Anti-Spam Requirements, Privacy, and Online Behavioural Advertising Chris Oates, Associate, Gowling Lafleur Henderson LLP Presented at the 6th Annual Advertising and Marketing Law Forum, December 10, 2013



Outline

• Canada’s anti-spam law.
  • To what does the law apply?
  • How do you ask for consent?
  • What do electronic messages need to contain?

• Privacy protection framework – your obligations under federal and provincial law.
  • Collecting consumer information.
  • Using and disclosing personal information.
  • Responding to data security breaches.

• Online behavioural advertising.
  • Canadian Self-Regulatory Principles for Online Behavioural Advertising.


Canada’s Upcoming Anti-Spam Legislation


Canada’s Anti-Spam Legislation

Legislative background: CASL comes into force on July 1, 2014 and will take a prohibitive approach to “Commercial Electronic Messages”, prohibiting all but those messages that comply with its requirements.

In some cases, existing, valid consent may not survive when CASL is in force.

Under CASL:
• Electronic messages require consent from the recipient, either express or implied;
• The message must contain prescribed disclosure; and
• The message must contain an unsubscribe mechanism in prescribed form.


Canada’s Anti-Spam Legislation

To which messages does CASL apply?

Commercial Electronic Messages - a message sent by any means of telecommunication, including a text, sound, voice or image message, to an “electronic address”:

• an electronic mail account;
• an instant messaging account;
• a telephone account; or
• any similar account.

CASL will only apply to electronic messages that are “commercial”. This will include all messages that, based on their content, including links, and contact information, have as one of their purposes encouraging participation in commercial activity, regardless of whether this is done with the expectation of profit.


Canada’s Anti-Spam Legislation

Is the Electronic Message Commercial?

Messages that are commercial in this sense include:

• Messages that offer to sell a product;
• Messages that advertise a product;
• Messages that promote a person or corporation;
• Messages that seek to gather consumer or market information;
• Messages that seek consent to send further messages.


Canada’s Anti-Spam Legislation

What is not a Commercial Electronic Message?

CASL will not apply to several classes of message:

• Interactive two-way voice communications;
• Messages sent via facsimile to telephone accounts; and
• Voice recordings sent to a telephone account.

These messages are currently subject to the CRTC’s oversight via the Telecommunications Act and the Do Not Call List.

CASL contains a provision that permits the government to repeal this exception AND the National Do Not Call List at a later date. If exercised, this would make unsolicited commercial telephone calls subject to the CASL requirements.


Canada’s Anti-Spam Legislation

Which messages will be exempt?

The Regulations provide exceptions for the following message classes:

• messages sent between employees of an organization relating to the affairs of the organization, and messages sent between two organizations with a relationship, where the message relates to their affairs;

• messages that respond to an inquiry, complaint, or other solicitation;

• fundraising messages sent by a registered charity;

• messages where the person sending the message reasonably expects it to be received in a foreign state listed in the Regulations, and the message complies with the law of that state;

• messages sent to a secure account to which only the person providing the account may send messages;

• messages sent on a platform that includes compliant disclosure and an unsubscribe mechanism in its interface (these are exempt from the message requirements, but not the consent requirements);

• messages sent to satisfy a legal obligation.


Penalties

Administrative monetary penalties for violations:
• A fine of up to $1,000,000 for a violation by an individual.
• A fine of up to $10,000,000 for a violation by a corporation.

CASL also creates a private right of action for persons who allege they have been affected by a violation. If the action is successful in court, the court may order:

• Compensation equal to the actual loss or damage suffered; and

• $200 for each contravention, not exceeding $1,000,000 for each day on which a contravention occurred.

The private right of action has a delayed coming into force date, and will not be in place until July 1, 2017.


Express Consent Under CASL

Requirements for a Request for Express Consent

1. Provide the purpose for which the consent is sought;

2. Provide the name under which the person seeking consent carries on business, and if different, the name under which the person on whose behalf consent is sought carries on business;

3. If applicable, identify which person is seeking consent, and on whose behalf consent is sought;

4. Provide the mailing address, and one (or more) of a telephone number, website, or email address of either the person seeking consent, or if different, the person on whose behalf consent is sought; and

5. State that consent may be withdrawn.


The CRTC’s Position on Express Consent

• The CRTC takes the position that express consent must be “positive or explicit”.


• “Assumed” consent through a pre-checked box or an opt-out system would not be accepted.


Implied Consent Under CASL

Requirements for Implied Consent

1. There is an existing business or non-business relationship between the sender and the recipient, or

2. The recipient has conspicuously published their address, or has disclosed it to the sender, and:
   • has not indicated they do not wish to receive commercial messages; and
   • the message is relevant to the recipient’s business, role, functions or duties.

An “existing business relationship” will exist where the recipient had purchased a product within the two years prior to the message being sent, where the recipient has certain forms of existing written contract with the person who sends the message, or where the recipient made an inquiry or application within the six months prior to the message.

The provision for “non-business relationships” primarily relates to non-profit organizations and charities.


Exceptions to the Need for Consent

CASL creates an exception to the need for consent for certain “transactional” messages. This exception will apply to messages that solely:

• provide a quote or estimate for the supply of a product or service;

• facilitate, complete or confirm a previously agreed upon commercial transaction;

• provide warranty information, product recall information or safety or security information about a product the recipient uses or had purchased;

• provide notification of factual information about the ongoing use by the recipient of a product or a service offered under a subscription, membership, account, loan or similar relationship by the sender.


Message Content under CASL

Commercial Electronic Message Content under CASL:

1. Identify the person who sent the message and, if applicable, the person on whose behalf it was sent;

2. Provide prescribed contact information for one of these persons; and

3. Include an unsubscribe mechanism.

The required contact information must remain current for a minimum of 60 days after the message is sent.


Message Content under CASL

Prescribed Disclosure Requirements for Electronic Messages

1. The name of the person sending the message and the person, if different, on whose behalf it is sent and the names by which those persons carry on business;

2. If applicable, an indication of which person sent the message and on whose behalf it was sent; and

3. The mailing address, and one (or more) of a telephone number, website, or email address of either the person sending the message, or if different, the person on whose behalf it is sent.

The Regulations do not make any exceptions for service providers sending electronic messages on behalf of third parties.


Third Party Mailing Lists

CASL expressly provides for consent obtained on behalf of an unknown third party; however, it limits how this consent may be obtained and used:

• The party that seeks consent is required to comply with the standard CASL requirements for obtaining consent, including stating the purpose for the collection, and providing their name and contact information.

• A person who relies on such a consent must meet additional disclosure requirements for the message content.


Third Party Mailing Lists

Message content when consent is obtained from a third party.

When a consumer list is purchased from a third party, it is essential that such a list be used separately from the company’s own opt-in lists, as messages sent pursuant to such consent are subject to additional disclosure requirements:

• The message must identify the person who obtained the original consent as well as the person who sent the message.

• The unsubscribe mechanism must allow the recipient to withdraw consent from the person who sent the message, from the person who obtained the original consent, and from any other person authorized to use the consent.


Exceptions to the Disclosure Requirements

The General Exception

“If it is not practicable to include the information (…) in a commercial electronic message, that information may be provided by a link to a web page on the World Wide Web that is clearly and prominently set out and that can be accessed by a single click or another method of equivalent efficiency at no cost to the person to whom the message is sent.”

This exception will be essential for electronic messages that are subject to space restraints such as text messages. It is not likely to apply to messages not subject to such restraints, such as email.


The Family and Personal Relationship Exception

“Family” relationship:
• Marriage;
• A common-law partnership;
• A legal parent/child relationship;
where those persons have had a direct, voluntary two-way communication.

“Personal relationship”:
• Must have had direct, voluntary two-way communications;
• Must be reasonable to conclude the relationship is personal considering relevant factors.

Neither the requirement to obtain consent, nor the requirement to disclose information regarding the sender, will apply where an electronic message is sent by or “on behalf” of a person who has a “personal” or “family” relationship with the recipient.

This exception will only apply in unusual cases. Examples we have seen include refer-a-friend type promotions, and customizable holiday greeting cards.


Referral Messages

The Regulations include an exception that permits a single referral message to be sent where:
• The referral is made by an individual who has an existing business relationship, existing non-business relationship, family, or personal relationship with the message recipient;
• The referrer has one of those relationships with the sender of the message;
• The message states the full name of the person who made the referral, and states that the message was sent as a result of the referral.


Maintaining Contact Lists

CASL will narrow the ability to rely on Implied Consent

CASL expressly provides for reliance on implied consent only in cases of existing “business relationships” or “non-business relationships”.

These are defined categories that are much more narrow than the ability to rely on the “reasonableness” test for implied consent under PIPEDA.

• Under PIPEDA, where a consumer sends a request for information by email, it would be reasonable to conclude that you have their implied consent to respond using their email address.

• Under CASL, a consumer question would constitute an “existing business relationship”, provided a response is sent within six months from the date of the question. A response (as opposed to other commercial messages) would also be subject to an exception in draft regulations.


Maintaining Contact Lists

The regulatory impact statement for the Regulations confirms Industry Canada’s position that valid express consent obtained before CASL comes into force “will be recognized as being compliant with CASL”.

However, Industry Canada also expressly noted that in some cases email addresses that may be used under the current privacy legislation may no longer be used under CASL.

This is most likely to occur where an organization is relying on ‘implied’ consent under PIPEDA; implied consent under CASL is much more narrow.

Organizations should consider the manner in which their current email list was established to assess their ability to continue to use it after CASL comes into force. Prior to July 1, 2014, there will be an opportunity to seek express consent in cases where implied consent is currently relied on.


Transitional Provisions

When CASL comes into force on July 1, 2014, there will be an extended period of three years during which implied consent will survive in cases of “existing business relationships” (as defined in CASL) that include the sending of commercial messages.

• After this period, the existing business relationships will survive for two years following a purchase, or six months following an inquiry.

• The transitional period provides an extended timeline for perfecting existing implied consent (as defined in CASL) by seeking express consent.

• Any attempts to perfect consent within this period would need to be carried out in compliance with CASL.


Application

Compliance with CASL will become a legal requirement on July 1, 2014.

Organizations should be bringing their electronic marketing practices into compliance now, both due to the magnitude of the potential penalties, and to help establish an express consent list that will survive the coming into force of the Act.


Privacy Protection Framework


Regulatory Framework

The Personal Information Protection and Electronic Documents Act (“PIPEDA”)

• Regulates the collection, use and disclosure of personal information in the private sector.

• PIPEDA applies to the collection, use and disclosure of “personal information” by federal works, undertakings and businesses, and by all private sector organizations in provinces that do not have “substantially similar” private sector privacy legislation.

• PIPEDA also applies to private organizations in any province in cases where personal information is transferred across provincial or national borders.


Regulatory Framework

What is ‘Personal Information’?

“Personal information” is broadly defined in PIPEDA to include any “information about an identifiable individual”, whether public or private, with limited exceptions.

The Privacy Commissioner has repeatedly held personal information includes email addresses, even business email addresses.


A note on ‘Anonymous’ Information

Personal Information must be thoroughly de-identified before it is no longer “personal information”. The standard is high, and care must be taken that it is no longer possible to link the information back to an individual.

A decision under PIPEDA has held:

• Personal information that has been de-identified does not qualify as anonymous information if it is still possible to link the de-identified data back to an identifiable individual.

• Information will be about an identifiable individual if there is a serious possibility that someone could identify the available information. It is not necessary (…) to demonstrate that someone would (…) actually do so.

• (…) de-identified data will not constitute “truly anonymous information” when it is possible to subsequently link the de-identified data back to an identifiable individual.



Regulatory Framework

A note on ‘Public’ Information

Personal Information that can be accessed from a ‘public’ source remains subject to the requirement for consent in most cases.

PIPEDA provides only limited exceptions:

• A name, address and telephone number in a telephone directory, if the individual can refuse to have their information in the directory.

• A name, title, address and telephone number in a professional or business directory, if the information is used for the purpose for which it appears in the directory.

• A registry collected under statutory authority or a record/document of a judicial body, if the information is used for the purpose for which it appears in the registry or document.

• A publication including a magazine, book or newspaper available to the public, where the individual provided the information.


Regulatory Framework

Provincial Privacy Legislation

Alberta and British Columbia have enacted privacy legislation (in both, the Personal Information Protection Act (“PIPA”)), which applies generally to private sector entities.

Québec’s private sector privacy legislation, an Act respecting the protection of personal information in the private sector, is similar in principle to PIPEDA; however, there are important differences in detail.

• The Québec Privacy Act applies to all private sector organizations with respect to collection, use and disclosure of personal information (not just with respect to commercial activities) and to employee information.

• Also applies to private sector collection, use and disclosure of personal health information.


Key Principles

The four key private-sector statutes (PIPEDA, the Alberta and British Columbia PIPAs, and the Québec Act) apply similar principles. Privacy legislation:

1. States that personal information may only be collected, used or disclosed with the knowledge and consent of the individual;

2. Limits the collection of personal information to what is necessary for purpose(s) identified; and

3. Requires that personal information be collected by fair and lawful means.


Key Principles

PIPEDA sets out 10 principles that are key to compliance:

1. Consent

2. Accountability

3. Identifying Purposes

4. Limiting Collection

5. Limiting Use, Disclosure and Retention

6. Accuracy

7. Safeguards

8. Openness

9. Individual Access

10. Challenging Compliance


Alberta’s PIPA Declared Unconstitutional

Supreme Court of Canada, decision dated 2013-11-15:

Between: Information and Privacy Commissioner of Alberta (Appellant) and United Food and Commercial Workers, Local 401 (Respondent);

and between: Attorney General of Alberta (Appellant) and United Food and Commercial Workers, Local 401 (Respondent).

“The scope of PIPA is, however, considerably broader than that of PIPEDA. Unlike PIPEDA, PIPA’s limitations on the collection, use and disclosure of personal information are not restricted to those activities undertaken for commercial purposes.”

“What is of the utmost significance in our view is that PIPA prohibits the collection, use, or disclosure of personal information for many legitimate, expressive purposes related to labour relations”

“PIPA… is in breach of s. 2(b) of the Charter and cannot be justified under s. 1.”


Alberta’s PIPA Declared Unconstitutional

• At the request of the Privacy Commissioner and Government of Alberta, the Supreme Court of Canada (SCC) declared the entire Act invalid.

• The SCC suspended the declaration of invalidity for 12 months to enable amendments to PIPA.

• This decision may have significant consequences for all provincial privacy legislation. In particular, the B.C. PIPA is highly similar to the Alberta PIPA.


Collecting, Using and Disclosing Personal Information


Collecting Personal Information

The overarching principles of privacy law apply regardless of where personal information is collected. Generally, Canadian privacy law is technology neutral. Always:

• Disclose the purposes for which you collect information;
• Obtain consent to these purposes;
• Use personal information only in accordance with the purposes disclosed;
• Provide adequate security for the information you collect, proportionate to its sensitivity.


Collecting Personal Information

Consider:

• What information are you collecting?
  • More sensitive information requires clearer consent, and increased disclosure.
  • Beware of over-collection from loose coding in third party applications.

• How are you obtaining consent?
  • Remember, consent must be in relation to the purposes you disclose to the individual.

• How are you disclosing your privacy policy? Can it be easily accessed in the manner it is presented, in particular in mobile applications?


Challenges in Social Media

Consider which social media site you are using. Different sites will have different terms that apply to the information that users share on them:

• Facebook prohibits using user information obtained from Facebook in advertisements, and prohibits any use of information obtained from a Facebook Ad, except on an aggregate basis to assess Ad performance.

• Facebook permits the use of user information provided directly to a developer IF the user is provided with clear notice and provides their consent.

• YouTube users provide a flow-through license for other users to “use, reproduce, distribute, display and perform” their content as permitted under the YouTube Terms.


Enforcement Action


Enforcement Action

The Privacy Commissioner Weighs In On Social Media

In April 2012, the Commissioner released findings on Facebook:

• Facebook added an application that allowed users to upload an email address for a non-user.
• The non-user would then be sent an invitation to join Facebook.
• The invitations may contain suggested “friends” for the non-user based on whether other users had added their address to their contact list.


Enforcement Action

The Commissioner held:

• Facebook could reasonably rely on existing users to obtain consent of non-users to an invitation.
• However, non-users did not consent to the use of their address to generate suggested “friends”.
• Facebook amended its invitation program to send friend suggestions only on follow-up “reminder” messages, and only after it had provided the non-user with clear information regarding this and an opportunity to opt out.

With increased disclosure and a clear opt-out, Facebook was allowed to rely on implied knowledge and consent to use email addresses to generate friend suggestions.


Enforcement Action

In March 2012, the Commissioner released findings on Nexopia, a social media site targeted primarily at youths. The Commissioner found:

• Nexopia did not require users to confirm that they had consent from non-users to send invitations. As such, it did not exercise due diligence in establishing that the non-user had consented to the use of their information.

• The privacy policy was not drafted in a manner that allowed young users to understand and consent to it.

• A mere link to the privacy policy at the bottom of the application form was not adequate for young users. Requiring users to click a check box to agree to the privacy policy was adequate where the policy was available via a link.


Enforcement Action

The Privacy Commissioner encouraged Nexopia to “go further and explore more innovative methods of presenting its Privacy Policy, e.g. presenting it in theme-based pieces and in an incremental manner, so that users can click after reading small portions of the Policy”.

Take away: one size does not fit all when it comes to privacy disclosure. It is necessary to consider your audience in determining whether you have informed consent in line with their reasonable expectations.

Minors warrant special attention in seeking informed consent.


Enforcement Action

In 2013, the Commissioner issued findings on WhatsApp, a mobile messaging platform. The Commissioner found WhatsApp:

• Retained the personal information of non-users longer than needed for its disclosed purpose of identifying network users.

• Did not use appropriate encryption to safeguard personal information.


Enforcement Action

The Commissioner has continued to take a proactive approach to assess the online privacy compliance of Canadian organizations.

• In an initial 2012 investigation, the Commissioner assessed “web-leakage”, which resulted in the inappropriate disclosure of personal information to third parties.

• Of 25 sites tested, 6 were found to have significant privacy concerns, and a further 5 raised questions.

• In 2013 the Commissioner conducted a “privacy sweep” to assess the privacy policies of major Canadian websites.

• Clear, uncluttered policies that clearly explained website features and that addressed online and offline privacy were praised.

• Failing to provide contact information, simply replicating the privacy principles in PIPEDA, or not having a policy at all was criticised.


Data Protection and Transfers

PIPEDA requires organizations to implement physical, organizational and technological measures to adequately safeguard personal information.

• In an increasingly digitized world, technological measures are key to compliance. These may include data encryption, passwords, and access keys.

• Organizational data protection measures will include ensuring that only certain personnel have access, or the access keys, to personal information.

• Physical data protection mechanisms may include restricting access to secure locations.


Data Protection and Transfers

Third Party Service Providers

Organizations are responsible for personal information in their possession or custody, including information that has been transferred to a third party.

An organization must consider the activities of the companies it retains to store personal information, to build platform integrations or applications, or to moderate content, as well as its advertising agencies and public relations companies.

Be aware that the legal onus is on the outsourcing organization to ensure that the service provider to whom personal information is transferred complies with Canadian privacy laws.


Data Protection and Transfers

Breach Notification

The federal Privacy Commissioner has published voluntary guidelines on responding to security breaches. The guidelines set out four key steps when responding to a breach:

1. Contain the breach by taking immediate steps to stop any further information from being disclosed. Undertake a preliminary assessment of the situation;

2. Evaluate the risk associated with the breach by considering the sensitivity of the information involved, whether it was encrypted, how it may be used, and the risks to the individual resulting from that use;

3. Notify the affected individuals if the privacy breach creates a risk of harm to them; and

4. Develop a plan for the prevention of future breaches.


Mitigating Risk


Ensure your privacy compliance program addresses your actual collection, use and disclosure of personal information.

• Ensure your privacy policy identifies the purpose for any collection, use, or disclosure of personal information, seeks consent for these activities, and addresses the need to protect personal information.

• Depending on the circumstances, additional measures should be taken. Compliance in the mobile space and when engaging in behavioural tracking is particularly challenging.

• Ensure your employees, as well as your service providers, are aware of your policies, how to apply them, and the consequences of failing to do so.

• Reconsider your compliance policy when you change your practices or purpose for the collection, use, or disclosure of personal information.


Online Behavioural Advertising


Behavioural Advertising

Behavioural Advertising and Tracking

“Tracking consumers’ online activities over time in order to deliver advertisements targeted to their inferred interests”

The Privacy Commissioner has issued guidelines:

• Behavioural advertising CAN comply with PIPEDA,

• The overall requirements to identify your purposes and obtain informed consent apply,

• The form of consent can vary: opt-in or opt-out consent may be acceptable, considering the sensitivity of the information,

• As a best practice, children should not be tracked,

• Behavioural advertising should not be a condition of service.


Behavioural Advertising

Behavioural Advertising and Tracking

Privacy Commissioner Guidelines for opt-out consent:

• The individual must be made aware of the purposes for which you are collecting personal information.

• The individual must be informed at the time or before information is collected, and informed of the parties involved.

• There must be an easily available opt-out that takes effect immediately and is persistent.

• The information is not sensitive.

• The information is de-identified or destroyed as soon as possible.

A clause buried in a privacy policy would not be adequate!


YourAdChoices.ca

• The Digital Advertising Alliance of Canada (DAAC), made up of leading national advertising and marketing trade associations, launched an industry self-regulation program for OBA in September, 2013.

• YourAdChoices.ca serves as the main portal for DAAC and provides information resources for consumers and industry on OBA.

• The portal also outlines the new Canadian Self-Regulatory Principles for Online Behavioural Advertising.


Canadian Self-Regulatory Principles for OBA

The principles highlight:

• Education: calls for the launch of a consumer-focused educational campaign;

• Notice and Transparency: provide clear, meaningful and prominent notice of data collection and practices;

• Consumer Control: consumers are to have a choice over whether they are tracked and offered OBA;

• Accountability: the ASC is to monitor compliance with the principles and establish complaint mechanisms;

• Sensitive Data: organizations should not collect personal information for OBA from children under 13.


montréal · ottawa · toronto · hamilton · waterloo region · calgary · vancouver · moscow · london

Thank You

Chris Oates
Associate
Gowling Lafleur Henderson LLP
[email protected]

QUESTIONS?