Canada's New Anti-Spam Regime: Guidance for Your Organization




Canada's New Anti-Spam Regime: Practical Compliance Tips and Guidance for Your Organization
Eloïse Gratton, Partner
Janine MacNeil, Partner
February 6, 2014

Overview
1) Introduction
2) CASL Requirements
3) CASL Top Challenges
4) Next steps: Compliance Check List

1) Introduction

Canada, spam and policy
- E-commerce Group, 1999
- E-mail marketing: Consumer Choices and Business Opportunities, 2003
- Canadian Code of Practice for Consumer Protection in e-commerce, 2003
- Anti-Spam Action Plan, 2004
- Stopping Spam, creating a stronger, safer Internet (Task Force on Spam), May 2005
- CASL, 2010 («opt-in» model), in effect in July 2014.

2) CASL Requirements

Canada's Anti-Spam Law (CASL)
- Enacted December 2010
- Two categories of regulations:
  i. CRTC (form and content requirements): Electronic Commerce Protection Regulations (CRTC), March 28, 2012
  ii. Industry Canada (exceptions, exemptions): Electronic Commerce Protection Regulations, registered December 4, 2013
- Most of CASL will be in force on July 1, 2014, with software provisions in force January 15, 2015 and private right of action in force July 1, 2017
- CRTC Telecom Regulatory Policy 2012-183, Compliance and Enforcement Information Bulletins (October 2012 - #548, 549), FAQs and IC RIAS and Order SI-TR 81000-2-1795 provide guidance on interpretation and application of CASL

CASL Overview - Key Provisions
- CASL application, exceptions, exemptions (CASL, ss. 6(5) 6(8))
- CEM content requirements (CASL, s. 6(2)):
  i. Sender contact information;
  ii. Unsubscribe mechanism
- Consent is required (CASL, s. 6(1)(a)) and must be express, or fall within a defined implied consent category (CASL, s. 10(9))
- Requests for consent content requirements (CASL, s. 10(1) and (3))
- Transitional provisions (CASL, s. 66)
- Penalties, Private Right of Action

CASL Application: What is a CEM?
- CEM is a message, the purpose of which is to encourage participation in a commercial activity
- Applies to the sending of all commercial electronic messages (CEMs) (CASL, s. 12(1)):
  i. by any person within Canada;
  ii. by any person outside of Canada to a person within Canada
- CEMs include emails, non-broadcast tweets, text messages, website interactions, other electronic communications (including voice) and include requests for consent
- Currently, telephone communications (2-way voice, fax and auto-recorded/robo-calls) are excepted from the CASL rules (CASL, s. 6(8)) and governed only by the Do Not Call rules

Exceptions to All CEM Requirements
Consent, content, and unsubscribe requirements do not apply to CEMs (CASL, s. 6(5)):
i. sent within personal or family relationships (defined, but revised within the IC ECPR)
ii. that make an inquiry or application sent to a business
iii. other categories as may be prescribed (expanded within the IC ECPR)

Exceptions to All CEM Requirements
Consent, content, and unsubscribe requirements do not apply to CEMs (CASL, s. 6(5)):
i. sent within personal relationships:
- no requirement for a face-to-face, in person meeting
- any, rather than all, of the CASL criteria may be considered in the context of whether a personal relationship exists
- limited to close relationships between individuals
- actual identity of the person claiming a personal relationship must be known by the person claiming a personal relationship (knowledge of an alias, virtual identity is not sufficient)
- merely liking, following or voting for someone via a social media platform is likely insufficient to construe a personal relationship for purposes of CASL

Exceptions to All CEM Requirements
Consent, content, and unsubscribe requirements do not apply to CEMs sent (IC ECPR, s. 3):
a) Intra-Business: by an employee, representative, consultant or franchisee of an organization to an employee, representative, consultant or franchisee of the same organization that concern the activities of the organization
b) Inter-Business: by an employee, representative, consultant or franchisee of an organization to an employee, representative, consultant or franchisee of another organization if the organizations have a relationship and the CEM concerns the activity of the organization to which the message is sent

Exceptions to All CEM Requirements
Consent, content, and unsubscribe requirements do not apply to CEMs sent (IC ECPR, s. 3):
c) Requests, inquiries or complaints: in response to a request, inquiry or complaint or otherwise solicited by the person to whom the CEM is sent
d) Legal rights: to satisfy a legal obligation or enforce or provide notice of existing or pending legal rights
e) Closed messaging systems: and received on an electronic messaging service (e.g. social media platform) OR to limited access secure and confidential accounts (e.g. secure portals, online banking message centre) that meet certain requirements

Exceptions to All CEM Requirements
Consent, content, and unsubscribe requirements do not apply to CEMs sent (IC ECPR, s. 3):
f) Foreign jurisdictions: by a person who reasonably believes the CEM will be accessed in a foreign state (IC ECPR, Schedule 1) where the CEM conforms to the foreign state's law that addresses substantially similar conduct to that prohibited under CASL
g) Registered charities: by or on behalf of a registered charity as defined in the ITA and the primary purpose of the CEM is to raise funds for the charity
h) Political candidates or organizations: by or on behalf of a political party, organization, or candidate for publicly elected office and the message has as its primary purpose soliciting a contribution as defined in the CEA

Exceptions to the Consent Requirements
Consent is not required, but the content and unsubscribe requirements still apply if a CEM solely (CASL, s. 6(6)):
a) Provides a quote or estimate for supply of a good, product or service requested by the recipient
b) Facilitates, completes or confirms a commercial transaction between the parties that was agreed to by the recipient
c) Provides warranty, recall, safety or security information about a product, good or service the recipient uses, has used or has purchased
d) Notifies of factual information relating to the ongoing use or purchase of a product, good or service under an established relationship;

Exceptions to the Consent Requirements
Consent is not required, but the content and unsubscribe requirements still apply if a CEM solely (CASL, s. 6(6)):
e) Provides information relating to an employment relationship, including a benefit plan in which the recipient is currently involved, participating or enrolled;
f) Delivers a product, goods or service including product updates/upgrades; or
g) Is sent for a purpose specified in the regulations: Third party referrals (IC ECPR, s. 4)

CEM Content - Sender Contact Information
All CEMs must clearly and prominently disclose:
i. Identity of sender and, if applicable, sender's principal (e.g. email provider/client)
ii. Description of relationship between sender and principal (as applicable)
iii. Any carrying-on-business names
iv. Contact information for sender and principal (as applicable): mailing address, and one of:
- telephone number with active response voicemail;
- email address
- web address
If it is impractical to include all of this in a CEM, the information may be provided on a web page via a readily accessible, no-cost link within the email

CEM Content - Unsubscribe Mechanism
- Must be set out clearly and prominently to enable recipient to request removal from CEM list, as sent by sender or its principal
- Using same or, if that is not practical, other equivalent electronic media
- Must provide electronic address or a link to a web page, to which unsubscribe message may be sent
- Address/web page must be valid for 60 days
- Sender/principal must give effect to unsubscribe request within 10 business days

Express Consent
- Not defined within CASL, but CRTC has provided guidance (Information Bulletins CRTC IB 2012-548, 549) and requests for express consent must comply with form and content requirements (CASL, s. 10(1), (3))
- Must be a positive (i.e. opt-in) act
- May be either oral (but if oral, need to be able to verify) or in writing (includes paper and electronic forms of writing)
- Must be sought separately from other consents (ECPR (CRTC), s. 4, CRTC IB 2012-548) and not subsumed in or bundled with requests for consent to other things (e.g. a request for consent to terms and conditions of use cannot be bundled with a request for consent to receive CEMs)
- Pre-checked boxes not acceptable, but may use a click-on response email

Requests for Express Consent
Content and form requirements (CASL, s. 10(1) and (3), ECPR (CRTC), s. 4)
A request for consent may be oral or in writing (ECPR (CRTC), s. 4)
Must include:
o purpose(s) for which consent is sought
o identify requester, any principal and relationship (e.g. client and email provider)
o any other business names
o contact information (address/PO Box and one of: telephone number, email address, web address)
o a statement that the person can withdraw consent
Note: Requests for consent made prior to the CASL in-force date do not need to comply with CASL's form and content requirements but do need to meet CRTC criteria for an acceptable express consent

Implied Consent
- Specifically defined (i.e. is not open-ended)
- Exists only:
  - if the sender and recipient have an existing business relationship or existing non-business relationship; or
  - under the conspicuous publication or business card exemptions; or
  - in circumstances defined by regulation (s. 10(9))
- Existing business relationship and existing non-business relationship are (exhaustively) defined terms (ss. 10(10), 10(13)); essentially, any relationship not more than 2 years old, or a (business) inquiry within the last 6 months

Transitional Provisions - Section 66
- Extend the time periods for all existing business and non-business relationships to 3 years from the CASL in-force date if on that date there exists such a relationship, without regard to the time period otherwise applicable, the relationship includes CEMs, and the recipient has not withdrawn consent earlier
- Means that any relationship that exists now or existed at any time in the past including CEMs will qualify; however, the onus is on the sender to prove (CASL, s. 13)
- Enables senders to continue to seek express consents for the next 3 years with implied consent, if any of the otherwise defined relationships exist or have existed

Penalties
- Administrative monetary penalties of up to $1,000,000 (individuals); $10,000,000 (other persons)
- Factors taken into account:
  o Purpose of the penalty
  o Financial benefit
  o Nature/scope of the violation
  o Ability to pay
  o Prior violations
  o Voluntary compensation
- Violations can be addressed via an undertaking
- Directors and officers are liable for violations if they directed, authorized, assented to, acquiesced or participated
- Employers are responsible for acts of their employees
- Due diligence defence

Private Right of Action
- Comes into effect July 1, 2017 (Will the private right of action apply to pre-July 1, 2017 CASL violations?)
- A person affected by a breach can seek compensation
- Court can order compensation equal to the loss or damage suffered and expenses incurred plus up to $200 per violation to a maximum of $1,000,000 per day
- Not available if an undertaking has been agreed to or notice of violation issued
- Same factors taken into account as with violations
- Due diligence defence

3) Top challenges with CASL

New online businesses: How do you market online?

Implied consent: a lot of uncertainty

Implied Consent
10. (9) Consent is implied for the purpose of section 6 only if:
(b) the person to whom the message is sent has conspicuously published, or has caused to be conspicuously published, the electronic address to which the message is sent:
- the publication is not accompanied by a statement that the person does not wish to receive unsolicited commercial electronic messages at the electronic address; and
- the message is relevant to the person's business, role, functions or duties in a business or official capacity;

- Can Porter Airlines contact me to promote special deals on Toronto-Montreal flights?
- Can a ticket dealer contact me to sell me tickets for a hockey game?

Implied Consent
10. (9) Consent is implied for the purpose of section 6 only if:
(c) the person to whom the message is sent has disclosed, to the person who sends the message, the person who causes it to be sent or the person who permits it to be sent, the electronic address to which the message is sent:
- without indicating a wish not to receive unsolicited commercial electronic messages at the electronic address, and
- the message is relevant to the person's business, role, functions or duties in a business or official capacity;

- Can a conference organizer contact me to promote an upcoming event not directly related to my practice?
- Can a software provider contact me to promote his services for the law firm's security system?

B2B and consent requirements: Also uncertainty

B2B relationships and consent

B2B relationships and consent
Scenario No 4: Exclusions for Employees and Business types of Email Messages (IC regulations, s. 3(a))
CEMs are excluded if sent by an employee, representative, contractor or franchisee of an organization to:
- another employee, representative, contractor or franchisee of the organization and that concerns the affairs of the organization, or
- to an employee, representative, contractor or franchisee of another organization if the organizations have a relationship at the time the message was sent and the message concerns the activities of the organization.
Uncertainty as to how the wording "if the organizations have a relationship and the message concerns the activities of the organization" will be interpreted by the CRTC or the relevant courts

Can exempted messages include some type of promotions?

Exemptions
Exempt from consent if a CEM solely (CASL, s. 6(6)):
a) Provides a quote or estimate for supply of a good, product or service requested by the recipient
b) Facilitates, completes or confirms a commercial transaction between the parties that was agreed to by the recipient
c) Provides warranty, recall, safety or security information about a product, good or service the recipient uses, has used or has purchased
d) Notifies of factual information relating to the ongoing use or purchase of a product, good or service under an established relationship;

CAN-SPAM Act * Source: Federal Trade Commission, CAN-SPAM Act: A Compliance Guide for Business, available at http://www.business.ftc.gov/documents/bus61-can-spam-act-complianceguide-business.

Dealing with new types of business models (referrals)


Government of Canada, Canada Gazette, Electronic Commerce Protection Regulations, Vol. 147, No. 1, January 5, 2013.
Third-party referrals
Paragraph 6(1)(a) of CASL does not apply to the first commercial electronic message that is sent by an individual for the purpose of contacting the individual to whom the message is sent following any referral by one or more individuals who have an existing business relationship, an existing non-business relationship, a personal relationship or a family relationship with the individual who sends the message as well as any of those relationships with the individual to whom the message is sent and that discloses the full name of the individual or individuals who made the referral and states that the message is sent as a result of the referral

Forward to a Friend messages
Test: Has the merchant offered to pay the forwarder or give the forwarder some other benefit?

Setting up Email Marketing Databases

Obtaining Express Consent

Obtaining express consent

Obtaining express consent

Obtaining Consent: Implied vs. Express

Obtaining consent

Managing risks

Managing risks
- Directors and officers are liable for violations if they directed, authorized, assented to, acquiesced or participated;
- Employers are responsible for acts of their employees: Employee privacy training? Which departments?

Managing provincial anti-spam laws

CASL and conflict of provisions
2. In the event of a conflict between a provision of this Act and a provision of Part 1 of the Personal Information Protection and Electronic Documents Act, the provision of this Act operates despite the provision of that Part, to the extent of the conflict.
4. This Act is binding on any corporation that is expressly declared by or under any Act of Parliament or of the legislature of a province to be an agent of Her Majesty, when the corporation is acting as such in the course of any commercial activity.

Dealing with anti-spam provisions in the Quebec private sector data protection law

Anti-spam laws vs.
Requirements for messages:
- Opt-out mechanism to include and to comply with (with diligence in Québec and within 10 days in Canada)
- Opt-out mechanism must be valid at least 60 days after the email is sent (not a requirement in Québec)
Obtaining consent:
- Implied consent if there is already a relationship.
- Express consent if there is no relationship (In Québec: not clear because the term client is not defined)
Selling lists of email addresses (3 conditions)

Ensuring Compliance when Purchasing Lists from Data Brokers

OfficeMax privacy breach

Data brokers selling sensitive information

Complying with foreign anti-spam laws

Facebook vs. Montreal spammer
In February 2009, Facebook obtained a default judgment (U.S. court of justice) against a Montreal spammer, Adam Guerbuez (Atlantis Blue Capital). He gained access to Facebook accounts and users and sent over 4 million spam messages through the Facebook network over a period of two months, some being of a sexual nature. The U.S. court sentenced him to $873 million: $436.6 million in statutory damages and $436.6 million in aggravated statutory damages for violations of the U.S. CAN-SPAM Act. The sentence was found to be enforceable in October 2010 by the Superior Court of Montreal. It was a simple formality (possibility to oppose if the judgment is against public order).

4) Next Steps: Compliance Checklist

Compliance Checklist
1. Use internal survey / questionnaire tool to gather information on existing databases
2. Conduct an inventory of email contacts categorized by:
   o Main purposes of email communications
   o Existing customer/prospect/donor relationships
   o Express consent
   NOTE: Filter for Canadian/non-Canadian addresses - due diligence issue
3. If existing database does not qualify by CASL categories, upgrade as appropriate
4. Develop strategies, procedures for capturing express consent (e.g. email response, website sign up, applications, agreements, email policies)
5. Develop consent request template
6. For contacts in existing database that cannot be CASL-qualified, initiate email opt-in consent program immediately (i.e. prior to Act coming into force)
7. Develop CASL compliance procedures, policies, and controls including for third party service providers
8. Develop CEM template
9. Conduct training

McMillan LLP
Brookfield Place, 181 Bay Street, Suite 4400, Toronto, Ontario M5J 2T3
For further information please contact:
Eloïse Gratton, Direct: 514.987.5093, eloise.gratton@mcmillan.ca
Janine MacNeil, Direct: 416.307.4124, janine.macneil@mcmillan.ca