Crawford Chondon &Partners LLP Present Is your Business Ready for Canada s Anti Spam Law? By: Michael MacLellan
Overview 1. What is Canada s Anti-Spam Legislation, and how will it apply? 2. What does CASL Require and Prohibit? 3. Are there any Exemptions to CASL? 4. What are the Penalties? 5. What should I do before July 1, 2014? 2
3 1. What is Canada s Anti Spam Legislation, and how will it apply?
The Act An Act to Promote the Efficiency and Adaptability of the Canadian Economy by Regulating Certain Activities that Discourage Reliance on Electronic Means of Carrying out Commercial Activities, and to Amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, SC 2010, c 23 4
CASL - Background Canada is the 116 th country to enact Anti-Spam legislation. The law was passed in December 2010, and will come into force on July 1, 2014 That gives you three months to become compliant. 5
CASL - Background CASL regulates a broad range of activities: Spam emails or other electronic messages Hacking, malware, spyware Phishing, fraudulent and misleading transmissions Invasion of Privacy over your computer Email address harvesting collecting email addresses without consent 6
CASL - Background Out of 116 countries, CASL is considered the toughest Anti-Spam Legislation in the world. Three bodies will cooperate to administer and enforce CASL: Canadian Radio-Television and Telecommunications Commission (CRTC) Competition Bureau The Office of the Privacy Commissioner 7
CASL - Background Form and Content of Commercial Electronic Messages (CEMs) Requirements for express consent for CEMs, alteration of transmission data, and installation of computer programs. See Information bulletins: 2012-548 Guidelines on the interpretation of the CRTC Regulation 2012-549 Guidelines on the use of toggling as a means of obtaining express consent under CASL 8
CASL - Application Does CASL apply to my organization? Very broad application, with narrow exemptions. If the message, transmission, or activity has a commercial purpose, CASL applies. 9
2. What does CASL Require and Prohibit? Three (four) types of prohibitions: Section 6 Unsolicited Electronic Messages Section 7 Altering Transmission Data Section 8 Installation of a Computer Program (Section 9 Aiding the violation of ss. 6-8) 10
Definitions See section 1 Commercial Activity Electronic Address Electronic Message Commercial Electronic Message 11
commercial activity Definitions means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, whether or not the person who carries it out does so in the expectation of profit, other than any transaction, act or conduct that is carried out for the purposes of law enforcement, public safety, the protection of Canada, the conduct of international affairs or the defence of Canada. [emphasis added] 12
electronic address Definitions means an address used in connection with the transmission of an electronic message to (a) an electronic mail account; (b) an instant messaging account; (c) a telephone account; or (d) any similar account. 13
Definitions electronic message means a message sent by any means of telecommunication, including a text, sound, voice or image message. 14
Definitions Commercial Electronic Message ( CEM ) an electronic message that, having regard to the content of the message, the hyperlinks in the message to content on a website or other database, or the contact information contained in the message, it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity, including an electronic message that (a) offers to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land; (b) offers to provide a business, investment or gaming opportunity; (c) advertises or promotes anything referred to in paragraph (a) or (b); or (d) promotes a person, including the public image of a person, as being a person who does anything referred to in any of paragraphs (a) to (c), or who intends to do so. 15
CEMs Requirements and Prohibitions CASL prohibits sending CEMs unless: 1) The Recipient has provided consent 2) The Sender complies with the CEM information requirements in CASL 3) There is an unsubscribe mechanism 16
CEMs Requirements and Prohibitions Consent CEMs cannot be sent to a recipient who has not provided consent. Two types of consent: 1. Express Consent 2. Implied Consent 17
Consent Express Consent Request for consent must clearly set out: - Purpose(s) for which consent is sought - Prescribed information identifying the sender 18
Express Consent Consent Express consent can be obtained orally or in writing, or a combination thereof Request for consent must set out: - Identification of the sender - Sender s contact information - Statement that the person can later withdraw their consent 19
Consent Express Consent Consent is opt-in and not opt-out - CASL requires a positive or explicit indication of consent. (eg. Providing electronic address, selecting toggle box, etc.) 20
21 Example: Pre-checked toggle box is opt-out request for consent, and does not comply with CASL
22 Example: Opt-in Consent by checking the toggle box, or providing electronic address
23 Example: Multiple Consents for Multiple Items
Express Consent Consent Sender bears onus of proving consent - Oral consent can be verified by independent third party or unedited audio recording - Written consent may be recorded on paper or electronically and should indicate: date, time, purpose, and manner of consent 24
Implied Consent Consent Three types of Implied Consent: 1. There is an existing business relationship, or existing nonbusiness relationship; 2. Recipient has a conspicuously published electronic address and the CEM is relevant to the recipient s role; 3. Recipient has disclosed an electronic address to the sender and the CEM is relevant to the recipient s role or duties in their business or organization. 25
Implied Consent Consent 1. There is an existing business or non-business relationship; - Existing Business Relationship means basically that the sender and recipient have been in a client/customer type of relationship in the last two years, the recipient has made an inquiry in the last 6 months. 26
Implied Consent Consent 1. There is an existing business or non-business relationship; - Existing Non-Business Relationship : Donation or gift by the recipient to the sender in the past two years, if the sender is a registered Canadian charity under the Income Tax Act, or a political party or candidate; The recipient volunteered for, or attended a meeting with, the sender, in the past two years if the sender is a registered charity, political party, or candidate; The recipient was a member of a club, association of volunteer group as defined in the Regulations, in the past two years. 27
Consent Implied Consent 2. Conspicuously Published electronic address - This can include a webpage - Content must be relevant to recipient s business role 28
29 Consent Example: Conspicuously Published
Implied Consent Consent 3. Business Card Consent - Consent to send CEMs relevant to a recipient s role or duties in business or official capacity - Can be implied if recipient has provided their electronic address to the sender 30
Consent Transitional Period The first kind of implied consent (existing business or non-business relationship) is not indefinite There will be a three year transition period 31
CEMs Requirements and Prohibitions Information Content Requirements: CEM must clearly identify the sender ; CEM must contain contact information for the sender; and CEM must contain and Unsubscribe mechanism as required by s.11(1) 32
CEMs Requirements and Prohibitions Unsubscribe Mechanism Must be clearly and prominently included in every CEM, and able to be readily performed Must allow recipient to withdraw consent to receive further CEMs Unsubscribe function must be no cost to recipient Must specify an electronic address or link to which the indication can be sent - That address must be valid for 60 days after the CEM is sent Unsubscribe must take effect within 10 days of the indication being sent back to sender 33
CEMs Requirements and Prohibitions Example: 34
3. CASL Exemptions CASL does not apply to: Person to person telephone calls Facsimile transmissions Voicemail messages 35
CEMs - Exclusions Some prescribed CEMs are exempt from CASL Some CEMs are exempt only from the consent requirement 36
CEMs - Exclusions CASL prescribes some exclusions: CEM sent by an individual, to an individual, if there is a personal or family relationship, as defined; or CEM sent to an individual engaged in a commercial activity, and the CEM is only an inquiry of or application for that commercial activity. 37
CEMs - Exclusions Excluded CEMs: Messages sent internally within a business by an employee, representative, consultant or franchisee, where the CEM concerns the activities of the business. Messages sent between business if they have a business relationship and the message concerns the activities of the recipient business. 38
CEMs - Exclusions Excluded CEMs: Sent to enforce a legal right or obligation; Sent to limited-access secure and confidential account, to which only the person providing the account has access (eg. Banks); Sent to an electronic address believed to be accessed in a foreign state, if it otherwise complies with similar laws in that foreign state. 39
CEMs - Exclusions Excluded CEMs: Sent from a registered Canadian charity where the primary purpose is fundraising for the charity; Sent from a political party, organization, or candidate, to raise funds. 40
CEMs - Exclusions CEMs excluded from Consent requirement: Providing a quote or estimate if one was requested; First CEM following a referral; Delivering products, updates, upgrades the recipient is entitled to receive under the terms of a previouslyentered transaction; Confirming, completing, or facilitating a commercial transaction, if the recipient previously agreed to the transaction. 41
CEMs - Exclusions CEMs excluded from Consent requirement Providing warranty information, or safety and security information for goods or services purchased by the recipient; Providing factual information regarding ongoing purchase, subscription, membership, accounts, etc.; Providing information regarding an employment relationship or related benefit plan if recipient is currently enrolled. 42
4. What are the Penalties? Administrative Monetary Penalties (AMP) Every person who contravenes CASL sections 6, 7, 8, or 9 are liable to pay an AMP assessed by CRTC. Maximum AMP for an individual is $1,000,000. For any other person (company, corporation) it is $10,000,000. 43
Penalties and Enforcement Private Rights of Action Court can order that the offender pay: compensation for actual losses plus: - $200 for each contravention of section 6, to a maximum of $1,000,000 per day; - $1,000,000 per day of violation for violations of sections 7 or 8; - $1,000,000 per day of violation for violations of section 9. 44
Penalties and Enforcement Consultation and Disclosure of Information The CRTC, Competition Bureau, Office of the Privacy Commissioner, will co-operate for purposes of enforcing CASL, the Competition Act, PIPEDA, and the Telecommunications Act. They can also share information with the governments of foreign states with similar anti-spam legislation for offences similar to those under sections 6-9 of CASL. 45
Spam Reporting Centre (SRC) Consumers, businesses and other organizations will be able to report the following messages to the SRC via fightspam.gc.ca once Canada's anti-spam legislation (CASL) is in force on July 1, 2014: - commercial electronic messages sent without consent; and/or - commercial electronic messages with false or misleading content. This information will be used by the three enforcement agencies (the CRTC, Competition Bureau, and Office of the Privacy Commissioner) under CASL. 46
Penalties and Enforcement Defence There will be no violation if a person can establish that they exercised due diligence. 47
What Should I Do Before July 1 st? Some suggestions: Audit your electronic communications and identify CEMs; Ensure CEMs have the required identifying information (eg. use e-mail signature lines); Ensure CEMs have unsubscribe mechanisms; 48
What Should I Do Before July 1 st? Audit recipients to determine if you have any implied consent; Audit recipients to determine if you have any express consent; Ensure proper recording of all consent and unsubscribe requests; 49
What Should I Do Before July 1 st? Review CASL requirements with third party service providers and amend service contracts if necessary (due diligence); Review CASL requirements with employees to ensure any CEMs are compliant (due diligence); Amend or institute company e-mail, technology, communications policies as needed (due diligence); 50
What Should I Do Before July 1 st? Incorporate requests for express consent into client or customer agreements; Obtain consent electronically NOW - As of July 1, 2014, it will be an offence to seek requests for consent via CEMs. Contact CCPartners for specific inquiries. 51
Important Dates July 1, 2014 CEM provisions come into effect. January 15, 2015 Installation of Computer Programs provisions come into effect. July 1, 2017 Private Right of Action provisions come into effect. July 1, 2017 No more Implied Consent for existing business or non-business relationships. 52
53 THANK YOU!