canada's anti-spam legislation (casl)
DESCRIPTION
Davis LLP's Chris Bennett and Bill Hearn explain what's required under Canada's new anti-spam legislation and share tips on how businesses can prepare for compliance.TRANSCRIPT
What will the legislation regulate?
Commercial Electronic Messages
Installation of computer software
Alteration of transmission data
When?
• July 1, 2014: anti-spam & data transmission rules
• January 15, 2015: computer program rules
• July 1, 2017: private right of action
What’s the risk?
• Penalties: up to $10 million for businesses
• may be charged per violation
• violations may be assessed separately for each day of
non-compliance
• Officers, directors and agents can be liable
• Individuals can sue for damages suffered, plus a
separate monetary sum per violation
• Reputational damage
Commercial Electronic Messages
CEM = EM + Purpose
• Encouraging participation in a commercial activity
• Consider content, links and contact information in the
message
Commercial Electronic Messages
Electronic Messages
• Text / instant messages
• Social Media
Commercial Activity
• Sale/lease of product/service
• Investment/business opportunity
• Promote individual
• Requests for Consent!
Commercial Electronic Messages
If it’s a Commercial Electronic Message, then…
CEM
Consent
Express
Oral
Written
Implied
Business Relationship
Non-Business Relationship
Published / Disclosed Info
Content
Disclosures
Unsubscribe
Consent
Express
Oral
Written
Implied
Business Relationship
Non-Business Relationship
Published / Disclosed Info
Express Consent
• Required info
• Purposes
• Name of requester
• Name of third party recipient
• Contact info
• Statement that consent can be withdrawn
Express Consent
• Need separate consents for CEMs, data and programs
• Can’t bundle
• Can’t toggle
• Should send confirmation
Implied Consent
Existing Business Relationship
• Purchase/lease
• Acceptance
• Contract
• Inquiry
Existing Non-Business
Relationship
• Donation/gift
• Volunteer work
• Membership
Published / Disclosed Address
• Didn’t say no
• Is relevant to business/duties
Transition Period
• Implied consent is extended to 3 years from July 1 if:
• Existing Business Relationship or Non-Business
Relationship as of July 1; and
• Relationship included communicating by CEMs
CEM
Consent
Express
Oral
Written
Implied
Business Relationship
Non-Business Relationship
Published / Disclosed Info
Content
Disclosures
Unsubscribe
Required Content
Disclosures
• Sender
• Agent
• Contact Info
Unsubscribe
• No cost
• Same means
• Address/Link
• 10 days
Alternative
• Post on web page
• Clear link
Exceptions to Consent Requirement
• CEM solely provides a requested quote or estimate for
the supply of goods/services
• CEM solely facilitates/confirms a previously agreed-to
commercial transaction
• CEM solely provides warranty, product recall or safety
info about a purchased product/service
• CEM solely provides factual info about a subscription,
membership, account or similar relationship
Exceptions to Consent Requirement
Exceptions to Consent Requirement
• CEM solely provides info directly related to an
employment relationship or related benefit plan
• CEM solely delivers a product or service, including
updates or upgrades pursuant to a transaction
Exceptions to Consent Requirement -
3rd Party Referrals
• A single CEM sent to someone without consent, based
on a 3rd party’s referral, so long as the sender discloses
the name of the person making the referral and so long
as there is an existing business, non-business, personal
or family relationship between the person making the
referral and each of the sender and the recipient
Family Relationship
• marriage, common-law, parent-child relationship
• with direct, voluntary, two-way communications
Personal Relationship
• reasonable to conclude that the relationship is personal
based on all relevant factors, including:
• sharing of interests, experiences and opinions
• frequency of communications
• length of time since the parties communicated
• whether the parties have met in person
• with direct, voluntary, two-way communications
Inquiries, Requests, Etc.
• response to a request, inquiry, complaint or
solicitation by the recipient
• CEM which is solely an inquiry or application related
to the recipient’s commercial activities
Employees, Etc. (the “B2B Exemption”)
• CEMs sent between employees, representatives, etc. of
an organization concerning that organization’s affairs
• CEMs sent by employees, representatives, etc. of one
organization to an employee, representative etc. of
another organization if:
• organizations have a relationship and
• message concerns the activities of the recipient
Legal Obligations, Etc.
• Any CEM sent to satisfy a legal obligation or enforce a
legal right, court order, etc.
Electronic Messaging Service (EMS)
• CEM sent and received on an EMS if:
• disclosure and unsubscribe mechanism are
conspicuously published and readily available on the user
interface, and
• recipient of the message has given their express/implied
consent to receive it
Secure Accounts
• CEM sent to a limited-access, secure and confidential
account to which messages can only be sent by the
person who provides the account to the person who
receives the message
Foreign States
• CEM sent by a person who reasonably believes it will be accessed
in certain foreign states, and the CEM conforms to the anti-spam
law of the foreign state
Charities
• A CEM sent by or on behalf of a registered charity where primary
purpose is to raise funds for the charity
Political Parties
• A CEM sent by or on behalf of a political party/candidate where
primary purpose is soliciting a contribution
Two Further “Exceptions”
to Consent and Content Requirements • Interactive 2-Way Voice Communications, Fax Calls or Voice
Recordings Sent to Telephone Account - as covered by other
regimes - e.g., the CRTC’s National Do Not Call List and
Unsolicited Telecommunications Rules for telemarketers
• Telecommunications Service Provider (TSP) - requirements
don’t apply to a TSP merely because it provides a
telecommunications service that enables transmission of the CEM
Raise Awareness and Establish Committee
• Raise awareness: only two months to prepare for July
1st in-force date (but note 3-year transition period)
• Establish Committee (e.g., sales/marketing, customer
support, communications, privacy, legal, risk
management, IT, HR)
Conduct Inventory of CEMs
• What kind of CEMs do you send? Why? How?
• Do you have express consents from any recipients?
• Do you have implied consents from recipients?
Inventory Consents that Will Expire
• For example: existing business relationship that will
expire after two years if no longer a current customer
• Develop “stop send” mechanisms that will kick in before
the consent expires, or when recipient withdraws
consent
Upgrade to Express Consent
• Be careful - exceptions are complicated and implied
consent can expire
• Can request it via CEM until July 1
• Create mechanism to get express consents after July 1
Unsubscribe Mechanisms
• Make sure unsubscribe mechanisms and notices are in
place and meet all existing requirements
• Make sure organization can comply with unsubscribe
requests in specified time frames
Internal Education and Compliance
• Due diligence defence
• Implement policies, guidelines, procedures, controls
• Train employees and service providers
• Monitor compliance
WHAT CAN YOU DO NOW?
• Before 1 July 2014
• Update and assess your contact list for CASL exceptions or
implied consent qualifications
• Be prepared for low response rates to requests for express
consent … and there may even be some “unsubscribes”
WHAT CAN YOU DO NOW?
• Through to 1 July 2017
• Execute a consent qualification strategy building progressively
on existing consents
• Be sure to comply with CASL’s minimum content requirements
• Follow organization’s templates
• Strive to get CASL-compliant express consents
• Consider including both “[ ] Yes, I consent.” and “[ ] No, I
don’t consent.” options to strengthen position that “no
reply” leaves implied consent still valid
WHAT CAN YOU DO NOW?
• Dial back the anxiety - Compliance is not that tough
• Sure CASL’s reach is broad, its rules a complex mash-up, and
the potential liability nasty … but
• The CRTC, at public information sessions in February 2014,
said its enforcement approach will be on a “compliance
continuum” - i.e., it will pursue “real spammers”*, not legitimate
marketers; it will focus on obtaining compliance as opposed to
seeking big AMPs
*Hopefully as defined by Government’s FightSpam website materials. See links at last slide of presentation.
WHAT CAN YOU DO NOW?
• Dial back the anxiety - Compliance is not that tough
• The “broken” PRA (i.e., possibly retroactive to 1 July 2014,
notwithstanding the Government’s stated three-year transition
period) will likely be fixed by 1 July 2017
WHAT SHOULD YOU DO NOW?
• Just Do It
• Again, CASL contains a number of tools that can ease
transition to full compliance
• Moreover, CASL provides for a “due diligence” defence
• CRTC is mindful of the short time allowed before CASL comes
into force (business asked for at least 12 months, Government
gave only 7 months) and will likely respect diligent, good faith
efforts to comply
WHAT SHOULD YOU DO NOW?
• Just Do It
• Thoughtful judgement calls will have to be made (especially in
the early days given CASL’s ambiguities and the lack of
guidance from the CRTC)
• The decision-making process should be documented, with
privilege protected, to ground the due diligence defence
especially if the CEM sender is departing from the CRTC’s
guidance that is not law - e.g., the CRTC’s two Guidelines
dated October 10, 2012 and its FAQs and Information Session
Summaries
WHAT SHOULD YOU DO NOW?
• Just Do It
• The onus of proving consent rests on the CEM sender
• Each organization will have to develop a standard of proof of
consent and retain relevant records
• Consent should be documented at least via a “business record”
(ideally made at the time consent is obtained) and that record
should be storable, searchable and retrievable
• But see CRTC Guidelines on Interpretation of Electronic
Commerce Protection Regulations , October 10, 2012
Some CASL Resources
• Federal Government’s FightSpam Website • http://fightspam.gc.ca/eic/site/030.nsf/eng/h_00230.html
• Davis LLP’s CASL Resource Centre • http://www.davis.ca/en/publication/anti-spam/
• Canadian Marketing Association, Member Guide to CASL, April
2014 • http://www.the-cma.org/regulatory/code-and-guidelines/cma-guide-to-canada-anti-spam-law
• Davis LLP’s CASL Compliance Team including Chris Bennett, Bill
Hearn, Tamara Hunter and Dave Spratley
The “Real Spammers” and the “Real Threats”
From Government’s FightSpam Website http://fightspam.gc.ca/eic/site/030.nsf/vwimages/WorriedItsSpam_Card2-eng.jpg/$file/WorriedItsSpam_Card2-eng.jpg
http://fightspam.gc.ca/eic/site/030.nsf/vwimages/WorriedItsSpam_Card1-eng.jpg/$file/WorriedItsSpam_Card1-eng.jpg
Email Spam Statistics Videographic http://www.youtube.com/watch?v=nvBmyAZTt_M
QUESTIONS?
Chris Bennett
416.365.3427
Bill Hearn
416.369.5298