Brian Fraser, Partner, Gowling Lafleur Henderson LLP


Storming the CASL- Obligations Under Canada’s Anti-Spam Law

Brian Fraser, Partner, Gowling Lafleur Henderson LLP
Chris Oates, Associate, Gowling Lafleur Henderson LLP

Presented at the 7th Annual Lexpert Advertising Law Conference, December 2, 2014

Canada’s Anti-Spam Legislation

Canada’s Anti-Spam Legislation, “CASL”, creates a strict regime for sending electronic messages and installing computer programs that is out of step with Canada’s major trading partners.

Conceptually, CASL compliance rests on three pillars:

1. Obtain Consent
2. Provide the Required Disclosure
3. Allow people to unsubscribe or remove programs


The provisions of CASL regarding electronic messages came into force on July 1, 2014. CASL takes a prohibitive approach to “Commercial Electronic Messages”, prohibiting all but those that comply with its requirements.

In the post-CASL world, companies must review the manner in which they seek consent to send messages, and must assess their ability to continue to rely on historical lists, if these steps have not already been taken. Under CASL:

• Electronic messages require consent from the recipient, either express or implied;
• Messages must contain prescribed disclosure; and
• Messages must contain an unsubscribe mechanism in prescribed form.

Canada’s Anti-Spam Legislation: To which messages does CASL apply?

CASL applies to Commercial Electronic Messages (“CEMs”) that are sent by any means of telecommunication, including a text, sound, voice or image message, to an “electronic address”:

• an electronic mail account;
• an instant messaging account;
• a telephone account; or
• any similar account.

“Any similar account” captures certain new forms of communication, such as social media and BBM. The key question is whether the message is sent to something akin to an “electronic address”. Messages that are not sent to an electronic address are not subject to CASL. Tweets and Facebook wall postings appear to be published rather than sent to an address, and are therefore not caught; however, ‘direct messages’ through social media appear to go to an address and are subject to CASL.

Canada’s Anti-Spam Legislation: Is the Electronic Message Commercial?

CASL only applies to electronic messages that are “commercial”. This will include all messages that, based on their content, including links, and contact information, have as one of their purposes encouraging participation in commercial activity, regardless of whether this is done with the expectation of profit.

• Messages that offer to sell a product or service;
• Messages that advertise a product or service;
• Messages that promote a person or corporation;
• Messages that seek to gather consumer or market information in a commercial context;
• Messages that seek consent to send further messages.

Canada’s Anti-Spam Legislation: What is not a Commercial Electronic Message?

CASL does not apply to several classes of message:

• Interactive two-way voice communications (e.g. a telephone call);
• Messages sent via facsimile to telephone accounts; and
• Voice recordings sent to a telephone account.

These messages are subject to the CRTC’s oversight via the Telecommunications Act and the Unsolicited Telecommunications Rules. CASL contains a provision that permits the government to repeal this exception AND the National Do Not Call List at a later date. If exercised, this would make unsolicited commercial telephone calls subject to CASL.

Canada’s Anti-Spam Legislation: Which messages are exempt?

The Regulations provide that the following message classes are exempt from both the consent and in-message disclosure requirements:

• messages sent between employees of an organization relating to the affairs of the organization;
• messages sent between employees of two organizations with a relationship, where the message relates to the affairs of the recipient organization;
• messages that respond to an inquiry, complaint, or other solicitation from the recipient;
• fundraising messages sent by or on behalf of a registered charity;

Canada’s Anti-Spam Legislation: Which messages are exempt?

The Regulations provide that the following message classes are exempt from both the consent and in-message disclosure requirements:

• messages where the person sending the message reasonably expects it to be received in a foreign state listed in the Regulations, if the message complies with the law of that state;
• messages sent to a secure account to which only the person providing the account may send messages;
• messages sent on a platform that includes compliant disclosure and an unsubscribe mechanism in its interface are exempt from the message requirements, but not the consent requirements;
• messages sent to satisfy a legal obligation.

Penalties

Administrative monetary penalties for violations:

• A fine of up to $1,000,000 for a violation by an individual.
• A fine of up to $10,000,000 for a violation by a corporation.

CASL also creates a private right of action for persons who allege they have been affected by a violation. If the action is successful in court, the court may order:

• Compensation equal to the actual loss or damage suffered; and
• $200 for each contravention, not exceeding $1,000,000 for each day on which a contravention occurred.

The private right of action has a delayed coming into force date, and will not be in place until July 1, 2017. The CRTC may still seek to impose administrative monetary penalties prior to this.

Express Consent Under CASL

Requirements for a Request for Express Consent

1. Provide the purpose for which the consent is sought;
2. Provide the name under which the person seeking consent carries on business, and if different, the name under which the person on whose behalf consent is sought carries on business;
3. If applicable, identify which person is seeking consent, and on whose behalf consent is sought;
4. Provide the mailing address, and one (or more) of a telephone number, website, or email address of either the person seeking consent, or if different, the person on whose behalf consent is sought;
5. State that consent may be withdrawn.

The CRTC’s Position on Express Consent

• The CRTC takes the position that express consent must be “positive or explicit”.
• Note that a check box is not specifically required; other mechanisms that amount to an explicit indication of consent may be used.
• “Assumed” consent through a pre-checked box or an opt-out mechanism would not be accepted.

Implied Consent Under CASL

Implied Consent under CASL: Requirements for Implied Consent

1. There is an “existing business” or “existing non-business relationship” between the sender and the recipient, or
2. The recipient has “conspicuously published” their address, or has “disclosed it to the sender” and:
   • has not indicated they do not wish to receive commercial messages; and,
   • the message is relevant to the recipient’s business, role, functions or duties.
     o As messages to ‘published’ or ‘disclosed’ addresses must be relevant to the business of the recipient, it is less likely to apply to the origination of new clients. It may apply in other narrow contexts such as contacting journalists with news relevant to their business role, or following up with relevant business leads following a conference.

Implied Consent “Existing Relationships”

An “Existing Business Relationship” is where the recipient of the message:

• Purchased a good or service from the message sender within the prior two years;
• Accepted a business opportunity from the message sender within the prior two years;
• Has a written contract with the message sender in respect of a matter other than a purchase, lease, or business opportunity, or such a contract that expired in the prior two years;
• Made an inquiry or application to the message sender regarding a purchase, lease, or business opportunity within the six months prior to the message.

Note: The “Existing Business Relationships” definitions all turn on the relationship between the sender of the message (or the person on whose behalf the message was sent) and the recipient. They do not extend “implied consent” to related third parties.

Implied Consent “Existing Relationships”

An “Existing Non-Business Relationship” is where the recipient of the message:

• Made a donation or performed volunteer work for the sender, which is a registered charity;
• Has a membership with the sender, and the sender is a club, association or voluntary organization that:
  • is a non-profit organization organized and operated exclusively for social welfare, civic improvement, pleasure or recreation or for any purpose other than personal profit, if no part of its income is payable to, or otherwise available for the personal benefit of any proprietor, member or shareholder (with an exception for amateur athletics).

Note: The “Existing Non-Business Relationships” definitions also turn on the relationship between the sender of the message (or the person on whose behalf the message was sent) and the recipient. They will primarily apply to registered charities, political parties, and certain not-for-profits.

Exceptions to the Need for Consent

CASL creates an exception to the need for consent for certain “transactional” messages. This exception will apply to messages that solely:

• provide a quote or estimate for the supply of a product or service;
• facilitate, complete or confirm a previously agreed upon commercial transaction;
• provide warranty information, product recall information or safety or security information about a product the recipient uses or had purchased;
• provide notification of factual information about the ongoing use by the recipient of a product or a service offered under a subscription, membership, account, loan or similar relationship by the sender.

These messages remain subject to the message content requirements.

Message Content Under CASL

Prescribed Disclosure Requirements for Electronic Messages

1. The name under which the person sending the message and, if different, the person on whose behalf the message is sent carry on business, if different from their names; if not, their names;
2. If applicable, an indication which person sent the message and on whose behalf it was sent;
3. The mailing address, and one (or more) of a telephone number, web address, or email address of either the person sending the message, or if different, the person on whose behalf it is sent; and
4. An unsubscribe mechanism.

Service providers sending electronic messages on behalf of third parties who do not have material control over the message content or recipient list would not need to be identified. The required contact information must remain current for a minimum of 60 days after the message is sent.

Unsubscribe Mechanism

CASL requires CEMs to set out an unsubscribe mechanism that allows the message recipient to indicate, at no cost, the wish to unsubscribe from all CEMs or a specified class of CEMs. This mechanism must:

• Use the same electronic means as the message, or if not practicable, other electronic means;
• Give an electronic address or a web link for unsubscribe requests;
• Be set out clearly, and be able to be “readily” performed;
• Be effective “without delay”, and no later than 10 business days.

Exceptions to the Disclosure Requirements: The General Exception

“If it is not practicable to include the information… and the unsubscribe mechanism… in a commercial electronic message, that information may be posted on a page on the World Wide Web that is readily accessible by the person to whom the message is sent at no cost to them by means of a link that is clearly and prominently set out in the message.”

This exception will be essential for electronic messages that are subject to space constraints, such as text messages. It is not likely to apply to messages not subject to such constraints, such as email.

The Family and Personal Relationship Exception

Neither the requirement to obtain consent, nor the requirement to disclose information regarding the sender, will apply where an electronic message is sent “by” or “on behalf” of a person who has a “personal” or “family” relationship with the recipient.

“Family”

• Marriage;
• A common-law partnership;
• A legal parent/child relationship;

where:

• Those persons have had a direct voluntary two-way communication.

“Personal Relationship”

• Must have had direct, voluntary two-way communications;
• Must be reasonable to conclude the relationship is personal considering all relevant factors.

Note: Both family relationships and personal relationships are between individuals. A corporation could not have a personal relationship under CASL; however, the exception applies to messages that are sent “by” or “on behalf” of such individuals.

Referral Messages

The Regulations include an exception that permits a single referral message to be sent where:

• The referral is made by an individual who has an existing business relationship, existing non-business relationship, family, or personal relationship with the message recipient;
• The referrer has one of those relationships with the sender of the message; and
• The message states the full name of the person who made the referral, and states that the message was sent as a result of the referral.

The referral message must also comply with the standard CASL message disclosure requirements.

Third Party Mailing Lists

CASL allows consent to be obtained on behalf of unknown third parties such as list brokers. However, it limits how this consent may be obtained and used:

• The party that seeks consent is required to comply with the standard CASL requirements for obtaining consent, including stating the purpose for the collection, and providing their name and contact information.
• A person who relies on such a consent must meet additional disclosure and unsubscribe mechanism requirements for the messages they send relying on this consent.

Third Party Mailing Lists: Message content when consent is obtained from a third party, such as a list broker

When an email list is purchased from a third party, messages sent pursuant to such consent are subject to additional disclosure requirements:

• The message must identify the person who obtained the original consent as well as the person who sent the message, in addition to providing the standard prescribed contact information.
• The unsubscribe mechanism must allow the recipient to remove consent from both the person who sent the message, the person who obtained the original consent or any other person authorized to use the consent.

It is essential that such a list is used separately from the company’s own consent lists.

Maintaining Contact Lists

Both Industry Canada and the CRTC have taken the position that valid express consent obtained before CASL came into force remains valid under CASL. However, both regulators have expressly noted that in some cases email addresses that could be used under the privacy legislation can no longer be used under CASL. Previously usable email addresses most likely to be unusable under CASL are where an organization had relied on ‘implied’ consent under PIPEDA, in a situation that does not fall into one of the defined categories of implied consent in CASL.

Implied consent under CASL is narrow: it exists only in certain cases such as existing “business relationships” or “non-business relationships”. Where an organization relied on “implied consent” under PIPEDA that is not recognized under CASL, it cannot continue to send CEMs to those addresses unless it is also able to establish express or implied consent as provided in CASL.

Transitional Provisions

There is a transitional period in CASL that lasts from July 1, 2014 to July 1, 2017. During this time, “implied consent” will survive for three years in cases of “existing business relationships”, as defined in CASL, that predate CASL and that included the sending of commercial messages when CASL came into force.

• Existing business relationships that are established after CASL will survive for two years following a purchase, or six months following an inquiry.
• The transitional period provides an extended timeline for perfecting pre-existing implied consent (as defined in CASL) by seeking express consent.
• Any attempts to perfect implied consent will need to be carried out in compliance with CASL.

Enforcement To Date

Since CASL came into force, the CRTC has received tens of thousands of complaints. While it has indicated it will review these complaints, and take action where appropriate, there has yet to be any formal enforcement of CASL.

However, the CRTC has taken action to reduce spam without initiating formal proceedings under CASL. In early October, the CRTC announced that it received complaints from consumers that a large volume of spam was coming from a particular ISP. After investigating, it was able to identify a small business whose servers had unknowingly become infected with malware, causing them to join a botnet distributing spam. When contacted by the CRTC, the company promptly removed the malware.

Consent for Installing Computer Programs

On January 15, 2015, provisions requiring express consent to install a “computer program” on a person’s computer system will come into force. Similar to requests for consent to send messages, a request for consent to install a computer program must state:

1. The purpose for which the consent is sought, including providing a simple description of the function and purpose of the program;
2. The name under which the person seeking consent carries on business, and if different, the name under which the person on whose behalf consent is sought carries on business;
3. If applicable, which person is seeking consent, and on whose behalf consent is sought;
4. The mailing address, and one (or more) of a telephone number, website, or email address of either the person seeking consent, or if different, the person on whose behalf consent is sought;
5. That consent may be withdrawn.

Consent for Installing Computer Programs

If the program performs one of the following functions, then these elements and their impact on the system must be brought to the person’s attention separately from any other information provided in the request for consent, and the person must acknowledge in writing they understand and agree to these functions:

• collecting personal information stored on the computer;
• interfering with the owner’s control of the computer;
• changing the settings, preferences or commands already installed or stored on the computer without the knowledge of the owner;
• changing the data stored on the computer in a manner that obstructs lawful access to or use of the data by the owner of the computer;
• causing the computer to communicate with another computer without the authorization of the owner;
• installing a computer program that may be activated by a third party without the knowledge of the owner.

Consent for Installing Computer Programs

CASL deems a person to expressly consent to the installation of the following programs, if their behaviour makes that assumption reasonable:

• Cookies
• HTML Code
• Java Scripts
• Operating systems
• A program that is executable only through the use of another program the person previously agreed to install
• Programs installed by a TSP to protect network security
• Programs installed to update a network by the TSP that operates the network
• Programs installed solely to correct a failure in the operation of the computer system or a program installed on it

Consent for Installing Computer Programs

NOTE: Consent to install a computer program must be sought separately from consent to send commercial messages.

Remember: Your request for consent should expressly include consent to future upgrades of the program!

Installing Computer Programs

What does it mean to “Install” a Program?

In its guidance, the CRTC suggests programs that are “self-installed” (e.g. buying an app in an app store, or installing a program from a CD) are not subject to the CASL consent requirements. Programs that are automatically or surreptitiously installed along with other programs are subject to the CASL express consent requirements.

NOTE: This distinction is not expressly evident in the legislation. As CASL effectively prohibits the automatic installation of most programs by requiring express consent, it may be difficult to distinguish between an incorrectly drafted request for express consent and a truly self-installed program. In the absence of judicial consideration, a cautious approach is to draft all requests to install a computer program to comply with CASL.

Further Implications of CASL

CASL has prohibitions that apply to actions other than sending CEMs and installing programs:

1. Anti-phishing

• Altering or causing to be altered the transmission data in an electronic message so it’s delivered to a destination other than or in addition to that specified by the sender

2. Amendments to the Competition Act

• Prohibited to make a false or misleading representation in a commercial electronic message
• Prohibited to make a false or misleading representation in the subject line of a commercial electronic message

Does CASL Apply to Businesses Outside Canada?

CASL applies both when CEMs are sent from a computer in Canada and where the CEMs are received on a computer system in Canada, even if the sender is located outside of Canada.

This is also true for other CASL prohibitions, including those related to the installation of computer programs.

Corporate Compliance Programs

For compliance with CASL, it is essential for organizations to audit their existing practices regarding commercial electronic messages, program installation, and the validity of their consents:

• Determine where you are sending CEMs or installing programs;
• Identify the channels through which you send CEMs;
• Assess if you have implied or express consent to send CEMs or install programs or if an exemption applies;
• If you conclude you have consent, assess your ability to prove it in the face of a challenge;
• Develop a plan to obtain any required consents. This plan should address both the treatment of current lists, as well as how the organization will continue to acquire consent in compliance with CASL;

Corporate Compliance Programs

• Ensure your CEMs contain the content required by CASL, except where an exception applies;
• Ensure your requests for consent to send CEMs or install computer programs contain the content required by CASL, except where an exception applies;
• Determine how CASL may affect your policies, processes, customer relationship management (CRM) and other IT systems, and staff training and awareness programs;
• Revise your policies, processes and systems as required;
• Keep an audit trail, since CASL contains a “due diligence” defense.

Corporate Compliance Programs

The CRTC recommends that CASL compliance policies should include:

• Senior management involvement
• A risk assessment in relation to the actual practices of your business
• A written compliance policy and adequate employee training
• Appropriate record keeping: you bear the burden of proof!
• Ongoing compliance monitoring
• A means to address complaints and contraventions

Remember: An appropriate compliance program not only reduces the risk of an offence, but contributes toward establishing a due diligence defense.

QUESTIONS?

Thank You

Brian Fraser, Partner, Gowling Lafleur Henderson LLP, 416-862-4293
Chris Oates, Associate, Gowling Lafleur Henderson LLP, 416-369-7333

montréal  ottawa  toronto  hamilton  waterloo region  calgary  vancouver  moscow  london