Upload
camilla-howard
View
216
Download
0
Embed Size (px)
Citation preview
“When Canada’s anti-spam legislation (CASL) comes into force July 1, it’s going to affect far more than the purveyors of viruses, Viagra and vanquished Nigerian fortunes.”
Vancouver Sun, “Anti-Spam Legislation Has Businesses Scrambling to Comply”, May 26, 2014
Canada’s Anti-Spam Legislation (CASL)
Toughest anti-spam/malware legislation in the world
Establishes rules for the sending of commercial electronic messages (CEMs) and the installation of computer programs (ie. cookie tracking software, address harvesting)
Prohibits the unauthorized alteration of transmission data
What Is It?
Main focus of anti-spam provisions is to prevent transmission of CEMs without consent and without proper formalities
If you don’t have consent to send CEMs or messages do not have required content, risk significant liability
Staggered implementation
◦ July 1, 2014 – commercial electronic messages◦ January, 2015 – installation of software◦ July, 2017 – private right of action for damages
Who Does CASL Apply To?
Everyone – incorporated and unincorporated businesses, not for profits, individuals, partnerships, trade associations, etc.
The exemptions are registered charities and political parties seeking donations
Commercial Electronic Messages (CEMs)
A message that encourages participation in a commercial activity (advertising, promotions, etc.)
o If you send a message that entices someone to buy something or use your services – it’s a CEM
o If you send a message asking someone for permission to send a CEM - it’s a CEM
After July 1, 2014, need consent to send CEMs unless the message falls under exemption
Not Just Emails
Applies to texts, SMS messages, social network messages
“Electronic message” is a message sent by any means of telecommunication including text, sound, voice or image
Excludes two-way voice communications, and fax messages and voice recordings to a telephone account
What Does It Mean?
CRTC decides what is “commercial content” on a case by case basis – no real definitions
If it is a CEM, you must have consent to send it unless it falls under one of the exemptions
No exceptions – if it has commercial content it is a CEM, but there are exemptions as to when the rules apply
What Are the Exemptions?
Even if it is a CEM, you do not need consent to:
◦ Send a quotation upon request
◦ Complete a transaction
◦ Provide warranty, safety or recall information
• You must still include the prescribed information and an unsubscribe mechanism
Business to Business Exemptions
CASL does not apply (consent will not be required) for messages sent:
◦ Within an organization◦ Between organizations that have a relationship◦ To satisfy a complaint◦ To respond to an inquiry◦ To satisfy a legal obligation
• No requirement to include prescribed information or unsubscribe mechanism in these messages
What Is Consent?
If it does not fall under an exemption, you must have consent ahead of time from anyone who receives a CEM from you
Two types of consent:
◦ Express – someone actively gives you their permission to send a CEM
◦ Implied – reasonable to assume you have permission based on prior relationships
• You cannot send an electronic message after July 1st asking for this permission
Express Consent
An active indication that someone gives you permission to send them CEMs
Cannot be “opt-out” like US CAN-SPAM
Can be done through sign-up on website, sign-up at point of sale, snail mail consent form, etc.
Oral consent can be given but onus is on sender of CEM to prove consent
Express Consent Samples
“I agree to receive ABC Company’s newsletter containing news, updates and promotions regarding ABC Company’s products. You can withdraw your consent at any time.”
“Enter your email below to receive ABC Company’s newsletter containing news, updates and promotions regarding ABC Company’s products. You can withdraw your consent at any time.”
Obtaining Express Consent
Clearly describe the purpose for requesting consent
Provide the name of the person seeking consent and identify on whose behalf consent is sought, if different
Provide contact information (physical mailing address and either phone number or email address) of the party seeking consent
Indicate that the recipient can unsubscribe at any time
Separate Consents
Cannot “bundle” consents into one for CEMs, installation of software and altering of transmission data.
Can be included in one form of consent (email, consent form, etc.) but recipient has to provide consent for each
Implied Consent
Consent will be implied in the following situations:
◦ Family relationships
◦ Personal relationships
◦ Business or non-business relationships (within 3 year transition)
• Must be evidence of two-way communication over time
Consent Wrap-Up
Express is always best - burden of proof is on you to show consent was obtained
You must have a record of how consent was acquired
◦ For express, any records (electronic database, paper records, audio recordings) to show date, time and permission of receiver
◦ For implied, a record of the nature of the relationship and records of two-way communications
Prescribed Information
All CEMs must contain the following information:
◦ the name of the person seeking consent and identify on whose behalf consent is sought, if different
◦ contact information (physical mailing address and either phone number or email address) of the party seeking consent
◦ a mechanism that allows the recipient to unsubscribe easily at no cost
Penalties
AMPs (administrative monetary penalties) are a maximum of $1 million for individuals and $10 million for organizations
Directors and officers can be held personally liable for breaches of CASL
Companies are vicariously liable for their employees
Due diligence is a defence so developing and implementing a compliance program is essential
Enforcement
Primarily by CRTC, but also Competition Bureau and the Office of the Information and Privacy Commissioner
CASL amends Competition Act to prohibit false or misleading representations in any part of a CEM
CASL amends PIPEDA to prohibit the use of computer programs known as “address harvesters”
Other Stages in CASL
July, 2017
◦CASL creates a private right of action that allows a person to commence a civil action against anyone who violates CASL
• January, 2015
CASL prohibits the installation of computer programs without the permission of the computer’s user or owner
Transition Period
3 year transition period in which some consents remain valid (eg. express consents that do not conform to prescribed requirements)
Implied consent for business and personal relationships that may not meet the criteria, but seems likely express consent will be required during this time.
How to Prepare
1. Review Your Processes
Who are you sending messages to?
What is the content of these messages?
Do you have the proper consents?
How are you going to prove you have consent?
How will you handle unsubscribe requests?
Are your staff properly trained?
How to Prepare
2. What you can do now
Get consent for your current mailing lists if you are not sure they’re covered
Start keeping records of consents (determine how records will be managed)
Appoint a lead or team to manage compliance and to review as needed
Update your privacy policy (if required)
How to Prepare
3. As of July 1st
Start including prescribed information in your CEMs unless exemption applies
Stop sending electronic messages as first point of contact
Stop sending CEMs without consent