Electronic marketing under Bill C-28,
the Fighting Internet and Wireless
Spam Act
Shaun Brown – Counsel, Law Office of Kris Klein
Matthew Vernhout – Director, Delivery and ISP
Relations, Thindata 1:1
Goals
• General understanding of the legislation
– Substantive requirements
– Enforcement regime
• Practical guidance
• Address potential fears
How we got here
• May 2004 - IC establishes Task Force on Spam
• May 2005 – Task Force presents final report to IC
• April 24, 2009 – Bill C-27, the Electronic Commerce Protection
Act (FISA) introduced in the HoC
• November 30, 2009: passed House with unanimous support;
amended as a result of consultation and committee meetings
• December 15, 2009: passed 2nd reading in Senate
• December 30, 2009: Parliament prorogued
• May 25, 2010 – reintroduced as the Fighting Internet and
Wireless Spam Act
Fighting Internet and
Wireless Spam Act
FIWSA
Fy-za
Why anti-spam legislation?
• Last G8 country to enact anti-spam legislation
• Spam costs time and money
– Spam is well over 90% of all email (Microsoft - Security Intelligence Report, version 8 - April 2010)
• Canada is a ‘spam haven’ – 10th in the world in terms of spam production (Spamhaus)
• Establish trust and confidence in the use of e-marketing – benefits those who play by the rules
FISA: overview
• Standalone legislation (FISA), and amendments to:
PIPEDA; Competition Act; Telecommunications Act;
CRTC Act
• Regulatory regime that applies to commercial
activity: based on general branch of the Federal
Trade and Commerce Power (91(2))
Substantive violations
• Section 7: regime for sending a commercial electronic
message (CEM)
• Section 8: prohibition against unauthorized altering of
transmission data
• Section 9: prohibition against installation of computer
programs without consent
• False and misleading information (content or sender info)
• PIPEDA amendments: address harvesting; dictionary attacks;
collection of personal information through unauthorized
access to a computer system
Section 7 - commercial electronic message
regime: Overview
• Based on experiences and best practices
• CEM broadly defined to include any message with any semblance of commercial activity
• More than email: IM; SMS; social media; voice*, etc.
• General rule: Consent (opt-in) required to send CEM
• Other requirements: identification; contact information; unsubscribe mechanism
• Certain messages exempted altogether: family or personal relationship; business inquiry
• No minimum # to be classified as spam
• Message to request consent deemed to be CEM
Section 7 - commercial electronic message
regime: Implied (deemed) consent
• No true implied consent clause
• Consent is deemed in a number of circumstances:
1. Existing business relationship
2. Existing non-business relationship
3. Conspicuous publication of electronic address
4. Recipient has provided electronic address to the sender
• No implied consent for referrals
• In most cases implied consent lasts for 2 years – window of
opportunity to obtain express consent
Section 7 - commercial electronic message
regime: no consent required
• Quotes or estimates, if requested
• Facilitates commercial transaction
• Warranty or safety information
• Information about ongoing subscription, membership, etc.
• Information related to employment relationship or benefit plan
• Delivers good or service
Questions for compliance, re: consent
1. Does section 7 apply?
2. If so, do I need consent (other requirements still
apply)?
3. If not, can I rely on implied consent?
4. If not, how do I obtain opt-in (express) consent?
Jurisdiction
• Section 12: “A person contravenes section 6 only if a
computer system located in Canada is used to send
or access the electronic message.”
• Thus, FISA applies to US (International) senders who
send messages into Canada
Defining Sent
• FISA states that an electronic message is considered to have been sent once its transmission has been initiated and that it is irrelevant if the intended recipient address exists or if the message reaches its intended destination.
This makes bounce management even more important:
monitor bounces and clean them
from your list.
Identification Requirements
• All messages being sent must:
– Clearly identify the person who sent the message
• Add your physical postal address and company name to all emails
– The messages must provide a method where the recipient can readily contact the person(s) responsible for sending the message
• Set replies to go to your customer service, stop using
• MUST be active for 60 days after the message was sent
– Provide a working unsubscribe mechanism that removes an address within 10 days
Managing Unsubs
• The unsubscribe mechanism must specify an
electronic address to which the unsubscribe notice
may be sent or provide a hyperlink by means of
which the recipient can provide their opt-out notice.
Providing both options: an email unsubscribe and a
web enabled unsubscribe is highly recommended
Oversight and enforcement: 3 Agencies
• Canadian Radio-television and Telecommunications Commission (CRTC)
– Primary enforcement agency
– Can make preservation demands on TSPs
– Administrative monetary penalties (AMPS): up to $1 million for individuals and $10 million in all other cases per violation
• Competition Bureau
– False and misleading representations online
– Deceptive marketplace practices including false headers and website content
– AMPS regime already exists in the Competition Act: $750,000 for individuals and $10 million for corporations
• Office of the Privacy Commissioner (OPC)
– Enforcement of provisions in PIPEDA (address harvesting; dictionary attacks; collection of personal information through unauthorized access to a computer system)
– No AMPS
Oversight and enforcement: Private Right
of Action (PRA)
• PRA can be exercised by any person affected by a
violation of FISA as well as provisions in Competition
Act and PIPEDA
• Remedies:
– Damages suffered and expenses incurred
– Statutory damages of $200 per violation, up to $1 million
per day
Oversight and enforcement: Protection for
‘Honest Mistakes’
Three mechanisms:
1. Undertakings & Compliance (s.22)
– At any time
– Restricts all other action (notice of violation and PRA)
2. Due Diligence Defence and Common Law Principles (s.34)
– Cannot be found liable
– Justification or excuse consistent with the Act
3. Factors to be Considered re: AMPs (s.21)
– Nature and scope of violation
– Financial benefit
– Any relevant factor
Oversight and enforcement: Domestic and
International Cooperation
• Coordination and consultation between 3 enforcement agencies responsible for compliance
• Information sharing and consultation between the three agencies and their international equivalents
• A broadly defined Canadian link which stipulates that FISA would apply to electronic messages sent to, through or from Canada
FISA vs. CAN-SPAM: Similarities
• Requirement to accurately identify sender
• Prohibition of false and misleading transmission data/subject lines
• Requirement for unsubscribe mechanism
• Liability for brands who knowingly allow spam to be sent on their behalf
FISA vs. CAN-SPAM: Key Differences
• FISA: Addresses broad range of Internet issues (spam, spyware, pharming, etc.)
– CAN-SPAM: Addresses spam only
• FISA: Applies to all forms of electronic messaging (email, SMS, IM, etc.)
– CAN-SPAM: Applies only to email
• FISA: Primarily opt-in; permission based
– CAN-SPAM: Opt-out; you can technically mail any person at least once
• FISA: PRA available to anyone (individuals, businesses, etc.)
– CAN-SPAM: PRA available only to ISPs
FISA and Social Networks
• Most social networks are self directed opt-in/out
solutions that allow individuals to manage their own
preferences
– Follow/Unfollow
– Friend/Un-friend
– Like/Unlike
Why prepare now?
• Most marketing programs are planned several
months in advance; don’t be caught off guard
• Plan your changes now and get them into your
project development plans
• Your Email Service Provider needs to plan as well
– Work with your third party vendors to get any necessary
changes on their road map for development
Why Marketers Need Not Fear
• International laws are already being followed by most
– Identification (Postal address), 10 day Unsubscribe, No misleading information
• PIPEDA already requires consent to collect PI
– Email, Name, Phone numbers, etc…
• Important exemptions
– Personal communications with family, friends and replies to inbound inquiries
• Protection for honest mistakes
Questions?
Shaun Brown
Law Office of Kris Klein
Matthew Vernhout, CIPP/C
Thindata 1:1
Twitter: @emailkamra