preparing for canadian anti-spam legislation

© 2014 Marketo, Inc. #MKTGNATION14

Preparing for CASL

Kiersti Esparza, CIPP/USManager, Privacy Team | Marketo


Preparing for CASL

Disclaimer:“The information provided in this presentation can not be considered legal advice, and is not legally binding.”


Preparing for CASL

Disclaimer:• Marketo would be pleased to answer questions you

may have about CASL

• To avoid potentially misleading participants, Marketo is not in a position to answer hypothetical or situational questions such as “what if I” as we cannot measure the varying circumstances or procedures you may have in place. These types of questions should be either reviewed by your legal counsel or sent in writing to the CRTC, for their review and interpretation.


What is CASL?

• Canada's Anti-Spam Legislation

Anti-SpamAnti-

Malware

Anti-Hacking

Rules for sending Commercial Email Messages (CEMs)

Rules for installation of computer programs

Prohibition against unauthorized alteration of transmission data


What is CASL?

• Canada's Anti-Spam Legislation • CEMs – Commercial Electronic Messages• “an electronic message that, … it would be reasonable to

conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity” Transactional or Operational messages with ANY commercial or

marketing purpose


Who enforces CASL?

• Canadian Radio-television and Telecommunications Commission (CRTC)• Enforcement Agency

• The Competition Bureau of Canada• Office of the Privacy

Commissioner of Canada


Requirements under CASL

• Consent• Express or Implied • Several exemptions

• Clearly identify yourself• Provide a method where the recipient can

readily contact you• Unsubscribe mechanism• Functional for 60 days• No cost• Must process without delay


Types of Consent

• Express Consent

• Implied Consent

• Inquiry Consent


Types of Consent

• Express Consent• Did the recipient say “yes” to receiving your CEM?• An individual must take action to “opt-in” to a stated

purpose


Types of Consent

• Implied Consent• Can you show that you have an existing business or non-

business relationship?• Did the recipient disclose their address to you?• Is the address published? Is there a statement saying they

don’t wish to be contacted?• Expires within 2 years


Types of Consent

• Inquiry Consent• Expires within 6 months


Types of Consent

• Express Consent

• Implied Consent

• Inquiry Consent


Types of Consent

• Don’t be afraid to ask!


Can you prove Consent?

• You are required to maintain an auditable record of consent No Pre-Checked Boxes for Express Consent• Request for consent must be separate from general terms

and conditions • Record the date, time, purpose, and manner of consent in a

database• Filling out a consent form at a point of purchase


Can you prove Consent?

FAQs: What about verbal consent?• where oral consent can be verified by an independent third

party; or • where a complete and unedited audio recording of the

consent is retained by the person seeking consent or a client of the person seeking consent.


Timing

• Coming Into Force July 1, 2014 • You will need consent from any new customer or lead and

each CEM must include identification and unsubscribe mechanisms

• Transitional Provisions • Previous express consent remains valid under CASL • Implied consent to continue sending for 3 years


Special Cases

• A person can get consent on behalf of yet to be determined third parties • All parties relying on consent obtained by others are

accountable for managing that consent. • Identification and unsubscribe requirements still apply e.g. A Frequent Flyer program gets consent from members

to send them messages on behalf of third parties that will be identified in the future (i.e. a car rental company). Must be a separate Opt-In from the main company’s Opt-In

process.


Special Cases

• Third Party Referrals • You may refer a prospective customer to another person if

you have an existing relationship with the prospective customer

• If you receive a referral, you may send one CEM to the prospect

CEM must include the full name of the individual who made the referral


When is consent NOT required?• Personal emails between family and friends• Communications within an organization• In response to a request; quotes or estimates • Messages that facilitate or confirm transactions • Provides warranty, recall, safety or security information • Provides information about

• ongoing use or ongoing purchases • ongoing subscription, membership, accounts, loans or similar • employment relationships or benefit plans

• Registered charities and political candidates (Canadian only)• When the recipient is protected by equitable data protection laws in

their own county

NOTE: Identification and Unsubscribe mechanisms are still required for these types of messages


Case Study #1


Case Study #1

• Happy High School contracts Photo Corp to take graduation photos of its students.

• Photo Corp sends these students’ parents a reminder that Photo Day is in one week.

• The reminders contain a URL to Photo Corp’s website, where the parents can pre-order copies of their children’s graduation photos.


Case Study #1

Are these Photo Day reminders CEMs?

What if Happy High School is the one sending the Photo Day reminders?

What if the Photo Day reminders state that there is a 10% early bird discount?


Case Study #2


Case Study #2

• Sally is an artist holding an exhibit at an art gallery. Sanjin is a sales representative of an art supplies store.

• Sanjin picked up Sally’s business card at the exhibit but didn’t speak to her at the event.

• Sanjin sends an email to Sally saying that, as an artist, she might be interested in a sale that his store is holding.


Case Study #2

Is Sanjin’s email covered by any of the exemptions discussed?

What if Sally is an employee of the art gallery, and a different employee of the art gallery has purchased art supplies from Sanjin’s store in the past?


Case Study #3


Case Study #3

• Tania is a lawyer in Toronto and a member of an international bowling association.

• She obtains a list of the other members’ email addresses and notices that some of them end in .es, indicating the addresses are from Spain.

• Since she is licensed to practice law in Spain, she emails the .es email addresses advertising her legal services.


Case Study #3

Would CASL apply to Tania’s email?

What if Sally, who works in Tania’s firm, emails the list of members notifying them that they may be eligible to join a class action she is organizing against a bowling ball manufacturer?


• To catch blatant offenders• Responsible senders who are making efforts

to comply are not the target of the law.

What is the goal of CASL?


Pop Quiz!


Pop Quiz!

• As long as your email is not commercial, CASL will not apply.

a) Trueb) False


Pop Quiz!

• Which of these could violate CASL? a) An investment advisor gets a list of fellow attendees at a

financial seminar and emails them all a sales pitch b) A business consultant emails someone she has never met in

response to an inquiry about her professional services c) A computer salesperson emails someone about a laptop

sale a year after selling her a computer d) A registered charity emails you asking for a donation


Pop Quiz!

• Which of the following is not an exemption category? a) Personal relationshipb) Family relationshipc) Existing business relationship d) Existing privacy consente) Existing non-business relationship


Pop Quiz!

• Once CASL is fully in force, violations may result in: a) Penalties of up to $1 million for individuals b) Penalties of up to $10 million for organizations c) Civil liability for compensatory damages d) Civil statutory liability of up to $1 million per day e) All of the above


Enforcement Process


Checklist - Top 10 Steps

Determine which of your messages are CEMs Identify any exemptions that may apply to your CEMs Record all consents, inquiries, applications, complaints and requests

and when they were received Establish a process to help you refresh your consents Ensure that parties that have unsubscribed or otherwise not to receive

CEMs will not be sent any requested Use an opt-in mechanism to gather consent Ensure there is a compliant unsubscribe function Ensure there is a compliant identification included Approach external service providers to ensure they can support

marketing activities taken on your behalf in compliance of CASL Review legal developments relating to CASL to clarify some of the

ambiguities surrounding the legislation


Key Resources • Marketo’s webinar on CASL

http://www.marketo.com/webinars/getting-ready-for-the-canadian-anti-spam-legislation/

• Information Session on Canada's Anti-Spam Legislation http://www.crtc.gc.ca/eng/com500/info.htm

• Shaun Brown, Legal Counsel – http://www.nnovation.com

• CASL Statute: http://laws-lois.justice.gc.ca/eng/acts/E-1.6/index.html

• CRTC Regulations: http://laws-lois.justice.gc.ca/eng/regulations/SOR-2012-36/index.html

• IC Regulations: http://fightspam.gc.ca/eic/site/030.nsf/eng/00273.html

• Industry Canada’s Regulatory Impact Analysis Statement: http://fightspam.gc.ca/eic/site/030.nsf/eng/00271.html

• CRTC’s Information Bulletin (2012-548) on formality requirements: http://www.crtc.gc.ca/eng/archive/2012/2012-548.htm

• CRTC’s Information Bulletin (2012-549) on express consent: http://www.ic.gc.ca/eic/site/064.nsf/eng/07401.html

preparing for canadian anti-spam legislation

Business