Canada's New Anti-Spam legislation is intended to deter damaging and deceptive forms of spam, such as identity theft, phishing and spyware from occuring in Canada. In this presentation, FMC's Margot Patterson gives an in-depth look at the legislation including: risks and implications for business, the scope, reach and liability of the liability of the legislation, regulations, software installation, violations and enforcement as well as a look at where the legislation is headed and what that means for your business.

1. Anti‐Spam 101:
Risks and Implications for Businesses
Complying with the new Canadian Anti‐Spam Law
Presented by: Margot Patterson
October 19, 2011
1

2. Minister of Industry, the Honourable Tony Clement, May 25, 2010:
The proposed (legislation) is intended to deter the most
damaging and deceptive forms of spam, such as identity theft,
phishing and spyware, from occurring in Canada and to help
drive spammers out of Canada.
2

3. CASL: Key Topics
1. Risks and implications: scope, reach, and liability
2. Anti‐Spam
3. Software Installation
4. Violations and Enforcement
5. Next steps
3

4. Risks and Implications
4

5. Risks and Implications: Scope
• Spam
• Malware and botnets
• Network re‐routing
• False or misleading representations online
• Address harvesting
• Spyware
5

6. Risks and Implications: Reach
• Who:
– Directors, officers, agents or mandataries of a corporation
– Employees acting within scope of employment
• Where:
– Activities outside Canada
• Spam: computer system in Canada used to send/access message
• Software installation: computer system receiving the program in
Canada (or if installer is in Canada or operating under direction of
person in Canada)
• Altering transmission data: computer system in Canada used to
send/route or access message
6

7. How CASL compares to U.S. Can‐Spam
• Broader application
• Greater territorial reach
• Higher standard for consent
• Higher penalties
7

8. Risks and Implications: Liability
• Administrative monetary penalties (AMPs)
• Vicarious liability
• Private right of action
8

9. Anti‐Spam
9

10. Anti‐Spam
• A word on the regulations:
– CRTC Regulations: parameters for CEMs (plus functions of computer
programs)
– Industry Canada Regulations: personal and family relationships,
memberships, conditions for use of consent
10

11. Anti‐Spam
• What is a “commercial electronic message”?
– Electronic message
•including text, sound, voice, image
– Electronic address
•including e‐mail, IM, phone or “any similar account”
– Encouraging participation in a commercial activity
•Transaction, act or conduct of a commercial character
– Whether or not in expectation of profit
11

12. Anti‐Spam
• CEMs can be sent if:
– You have the express or implied consent of the recipient,
or if consent is not required under CASL
and the message:
– Identifies the sender (including “sent on behalf of”);
– Includes the required contact information; and
– Includes an unsubscribe mechanism
12

13. Anti‐Spam
• Some exceptions to the consent requirement:
– Message between individuals with personal or family relationship
– An inquiry or application to a person engaged in a commercial activity
– Quote or estimate, requested by recipient
– Facilitating, completing or confirming a pre‐existing transaction
– Warranty, product recall or safety/security information
– Factual information regarding subscription, membership, account, loan
– Ongoing information about recipient’s employment or benefit plan
– Delivers a product, good or service, including updates/upgrades
13

14. Anti‐Spam
• Implied consent:
– Commercial transaction with the recipient OR
– Business, investment or gaming opportunity with recipient
within the previous two years
– Inquiry from the recipient in the previous six months about the above
– Written contract with the recipient, still in effect or expired within
previous two years
– Recipient has conspicuously published his or her electronic address,
and message is relevant to his or her business role or function
– Recipient has disclosed electronic address, and the message is relevant
to his or her business role or function
14

15. Anti‐Spam
• Getting express consent:
– Purpose for the consent
– Name
– Address, phone number, e‐mail and web address
– Unsubscribe statement
…subject to the CRTC regulations
15

16. Anti‐Spam
• What disclosure is required?
– Include in all CEMs
• In message itself, or clear and prominent one‐click link
– Sender
– Contact information
– Unsubscribe
16

17. Anti‐Spam
• Sending messages “on behalf of” partners
– When is a message “on behalf of” another?
– Best practices
– Requirements for partner CEMs
17

18. Software Installation
18

19. Software Installation
• Rule of thumb: no installation without consent
• A few exceptions:
– Cookie
– HTML code
– Java Scripts
– an operating system
– update/upgrade to a program previously installed with express consent
19

20. Software Installation: Consent
• “Minimum disclosure” – set out:
– the purpose for the consent, i.e. “to install [name of software]”; and
– a notice containing:
• name, address, customer service phone number, email address
and web address; and
• a statement that the user can withdraw consent by using the
above contact information; and
– a general description of the program’s function and purpose
20

21. Software Installation: Consent
• “Enhanced disclosure” where program does the following,
contrary to reasonable expectations:
– Collects personal information;
– Interferes with controls;
– Changes/interferes with settings, preferences or commands;
– Changes/interferes with data;
– Causes the computer system to communicate with another system
or device without the user’s permission; or
– Installs a program activated by a third party
21

22. Software Installation: Consent
… “Enhanced disclosure”:
• Describe program’s material elements, foreseeable impact.
– User must agree in writing.
• Caution: repercussions for inaccurate description
22

23. Violations and Enforcement
23

24. Violations and Enforcement
• CRTC: primary enforcement agency, including AMPs
– Maximum penalty is $10 million for an organization, per violation.
– Relevant factors:
• purpose of the penalty
• nature and scope of the violation
• history of violations
• financial benefit obtained from the violation
• ability to pay
24

25. Violations and Enforcement
• Directors and officers’ liability / Employers’ liability
• Importance of the “due diligence” defence
– No liability where due diligence taken to prevent the violation.
25

26. Violations and Enforcement
• Private Right of Action
– For an individual who has been affected by a contravention, to obtain
a court order for compensation
– Acts or omissions (e.g. relating to spam)
– Remedies include compensation for loss or damage suffered or
expenses incurred, and a maximum penalty of:
• $200 per contravention of anti‐spam;
• max $1 million per day for spam, malware, spyware, message routing, PI
harvesting, misrepresentation; and
• max $1 million per act of aiding, inducing, procuring breach of spam,
malware, spyware, message routing.
– Class Actions?
26

27. Next Steps
27

28. Next Steps: for CASL
• Regulations
• Entry into force
• New roles and responsibilities for:
– CRTC
– Competition Bureau
– Office of the Privacy Commissioner
• Domestic and International Cooperation
• Spam Reporting Centre
• Bulletins / Interpretive Guidelines?
28

29. Next Steps: for Businesses
• Three‐Year Transition Period
– For three years after entry into force of anti‐spam and computer
program update/upgrade provisions:
• Implied consent where existing business or non‐business relationship
– In all cases, recipient can still withdraw consent at any time
– Businesses must obtain express consent during the three‐year
transition period, to continue afterwards.
29

30. Next steps – for Businesses
• CASL Audit
– Conduct an audit of online communications with clients, prospects,
and third parties, including:
• processes for installation of software updates/upgrades;
• bulk email, automated messages, periodic client newsletters and updates
• CASL Checklist
– Develop a CASL checklist applicable to activities (e‐mail, software
installation):
• consent, unsubscribe, and disclosure requirements
• available exceptions
30

31. Next steps – for Businesses
• CASL Compliance Policy should:
– Cover off forms and procedures that document consent;
– Cover unsubscribe requirements and timeframes;
– Set out required information for software update/upgrade installation;
– Update existing customer service processes;
– Include information/training for employees, management and Board
of Directors;
– Address third‐party contract requirements (limitation of liability,
representations & warranties)
• Consider Insurance
31

32. Thank You. Questions?
Margot Patterson
margot.patterson@fmc‐law.com
(613) 783‐9693

33. The preceding presentation contains examples of the kinds of
issues companies dealing with anti-spam could face.
If you are faced with one of these issues, please retain
professional assistance as each situation is unique.