PRIVACY, ANTI-SPAM AND YOUR BUSINESS: WHERE DO WE STAND?
Presented by: Cameron Mitchell B.A., LL.B.
Privacy

The focus of my presentation will be on two things that have made marketing and contacting clients a challenge in recent years: Privacy and the new anti-spam law (referred to as CASL). A quick review of each, and then a review of recent cases and things that you should keep in mind to avoid problems in your business.

Privacy falls under the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA applies to organizations engaged in commercial activities. It was enacted 15 years ago, so we have a good idea of how PIPEDA is enforced, primarily by the Privacy Commissioner. It governs how organizations collect, use and disclose personal information in the course of business.

In the financial services context, examples of information that you may come in contact with and that would likely constitute personal information of an individual include:
- Social Insurance Numbers, copies of Driver's Licence or Passport information
- bank account numbers, summaries, balances & transaction histories
- mortgage applications/renewals, tax returns and net worth
- credit reports and credit scores
PIPEDA Summary & Avoiding Risks

A quick review of the highlights of PIPEDA requirements:

Accountability: If you are governed by PIPEDA (most businesses), you have to appoint one person who is accountable for privacy in your organization.

Identifying Purposes: You have to identify a purpose (have a good reason) for why the information is being collected.

Consent: You generally have to have the knowledge and consent of the individual to collect, use or disclose their personal information.

Limiting Collection: You can only collect the information that you need; this goes back to identifying the purpose. You can also only collect the information by fair and lawful means; this ties back into the consent point.

Limiting Use, Disclosure and Retention: You cannot use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information can only be retained for as long as necessary for the fulfillment of those purposes.

Safeguards, Openness, Access: You must have safeguards in place to protect personal information. This can include limiting access to only those who truly require the information, passwords, and encryption. If you are asked, you must make information about your privacy policies and practices available to a client. Also, you have to make a copy of an individual's personal information available to them on request, and they can challenge you if it is not accurate or complete.
PIPEDA Best Practices and Avoiding Privacy Traps

- Have a privacy policy in place and know in general how you would respond to a question or challenge about your privacy policy and practices.
- Securing information can be as simple as locking a cabinet or a door to a home office.
- You should secure any personal information that you have saved on computers: this can be done by passwords, encryption, and firewalls (speak with an IT consultant).
- Encryption: involves protecting a file or document with an encryption key or password that must be entered before it can be read or accessed.
- Have a policy, or at least a general plan, on how to respond to a request from the police, a lawyer or another party for your client's personal information.
Recent Privacy Decisions

1) Supreme Court decision in Spencer: police request for information.

A customer was charged with possessing and distributing child pornography online. The police obtained the information used to convict him without a warrant from his ISP. The Supreme Court held that a warrant is required before such a request can be made and that Internet Service Providers cannot disclose to law enforcement information such as names, addresses and phone numbers of customers without a warrant (or subpoena).

The decision in Spencer clarifies that the police do not have the authority to make warrantless requests of private companies for the personal information of customers. The case also says that businesses are subject to privacy laws that require knowledge or explicit consent of the customer before their personal information can be disclosed, with the exceptions including collection of a debt owed by the customer to the corporation and if they are required to comply with a warrant or subpoena.

Key Takeaway: If you hold personal information of your clients and you are ever approached by the police or a lawyer asking for information, most of us would want to help the investigation or would have a natural deference to a request from law enforcement. You have to be very careful in these situations: even though a document may look like it's been issued by a court, it may be a document that has only been created by the police or a law firm, or stamped by a court clerk and not a judge. If you receive a request to disclose a client's personal information, the best first response is always something like "thanks, let me take it to review and I will get back to you." If you are in doubt, involve your head office (if you have one) or ask your lawyer (someone with experience with such matters) to review the warrant or subpoena and how best to respond to the party asking for the information.

2) Privacy Commissioner decision: Bell Canada's Relevant Advertising Program, or RAP.

Bell was tracking the network usage, Internet browsing habits, and account information of its customers to allow profiles to be created, enabling third parties to deliver targeted ads to those customers. The Privacy Commissioner received many complaints about the program and investigated, finding that it was in violation of PIPEDA. Specifically, it found that the amount and sensitivity of the information being collected under the RAP required Bell to obtain explicit/direct consent from its customers, which it had not done. Bell was initially resistant to the Commissioner, and is now facing a $750 million class action lawsuit from affected customers for alleged breaches of privacy.

Key Takeaway: The major focus of recent privacy and CASL decisions is on consent: like Canada's new CASL requirement of consent to send CEMs, the Privacy Commissioner seems to be focusing on the issue of companies seeking explicit consent before tracking the habits and personal information of customers.
What is CASL?

CASL is short for Canadian Anti-Spam Legislation. The first phase of the new law came into effect about 1 year ago. As background, CASL's basic purpose is SPAM prevention by requiring that the recipient of an electronic message has given the sender their consent before receiving it.

Under CASL a commercial electronic message (or "CEM") is defined as an electronic message that encourages participation in a business transaction or activity, regardless of whether there is an expectation of profit. This could include e-mails, text messages, and instant messages being sent for a commercial purpose.

The challenging part about CASL is that it casts a wide net: the new law doesn't distinguish between a SPAM email coming from a server in Russia and your company's legitimate email announcing an anniversary celebration. If it's a commercial message, you must have the required consent.
HAS CASL AFFECTED YOUR BUSINESS?

CASL has likely already affected the way you interact and market with your clients and prospects. Until CASL, using email was the cheapest, easiest way to conduct a marketing campaign. Now under CASL you have to have either express or implied consent to send someone a commercial electronic message or CEM.

If you don't obtain consent to send electronic messages, your business could become the subject of a complaint to the Office of the CRTC, or subject to fines (in the worst case up to $10 million per occurrence). Such a complaint could come from a disgruntled customer or a competitor. So for you as a business owner or manager, the main thing you want to avoid is complaints to the CRTC. Any complaint that goes to either the CRTC for CASL or the Privacy Commissioner for PIPEDA will be *very* time and cost consuming. If you can set up an effective compliance program, it will greatly reduce the chance of your company becoming the target of a complaint.
TYPES OF CONSENT

A. Express Consent: Under CASL, if the sender of a CEM does not have implied consent, express consent is required to send a CEM. Express consent is where you say "Can I send you emails about my business?" and the other person says "Yes." Note that a request for express consent sent by email would itself be considered a CEM.

B. Implied Consent: There are certain circumstances under CASL in which consent can be implied, in other words where consent does not have to be expressly or directly obtained. Here are some of the more common situations where consent can be implied:

1. The sender and the recipient share an existing business relationship, arising from:
   a. The purchase, lease or bartering of a product or service in the prior two years;
   b. Acceptance by the recipient of a business opportunity offered by the sender in the prior two years;
   c. A written contract between the recipient and the sender, if in force or expired within the prior two years, that does not relate to the purchase, lease or bartering of a service or product or the acceptance of a business opportunity;
   d. An inquiry or application within the prior six-month period, in respect of the purchase, lease or bartering of a product or service or the acceptance of a business opportunity;
2. The recipient has conspicuously published their electronic address, the publication is not accompanied by a statement that the recipient does not wish to receive unsolicited CEMs, and the CEM is relevant to the recipient's business;
3. The recipient has given the sender the electronic address without indicating a wish not to receive unsolicited CEMs, and the CEM is relevant to the recipient's business (the so-called "business card exception").

NOTE THOUGH: there are complications with relying on implied consent.
If you feel that a relationship with a client is an ongoing and regular one and you will be in contact with them at least once every two years, then you could rely on implied consent periods going forward. Note though that CASL states that if you are relying on implied consent that was obtained before July 1, 2014 and there is no additional contact with that client, the implied consent will terminate as of July 1, 2017. The complexity with tracking and proving implied consent is why many large organizations are sending out emails now (before July 1, 2014) and asking for express consent to send CEMs.
EXCEPTIONS

The CASL rules do not apply to every CEM or every relationship. The most relevant Exceptions to the Consent and Content Requirements (content being the requirement for sender information and an unsubscribe option) are:
1. A question sent by a potential client;
2. CEMs between employees, representatives, consultants or franchisees of an organization, or of two organizations that have a relationship, concerning the recipient organization; and
3. A response to a request, inquiry or complaint, or otherwise solicited by the recipient.

Exceptions to the Consent Requirement Only (Content Requirements Still Apply):
1. A quote or estimate of a good or service, if requested by the recipient;
2. Facilitating a transaction that the recipient previously agreed to enter into;
3. Warranty or product recall information about a good or service that the recipient has purchased;
4. Information about ongoing use of a product or service under a subscription, membership, account, or loan;
5. Information related to an employment relationship or related benefit plan;
6. Delivering a product or a service that the recipient is entitled to receive under the terms of a transaction; and
7. Referrals under certain circumstances, if the CEM includes certain prescribed information specific to this exception.
OTHER PRACTICAL TIPS:

If you haven't already done so, you may have to change the way your business collects and maintains client consent for CEMs. For example, if a customer has not purchased anything from your company within 2 years, and you haven't had any contact with them in the last 6 months, then your business no longer has that customer's implied consent under CASL because it is no longer considered an existing business relationship. Businesses will have to figure out how to automate getting consent once the prior implied consent has expired. This may be challenging, especially for small businesses.

Update your customer records. These records should include an inventory of what kinds of CEMs you send out, to whom, when consent was obtained, and whether it was implied or express.

Determine how to collect express consent, and when you can rely on implied consent. There may be some marketing software or website tools that can aid in tracking customer consent, like mailchimp.com. You may have received emails last year from some companies asking you to re-confirm whether you want to keep receiving their emails, and the kind of emails you want to receive. As long as the website or software you're using to do this keeps track of when the consent was obtained, this is a very good way of being able to show that you had the customer's consent.

Show them benefits. Tell recipients what benefits they will receive for opting in to the subscription; perhaps they will receive special promotions or exclusive news. It's one effective way of deterring consumers from clicking the unsubscribe option that e-mail senders are required by law to provide, and will perhaps diminish the possible effects of the new laws.

Consider: if you want to rely on any of the exemptions or implied consent, remember that you have to keep records of the reasons giving rise to the exemption or implied consent. So if you are saying that a recipient should fall under implied consent because they are an existing client, you have to be able to prove you've done business with them in the last two years.
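The consent rules described in the slides (express consent, implied consent from a purchase within two years or an inquiry within six months, the "business card" situation, the 1 July 2017 lapse of implied consent that predates CASL, and the point that an emailed consent request is itself a CEM) can be turned into a record check that a business could run over its contact list. The following is an added example written for this page, not code from the presentation or from any product it mentions; the record layout, the sample contacts and the review date are constructed, and the handling of the pre-CASL transition is one reading of what the slides state, not a legal interpretation.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Figures stated on the slides: CASL's CEM rules took effect 1 July 2014; implied
# consent obtained before then lapses 1 July 2017 if there has been no further
# contact; a purchase supports implied consent for two years, an inquiry for six months.
CASL_IN_FORCE = date(2014, 7, 1)
TRANSITION_END = date(2017, 7, 1)
PURCHASE_WINDOW_MONTHS = 24
INQUIRY_WINDOW_MONTHS = 6

@dataclass
class ContactRecord:
    """One row per electronic address. This field set is an assumption for the example."""
    address: str
    express_consent_on: Optional[date] = None   # date express consent was recorded
    last_purchase_on: Optional[date] = None     # purchase, lease or barter of a product or service
    last_inquiry_on: Optional[date] = None      # inquiry or application about such a purchase
    gave_address_without_opt_out: bool = False  # the "business card" situation on the slide
    unsubscribed_on: Optional[date] = None      # a later unsubscribe overrides every basis

def add_months(d: date, months: int) -> date:
    """Shift a date by whole months, clamping the day to the target month's length."""
    total = d.year * 12 + (d.month - 1) + months
    year, month = divmod(total, 12)
    month += 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def consent_basis(rec: ContactRecord, as_of: date,
                  relevant_to_recipient_business: bool = False) -> str:
    """Basis on which a CEM may be sent to rec on as_of, or 'none' / 'none:unsubscribed'."""
    express = rec.express_consent_on if rec.express_consent_on and rec.express_consent_on <= as_of else None
    unsub = rec.unsubscribed_on if rec.unsubscribed_on and rec.unsubscribed_on <= as_of else None
    if unsub and (express is None or unsub > express):
        return "none:unsubscribed"
    if express:
        return "express"
    # Existing business relationship: a purchase within the prior two years ...
    if rec.last_purchase_on and rec.last_purchase_on <= as_of:
        if add_months(rec.last_purchase_on, PURCHASE_WINDOW_MONTHS) > as_of:
            return "implied:purchase"
        # ... or a relationship that predates CASL (reading of the slide's transitional rule)
        if rec.last_purchase_on < CASL_IN_FORCE and as_of < TRANSITION_END:
            return "implied:transitional"
    # ... or an inquiry within the prior six months
    if rec.last_inquiry_on and rec.last_inquiry_on <= as_of:
        if add_months(rec.last_inquiry_on, INQUIRY_WINDOW_MONTHS) > as_of:
            return "implied:inquiry"
    # Address handed over with no opt-out statement, and the message is relevant to their business
    if rec.gave_address_without_opt_out and relevant_to_recipient_business:
        return "implied:business-card"
    return "none"

def implied_consent_expiry(rec: ContactRecord, as_of: date) -> Optional[date]:
    """Date on which the current implied basis lapses; None for express consent or no basis."""
    basis = consent_basis(rec, as_of)
    if basis == "implied:purchase":
        return add_months(rec.last_purchase_on, PURCHASE_WINDOW_MONTHS)
    if basis == "implied:inquiry":
        return add_months(rec.last_inquiry_on, INQUIRY_WINDOW_MONTHS)
    if basis == "implied:transitional":
        return TRANSITION_END
    return None

# Constructed sample records (not real customers) and a constructed review date.
SAMPLE_RECORDS: List[ContactRecord] = [
    ContactRecord("alice@example.com", express_consent_on=date(2014, 9, 10)),
    ContactRecord("bob@example.com", last_purchase_on=date(2013, 11, 20)),
    ContactRecord("carol@example.com", last_purchase_on=date(2012, 3, 5)),
    ContactRecord("dave@example.com", last_inquiry_on=date(2015, 2, 15)),
    ContactRecord("erin@example.com", last_inquiry_on=date(2014, 10, 1)),
    ContactRecord("frank@example.com", express_consent_on=date(2014, 9, 10),
                  unsubscribed_on=date(2015, 1, 5)),
    ContactRecord("gina@example.com", gave_address_without_opt_out=True),
]
AS_OF = date(2015, 6, 1)

def review(as_of: date) -> Dict[str, str]:
    """Consent basis for every sample record on the given date."""
    return {rec.address: consent_basis(rec, as_of) for rec in SAMPLE_RECORDS}

def triage(as_of: date, within_days: int) -> Dict[str, List[str]]:
    """Because an emailed consent request is itself a CEM, only contacts who still have an
    implied basis can be asked by email ("ask_now", if that basis lapses within the window);
    contacts with no basis must be reached some other way ("no_email_basis")."""
    cutoff = as_of + timedelta(days=within_days)
    ask_now, no_email_basis = [], []
    for rec in SAMPLE_RECORDS:
        basis = consent_basis(rec, as_of)
        if basis.startswith("none"):
            no_email_basis.append(rec.address)
        elif basis.startswith("implied:"):
            expiry = implied_consent_expiry(rec, as_of)
            if expiry is not None and expiry <= cutoff:
                ask_now.append(rec.address)
    return {"ask_now": ask_now, "no_email_basis": no_email_basis}
```

Running `review(AS_OF)` classifies each constructed contact, and `triage(AS_OF, within_days=180)` separates those who should be asked for express consent before their implied consent lapses from those who cannot be emailed at all. The "relevant to the recipient's business" test for the business-card situation is a judgment call that the code takes as an input flag rather than deciding itself.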
Best Practices and Avoiding CASL Traps

Snail Mail: Consider using snail mail for marketing campaigns, which has virtually no rules other than avoiding misleading marketing.

Records: Obtain and keep good records of how consent was obtained, whether it is express or implied. Ensure that implied consent has not expired.

Unsubscribe Link (Key Takeaway): Most importantly, if you engage in e-mail marketing and send CEMs, have a prominent and properly working unsubscribe mechanism in your CEMs.
HOW HAS CASL BEEN ENFORCED? AND ARE THERE LESSONS?

So far the CRTC has concluded two investigations, both announced in March. Compu-Finder, a Quebec firm, was fined $1.1 million for spam emails pitching its training courses. The unsubscribe link in the emails didn't do anything. The CRTC said Compu-Finder accounted for a quarter of the 250,000 complaints its SPAM reporting centre received since beginning operation last year. The CRTC has confirmed that Compu-Finder was not responsive to the complaints and did not submit representations to challenge the penalty.

Then later in March, the CRTC announced a settlement with Plenty of Fish Media, a Vancouver-based dating website, to pay a $48,000 fine. The amount was apparently much lower because the company moved quickly to bring itself into compliance and was generally cooperative.

The key take-away from these cases is that you must have an effective unsubscribe link or button in any CEM (and especially mass-marketing emails sent to a large number of recipients). Also, if you are the subject of a complaint, don't be difficult to reach or deal with; it just makes the regulator angry. The CRTC says that other complaints are being investigated, but it won't say how many or what type.
COMPUTER PROGRAMS

CASL also applies to the installation of computer PROGRAMS. Without going into a whole lot of detail, CASL also contains rules on how computer programs can be downloaded onto a user's computer system. This is meant to prohibit things like malware or spyware, but like the CEM parts of CASL, it has a wide reach. The rules do not apply to a download carried out by a user directly.

In January of 2015, provisions covering the unauthorized installation of software came into force. CASL says that a business must not install, or cause to be installed, a computer program on any other person's computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless the business has obtained the express consent of the owner and explained clearly what the program does. The request for consent cannot be buried in general terms and conditions of use or sale.

Computer programs include apps and updates. Programs like cookies, JavaScript, and operating systems do not fall under the CASL requirements. "Computer system" is broadly defined and could include servers, PCs, smartphones, tablets, the cloud, websites, and even things like appliances, autos, and other consumer products.
WHAT'S NEXT WITH CASL?

The next aspect of CASL comes in July 2017: it is the section allowing someone to sue for damages connected with SPAM or unauthorized malware. It's unclear what impact the private right of action will have after it takes effect. We expect that most of these claims will be of the nuisance variety; there is a minimum $200 in statutory damages (where the plaintiff doesn't have to prove actual harm as long as the judge finds a CASL violation). There may be an increase in the number of class action lawsuits started for this kind of situation.
Useful Links and Contact Information

- The government has created a CASL website (fightspam.gc.ca) where you can read FAQs and view the full text of the Act and its regulations.
- The Canadian Chamber of Commerce also has an excellent CASL area on its website; the address is chamber.ca/resources/casl/
- The Office of the Privacy Commissioner has several useful links and tools at its website (priv.gc.ca).
- And of course I would be happy to help. If you have any questions about preparing for CASL, my email address is cmitchell@sorbaralaw.com -- just no SPAM please.
Thank you! cmitchell@sorbaralaw.com www.sorbaralaw.com
SorbaraLaw is one of the largest and most respected full service regional law firms in Ontario. We welcome comments & enquiries on this presentation or any other matter. At SorbaraLaw, we strive to deliver value & truly useful service to every client, on every matter.

300 Victoria Street North, Kitchener, ON N2H 6R9, 519.576.0460
547 Woolwich Street, Guelph, ON N1H 3X6, 519.836.1510
31 Union Street East, Waterloo, ON N2J 1B8, 519.741.8010

This presentation is intended only to inform and educate about general matters. It is not legal advice. Be sure to contact a lawyer to obtain legal advice on any specific matter.