casl 2012 final

Download Casl 2012 Final

Post on 14-Jul-2015




0 download

Embed Size (px)


  • Canadas Anti-Spam Legislation by

    David Polsky

  • Who we are

    Canadian-based Information Technology consulting company founded in 2003.

    Provides range of I.T. solutions -> Strategy through Implementation.

    Focused on mid-to-large size businesses

    Team comprised of I.T. practitioners with subject matter specializations & designations in all key areas of technology.

    Track record of client satisfaction on every engagement.

    Page 2

  • What we do

    Strategic Advisory

    IT Assessment

    IT Strategy

    Merger & Acquisition Due Diligence

    IT Management

    Security Solutions

    Information Security Health Check

    Threat Risk Assessment & Penetration Testing

    Information Security Program Development

    Enterprise Security

    Business Solution Implementation

    Vendor Selection

    ERP Optimization

    SharePoint Solutions

    Web Development

    Post-Merger Integration

    Infrastructure & Managed Services

    Managed Services & Hosting

    Page 3

  • Who we have helped


  • CASL - Bill C28

    Page 5

    What is it and whats in it?

    When is it in play?

    What does it really mean to Canadian Businesses?

    What are the top 5 things I should do about it if anything?

    What help is out there?

  • CASL - What is it and whats in it?

    Page 6

    CASL = Canada's Anti-Spam Legislation

    It is intended to target spam emails, malware, pharming, phishing and other malicious communications.

    New laws governing the use of CEMs, the alteration of transmission data and computer software installs. CEM is a new broader category greater than email.

    CEM = Commercial Electronic Message

    CEM includes any electronic message so email, SMS, instant messages and some social media postings all count as CEMs.

    The net is 6 New Laws enforced by CRTC, The Competition Bureau, and the Office of the Privacy Commissioner

    Governs any CEMs sent from inside Canada or any external CEMs sent into Canada

    Violations are not criminal offences

  • We all get more than we want!

    Page 7

  • CASL - What is it and whats in it? Cont

    Page 8

    Who does what in terms of enforcement?

    CRTC scope

    the sending of unsolicited commercial electronic messages

    the altering of transmission data

    installing a computer program with computer systems and networks without consent

    Competition Bureau Scope

    misleading and deceptive practices and representations online, including false or misleading headers and website content

    Office of the Privacy Commissioner scope

    take measures against the collection of personal information via access to a computer

    the unauthorized compiling or supplying of lists of electronic addresses

  • CASL The rules

    Page 9

    Senders of CEMs must identify themselves, indicate on whose behalf the message is being sent, provide up-to-date contact information, and access to an unsubscribe mechanism. The provided credentials must also be valid for 60 days.

    You need to have consent from the receiver to send a CEM

    The big question what is consent?

    Consent under the new law

    Express consent (opt ins) also see PIPEDA for more on consent

    Implied Consent (only for the transition period) Existing relationship with the recipient (business or non business) within 2 years

    Recipient published their address is a prominent manner

    Recipient provided their address directly to the sender

    We are the last of the G8 to enact this type of legislation

  • CASL The Penalties and reach

    Page 10

    Fines up to $1,000,000 per violation for individuals and up to $10,000,000 for organizations.

    Allows for private right of action (means people can sue violators)

    Enables the three agencies to work with their counterparts in other countries to enforce the laws.

    Purpose of penalties a stated is to promote compliance and not to punish

  • CASL - When is it in play?

    Page 11

    When was it Approved? It was approved Dec 15, 2010

    When is it Effective? No date set recent comments from Industry

    Minister Paradis indicate it will be coming into force in 2013.

    How much time after effective is compliance required?

    Implied consent lasts for three years after that express consent is required

  • CASL - What does it really mean to Canadian Businesses?

    Page 12

    Compliance is required for any businesses that send CEMs

    Large fines can be levied on businesses that are not compliant

    The net you need consent to send a CEM

    Need to have a central database of addresses and the consent status (consent given, consent implied, consent withheld)

    No more spreadsheets with email addresses in 20 different location!!!

    Need to offer opt-in and opt-out visibly and easily

  • CASL - What are the top 5 things I should do about it if anything?

    Page 13

    Conduct an internal Audit

    Change supplier requirements

    Governance in place create a CASL policy

    Platform to enforce governance

    Internal Training

  • Conduct an Internal Audit

    Page 14

    Where are the CEMs ?

    What are you sending?

    What mechanisms are you using? Does it support unsubscribe?

    Find all the channels!

    Assess existing contracts/relationships to determine implied consent

    Gain consent now while seeking consent is not a violation after the law comes into effect seeking consent is in itself in violation of the law.

    After the law comes into effect you will have three years to obtain express consent

  • Change your requirements for your suppliers

    Page 15

    Require any lists you buy to be clean (consent based)

    Make it part of the RFP process when engaging new vendors

    Make CASL compliance part of the minimum requirements particularly for eMail and Marketing vendors, but consider it for all vendor relationships.

    When you provide email addresses to third parties such as consultants and other outside entities make them agree to use those addresses in a CASL-compliant manner

  • Draft a CASL policy for your organization

    Page 16

    Create the governance policy and framework

    Communicate the policy

    Be in line with CASL organizationally

    Include maintaining a record of consent as a requirement

    Augment your new client in-take process to include documenting consent

    Should cover off all forms and procedures

  • Support and Enforce your policy

    Page 17

    Make sure all channels provide that visible opt-out

    Make sure the opt-out is enforced broadly across all channels and within 10 days of the opt-out action

    Make sure all outbound CEMs are sourced from the screened lists

    Define the consent basis and track it (given vs. implied vs. declined)

    If you dont have tools in place

    then get them and deploy them

  • Train your workforce

    Page 18

    Train your workforce on your policy, the governance and internal tools that you can provide them

    Make sure they understand CASL

    Make sure they know the rules so they can avoid violations

    This is part of your diligence


  • Diligence and Enforcement

    Page 19

    Do your diligence and we believe you have a reasonable position to defend any breaches of the law

    No one knows yet how aggressively this will be enforced

    They may draft and distribute guidelines when the law goes into effect

    We operate based on the assumption that the point of this law is not to interfere with the normal course of Canadian business.

    It isnt over though

    Many comments have been submitted and the delay in making the law take force may be due to the assessment of these comments.

    Many feel CASL is too strong and possibly even disruptive to business e.g. What about a start-up company where do they find new customers?

    Is mass email marketing really bad?

    Is CASL too broad?

  • Mini-FAQ

    Page 20

    What help is out there Its still early but companies are preparing offerings

    We can help you with Audits, Governance and Policy

    We can help you with technology deployments of tool sets

    How does this differ from the CAN-SPAM passed in the US in 2003? Broader in scope and definitions of spam

    CASL might actually be enforced

    CASL extends beyond Canadas borders

    Stiffer penalties

    More stringent consent required

    What is Commercial? Encourages some sort of commercial activity transaction or similar

    How will violators be caught? Spam Reporting Center

  • For more info

    Page 21

    The CASL web site -

    The CRTC regulations -

    Can-Spam wiki -

    PIPEDA -


    The laws -

    CRTC has already published their regulations under CASL in the Canada Gazette

    For questions and follow-up d