Canada's Anti-Spam Legislation (CASL)

Canada’s Anti-Spam Legislation

(CASL)

Chris Bennett and Bill Hearn

April 23, 2014

Background (Chris Bennett)

What will the legislation regulate?

Commercial Electronic Messages

Installation of computer software

Alteration of transmission data

When?

• July 1, 2014: anti-spam & data transmission rules

• January 15, 2015: computer program rules

• July 1, 2017: private right of action

What’s the risk?

• Penalties: up to $10 million for businesses

• may be charged per violation

• violations may be assessed separately for each day of

non-compliance

• Officers, directors and agents can be liable

• Individuals can sue for damages suffered, plus a

separate monetary sum per violation

• Reputational damage

Anti-Spam Rules (Chris Bennett)

Commercial Electronic Messages

CEM = EM + Purpose

• Encouraging participation in a commercial activity

• Consider content, links and contact information in the

message

Commercial Electronic Messages

Electronic Messages

• Email

• Text / instant messages

• Social Media

Commercial Activity

• Sale/lease of product/service

• Investment/business opportunity

• Promote individual

• Requests for Consent!

Commercial Electronic Messages

If it’s a Commercial Electronic Message, then…

CEM

Consent

Express

Oral

Written

Implied

Business Relationship

Non-Business Relationship

Published / Disclosed Info

Content

Disclosures

Unsubscribe

Consent

Express

Oral

Written

Implied

Business Relationship

Non-Business Relationship

Published / Disclosed Info

Express Consent

• Required info

• Purposes

• Name of requester

• Name of third party recipient

• Contact info

• Statement that consent can be withdrawn

Express Consent

• Need separate consents for CEMs, data and programs

• Can’t bundle

• Can’t toggle

• Should send confirmation

Image Source: CRTC

Image Source: CRTC

Image Source: CRTC

Image Source: CRTC

Implied Consent

Existing Business Relationship

• Purchase/lease

• Acceptance

• Contract

• Inquiry

Existing Non-Business

Relationship

• Donation/gift

• Volunteer work

• Membership

Published / Disclosed Address

• Didn’t say no

• Is relevant to business/duties

Transition Period

• Implied consent is extended to 3 years from July 1 if:

• Existing Business Relationship or Non-Business

Relationship as of July 1; and

• Relationship included communicating by CEMs

CEM

Consent

Express

Oral

Written

Implied

Business Relationship

Non-Business Relationship

Published / Disclosed Info

Content

Disclosures

Unsubscribe

Content

Disclosures

Unsubscribe

Required Content

Disclosures

• Sender

• Agent

• Contact Info

Unsubscribe

• No cost

• Same means

• Address/Link

• 10 days

Alternative

• Post on web page

• Clear link

Image Source: CRTC

Image Source: CRTC

Exceptions to Anti-Spam Rules (Bill Hearn)

Exceptions to Consent Requirement

Exceptions to Consent Requirement

• CEM solely provides a requested quote or estimate for

the supply of goods/services

• CEM solely facilitates/confirms a previously agreed-to

commercial transaction

• CEM solely provides warranty, product recall or safety

info about a purchased product/service

• CEM solely provides factual info about a subscription,

membership, account or similar relationship

Exceptions to Consent Requirement

Exceptions to Consent Requirement

• CEM solely provides info directly related to an

employment relationship or related benefit plan

• CEM solely delivers a product or service, including

updates or upgrades pursuant to a transaction

Exceptions to Consent Requirement -

3rd Party Referrals

• A single CEM sent to someone without consent, based

on a 3rd party’s referral, so long as the sender discloses

the name of the person making the referral and so long

as there is an existing business, non-business, personal

or family relationship between the person making the

referral and each of the sender and the recipient

Exceptions to Consent and Content Requirements

Family Relationship

• marriage, common-law, parent-child relationship

• with direct, voluntary, two-way communications

Personal Relationship

• reasonable to conclude that the relationship is personal

based on all relevant factors, including:

• sharing of interests, experiences and opinions

• frequency of communications

• length of time since the parties communicated

• whether the parties have met in person

• with direct, voluntary, two-way communications

Inquiries, Requests, Etc.

• response to a request, inquiry, complaint or

solicitation by the recipient

• CEM which is solely an inquiry or application related

to the recipient’s commercial activities

Employees, Etc. (the “B2B Exemption”)

• CEMs sent between employees, representatives, etc. of

an organization concerning that organization’s affairs

• CEMs sent by employees, representatives, etc. of one

organization to an employee, representative etc. of

another organization if:

• organizations have a relationship and

• message concerns the activities of the recipient

Legal Obligations, Etc.

• Any CEM sent to satisfy a legal obligation or enforce a

legal right, court order, etc.

Electronic Messaging Service (EMS)

• CEM sent and received on an EMS if:

• disclosure and unsubscribe mechanism are

conspicuously published and readily available on the user

interface, and

• recipient of the message has given their express/implied

consent to receive it

Secure Accounts

• CEM sent to a limited-access, secure and confidential

account to which messages can only be sent by the

person who provides the account to the person who

receives the message

Foreign States

• CEM sent by a person who reasonably believes it will be accessed

in certain foreign states, and the CEM conforms to the anti-spam

law of the foreign state

Charities

• A CEM sent by or on behalf of a registered charity where primary

purpose is to raise funds for the charity

Political Parties

• A CEM sent by or on behalf of a political party/candidate where

primary purpose is soliciting a contribution

Two Further “Exceptions”

to Consent and Content Requirements • Interactive 2-Way Voice Communications, Fax Calls or Voice

Recordings Sent to Telephone Account - as covered by other

regimes - e.g., the CRTC’s National Do Not Call List and

Unsolicited Telecommunications Rules for telemarketers

• Telecommunications Service Provider (TSP) - requirements

don’t apply to a TSP merely because it provides a

telecommunications service that enables transmission of the CEM

How to Prepare (Bill Hearn)

Raise Awareness and Establish Committee

• Raise awareness: only two months to prepare for July

1st in-force date (but note 3-year transition period)

• Establish Committee (e.g., sales/marketing, customer

support, communications, privacy, legal, risk

management, IT, HR)

Conduct Inventory of CEMs

• What kind of CEMs do you send? Why? How?

• Do you have express consents from any recipients?

• Do you have implied consents from recipients?

Inventory Consents that Will Expire

• For example: existing business relationship that will

expire after two years if no longer a current customer

• Develop “stop send” mechanisms that will kick in before

the consent expires, or when recipient withdraws

consent

Upgrade to Express Consent

• Be careful - exceptions are complicated and implied

consent can expire

• Can request it via CEM until July 1

• Create mechanism to get express consents after July 1

Unsubscribe Mechanisms

• Make sure unsubscribe mechanisms and notices are in

place and meet all existing requirements

• Make sure organization can comply with unsubscribe

requests in specified time frames

Internal Education and Compliance

• Due diligence defence

• Implement policies, guidelines, procedures, controls

• Train employees and service providers

• Monitor compliance

WHAT CAN YOU DO NOW?

• Before 1 July 2014

• Update and assess your contact list for CASL exceptions or

implied consent qualifications

• Be prepared for low response rates to requests for express

consent … and there may even be some “unsubscribes”

WHAT CAN YOU DO NOW?

• Through to 1 July 2017

• Execute a consent qualification strategy building progressively

on existing consents

• Be sure to comply with CASL’s minimum content requirements

• Follow organization’s templates

• Strive to get CASL-compliant express consents

• Consider including both “[ ] Yes, I consent.” and “[ ] No, I

don’t consent.” options to strengthen position that “no

reply” leaves implied consent still valid

WHAT CAN YOU DO NOW?

• Dial back the anxiety - Compliance is not that tough

• Sure CASL’s reach is broad, its rules a complex mash-up, and

the potential liability nasty … but

• The CRTC, at public information sessions in February 2014,

said its enforcement approach will be on a “compliance

continuum” - i.e., it will pursue “real spammers”*, not legitimate

marketers; it will focus on obtaining compliance as opposed to

seeking big AMPs

*Hopefully as defined by Government’s FightSpam website materials. See links at last slide of presentation.

WHAT CAN YOU DO NOW?

• Dial back the anxiety - Compliance is not that tough

• The “broken” PRA (i.e., possibly retroactive to 1 July 2014,

notwithstanding the Government’s stated three-year transition

period) will likely be fixed by 1 July 2017

WHAT SHOULD YOU DO NOW?

• Just Do It

• Again, CASL contains a number of tools that can ease

transition to full compliance

• Moreover, CASL provides for a “due diligence” defence

• CRTC is mindful of the short time allowed before CASL comes

into force (business asked for at least 12 months, Government

gave only 7 months) and will likely respect diligent, good faith

efforts to comply

WHAT SHOULD YOU DO NOW?

• Just Do It

• Thoughtful judgement calls will have to be made (especially in

the early days given CASL’s ambiguities and the lack of

guidance from the CRTC)

• The decision-making process should be documented, with

privilege protected, to ground the due diligence defence

especially if the CEM sender is departing from the CRTC’s

guidance that is not law - e.g., the CRTC’s two Guidelines

dated October 10, 2012 and its FAQs and Information Session

Summaries

WHAT SHOULD YOU DO NOW?

• Just Do It

• The onus of proving consent rests on the CEM sender

• Each organization will have to develop a standard of proof of

consent and retain relevant records

• Consent should be documented at least via a “business record”

(ideally made at the time consent is obtained) and that record

should be storable, searchable and retrievable

• But see CRTC Guidelines on Interpretation of Electronic

Commerce Protection Regulations , October 10, 2012

Some CASL Resources

• Federal Government’s FightSpam Website • http://fightspam.gc.ca/eic/site/030.nsf/eng/h_00230.html

• Davis LLP’s CASL Resource Centre • http://www.davis.ca/en/publication/anti-spam/

• Canadian Marketing Association, Member Guide to CASL, April

2014 • http://www.the-cma.org/regulatory/code-and-guidelines/cma-guide-to-canada-anti-spam-law

• Davis LLP’s CASL Compliance Team including Chris Bennett, Bill

Hearn, Tamara Hunter and Dave Spratley

The “Real Spammers” and the “Real Threats”

From Government’s FightSpam Website http://fightspam.gc.ca/eic/site/030.nsf/vwimages/WorriedItsSpam_Card2-eng.jpg/$file/WorriedItsSpam_Card2-eng.jpg

http://fightspam.gc.ca/eic/site/030.nsf/vwimages/WorriedItsSpam_Card1-eng.jpg/$file/WorriedItsSpam_Card1-eng.jpg

Email Spam Statistics Videographic http://www.youtube.com/watch?v=nvBmyAZTt_M

QUESTIONS?

Chris Bennett

[email protected]

416.365.3427

Bill Hearn

[email protected]

416.369.5298