
Canada’s Anti-Spam Law and
Privacy Compliance
WHAT YOU NEED TO KNOW
Chris Oates, Associate, Gowling Lafleur Henderson LLP
Lexpert Social Media Conference
June 2, 2014
Outline
Canada’s Anti-Spam Law (“CASL”):
• How do you request consent to send commercial
messages?
• What do messages need to contain?
• How do you handle your existing list?
• Collecting, using and disclosing personal
information online
• Your privacy obligations
• Information transfers and responding to privacy
breaches
Preparing for Compliance with
Canada’s Anti-Spam Law
Canada’s Anti-Spam Legislation
Legislative Background:
CASL comes into force on July 1, 2014 and will take a prohibitive
approach to “Commercial Electronic Messages”, prohibiting all
but those messages that comply with its requirements.
In some cases, existing, valid consent may not survive when
CASL is in force.
Under CASL:
• Electronic messages require consent from the
recipient, either express or implied;
• The message must contain prescribed
disclosure; and
• The message must contain an
unsubscribe mechanism in prescribed form.
Canada’s Anti-Spam Legislation
To which messages does CASL apply?
CASL applies to Commercial Electronic Messages (“CEMS”) that are
sent by any means of telecommunication, including a text, sound, voice
or image message, to an “electronic address”:
• an electronic mail account;
• an instant messaging account;
• a telephone account; or
• any similar account.
“Any similar account” may capture new forms of communication, such as social media
and BBM. The key question is whether the message is sent to something akin to an
“electronic address”. Messages that are not sent to an electronic address are not
subject to CASL.
Tweets and Facebook wall postings appear to be published rather than sent to an
address; however, ‘direct messages’ appear to go to an address.
Canada’s Anti-Spam Legislation
Is the Electronic Message Commercial?
CASL will only apply to electronic messages that are
“commercial”. This will include all messages that, based on their
content, including links, and contact information, have as one of
their purposes encouraging participation in commercial activity,
regardless of whether this is done with the expectation of profit.
• Messages that offer to sell a product or service;
• Messages that advertise a product or service;
• Messages that promote a person or corporation;
• Messages that seek to gather consumer or market information;
• Messages that seek consent to send further messages.
Canada’s Anti-Spam Legislation
What is not a Commercial Electronic Message?
CASL will not apply to several classes of message:
• Interactive two way voice communications;
• Messages sent via facsimile to telephone accounts; and
• Voice recordings sent to a telephone account.
These messages are currently subject to the CRTC’s
oversight via the Telecommunications Act and the
Unsolicited Telecommunications Rules.
CASL contains a provision that permits the government to repeal this
exception AND the National Do Not Call List at a later date. If exercised, this
would make unsolicited commercial telephone calls subject to the CASL
requirements.
Canada’s Anti-Spam Legislation
Which messages will be exempt?
The Regulations provide that the following message classes are exempt
from both the consent and in-message disclosure requirements:
• messages sent between employees of an organization relating to the affairs of the organization;
• messages sent between employees of two organizations with a relationship, where the message relates to the affairs of the recipient organization;
• messages that respond to an inquiry, complaint, or other solicitation from the recipient;
• fundraising messages sent by or on behalf of a registered charity;
Canada’s Anti-Spam Legislation
Which messages will be exempt?
The Regulations provide that the following message classes are exempt
from both the consent and in-message disclosure requirements:
• messages where the person sending the message reasonably expects it to be received in a foreign state listed in the Regulations, if the message complies with the law of that state;
• messages sent to a secure account to which only the person providing the account may send messages;
• messages sent on a platform that includes compliant disclosure and an unsubscribe mechanism in its interface (these are exempt from the message requirements, but not the consent requirements);
• messages sent to satisfy a legal obligation.
Penalties
Administrative monetary penalties for violations:
• A fine of up to $1,000,000 for a violation by an individual.
• A fine of up to $10,000,000 for a violation by a corporation.
CASL also creates a private right of action for persons who
allege they have been affected by a violation. If the action
is successful in court, the court may order:
• Compensation equal to the actual loss or damage suffered;
and
• $200 for each contravention, not exceeding $1,000,000 for
each day on which a contravention occurred.
The private right of action has a delayed coming into force date, and will not
be in place until July 1, 2017. The CRTC may seek to impose administrative
monetary penalties following July 1, 2014.
Express Consent Under CASL
Requirements for a Request for Express Consent
1. Provide the purpose for which the consent is sought;
2. Provide the name under which the person seeking consent carries
on business, and if different, the name under which the person on
whose behalf consent is sought carries on business;
3. If applicable, identify which person is seeking consent, and on
whose behalf consent is sought;
4. Provide the mailing address, and one (or more) of a telephone
number, website, or email address of either the person seeking
consent, or if different, the person on whose behalf consent is
sought;
5. State that consent may be withdrawn.
The CRTC’s Position on Express Consent
• The CRTC takes the position that express consent must be “positive or explicit”.
• Note that a check box is not specifically required; other mechanisms that amount to an explicit indication of consent may be used.
The CRTC’s Position on Express Consent
• “Assumed” consent through a pre-checked box or an opt-out mechanism would not be accepted.
Implied Consent Under CASL
Requirements for Implied Consent
1. There is an “existing business” or “non-business relationship” between the sender and the recipient, or
2. The recipient has conspicuously published their address, or has disclosed it to the sender, and:
• has not indicated they do not wish to receive commercial messages; and
• the message is relevant to the recipient’s business, role, functions or duties.
o As messages to ‘published’ or ‘disclosed’ addresses must be relevant to the business of the recipient, this category is less likely to apply to the origination of new clients. It may apply in other narrow contexts, such as contacting journalists with news relevant to their specific business role.
Implied Consent: “Existing Relationships”
An “Existing Business Relationship” is where the recipient of the message:
• Purchased a good or service from the message sender within the prior two years;
• Accepted a business opportunity from the message sender within the prior two years;
• Has a written contract with the message sender in respect of a matter other than a purchase, lease, or business opportunity;
• Made an inquiry or application to the message sender regarding a purchase, lease, or business opportunity within the six months prior to the message.
An “Existing Non-Business Relationship” is where the recipient of the message:
• Made a donation or performed volunteer work for the sender, which is a registered charity;
• Has a membership with the sender, and the sender is a club, association or voluntary organization that:
  • is a non-profit organization organized and operated exclusively for social welfare, civic improvement, pleasure or recreation or for any purpose other than personal profit, if no part of its income is payable to, or otherwise available for the personal benefit of, any proprietor, member or shareholder (with an exception for amateur athletics).
Exceptions to the Need for Consent
CASL creates an exception to the need for consent for
certain “transactional” messages. This exception will
apply to messages that solely:
• provide a quote or estimate for the supply of a product or service;
• facilitate, complete or confirm a previously agreed upon
commercial transaction;
• provide warranty information, product recall information or safety
or security information about a product the recipient uses or had
purchased;
• provide notification of factual information about the ongoing use
by recipient of a product or a service offered under a subscription,
membership, account, loan or similar relationship by the sender.
These messages remain subject to the message content requirements.
Message Content under CASL
Prescribed Disclosure Requirements for Electronic Messages
1. The name under which the person sending the message, and the person on whose behalf it is sent, if different, carry on business, or their names if they do not carry on business under a different name;
2. If applicable, an indication of which person sent the message and on whose behalf it was sent;
3. The mailing address, and one (or more) of a telephone number, web address, or email address of either the person sending the message, or if different, the person on whose behalf it is sent; and
4. An unsubscribe mechanism.
Service providers sending electronic messages on behalf of third parties that do not have control over the message content or recipient list would not need to be identified.
The required contact information must remain current for a minimum of 60 days after the message is sent.
Unsubscribe mechanism
CASL requires CEMs to set out an unsubscribe
mechanism that allows the message recipient to
indicate at no cost, the wish to unsubscribe from all
CEMs or a specified class of CEMs. This mechanism
must:
• Use the same electronic means as the message, or if not
practicable, other electronic means;
• Give an electronic address or a web link for unsubscribe
requests
• Be set out clearly, must be able to be “readily” performed
• Be effective “without delay”, no later than 10 business days
The required contact information must remain current for a
minimum of 60 days after the message is sent.
Exceptions to the Disclosure Requirements
The General Exception
“If it is not practicable to include the information (…) in a
commercial electronic message, that information may be
provided by a link to a web page on the World Wide Web that is
clearly and prominently set out and that can be accessed by a
single click or another method of equivalent efficiency at no cost
to the person to whom the message is sent.”
This exception will be essential for electronic messages that are
subject to space restraints such as text messages. It is not likely
to apply to messages not subject to such restraints, such as
email.
The Family and Personal Relationship Exception
Neither the requirement to obtain consent, nor the requirement
to disclose information regarding the sender, will apply where
an electronic message is sent “by” or “on behalf” of a person
who has a “personal” or “family” relationship with the
recipient.
“Family”
• Marriage;
• A common-law partnership;
• A legal parent/child relationship;
where those persons have had a direct voluntary two-way communication.
“Personal relationship”
• Must have had direct, voluntary two-way communications;
• Must be reasonable to conclude the relationship is personal considering all relevant factors.
This exception will only apply to businesses in unusual cases. Examples I
have seen include refer-a-friend type promotions, and customizable
holiday greeting cards.
Referral Messages
The Regulations include an exception that permits
a single referral message to be sent where:
• The referral is made by an individual who has an existing
business relationship, existing non-business relationship,
family, or personal relationship with the message recipient;
• The referrer has one of those relationships with the sender of
the message; and
• The message states the full name of the person who made the
referral, and states that the message was sent as a result of
the referral.
The referral message must also comply with the standard CASL
message disclosure requirements.
Third Party Mailing Lists
CASL expressly allows consent to be obtained on behalf
of unknown third parties. However, it limits how this
consent may be obtained and used:
• The party that seeks consent is required to comply with the
standard CASL requirements for obtaining consent,
including stating the purpose for the collection, and
providing their name and contact information.
• A person who relies on such a consent must meet
additional disclosure and unsubscribe mechanism
requirements for the messages they send.
Third Party Mailing Lists
Message content when consent is obtained from a
third party, such as a list broker.
When an email list is purchased from a third party, messages sent
pursuant to such consent are subject to additional disclosure
requirements:
• The message must identify the person who obtained the original
consent as well as the person who sent the message, in addition to
providing the standard prescribed contact information.
• The unsubscribe mechanism must allow the recipient to withdraw
consent from the person who sent the message, the person who
obtained the original consent, and any other person authorized
to use the consent.
It is essential that such a list be used separately from the company’s own opt-in lists.
Further implications of CASL
CASL has prohibitions that apply to actions other than sending CEMs:
1. Anti-phishing
• Altering or causing to be altered the transmission data in an electronic message so it is delivered to a destination other than, or in addition to, that specified by the sender.
2. Anti-malware
• Cannot install a program on someone’s computer without their prior express consent.
• The provisions relating to computer program installation come into force on January 15, 2015.
Does CASL apply to businesses outside Canada?
• CASL applies both when sending CEMs from
a computer in Canada or where the CEMs are
received on a computer system in Canada
even if the sender is located outside of
Canada.
• This is also true for other CASL prohibitions,
including those related to the installation of
computer programs.
Maintaining Contact Lists
The regulatory impact statement for the Regulations confirms Industry Canada’s
position that valid express consent obtained before CASL comes into force “will be
recognized as being compliant with CASL”. However, Industry Canada also expressly
noted that in some cases email addresses that may be used under the current
privacy legislation may no longer be used under CASL.
Email addresses are most likely to be unusable following July 1, 2014 where an
organization is relying on ‘implied’ consent under PIPEDA, and that consent does not
fall into one of the defined categories of implied consent in CASL.
Implied consent under CASL is much narrower: it exists only in cases of existing
“business relationships” or “non-business relationships”.
Where an organization is relying on “implied consent” under PIPEDA that is not
recognized under CASL, it would not be able to send CEMs to those addresses
following July 1.
Maintaining Contact Lists
CASL places the burden of proving consent on the organization
claiming to have it. As such where an organization is unable to
prove it has express consent or valid implied consent in relation
to its current list, it may not be able to rely on it following July 1,
2014.
Organizations should consider the manner in which their current
email list was established to assess their ability to continue
to use it after CASL comes into force. Prior to July 1, 2014,
there is an opportunity to seek express consent in cases
where implied consent is currently relied on.
Transitional Provisions
When CASL comes into force on July 1, 2014, there will be an
extended period of three years during which “implied consent”
will survive in cases of “existing business relationships”, as
defined in CASL, that predate CASL and that include the
sending of commercial messages when CASL comes into force.
• Existing business relationships that are established after
CASL will survive for two years following a purchase, or six
months following an inquiry.
• The transitional period provides an extended timeline for
perfecting pre-existing implied consent (as defined in
CASL) by seeking express consent.
• Any attempts to perfect implied consent following July 1,
2014 would need to be carried out in compliance with
CASL.
Preparing for CASL Compliance
Compliance with CASL will become a legal
requirement on July 1, 2014.
Organizations should be bringing their electronic
communications practices into compliance now, both
due to the magnitude of the potential penalties, and to
help establish an express consent list that will survive
the coming into force of the Act.
Preparing for CASL Compliance
To prepare for compliance with CASL, it is essential for
organizations to audit their existing practices regarding
commercial electronic messages and the continued validity
of their existing consents:
• Determine if you are sending CEMs;
• Identify the channels through which you send CEMs;
• Assess if you have implied or express consent to send
CEMs or if an exemption applies;
• If you conclude you have consent, assess your ability to prove it
in the face of a challenge;
• Develop a plan to obtain any required consents. This
plan should address both the treatment of current lists,
as well as how the organization will continue to acquire
consent after July 1, 2014;
Preparing for CASL Compliance
• Ensure your CEMs contain the content required by
CASL, except where an exception applies;
• Determine how CASL may affect your policies,
processes, customer relationship management (CRM)
and other IT systems, and staff training and awareness
programs;
• Revise your policies, processes and systems as
required;
• Keep an audit trail, since CASL contains a “due
diligence” defense.
Collecting, using and disclosing
personal information online
Regulatory Framework
The Personal Information Protection and Electronic
Documents Act (“PIPEDA”)
• Regulates the collection, use, and disclosure of personal
information in the private sector.
• PIPEDA applies to the collection, use, and disclosure of
“personal information” by federal works, undertakings and
businesses, and by all private sector organizations in
provinces that do not have “substantially similar” private sector
privacy legislation.
• PIPEDA also applies to private organizations in any province
in cases where personal information is transferred across
provincial or national borders.
Regulatory Framework
What is ‘Personal Information’?
“Personal information” is broadly defined in PIPEDA to include
any “information about an identifiable individual”, whether public
or private, with limited exceptions.
The Privacy Commissioner has repeatedly held personal
information to include email addresses, including business
addresses.
Regulatory Framework
‘Anonymous’ Information
Personal Information must be thoroughly de-identified before it is
no longer “personal information”. The standard is high, and care
must be taken that it is no longer possible to link the information
back to an individual.
A decision under PIPEDA held:
• Personal information that has been de-identified does not qualify as
anonymous information if it is still possible to link the de-identified data
back to an identifiable individual.
• Information will be about an identifiable individual if there is a serious
possibility that someone could identify the available information. It is not
necessary (…) to demonstrate that someone would (…) actually do so.
• (…) de-identified data will not constitute “truly anonymous information”
when it is possible to subsequently link the de-identified data back to an
identifiable individual.
Regulatory Framework
‘Public’ Information
Personal Information that can be accessed from a ‘public’ source
remains subject to the requirement for consent in most cases.
PIPEDA provides only limited exceptions:
• A name, address and telephone number in a telephone directory, if the individual can refuse to have their information in the directory.
• A name, title, address and telephone number in a professional or business directory, if the information is used for the purpose for which it appears in the directory.
• A registry collected under statutory authority or a record/document of a judicial body, if the information is used for the purpose for which it appears in the registry or document.
• A publication including a magazine, book or newspaper available to the public, where the individual provided the information.
Regulatory Framework
Provincial Privacy Legislation
Alberta and British Columbia have enacted privacy legislation (in
both, the Personal Information Protection Act (“PIPA”)) which
applies generally to private sector entities.
• Alberta’s PIPA was declared invalid by the Supreme Court of
Canada in November 2013.
Québec’s private sector privacy legislation, an Act respecting the
protection of personal information in the private sector, is similar
in principle to PIPEDA; however, there are important differences in
detail.
• The Québec Privacy Act applies to all private sector
organizations with respect to collection, use and disclosure of
personal information (not just with respect to commercial
activities) and to employee information.
• Also applies to private sector collection, use and disclosure of
personal health information.
Key Principles
The four key private-sector statutes apply similar principles to these obligations. Privacy legislation:
1. States that personal information may only be collected, used or disclosed with the knowledge and consent of the individual;
2. Limits the collection of personal information to what is necessary for the purpose(s) identified; and
3. Requires that personal information be collected by fair and lawful means.
Key Principles
PIPEDA sets out 10 principles that are key to compliance:
1. Consent
2. Accountability
3. Identifying Purposes
4. Limiting Collection
5. Limiting Use, Disclosure and Retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual Access
10. Challenging Compliance
Collecting Personal Information
The overarching principles of privacy law apply
regardless of where personal information is collected.
Generally, Canadian privacy law is technology neutral. Always:
• Disclose the purposes for which you collect information;
• Obtain consent to those purposes;
• Use personal information only in accordance with the purposes disclosed;
• Provide adequate security for the information you collect, proportionate to its sensitivity.
Collecting Personal Information
Consider:
• What information are you collecting?
  • More sensitive information requires clearer consent, and increased security.
  • Beware of over-collection from loose coding in third party applications.
• How are you obtaining consent?
  • Remember, consent must be in relation to the purposes you disclose to the individual.
• How are you disclosing your privacy policy?
Challenges for Mobile Advertisers
Mobile applications present a particular challenge.
Consider the need for your terms and policies to be readable
using a small viewing screen.
MMA MOBILE APPLICATION PRIVACY POLICY FRAMEWORK
• This application does collect precise information about the location of your device. [INSERT A GENERAL DESCRIPTION OF HOW THIS IS DONE IN A WAY THAT IS CLEAR TO AN AVERAGE CONSUMER.]
• We use your location information to Provide requested location services, and [INSERT A LIST OF OTHER USES (E.G., TO ALLOW TAGGING, OR TO CHECK-IN) AND IF APPLICABLE, DESCRIBE THE CIRCUMSTANCES WHERE PRECISE LOCATION DATA IS SHARED WITH THIRD PARTIES FOR THEIR INDEPENDENT USE.]
• [IF APPLICABLE] You may at any time opt-out from further allowing us to have access to your location data by [state how user can manage their location preferences either from the app or device level]. For more information, please see the section below entitled “opt-out rights.”
Mobile Marketing Association 2011
Challenges in Social Media
Consider which social media sites you are using.
Different sites will have different terms that apply to the
information that users share on them:
• Facebook prohibits using user information obtained from
Facebook in advertisements, and prohibits any use of
information obtained from a Facebook Ad, except on an
aggregate basis to assess Ad performance.
• Facebook permits the use of user information provided
directly to a developer IF the user is provided with clear
notice and provides their consent.
• YouTube users provide a flow-through licence for other
users to “use, reproduce, distribute, display and perform”
their content as permitted under the YouTube Terms.
Behavioural Advertising
Behavioural Advertising and Tracking
“Tracking consumers’ online activities over time in order to
deliver advertisements targeted to their inferred interests”
The Privacy Commissioner has issued guidelines:
• Behavioural advertising CAN comply with PIPEDA,
• The overall requirements to identify your purposes and
obtain informed consent apply,
• The form of consent can vary: opt-in or opt-out
consent may be acceptable, considering the sensitivity
of the information,
• As a best practice, children should not be tracked,
• Behavioural advertising should not be a condition of
service.
Behavioural Advertising
Behavioural Advertising and Tracking
Privacy Commissioner Guidelines for opt-out consent:
• The individual must be made aware of the purposes for which you are collecting personal information.
• The individual must be informed at the time or before information is collected, and informed of the parties involved. (A clause buried in a privacy policy would not be adequate!)
• There must be an easily available opt-out, that takes effect immediately and is persistent.
• The information is not sensitive.
• The information is de-identified or destroyed as soon as possible.
IAB Canada
IAB Canada, an industry group with many large
advertisers, agencies, and media groups as members, has
also published a framework for behavioural advertising:
• Transparency: Provide notice when websites are supplying
behavioural advertising.
• Education: Provide web based information about behavioural
advertising.
• Choice: Provide a one click opt-out.
• Accountability: Retain opt-out preferences.
Mitigating Risk
Ensure your privacy compliance program addresses your actual
collection and use of personal information.
• Ensure your privacy policy identifies the purpose for any collection,
use, or disclosure of personal information, seeks consent for these
activities, and addresses the need to protect personal information.
• Depending on the circumstances, additional measures should
be taken. Compliance in the mobile space and when engaging
in behavioural tracking is particularly challenging.
• Ensure your employees, as well as your service providers, are
aware of your policies, how to apply them, and the consequences
of failing to do so.
• Reconsider your compliance policy when you change your
practices or purpose for the collection, use, or disclosure of
personal information.
Data Protection and Transfers
PIPEDA requires organizations to implement physical,
organizational and technological measures to ensure adequate
safety.
• In an increasingly digitized world, technological measures
are key to compliance. These may include data encryption,
passwords, and access keys.
• Organizational data protection measures will include
ensuring that only certain personnel have access, or the
access keys, to personal information.
• Physical data protection mechanisms may include
restricting access to secure locations.
• Certain market sectors have industry standards that provide
specific security standards, for example, the PCI DSS is used
in the payment cards industry.
Data Protection and Transfers
Third Party Service Providers
Organizations are responsible for personal information in their
possession or custody, including information that has been
transferred to a third party.
An organization must consider the activities of the companies it
retains to store personal information, to build platform
integrations or applications, to moderate content, advertising
agencies, and public relations companies.
Be aware that the legal onus is on an outsourcing organization to
ensure that the service provider to whom personal information is
transferred complies with Canadian privacy laws.
Data Protection and Transfers
Breach Notification
The federal Privacy Commissioner has published voluntary
guidelines regarding responding to security breaches. The
guidelines state four key steps when responding to a breach:
1. Contain the breach by taking immediate steps to stop
any further information from being disclosed. Undertake a
preliminary assessment of the situation;
2. Evaluate the risk associated with the breach by
considering the sensitivity of the information involved,
whether it was encrypted, how it may be used, and the
risks to the individual resulting from that use;
3. Notify the individuals if the privacy breach creates a
risk of harm to the individual; and
4. Develop a plan for the prevention of future breaches.
Data Protection and Transfers
Breach Notification
Bill S-4 (the Digital Privacy Act) would amend PIPEDA to
mandate breach reporting and create the following duties:
1. A duty to report any breach of security safeguards
involving personal information under their control to
the Privacy Commissioner, if it is reasonable in the
circumstances to believe that “the breach creates a
real risk of significant harm to an individual”; and
2. A duty to notify individuals of any breach of security
safeguards involving their personal information when
“the breach creates a real risk of significant harm to
the individual”.
Bill S-4 will create a right for individuals to file a complaint with
the Privacy Commissioner if these procedures are not followed.
QUESTIONS?
Thank You
Chris Oates
Associate
Gowling Lafleur Henderson LLP
[email protected]
416-369-7333