Understanding and Complying with Canada's Anti-Spam Legislation

Is there Spam in your Castle? A Discussion of Canada’s Anti-Spam Legislation Tamara Hunter, David Spratley, and Chris Bennett January 15, 2014

Upload: davis-llp

Post on 08-May-2015


DESCRIPTION

Privacy lawyers from Canadian business law firm Davis LLP provide an informative overview of Canada's new anti-spam legislation, steps for compliance and penalties for violation.

TRANSCRIPT

Page 1: Understanding and Complying with Canada's Anti-Spam Legislation

Is there Spam in your Castle?

A Discussion of Canada’s Anti-Spam Legislation

Tamara Hunter, David Spratley, and Chris Bennett

January 15, 2014

Page 2: Understanding and Complying with Canada's Anti-Spam Legislation

THE PLAN

• Background (Dave)
• Penalties (Tamara)
• Anti-Spam Rules (Chris)
• Exceptions (Tamara)
• Computer Programs (Dave)
• Altering Transmission Data (Dave)
• How to Prepare (Tamara)
• Questions (You)

Page 3: Understanding and Complying with Canada's Anti-Spam Legislation

Background

Dave Spratley

Page 4: Understanding and Complying with Canada's Anti-Spam Legislation

Seriously??

An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act

AA PEACE RADREM COCAA CRTCACA PIPEDATA

Page 5: Understanding and Complying with Canada's Anti-Spam Legislation

or

• “Canada’s Anti-Spam Legislation” or “CASL”

• not to be confused with:

Page 6: Understanding and Complying with Canada's Anti-Spam Legislation

What?

• Legislation to regulate certain activities that discourage reliance on electronic means of carrying out commercial activities, of course

Page 7: Understanding and Complying with Canada's Anti-Spam Legislation

What?

• Commercial electronic messages (spam)
• Malware
• Spyware
• Message routing
• Misrepresentations
• Automatic collection

Page 8: Understanding and Complying with Canada's Anti-Spam Legislation

Why?

• To minimize receipt of unsolicited electronic messages, whether in the form of e-mail, text messages, social media or other means of telecommunication, that are sent for commercial reasons

• To reduce electronic threats to commerce, including “phishing”, “pharming”, “malware” and “spyware”

Page 9: Understanding and Complying with Canada's Anti-Spam Legislation

Who?

• Industry Canada

• CRTC

Page 10: Understanding and Complying with Canada's Anti-Spam Legislation

When?

• enacted in December 2010

• to come into force when both CRTC Regulations and Industry Canada Regulations finalized

• CRTC Regulations finalized March 2012

• Industry Canada Regulations finalized December 2013

Page 11: Understanding and Complying with Canada's Anti-Spam Legislation

So, when?

• July 1, 2014: majority of CASL in force, except:

• January 15, 2015: computer program rules in force, and

• July 1, 2017: private right of action in force

Page 12: Understanding and Complying with Canada's Anti-Spam Legislation

Penalties

Tamara Hunter

Page 13: Understanding and Complying with Canada's Anti-Spam Legislation

So What?

• Broad application and hefty fines!

• “Administrative Monetary Penalties” can be levied by CRTC

• As high as $1 M for individuals and $10 M for businesses

Page 14: Understanding and Complying with Canada's Anti-Spam Legislation

So What?

• CRTC can issue a Notice of Violation with the $ AMP set out

• Your organization can then challenge whether violation happened and whether amount of $ penalty is appropriate

• Penalties may be charged per violation and violations may be separately assessed for each day of non-compliance

Page 15: Understanding and Complying with Canada's Anti-Spam Legislation

So What?

• Individuals may bring a private civil action for any damages caused by a contravention of CASL

• The Court may award damages for actual loss/harm proven AND may award a separate monetary sum per violation (e.g. $200 per violation for a s. 6 violation - sending a CEM without prior consent (which doesn’t fall w/i an exception) and/or without the required disclosures/unsubscribe mechanism)

Page 16: Understanding and Complying with Canada's Anti-Spam Legislation

So What?

• The right to bring a civil claim for a breach of CASL will not become effective until July 1, 2017

• Once the right to bring a civil claim does become effective, it cannot be used if the CRTC has already taken action against the organization in relation to the contravention

Page 17: Understanding and Complying with Canada's Anti-Spam Legislation

There are risks other than penalties…..

• Having your organization publicly identified as a violator of anti-spam law can harm your brand and reduce customer and public trust and customer loyalty

• Reputational risk

• What organization wants to be known as a “spammer”?

Page 18: Understanding and Complying with Canada's Anti-Spam Legislation

Anti-Spam Rules

Chris Bennett

Page 20: Understanding and Complying with Canada's Anti-Spam Legislation

CEM = EM + Purpose

• Encouraging participation in a commercial activity

• Consider content, links and contact information in the message

Page 21: Understanding and Complying with Canada's Anti-Spam Legislation

Commercial Electronic Messages

Electronic Messages

• Email
• Text / instant messages
• Social Media

Commercial Activity

• Sale/lease of product/service
• Investment/business opportunity
• Promote individual
• Requests for Consent!

Page 23: Understanding and Complying with Canada's Anti-Spam Legislation

If it’s a Commercial Electronic Message, then…

CEM

• Consent
  • Express
    • Oral
    • Written
  • Implied
    • Business Relationship
    • Non-Business Relationship
    • Published Info
• Content
  • Disclosures
  • Unsubscribe

Page 24: Understanding and Complying with Canada's Anti-Spam Legislation

Consent

• Express
  • Oral
  • Written
• Implied
  • Business Relationship
  • Non-Business Relationship
  • Published Info

Page 25: Understanding and Complying with Canada's Anti-Spam Legislation

Express Consent

• Required info
• Purposes
• Name of requester
• Name of third party recipient
• Contact info
• Statement that consent can be withdrawn

Page 26: Understanding and Complying with Canada's Anti-Spam Legislation

Express Consent

• Need separate consents for CEMs, data and programs
• Can’t bundle
• Can’t toggle
• Should send confirmation

Page 27: Understanding and Complying with Canada's Anti-Spam Legislation
Page 28: Understanding and Complying with Canada's Anti-Spam Legislation
Page 29: Understanding and Complying with Canada's Anti-Spam Legislation
Page 30: Understanding and Complying with Canada's Anti-Spam Legislation
Page 31: Understanding and Complying with Canada's Anti-Spam Legislation

Implied Consent

Existing Business Relationship

• Purchase/lease
• Acceptance
• Contract
• Inquiry

Existing Non-Business Relationship

• Donation/gift
• Volunteer work
• Membership

Published Address

• Didn’t say no
• Is relevant to business/duties

Page 32: Understanding and Complying with Canada's Anti-Spam Legislation

CEM

• Consent
  • Express
    • Oral
    • Written
  • Implied
    • Business Relationship
    • Non-Business Relationship
    • Published Info
• Content
  • Disclosures
  • Unsubscribe

Page 33: Understanding and Complying with Canada's Anti-Spam Legislation

Content

• Disclosures
• Unsubscribe

Page 34: Understanding and Complying with Canada's Anti-Spam Legislation

Required Content

Disclosures

• Sender
• Agent
• Contact Info

Unsubscribe

• No cost
• Same means
• Address/Link
• 10 days

Alternative

• Post on web page
• Clear link

Page 35: Understanding and Complying with Canada's Anti-Spam Legislation
Page 36: Understanding and Complying with Canada's Anti-Spam Legislation
Page 37: Understanding and Complying with Canada's Anti-Spam Legislation

Exceptions to Anti-Spam Rules

Tamara Hunter

Page 38: Understanding and Complying with Canada's Anti-Spam Legislation

Exceptions to consent requirement - examples

• CEM solely provides a requested quote or estimate for the supply of goods/services

• CEM solely facilitates/confirms a previously agreed-to commercial transaction

• CEM solely provides warranty, product recall or safety info about a purchased product/service

Page 39: Understanding and Complying with Canada's Anti-Spam Legislation

Exceptions to consent requirement - examples

• CEM solely provides factual info about a subscription, membership, account or similar relationship

• CEM solely provides info directly related to an employment relationship or related benefit plan

• CEM solely delivers a product, including updates or upgrades pursuant to a transaction

Page 40: Understanding and Complying with Canada's Anti-Spam Legislation

Exceptions to the Prohibitions

• CEM sent to an individual with whom the sender has a “personal or family relationship”

• CEM sent to a person engaged in a commercial activity and consists solely of an inquiry or application related to that activity

(above exceptions are set out in the legislation itself)

Page 41: Understanding and Complying with Canada's Anti-Spam Legislation

Additional exceptions (in IC Regulations)

• The Industry Canada regulations contain several additional exceptions to the Key Prohibitions:

• Any CEM sent in response to a request, inquiry, complaint or otherwise solicited by the recipient

• CEMs sent between employees, representatives, etc. of an organization concerning that organization’s affairs

Page 42: Understanding and Complying with Canada's Anti-Spam Legislation

Additional exceptions cont’d

• CEMs sent by an employee (representative etc.) of one organization to an employee (representative etc.) of another organization in circumstances where the organizations have a business relationship and the message concerns the affairs of the organization to which the message is sent

Page 43: Understanding and Complying with Canada's Anti-Spam Legislation

Additional exceptions cont’d

• Any CEM sent to satisfy a legal obligation or enforce a legal right, court order, etc.

Page 44: Understanding and Complying with Canada's Anti-Spam Legislation

Exception to consent req’t - 3rd Party Referrals

• A single CEM sent to someone without consent, based on a 3rd party’s referral, so long as the sender discloses the name of the person making the referral and so long as there is an existing business, non-business, personal or family relationship between the person making the referral and each of the sender and the recipient

Page 45: Understanding and Complying with Canada's Anti-Spam Legislation

Exception - 3rd Party Referrals

Example:

• Susan, a friend of Joe, could suggest to her accountant that the accountant send an e-mail to Joe offering the accountant’s services.

• So long as the accountant sends one unsolicited e-mail only to Joe and states in the e-mail that Susan referred the accountant to Joe, the accountant will not have violated CASL

Page 46: Understanding and Complying with Canada's Anti-Spam Legislation

Newly Added Exceptions to the Prohibitions

• A CEM sent/received on an EM service if the disclosure/unsubscribe mechanisms are conspicuously published and readily available on the user interface, and the person receiving the message has given express/implied consent to receive it (e.g. BB Messenger, WhatsApp)

Page 47: Understanding and Complying with Canada's Anti-Spam Legislation

Newly Added Exceptions to the Prohibitions

• A CEM sent to a limited-access and confidential account to which messages can only be sent by the account provider to the receiver (e.g. messages sent by a financial institution to a customer through an on-line banking account)

Page 48: Understanding and Complying with Canada's Anti-Spam Legislation

Newly added exceptions to the Prohibitions

• A CEM sent by a person who reasonably believes the CEM will be accessed in a foreign state (listed in schedule to Regs) and the message conforms to the anti-spam law of the foreign state

• A CEM sent by or on behalf of a registered charity where primary purpose is to raise funds for the charity

• A CEM sent by or on behalf of a political party/candidate and primary purpose is soliciting a contribution

Page 49: Understanding and Complying with Canada's Anti-Spam Legislation

IC Regulations re: “personal relationship”

• Persons who have had a “direct, voluntary, two-way communication” will qualify as having a personal relationship where it is reasonable to conclude that the relationship is personal based on all relevant factors, including the sharing of interests, experiences and opinions, the frequency of communications, the length of time since the parties communicated and whether the parties have met in person.

Page 50: Understanding and Complying with Canada's Anti-Spam Legislation

IC Regulations re “personal relationship”

• The proposed definition of “personal relationship” would allow relationships formed solely on electronic communications (e.g. Facebook) to potentially qualify for an exception to the Key Prohibitions

Page 51: Understanding and Complying with Canada's Anti-Spam Legislation

Computer Programs

Dave Spratley

Page 52: Understanding and Complying with Canada's Anti-Spam Legislation

Malware & Spyware: CASL s. 8

• 8 (1) A person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person’s computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless

• (a) the person has obtained the express consent of the owner or an authorized user of the computer system and complies with subsection 11(5); or

• (b) the person is acting in accordance with a court order

Page 53: Understanding and Complying with Canada's Anti-Spam Legislation

The Prohibition - Purpose

• Meant to reduce instances of malware and spyware

Page 54: Understanding and Complying with Canada's Anti-Spam Legislation

The Prohibition - Key Points

• “Computer program” and “computer system” incorporate broad definitions from Criminal Code -- not just limited to malware and spyware

• “Installing” is not defined

Page 55: Understanding and Complying with Canada's Anti-Spam Legislation

Consent

• Requires express consent, not implied (requirements for express consent as discussed previously)

• Must clearly and simply describe, in general terms, the computer program’s function and purpose

Page 56: Understanding and Complying with Canada's Anti-Spam Legislation

More Consent - s. 10(5) - computer programs

• If computer program performs certain specified functions, must clearly and prominently, separately from the licence agreement:

• describe the program’s material elements that perform the function, including the nature and purpose of those elements and their reasonably foreseeable impact on the operation of the computer system, and

• bring those elements to the person’s attention

Page 57: Understanding and Complying with Canada's Anti-Spam Legislation

More Consent - computer programs - CRTC Regs

• bring those material elements to the person’s attention separately from any other information provided in a request for consent

• get written acknowledgement that the person understands and agrees that the program performs the specified functions

Page 58: Understanding and Complying with Canada's Anti-Spam Legislation

More Consent - computer programs

any of these functions that the person seeking consent knows and intends will cause the computer system to operate in a manner that is contrary to the owner’s or authorized user’s reasonable expectations:

• collecting personal information stored on system

• interfering with control of the system

• changing or interfering with settings, preferences, etc., without owner’s knowledge

Page 59: Understanding and Complying with Canada's Anti-Spam Legislation

More Consent - computer programs cont’d

• changing or interfering with stored data in a way that obstructs, interrupts or interferes with lawful access to or use of the data

• causing system to communicate with another system or device without authorization

• installing a program that may be activated by a third party without knowledge

• any other prescribed function

Page 60: Understanding and Complying with Canada's Anti-Spam Legislation

Deemed Consent - 10(8)

• a person is deemed to have expressly consented to installation of listed computer programs (e.g., cookies, HTML code, operating systems) if person’s conduct is such that it is reasonable to believe that the person consents to the installation

Page 61: Understanding and Complying with Canada's Anti-Spam Legislation

Deemed Consent - 10(8)

• IC regs allow telecom service providers to install programs on customers’ computers / devices to:

• protect network security

• update / upgrade network

• prevent failure of computer system or program

Page 62: Understanding and Complying with Canada's Anti-Spam Legislation

Cookie conundrum?

• 10(8) specifically mentions cookies -- are they therefore “computer programs” and subject to CASL?

• IC: cookies are not programs -- they are not executable, cannot carry viruses and cannot install malware

• CRTC: cookies are programs … but cannot be “installed” and so not subject to CASL

Page 63: Understanding and Complying with Canada's Anti-Spam Legislation

Updates / Upgrades

No consent required for update/upgrade if:

• express consent to the installation and use of original program

• person who gave consent is entitled to receive the update/upgrade under the terms of the express consent

• update/upgrade is installed in accordance with those terms

Page 64: Understanding and Complying with Canada's Anti-Spam Legislation

Withdrawal of Consent - 11(5)

Person who receives express consent for installation of program must:

• for 1 year after installation, ensure that the consenting person is provided with an electronic address through which to request program’s removal or disabling

• if consent based on inaccurate description of program’s material elements, on receipt of that request within the 1-year period assist the person in removing or disabling the program as soon as feasible, without cost to the person

Page 65: Understanding and Complying with Canada's Anti-Spam Legislation

Computer Programs - Timing

• Effective: January 15, 2015

• Transition: if program already installed before, consent to update / upgrade implied until earlier of:

• consent withdrawn

• January 15, 2018 (3 years after s. 8 in force)

Page 66: Understanding and Complying with Canada's Anti-Spam Legislation

Altering Transmission Data

Dave Spratley

Page 67: Understanding and Complying with Canada's Anti-Spam Legislation

Pharming: CASL s. 7

• cannot in the course of commercial activity alter or cause to be altered the transmission data in an EM so that it is delivered to a destination other than or in addition to that specified by sender, unless:

• express consent

• court order

Page 68: Understanding and Complying with Canada's Anti-Spam Legislation

Pharming Prohibition: Purpose

• to combat “pharming”: using electronic measures to redirect traffic to a fraudulent site

• does not apply to alterations by telecom service providers for network management purposes

Page 69: Understanding and Complying with Canada's Anti-Spam Legislation

Pharming Prohibition: Consent

• same express requirement rules as discussed above

• if you have express consent to alter transmission data:
  • must provide an electronic address to which person may send notice of withdrawal of consent
  • give effect to notice of withdrawal of consent without delay, and in any event within 10 business days after notice

Page 70: Understanding and Complying with Canada's Anti-Spam Legislation

How to Prepare

Tamara Hunter

Page 71: Understanding and Complying with Canada's Anti-Spam Legislation

Time is on our side … but not for too long!

• Coming-into-force is now 6 months away

• Then transition period - implied consent arising from existing business relationship will work until earlier of:

• Person withdrawing consent

• 3 years after CASL in force

Page 72: Understanding and Complying with Canada's Anti-Spam Legislation

Raise Awareness and establish Compliance Team

• Raise awareness with senior management (deadlines, penalties and risks, preparation will be complex)

• Develop compliance team

• Team should include sales/marketing, customer support, communications, privacy, legal, risk management, IT, and HR

Page 73: Understanding and Complying with Canada's Anti-Spam Legislation

Assess CEMs

• Consider and identify what kinds of CEMs your organization currently sends and what CEMs it is likely to want to send going forward

• Develop an inventory of all CEMs

Page 74: Understanding and Complying with Canada's Anti-Spam Legislation

Develop CEM Inventory

• Develop an inventory and identify, within the inventory, which CEMs fall within an exception or a time-limited implied consent (e.g. an existing business relationship that will “expire” after two years)

• Develop “stop send” mechanisms that will kick in when appropriate (e.g. on date when two years will expire for existing business relationships or when customer expressly withdraws consent)

Page 75: Understanding and Complying with Canada's Anti-Spam Legislation

Consider upgrading to express consent

• CASL creates a complex web of requirements and exceptions

• Difficult to determine which exception, if any, might apply in what circumstances

• CASL clearly allows sending CEMs with prior consent -- so consider using available time to get consent rather than worrying about fitting into an exception

Page 76: Understanding and Complying with Canada's Anti-Spam Legislation

Upgrading to express consent

• Upgrade to express consent where possible and, when express consent obtained, develop mechanism to reflect this in spreadsheets/system (to override the “stop send” that would otherwise kick in)

• Express consent does not expire (but can be withdrawn expressly)

Page 77: Understanding and Complying with Canada's Anti-Spam Legislation

CEM Management - ongoing

• Use spreadsheets and a coordinated internal communications and training plan to make all of this work

• Review and update inventory every six months

• Training is not a one-time event – refreshers will be required

Page 78: Understanding and Complying with Canada's Anti-Spam Legislation

Unsubscribe mechanisms

• Make sure unsubscribe mechanisms and notices are in place and meet all existing requirements

• Make sure organization can comply with unsubscribe requests in specified time frames

Page 79: Understanding and Complying with Canada's Anti-Spam Legislation

Internal Education and Compliance

• Implement policies, guidelines, training, procedures, controls, etc., as necessary to make sure your organization is CASL-ready

Page 80: Understanding and Complying with Canada's Anti-Spam Legislation

QUESTIONS?

Page 81: Understanding and Complying with Canada's Anti-Spam Legislation

Disclaimer

This publication is intended to provide our general comments on developments in the law. It is not intended to be a comprehensive review nor is it intended to provide legal advice. Readers should not act on information in the publication without first seeking specific advice on a particular matter. Readers should consult a qualified health professional before consuming actual canned meat.

Page 82: Understanding and Complying with Canada's Anti-Spam Legislation

Tamara Hunter
604.643.2952

David Spratley
604.643.6359

Chris Bennett
604.643.6308