PRIVACY, ANTI-SPAM AND YOUR BUSINESS: WHERE DO WE STAND? Presented by: Cameron Mitchell B.A., LL.B.

Transcription

1 PRIVACY, ANTI-SPAM AND YOUR BUSINESS: WHERE DO WE STAND? Presented by: Cameron Mitchell B.A., LL.B.

2 Privacy The focus of my presentation will be on two thing that have made marketing and contacting clients a challenge in recent years -- Privacy and the new anti-spam law (referred to as CASL). Quick review of each, and then review recent cases and things that you should keep in mind to avoid problems in your business. Privacy falls under the Personal Information Protection and Electronic Documents Act ( PIPEDA ). PIPEDA applies to organizations engaged in commercial activities. It was enacted 15 years ago, so we have a good idea of how PIPEDA is enforced, primarily by the Privacy Commissioner. It governs how organizations collect, use and disclose personal information in the course of business. In the Financial Services Context, examples of information that you may come in contact with and that would likely constitute personal information of an individual include: Social Insurance Numbers, copies of Driver s Licence or Passport information bank account numbers, summaries, balances & transaction histories mortgage applications/renewals, tax returns and net worth credit reports and credit scores

3 A quick review of the highlights of PIPEDA requirements: PIPEDA Summary & Avoiding Risks Accountability: If you are governed by PIPEDA (most businesses) you have to appoint one person who is accountable for Privacy in your organization Identifying Purposes: You have to identify a purpose (have a good reason) for why the information is being collected. Consent You generally have to have the knowledge and consent of the individual to collect, use or disclose their personal information Limiting Collection: You can only collecting the information that you need this goes back to identifying the purpose. You can also only collect the information by fair and lawful means this is tied back into the consent point. Limiting Use, Disclosure and Retention: You cannot use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information can only be retained for as long as necessary for the fulfillment of those purposes. Safeguards, Openness, Access You must have safeguards in place to protect personal information. This can including limiting access to only those who truly require the information, passwords, and encryption. If you are asked, you must make information about your Privacy policies and practices available to a client Also, you have to make a copy of an individual s personal information available to them on request, and they can challenge you if it is not accurate or complete.

4 PIPEDA Best Practices and Avoiding Privacy Traps Have a privacy policy in place and know in general how you would respond to a question or challenge about your privacy policy and practices Securing information can be as simple locking a cabinet or a door to a home office You should secure any personal information that you have saved on computers: this can be done by passwords, encryption, and firewalls (speak with an IT consultant) Encryption: involves the placement of an encryption key or password on a file or document that must be entered before it can be read/accessed Have a policy or at least a general plan on how to respond to a request from the police, a lawyer or other party for your client s personal information

5 Recent Privacy Decisions 1) Supreme Court decision in Spencer: police request for information. Customer charged with possessing and distributing child pornography online. The police obtained the information use to convict without a warrant from his ISP. Supreme Court held that a warrant is required before such a request can be made and that Internet Service Providers cannot disclose to law enforcement information such as names, addresses and phone numbers of customers without a warrant (or subpoena). The decision in Spencer clarifies that the police do not have the authority to make warrantless requests of private companies for the personal information of customers. The case also says that businesses are subject to privacy laws that require knowledge or explicit consent of the customer before their personal information can be disclosed, with the exceptions including collection of a debt owed by the customer to the corporation and if they are required to comply with a warrant or subpoena. Key Takeaway: If you hold personal information of your clients and you are ever approached by the police or a lawyer asking for information, most of us would want to help the investigation or we would have a natural deference to a request from law enforcement. You have to be very careful in these situations even though a document may look like its been issued by a court, it may be a document that has only been created by the police or a law firm or stamped by a court clerk and not a judge. If you receive a request to disclose a client s personal information, the best first response is always something like thanks let me take it to review and I will get back to you. If you are in doubt, involve your head office (if you have one) or ask your lawyer (someone with experience with such matters) to review the warrant or subpoena and how best to respond to the party asking for the information. 2) Privacy Commissioner decision: Bell Canada s Relevant Advertising Program or RAP. Bell tracing the network usage, Internet browsing habits, and account information of its customers to allow profiles to be created enabling third parties to deliver targeted ads to those customers. The Privacy Commissioner received many complaints about the program and investigated, finding that it was in violation of PIPEDA. Specifically, it found that the amount and sensitivity of the information being collected under the RAP required Bell to obtain explicit/direct consent from its customers which it had not done. Bell initially resistant to Commissioner, and is now facing a $750 million class action lawsuit from affected customers for alleged breaches of privacy. Key Takeaway: The major focus of recent privacy and CASL decisions is on consent: like Canada s new CASL requirement of consent to send CEMs, the Privacy Commissioner seems to be focusing on the issue of companies seeking explicit consent before tracking the habits and personal information of customers.

6 What is CASL? CASL is short for Canadian Anti-Spam Legislation. The first phase of the new law came into effect about 1 year ago. As background, CASL s basic purpose is SPAM prevention by requiring that the recipient of the electronic message has given the sender their consent before receiving it. Under CASL a commercial electronic message (or CEM ) is defined as an electronic message that encourages participation in a business transaction or activity, regardless of whether there is an expectation of profit. This could include s, text messages, and instant messages being sent for a commercial purpose. The challenging part about CASL is that it casts a wide net the new law doesn t distinguish between a SPAM coming from a server in Russia, or your company s legitimate announcing an anniversary celebration. If it s a commercial message, you must have the required consent.

7 HAS CASL AFFECTED YOUR BUSINESS? CASL has likely already affected the way you interact and market with your clients and prospects. Until CASL, using was the cheapest, easiest way to conduct a marketing campaign. Now under CASL you have to have either express or implied consent to send someone a commercial electronic message or CEM. If you don t obtain consent to send electronic messages, your business could become the subject of a complaint to the Office of the CRTC, or subject to fines (in the worst case up to $10 million per occurrence). Such a complaint could come from a disgruntled customer or a competitor. So for you as a business owner or manager, the main thing you want to avoid are the complaints to the CRTC. Any complaint that goes to either the CRTC for CASL or the Privacy Commissioner for PIPEDA will be *very* time and cost consuming. If you can set up an effective compliance program, it will greatly reduce the chance of your company becoming the target of a complaint.

8 TYPES OF CONSENT A. Express Consent: Under CASL, if the sender of a CEM does not have implied consent, express consent is required to send a CEM. Express consent is where you say Can I send you s about my business? and the other person says Yes. Note that a request for express consent sent by would be considered to be a CEM. B. Implied Consent: There are certain circumstances under CASL in which consent can be implied in other words where consent does not have to be expressly or directly obtained. Here are some of the more common situations where consent can be implied: 1. The sender and the recipient share an existing business relationship, arising from: a. The purchase, lease or bartering of a product or service in the prior two years; b. Acceptance by the recipient of a business opportunity offered by the sender in the prior two years; c. A written contract between the recipient and the sender, if in force or expired within the prior two years, that does not relate to the purchase, lease or bartering of a service or product or the acceptance of a business opportunity; d. An inquiry or application within the prior six-month period, in respect of the purchase, lease or bartering of a product or service or the acceptance of a business opportunity; 2. The recipient has conspicuously published their electronic address and the publication is not accompanied by a statement that the recipient does not wish to receive unsolicited CEMs and the CEM is relevant to the recipient s business; 3. The recipient has given the sender the electronic address without indicating a wish not to receive unsolicited CEMs and the CEM is relevant to the recipient s business (the so-called business card exception ). NOTE THOUGH: that there are complications with relying on implied consent. If you feel that a relationship with a client is an ongoing and regular one and you will be in contact with them at least once every two years, then you could rely on implied consent periods going forward. Note though that CASL states that if you are relying on implied consent that was obtained before July 1, 2014 and there is no additional contact with that client, the implied consent will terminate as of July 1, The complexity with tracking and proving implied consent is why many large organizations are sending out s now (before July 1, 2014) and asking for express consent to send CEMs.

9 EXCEPTIONS The CASL rules do not apply to every CEM or every relationship. The most relevant Exceptions to the Consent and Content Requirements (content being the requirement for sender information and an unsubscribe option) are: 1. A question sent by a potential client; 2. CEMs between employees, representatives, consultants or franchisees of an organization, or of two organizations that have a relationship, concerning the recipient organization; and 3. A response to a request, inquiry or complaint or otherwise solicited by the recipient. Exceptions to the Consent Requirement Only (Content Requirements Still Apply) 1. A quote or estimate of a good or service, if requested by the recipient; 2. Facilitating a transaction that the recipient previously agreed to enter into; 3. Warranty or product recall information about a good or service that the recipient has purchased; 4. Information about ongoing use of a product or service under a subscription, membership, account, or loan; 5. Information related to an employment relationship or related benefit plan; 6. Delivering a product or a service that the recipient is entitled to receive under the terms of a transaction; and 7. Referrals under certain circumstances, if the CEM includes certain prescribed information specific to this exception.

10 OTHER PRACTICAL TIPS: If you haven t already done so, you may have to change the way your business collects and maintains client consent for CEMs. For example, if a customer has not purchased anything from your company within 2 years, and you haven t had any contact with them in the last 6 months, then your business no longer has that customer s implied consent under CASL because it is no longer considered an existing business relationship. Businesses will have to figure out how to automate getting consent once the prior implied consent has expired. This may be challenging, especially for small businesses. Update your customer records. These records should include an inventory of what kinds of CEMs you send out, to whom, and when consent was obtained and whether it was implied or express. Determine how to collect express consent, and when you can rely on implied consent. There may be some marketing software or website tools that can aid in tracking customer consent, like mailchimp.com. You may have received s last year from some companies asking you to re-confirm if you want to keep receiving their s, and the kind of s you want to receive. As long as the website or software you re using to do this keeps track of when the consent was obtained, this is a very good way of being able to show that you had the customer s consent. Show them benefits. Tell recipients what benefits they will receive for opting in to the subscription perhaps they will receive special promotions or exclusive news. It s one effective way of deterring consumers from clicking the unsubscribe option that senders will be required by law to provide, and will perhaps diminish the possible effects of the new laws. Consider: if you want to rely on any of the exemptions or implied consent, remember that you have to be able to have records of the reasons giving rise to the exemption or implied consent. So if you are saying that a recipient should fall under implied consent because they are an existing client, you have to be able to prove you ve done business with them in the last two years.

11 Best Practices and Avoiding CASL Traps Snail Mail: Consider using snail mail for marketing campaigns, which have virtually no rules other than avoiding misleading marketing. Records: Obtain and keep good records of how consent was obtained, whether it is express or implied. Ensure that implied consent has not expired. Unsubscribe Link (Key Takeaway): Most importantly, if you engage in marketing and send CEMs, have a prominent and properly working unsubscribe mechanism in your CEMs.

12 HOW HAS CASL BEEN ENFORCED? AND ARE THERE LESSONS? So far the CRTC has concluded two investigations, both announced in March. Compu-Finder, a Quebec firm, was fined $1.1 million for spams pitching its training courses. The unsubscribe link in the s didn t do anything. The CRTC said Compu-Finder accounted for a quarter of the 250,000 complaints its SPAM reporting centre received since beginning operation last year. The CRTC has confirmed that Compu-Finder was not responsive to the complaints and it did not submit representations to challenge the penalty. Then later in March, the CRTC announced a settlement with Plenty of Fish Media, a Vancouver-based dating website, to pay a $48,000 fine. The amount was apparently much lower because the company moved quickly to bring itself into compliance and was generally cooperative. The key take-away from these cases is that you must have an effective unsubscribe link or button in any CEM (and especially mass-marketing s sent to a large number of recipients). Also, if you are the subject of a complaint, don t be difficult to reach or deal with it just makes the regulator angry. The CRTC says that other complaints are being investigated but they won t say how many or what type.

13 COMPUTER PROGRAMS CASL also applies to the installation of computer PROGRAMS. Without going into a whole lot of detail, CASL also contains rules on how computer programs can be downloaded onto a user s computer system. This is meant to prohibit things like malware or spyware, but like the CEM parts of CASL, it has a wide reach. The rules do not apply to a download carried out by a user directly. In January of 2015, provisions covering the unauthorized installation of software came into force. CASL says that a business must not install or cause to be installed a computer program on any other person s computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless the business has obtained the express consent of the owner and explained clearly what the program does. The request for consent cannot be buried in general terms and conditions of use or sale. Computer Programs include apps and updates. Programs like cookies, Java Scripts, and operating systems do not fall under the CASL requirements. Computer system is broadly defined and could include: servers, PCs, smartphones, tablets, the Cloud, websites, and even things like appliances, autos, and other consumer products.

14 WHAT S NEXT WITH CASL? The next aspect of CASL comes in July 2017 it is the section allowing someone to sue for damages connected with SPAM or unauthorized Malware. Its unclear what impact the private right of action will have after it takes effect. We expect that most of these claims will be of the nuisance variety there is a minimum $200 statutory damages (where the plaintiff doesn t have to prove actual harm as long as the judge finds a CASL violation). There may be an increase in the number of class action lawsuits started for this kind of situation.

15 Useful Links and Contact Information The government has created a CASL website (fightspam.gc.ca) where you can read FAQs and the full text of the Act and its regulations can be viewed. The Canadian Chamber of Commerce also has an excellent CASL area on their website the address is chamber.ca/resources/casl/ The website of Office of the Privacy Commissioner has several useful links and tools at its website (priv.gc.ca) And of course I would be happy to help. If you have any questions about preparing for CASL, my address is [email protected] -- just no SPAM please.

16 Thank you!

17 SorbaraLaw is one of the largest and most respected full service regional law firms in Ontario. We welcome comments & enquiries on this presentation or any other matter. At SorbaraLaw, we strive to deliver value & truly useful service to every client, on every matter. 300 Victoria Street North Kitchener, ON N2H 6R Woolwich Street Guelph, ON N1H 3X Union Street East Waterloo, ON N2J 1B This presentation is intended only to inform and educate about general matters. It is not legal advice. Be sure to contact a lawyer to obtain legal advice on any specific matter.