Privacy and Anti-Spam Compliance in Social Media

Chris Oates, Associate, Gowling Lafleur Henderson LLPPresented at the Fifth Annual Social Media Law ConferenceLexpert, June 8, 2015

Canada’s Anti-Spam Law

3

Canada’s Anti-Spam Legislation

Canada’s Anti-Spam Legislation, “CASL”, creates a strict regime for sending electronic messages and installing computer programs.Conceptually, CASL compliance rests on three pillars:

1. Obtain Consent (Express or Implied)2. Provide the Required Disclosure3. Allow people to unsubscribe from

commercial messages or uninstall programs

4

Canada’s Anti-Spam Legislation

To which messages does CASL apply? CASL applies to Commercial Electronic Messages (“CEMS”) that are sent by telecommunication to an “electronic address”:

• an electronic mail account (e.g. email);• an instant messaging account (e.g. text messaging and SMS);• a telephone account; or • any similar account

Canada’s Anti-Spam Legislation

Is Social Media Caught? “Any similar account” captures certain new forms of communication, such as social media and BBM. The key question is whether the message is sent to something akin to an “electronic address”. Messages that are not sent to an “electronic address” are not subject to CASL.

Tweets and Facebook wall postings appear to be published rather than sent to an address, and are therefore not caught by CASL (Note Privacy Law applies even if a person’s privacy settings are low).

‘Direct messages’ sent directly to a social media account do appear to go to an address and are therefore subject to CASL.

5

6

Canada’s Anti-Spam Legislation

Is the Electronic Message Commercial? CASL only applies to electronic messages that are “commercial”. This will include all messages that, based on their content, including links, and contact information, have as one of their purposes encouraging participation in commercial activity, regardless of whether this is done with the expectation of profit.

• Messages that offer to sell or advertise a product or service;

• Messages that promote a person or corporation; • Messages that seek to gather consumer or market

information in a commercial context; • Messages that seek consent to send further messages.

7

Canada’s Anti-Spam Legislation

Which messages are exempt? The Regulations provide that the following message classes are exempt from both the consent and in message disclosure requirements:

• messages sent between employees of an organization relating to the affairs of the organization;

• messages sent between employees of two organizations with a relationship, where the message relates to the affairs of the recipient organization;

• messages that respond to an inquiry, complaint, or other solicitation from the recipient;

The exception for “responses” to solicitations is often relied on for messages that are sent solely to administer social media contests.

8

Canada’s Anti-Spam Legislation

Which messages are exempt? The Regulations provide that the following message classes are exempt from both the consent and in message disclosure requirements:

• fundraising messages sent by or on behalf of a registered charity;• messages where the person sending the message reasonably expects it to

be received in a foreign state listed in the Regulations, if the message complies with the law of that state;

• messages sent to a secure account to which only the person providing the account may send messages;

• messages sent on a platform that includes compliant disclosure and an unsubscribe mechanism in its interface are exempt from the message requirements, but not the consent requirements;

• messages sent to satisfy a legal obligation.

9

Express Consent Under CASL

Requirements for a Request for Express Consent 1. Provide the purpose for which the consent is sought;

2. Provide the name under which the person seeking consent carries on business, and if different, the name under which the person on whose behalf consent is sought carries on business;

3. If applicable, identify which person is seeking consent, and on whose behalf consent is sought;

4. Provide the mailing address, and one (or more) of a telephone number, website, or email address of either the person seeking consent, or if different, the person on whose behalf consent is sought;

5. State that consent may be withdrawn.

The CRTC’s Position on Express Consent

• The CRTC takes the position that express consent must be “positive or explicit”.

• Note that a check box is not specifically required, other mechanisms that amount to an explicit indication of consent may be used.

10

11

Implied Consent Under CASL

Requirements for Implied Consent

1.There is an “existing business” or “existing non-business relationship” between the sender and the recipient, or2.The recipient has “conspicuously published” their address, or has “disclosed it to the sender” and: • has not indicated they do not wish to receive commercial messages; and,• the message is relevant to the recipient’s business, role, functions or duties

Note: Publication and disclosure only apply if the message relates to the business of the recipient. They would not apply to a consumer address collected from a social media profile; however, they may apply in some cases to professional information collected from LinkedIn.

12

An “Existing Business Relationship” is where the recipient of the message:

• Purchased a good or service from the message sender within the prior two years;

• Accepted a business opportunity from the message sender within the prior two years;

• Has a written contract with the message sender in respect of a matter other than a purchase, lease, or business opportunity, or such a contract that expired in the prior two years;

• Made an inquiry or application to the message sender regarding a purchase, lease, or business opportunity within the six months prior the message

Implied Consent- “Existing Relationships”

Note: The “Existing Business Relationships” definitions all turn on the relationship between the sender of the message (or the person on whose behalf the message was sent) and the recipient. They do not extend “implied consent” to related third parties.

13

Message Content Under CASL

Prescribed Disclosure Requirements for Electronic Messages

1. The name under which the person sending the message and the person on whose behalf the message is sent, if different, carry on business, if different from their names, if not their names;

2. If applicable, an indication which person sent the message and on whose behalf it was sent;

3. The mailing address, and one (or more) of a telephone number, web address, or email address of either the person sending the message, or if different, the person on whose behalf it is sent; and

4. An unsubscribe mechanism.

Service providers sending electronic messages on behalf of third parties who do not have material control over the message content or recipient list would not need to be identified.

The required contact information must remain current for a minimum of 60 days after the message is sent.

14

Exceptions to the Disclosure Requirements

The General Exception“If it is not practicable to include the information… and the unsubscribe mechanism… in a commercial electronic message, that information may be posted on a page on the World Wide Web that is readily accessible by the person to whom the message is sent at no cost to them by means of a link that is clearly and prominently set out in the message.”

This exception will be essential for electronic messages that are subject to space restraints such as text messages. It is not likely to apply to messages not subject to such restraints, such as email.

15

Unsubscribe Mechanism

CASL requires CEMs to set out an unsubscribe mechanism that allows the message recipient to indicate at no cost, the wish to unsubscribe from all CEMs or a specified class of CEMs. This mechanism must: • Use the same electronic means as the message, or if not

practicable, other electronic means;• Give an electronic address or a web link for unsubscribe

requests;• Be set out clearly, and be able to be “readily” performed;• Be effective “without delay”, and no later than 10 business

days

16

The Family and Personal Relationship Exception

Neither the requirement to obtain consent, nor the requirement to disclose information regarding the sender, will apply where an electronic message is sent “by” or “on behalf” of a person who has a “personal” or “family” relationship with the recipient.

Note: Both family relationships and personal relationships are between individuals. A corporation could not have a personal relationship under CASL; however, the exception applies to messages that are sent “by” or “on behalf” of such individuals.

The Family and Personal Relationship Exception

Under CASL, Facebook “Friends” may not be your “friends”… but your brother and sister are not your family.

17

“Family” “Personal Relationship” Marriage; A common-law partnership; A legal parent/child relationship;

where: Those persons have had a

direct voluntary two way communication.

Must have had direct, voluntary two way communications;

Must be reasonable to conclude the relationship is personal considering all relevant factors.

When soliciting individuals to share content on social media, the instructions should be to only share with persons falling into these classes.

18

Referral Messages

The Regulations include an exception that permits a single referral message to be sent where: • The referral is made by an individual who has an existing

business relationship, existing non-business relationship, family, or personal relationship with the message recipient;

• The referrer has one of those relationships with the sender of the message; and

• The message states the full name of the person who made the referral, and states that the message was sent as a result of the referral.

The referral message must also comply with the standard CASL message disclosure requirements.

19

Maintaining Contact Lists

Both Industry Canada and the CRTC have taken the position that valid express consent obtained before CASL came into force remains valid under CASL.

However, both regulators have expressly noted that in some cases email addresses that could be used under the privacy legislation can no longer be used under CASL.

Previously usable email addresses most likely to be unusable under CASL are where an organization had relied on ‘implied’ consent under PIPEDA in a situation that does not fall into one of the defined categories of implied consent in CASL.

There is a transitional period in CASL that lasts from July 1, 2014 ending July 1, 2017. During this time, “implied consent” will survive for three years in cases of “existing business relationships”, as defined in CASL, that predate CASL and that included the sending of commercial messages when CASL came into force.

20

Penalties

Administrative monetary penalties for violations: • A fine of up to $1,000,000 for a violation by an individual. • A fine of up to $10,000,000 for a violation by a corporation.

CASL also creates a private right of action for persons who allege they have been affected by a violation. If the action is successful in court, the court may order:

• Compensation equal to the actual loss or damage suffered; and

• $200 for each contravention, not exceeding $1,000,000 for each day on which a contravention occurred.

The private right of action has a delayed coming into force date, and will not be in place until July 1, 2017. The CRTC may still seek to impose administrative monetary penalties prior to this.

Enforcement To Date

Since CASL came into force, the CRTC has received over 245,000 complaints, and continues to receive almost 1,000 complaints per day. The CRTC has indicated it will review these complaints, and take action where appropriate.

On March 6, 2015 the CRTC issued the first Notice of Violation under CASL, imposing a $1.1 million penalty on Quebec company Compu-Finder. The CRTC alleges Compu-Finder:

• “Scoured the internet” for business email address and sent emails promoting its training services without appropriate consent, and • Used unsubscribe mechanisms that did not function

The CRTC noted that Compu-Finder accounted for 26% of all complaints in its industry sector, and “flagrantly violated the basic principles of the law”.

21

Enforcement To Date

On March 25, 2015, the CRTC announced its second enforcement action, entering into an undertaking in which dating website operator Plentyoffish Media agreed to pay a fine of $48,000.Plentyoffish is alleged to have sent CEMs to its registered users, which:

• included an unsubscribe mechanism that was not “clearly and prominently set out”; and

• that could not be “readily performed”

22

The CRTC has stated that a number of additional investigations are currently underway.

Consent for Installing Computer Programs

23

CASL also creates a requirement to obtain express consent to install a “computer program” on a person’s computer system. Similar to requests for consent to send messages, a request for consent to install a computer program must state: 1. The purpose for which the consent is sought including providing a simple description of

the of the function and purpose of the program;2. The name under which the person seeking consent carries on business, and if

different, the name under which the person on whose behalf consent is sought carries on business;

3. If applicable, which person is seeking consent, and on whose behalf consent is sought; 4. The mailing address, and one (or more) of a telephone number, website, or email

address of either the person seeking consent, or if different, the person on whose behalf consent is sought;

5. That consent may be withdrawn.

Additional information is required if the program carries out certain unexpected functions, such as harvesting information on the computer.

Consent for Installing Computer Programs

24

NOTE: Consent to install a computer program must be sought separately from consent to send commercial messages.

Remember: Your request for consent should expressly include consent to future upgrades of the program!

Corporate Compliance Programs

For compliance with CASL, it is essential for organizations to audit their practices regarding commercial electronic messages, program installation, and the validity of their consents:

• Determine where you are sending CEMs or installing programs;

• Identify the channels through which you send CEMs;• Assess if you have implied or express consent to send

CEMs or install programs or if an exemption applies;• If you conclude you have consent, assess your ability to prove

it in the face of a challenge;• Develop a plan to obtain any required consents. This plan

should address both the treatment of current lists, managing unsubscribed, as well as how the organization will continue to acquire consent in compliance with CASL

25

Corporate Compliance Programs

• Ensure your CEMs contain the content required by CASL, except where an exception applies;

• Ensure your requests for consent to send CEMs or install computer programs contain the content required by CASL, except where an exception applies;

• Determine how CASL may affect your policies, processes, customer relationship management (CRM) and other IT systems, and staff training and awareness programs;

• Revise your policies, processes and systems as required;

• Keep an audit trail, since CASL contains a “due diligence” defense.

26

Privacy and Social Media

2828

Regulatory Framework

What is ‘Personal Information’?

“Personal information” is broadly defined in PIPEDA to include any “information about an identifiable individual”, whether public or private, with limited exceptions.

The Privacy Commissioner has repeatedly held personal information includes email addresses, even business email addresses.

28

29

Collecting Personal Information

The overarching principles of privacy law apply to the collection of personal information in social media. Always:• Disclose the purposes for which you collect information; • Obtain informed consent to these purposes; • Use personal information only in accordance with the purposes

disclosed; • Limit the collection of personal information to what is necessary for

purpose(s) identified

Note: In 2014, the Commissioner held giving a “Permission” to an App does not necessarily entail giving it permission to use all personal information associated with the “permission”. For example, a permission to transmit voice recordings to the App operator when activating voice commands would be restricted to transmitting recordings for the disclosed purpose of voice commands, not all conversations the App may technically be capable of recording.

30

Collecting Personal Information

Consider: • What information are you collecting?

• More sensitive information requires clearer consent, and increased disclosure.

• Beware of over collection from loose coding in third party applications.

• How are you obtaining consent? • Remember, consent must be in relation to the purposes you

disclose to the individual. • How are you disclosing your privacy policy? Can it be easily

accessed in the manner it is presented, in particular in mobile applications?

31

Personal Information In Social Media

‘Public’ Information Personal Information that can be accessed from a ‘public’ source remains subject to the requirement for consent in most cases. PIPEDA provides only limited exceptions:

• A name, address and telephone number in a telephone directory

• A name, title, address and telephone number in a professional or business directory

• A registry collected under statutory authority or a record/document of a judicial body

• A publication including a magazine, book or newspaper available to the public, where the individual provided the information.

If the individual can refuse to have their information in the directory.

If the information is used for the purpose for which it appears in the directory.

If the information is used for the purpose for which it appears in the registry or document.

Just because you can see it does not mean you can take it!

32

Enforcement Action

The Privacy Commissioner Weighs In On Social MediaThe Privacy Commissioner has frequently applied PIPEDA to social media, taking enforcement action against Facebook, Nexopia and WhatsApp. In 2014, the Commissioner considered a popular child directed website from a toy manufacturer, and concluded: • When dealing with a child under 13, they should be explicitly

directed to involve a parent and the consent of the parent should be obtained.

• Where a privacy policy applies to multiple sites, it should explain in simple terms how information is collected, used, and disclosed from site to site.

• Organizations should take “appropriate, systematic and regular” efforts to ensure ad networks and other third parties are not setting tracking cookies on their site.

Enforcement Action

In 2013, the Commissioner issued findings on WhatApp, a mobile messaging platform. The Commissioner found WhatsApp: • Retained the personal information of non-users longer than needed for its disclosed purpose of identifying network users. • Did not use appropriate encryption to safeguard personal information.

33

34

Enforcement Action

In an earlier decision, the Privacy Commissioner encouraged Nexopia to “go further and explore more innovative methods of presenting its Privacy Policy, e.g. presenting it in theme-based pieces and in an incremental manner, so that users can click after reading small portions of the Policy”.

Take away: one size does not fit all when it comes to privacy disclosure. It is necessary to consider your audience in determining whether you have informed consent in line with their reasonable expectations.

Clear, uncluttered policies that clearly explained website features and address online and offline privacy are encouraged.

Replicating the privacy principles in PIPEDA is discouraged.

35

Data Protection and Transfers

PIPEDA requires organizations to implement physical, organizational and technological measures to ensure adequate safety.Organizations are responsible for personal information in their possession or custody, including information that has been transferred to a third party.An organization must consider the activities of the companies it retains to store personal information, to build platform integrations or applications, to moderate content, advertising agencies, and public relations companies. Be aware that the legal onus is on an outsourcing organization to ensure that service provider to whom personal information is transferred complies with Canadian privacy laws.

36

Data Protection and Transfers

Breach Notification

The federal Privacy Commissioner has published voluntary guidelines regarding responding to security breaches. The guidelines state four key steps when responding to a breach:

1. Contain the breach by taking immediate steps to stop any further information from being disclosed. Undertake a preliminary assessment of the situation;

2. Evaluate the risk associated with the breach by considering the sensitivity of the information involved, whether it was encrypted, how it may be used, and the risks to the individual resulting from that use;

3. Notifying the individuals if the privacy breach creates a risk of harm to the individual; and

4. Develop a plan for the prevention of future breaches.

37

Behavioural Advertising

Behavioural Advertising and Tracking

“Tracking consumers’ online activities over time in order to deliver advertisements targeted to their inferred interests”

Privacy Commissioner Guidelines for opt-out consent: • The individual must be made aware of the purposes for

which you are collecting personal information. • The individual must be informed at the time or before

information is collected and informed of the parties involved. • There must be an easily available opt-out, that takes effect

immediately and is persistent. • The information is not sensitive. • The information is de-identified or

destroyed as soon as possible.

A clause buried in a privacy policy would not be adequate!

Canadian Self-Regulatory Principles for OBA

Ad Choices: The Digital Advertising Alliance Of Canada (DAAC)The DAAC, made up of leading national advertising and marketing trade associations, operates an industry self-regulation program.• Education: organizations should educate individuals about OBA; • Notice and Transparency: provide clear, meaningful and prominent notice

of data collection and practices;• Consumer control: consumers are to have a choice over whether they

are tracked & offered OBA;• Accountability: The ASC is to monitor compliance with the principles and

establish complaint mechanisms;• Sensitive Data: Organizations should not collect

personal information for OBA from children under 13.

38

montréal · ottawa · toronto · hamilton · waterloo region · calgary · vancouver · moscow · london

Thank YouChris OatesAssociateGowling Lafleur Henderson LLPchris.oates@gowlings.com416-369-7333

QUESTIONS?