New Canadian Anti-Spam LegislationRobert Lipson – April 8, 2014

Overview An Act to promote the efficiency and adaptability of the

Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act (the “Act”)

Overview Governs all Commercial Electronic Messages (CEMs)

Comes into effect July 1 2014

Intended to combat malicious spam

You are liable for spam if you: “send or cause to be sent”

Overview Most stringent anti-spam regulations in the entire world.

While we are not the target, we and all other commercial entities in Canada are within the scope.

There is a lot of ambiguity with the law which will be tested and clarified in the courts in the coming years.

We don’t want to be part of that.

Overview The vast majority of members will never even be aware that

this legislation exists.

There will be a minority who are very ‘hawkish’ about privacy and spam.

If an individual or group wants to cause trouble for us we don’t want to give them an opportunity.

Overview Penalties can include incarceration

Fines of up to $10 Million per violation

A violation is one day of behaviour that violates the law

CEMs Commercial Electronic Message

Message must be of “commercial character”

Offers to purchase or sell goods and products Offers to provide a business, investment or gaming opportunity Advertisements and promotions

Even a generally non-commercial message with a corporate logo or link to the website on it would be a CEM

CEMs This law only affects electronic messages

E-Mail SMS / Text Messaging Direct Messaging on any service

It does not affect other forms of communication Telephone Calls Postal Mail

CEMs Social Media

There are exemptions for social media when the person elects to ‘follow’ your profile and you post general public updates there.

Sending direct messages / private messages to individuals or groups on a social platform is covered by the law.

Required Content All CEMs must contain specific content in a clear and visible

way.

Disclosures: Sender’s Name (Legal or Doing Business) Name of the person on whose behalf the message is sent (if

applicable) Sender’s contact information including mailing address and one

of: e-mail, phone number with voicemail, or website Can be provided on the message or via a link to a web page

Required Content Unsubscribe Mechanism:

Every CEM provide the opportunity for the recipient to stop receiving CEMs

Must be clearly presented and easy to use.

After receiving an unsubscribe request we have up to 10 business days to make sure they are unsubscribed before we are in violation.

Consent The key to protecting ourselves is consent

People generally fall into one of four categories:

Express Consent Implied Consent No Consent Express Opt Out

Express Consent The gold standard of consent.

They must actively give us express consent, we cannot have them default to consent with the option to remove it.

When obtaining express consent we must clearly indicate the types of messages they might receive and that they always have the option to withdraw their consent.

Can go with a single opt-in statement that covers all CEMs.

Implied Consent Implied Consent allows us to send messages to certain

people even if we don’t have Express Consent.

If they withdraw consent / opt-out / unsubscribe we can no longer claim Implied Consent.

Professional Associations such as ours meet several of the criteria for Implied Consent.

Implied Consent CPA meets several standards for Implied Consent:

Existing business relationship in the last 2 years

Existing Non-business relationship in the last 2 years

E-Mail address was provided to us without consent being explicitly withdraw

These are good as a safety net but should not be relied upon. Express consent is better.

No Consent This is related to Implied Consent.

If we do not have any sort of consent from someone we need to determine whether we have Implied Consent or not in order to send them a CEM.

If we do not have qualify for Implied Consent we cannot send them any CEM.

Express Opt-Out If someone explicitly opts out of receiving CEMs then that

overrides any Implicit Consent.

We can only send messages that are exempt from consent rules.

We cannot even contact them electronically to ask why they withdrew consent. We would have to postal mail or call them.

Obtaining Consent Our current opt-in/outs are not valid under this new law.

We can either have granular opt-ins or fewer broad ones.

We must have a message indicating that some messages can not be opted out of and are part of membership.

Exemptions There are a lot of common sense exemptions to

consent/CEM rules:

Messages replying to an inquiry from someone. Messages in response to commercial activity initiated by the

recipient. Messages sent internally in the company Messages sent to fulfill a legal obligation or provide legal notice

Providing information about an ongoing membership.

Charities Charities are exempt from a lot of these rules.

They have effective implied consent for a lot of their activities, especially fund raising.

They must still provide an unsubscribe option and must respect if a person explicitly opts-out.

So what are we doing? We are revising our current Opt-In/Out options

We will be requiring all new and renewing members to clearly give us express consent (or not)

We will need to review the select criteria for all of the bulk mail lists to make sure they respect the consent.

We will need to create separate lists for Express Consent vs. Implied Consent and understand when to use each.

So what are we doing? We will have to create a new footer for all bulk mail we send

that meets the required consent standards.

We will have to work with the components to ensure that they are also compliant with the new legislation.

We will have to work with any 3rd parties who contact members on our behalf to make sure they are compliant.