Canada's New Anti-Spam legislation is intended to deter damaging and deceptive forms of spam, such as identity theft, phishing and spyware, from occurring in Canada. In this presentation, FMC's Margot Patterson gives an in-depth look at the legislation, including: risks and implications for business; the scope, reach and liability of the legislation; regulations; software installation; violations and enforcement; and a look at where the legislation is headed and what that means for your business.
2. Minister of Industry, the Honourable Tony Clement, May 25, 2010:
The proposed (legislation) is intended to deter the most
damaging and deceptive forms of spam, such as identity theft,
phishing and spyware, from occurring in Canada and to help
drive spammers out of Canada.
3. CASL: Key Topics
1. Risks and implications: scope, reach, and liability
2. Anti‐Spam
3. Software Installation
4. Violations and Enforcement
5. Next steps
6. Risks and Implications: Reach
• Who:
– Directors, officers, agents or mandataries of a corporation
– Employees acting within scope of employment
• Where:
– Activities outside Canada
• Spam: computer system in Canada used to send/access message
• Software installation: computer system receiving the program in
Canada (or if installer is in Canada or operating under direction of
person in Canada)
• Altering transmission data: computer system in Canada used to
send/route or access message
10. Anti‐Spam
• A word on the regulations:
– CRTC Regulations: parameters for CEMs (plus functions of computer
programs)
– Industry Canada Regulations: personal and family relationships,
memberships, conditions for use of consent
11. Anti‐Spam
• What is a “commercial electronic message”?
– Electronic message
• including text, sound, voice, image
– Electronic address
• including e‐mail, IM, phone or “any similar account”
– Encouraging participation in a commercial activity
• Transaction, act or conduct of a commercial character
– Whether or not in expectation of profit
12. Anti‐Spam
• CEMs can be sent if:
– You have the express or implied consent of the recipient,
or if consent is not required under CASL
and the message:
– Identifies the sender (including “sent on behalf of”);
– Includes the required contact information; and
– Includes an unsubscribe mechanism
13. Anti‐Spam
• Some exceptions to the consent requirement:
– Message between individuals with personal or family relationship
– An inquiry or application to a person engaged in a commercial activity
– Quote or estimate, requested by recipient
– Facilitating, completing or confirming a pre‐existing transaction
– Warranty, product recall or safety/security information
– Factual information regarding subscription, membership, account, loan
– Ongoing information about recipient’s employment or benefit plan
– Delivers a product, good or service, including updates/upgrades
14. Anti‐Spam
• Implied consent:
– Commercial transaction with the recipient OR
– Business, investment or gaming opportunity with recipient
within the previous two years
– Inquiry from the recipient in the previous six months about the above
– Written contract with the recipient, still in effect or expired within
previous two years
– Recipient has conspicuously published his or her electronic address,
and message is relevant to his or her business role or function
– Recipient has disclosed electronic address, and the message is relevant
to his or her business role or function
15. Anti‐Spam
• Getting express consent:
– Purpose for the consent
– Name
– Address, phone number, e‐mail and web address
– Unsubscribe statement
…subject to the CRTC regulations
16. Anti‐Spam
• What disclosure is required?
– Include in all CEMs
• In message itself, or clear and prominent one‐click link
– Sender
– Contact information
– Unsubscribe
20. Software Installation: Consent
• “Minimum disclosure” – set out:
– the purpose for the consent, i.e. “to install [name of software]”; and
– a notice containing:
• name, address, customer service phone number, email address
and web address; and
• a statement that the user can withdraw consent by using the
above contact information; and
– a general description of the program’s function and purpose
21. Software Installation: Consent
• “Enhanced disclosure” where program does the following,
contrary to reasonable expectations:
– Collects personal information;
– Interferes with controls;
– Changes/interferes with settings, preferences or commands;
– Changes/interferes with data;
– Causes the computer system to communicate with another system
or device without the user’s permission; or
– Installs a program activated by a third party
24. Violations and Enforcement
• CRTC: primary enforcement agency, including AMPs
– Maximum penalty is $10 million for an organization, per violation.
– Relevant factors:
• purpose of the penalty
• nature and scope of the violation
• history of violations
• financial benefit obtained from the violation
• ability to pay
26. Violations and Enforcement
• Private Right of Action
– For an individual who has been affected by a contravention, to obtain
a court order for compensation
– Acts or omissions (e.g. relating to spam)
– Remedies include compensation for loss or damage suffered or
expenses incurred, and a maximum penalty of:
• $200 per contravention of anti‐spam;
• max $1 million per day for spam, malware, spyware, message routing, PI
harvesting, misrepresentation; and
• max $1 million per act of aiding, inducing, procuring breach of spam,
malware, spyware, message routing.
– Class Actions?
28. Next Steps: for CASL
• Regulations
• Entry into force
• New roles and responsibilities for:
– CRTC
– Competition Bureau
– Office of the Privacy Commissioner
• Domestic and International Cooperation
• Spam Reporting Centre
• Bulletins / Interpretive Guidelines?
29. Next Steps: for Businesses
• Three‐Year Transition Period
– For three years after entry into force of anti‐spam and computer
program update/upgrade provisions:
• Implied consent where existing business or non‐business relationship
– In all cases, recipient can still withdraw consent at any time
– Businesses must obtain express consent during the three‐year
transition period, to continue afterwards.
30. Next steps – for Businesses
• CASL Audit
– Conduct an audit of online communications with clients, prospects,
and third parties, including:
• processes for installation of software updates/upgrades;
• bulk email, automated messages, periodic client newsletters and updates
• CASL Checklist
– Develop a CASL checklist applicable to activities (e‐mail, software
installation):
• consent, unsubscribe, and disclosure requirements
• available exceptions
31. Next steps – for Businesses
• CASL Compliance Policy should:
– Cover off forms and procedures that document consent;
– Cover unsubscribe requirements and timeframes;
– Set out required information for software update/upgrade installation;
– Update existing customer service processes;
– Include information/training for employees, management and Board
of Directors;
– Address third‐party contract requirements (limitation of liability,
representations & warranties)
• Consider Insurance