electronic Message
• CEM includes any electronic message… so email, SMS, instant messages and some
social media postings all count as CEMs.
The net is 6 New Laws enforced by CRTC, The Competition Bureau, and the Office of
the Privacy Commissioner
• Governs any CEMs sent from inside Canada or any external CEM’s sent into Canada
• Violations are not criminal offences
Page 6
8. CASL - What is it and what’s in it? – Con’t
• Who does what in terms of enforcement?
CRTC scope
• the sending of unsolicited commercial electronic messages
• the altering of transmission data
• installing a computer program with computer systems and networks without
consent
Competition Bureau Scope
• misleading and deceptive practices and representations online, including false or
misleading headers and website content
Office of the Privacy Commissioner scope
• take measures against the collection of personal information via access to a
computer
• the unauthorized compiling or supplying of lists of electronic addresses
Page 8
9. CASL – The rules
Senders of CEMs must identify themselves, indicate on whose behalf the message is
being sent, provide up-to-date contact information, and access to an unsubscribe
mechanism. The provided credentials must also be valid for 60 days.
You need to have consent from the receiver to send a CEM
• The big question – what is consent?
Consent under the new law
• Express consent (opt ins) – also see PIPEDA for more on consent
• Implied Consent (only for the transition period)
– Existing relationship with the recipient (business or non business) within 2 years
– Recipient published their address is a prominent manner
– Recipient provided their address directly to the sender
We are the last of the G8 to enact this type of legislation
Page 9
10. CASL – The Penalties and reach
• Fines up to $1,000,000 per violation for individuals and up to $10,000,000 for
organizations.
• Allows for private right of action (means people can sue violators)
• Enables the three agencies to work with their counterparts in other countries to
enforce the laws.
• Purpose of penalties a stated is to “promote compliance … and not to punish”
Page 10
11. CASL - When is it in play?
• When was it Approved?
– It was approved Dec 15, 2010
• When is it Effective?
– No date set – recent comments from Industry
Minister Paradis indicate it will be coming
into force in 2013.
• How much time after effective is
compliance required?
– Implied consent lasts for three years – after
that express consent is required
Page 11
12. CASL - What does it really mean to Canadian Businesses?
• Compliance is required for any businesses that send CEM’s
• Large fines can be levied on businesses that are not compliant
• The net – you need consent to send a CEM
• Need to have a central database of addresses and the consent
status (consent given, consent implied, consent withheld)
• No more spreadsheets with email addresses in 20 different
location!!!
• Need to offer opt-in and opt-out visibly and easily
Page 12
13. CASL - What are the top 5 things I should do about it if
anything?
• Conduct an internal Audit
• Change supplier requirements
• Governance in place – create a CASL policy
• Platform to enforce governance
• Internal Training
Page 13
14. Conduct an Internal Audit
• Where are the CEMs ?
• What are you sending?
• What mechanism’s are you using? Does it support
unsubscribe?
• Find all the channels!
• Assess existing contracts/relationships to determine implied
consent
• Gain consent now while seeking consent is not a violation –
after the law comes into effect seeking consent is in itself in
violation of the law.
• After the law comes into effect you will have three years to
obtain express consent
Page 14
15. Change your requirements for your suppliers
• Require any lists you buy to be “clean” (consent based)
• Make it part of the RFP process when engaging new vendors
• Make CASL compliance part of the minimum requirements –
particularly for eMail and Marketing vendors, but consider it
for all vendor relationships.
• When you provide email addresses to third parties such as
consultants and other outside entities make them agree to
use those addresses in a CASL-compliant manner
Page 15
16. Draft a CASL policy for your organization
• Create the governance policy and framework
• Communicate the policy
• Be in line with CASL organizationally
• Include maintaining a record of consent as a
requirement
• Augment your new client in-take process to include
documenting consent
• Should cover off all forms and procedures
Page 16
17. Support and Enforce your policy
• Make sure all channels provide that visible opt-out
• Make sure the opt-out is enforced broadly across all
channels and within 10 days of the opt-out action
• Make sure all outbound CEM’s are sourced from the
screened lists
• Define the consent basis and track it (given vs.
implied vs. declined)
• If you don’t have tools in place
then get them and deploy them
Page 17
18. Train your workforce
• Train your workforce on your policy, the governance
and internal tools that you can provide them
• Make sure they understand CASL
• Make sure they know the rules so they can avoid
violations
• This is part of your diligence
defence
Page 18
19. Diligence and Enforcement
• Do your diligence and we believe you have a reasonable position to defend any
breaches of the law
• No one knows yet how aggressively this will be enforced
• They may draft and distribute guidelines when the law goes into effect
We operate based on the assumption that the point of this law is not to interfere with
the normal course of Canadian business.
It isn’t over though…
• Many comments have been submitted and the delay in making the law take force
may be due to the assessment of these comments.
• Many feel CASL is too strong and possibly even disruptive to business – e.g. What
about a start-up company –where do they find new customers?
• Is mass email marketing really bad?
• Is CASL too broad?
Page 19
20. Mini-FAQ
• What help is out there
– It’s still early but companies are preparing offerings
– We can help you with Audits, Governance and Policy
– We can help you with technology deployments of tool sets
• How does this differ from the CAN-SPAM passed in the US in 2003?
– Broader in scope and definitions of spam
– CASL might actually be enforced
– CASL extends beyond Canada’s borders
– Stiffer penalties
– More stringent consent required
• What is Commercial?
– Encourages some sort of commercial activity – transaction or similar
• How will violators be caught?
– Spam Reporting Center
Page 20
21. For more info…
The CASL web site - http://www.ic.gc.ca/eic/site/030.nsf/eng/home
The CRTC regulations - http://www.crtc.gc.ca/eng/archive/2012/2012-183.htm
Can-Spam wiki - http://en.wikipedia.org/wiki/CAN-SPAM_Act_of_2003
PIPEDA - http://laws-lois.justice.gc.ca/eng/acts/P-8.6/index.html
TB PIPEDA - http://www.tbs-sct.gc.ca/pgol-pged/piatp-pfefvp/course1/mod2/mod2-3-eng.asp
The laws - http://lois-laws.justice.gc.ca/eng/AnnualStatutes/2010_23/FullText.html
CRTC has already published their regulations under CASL in the Canada Gazette –
http://www.gazette.gc.ca/rp-pr/p2/2012/2012-03-28/pdf/g2-14607.pdf
For questions and follow-up david.polsky@litcom.ca
Page 21