Canada's New Anti-Spam and Anti-Spyware Regime: Why You Need to Get Ready Now
September 15, 2011
Presented by: Michael Fekete, Andraya Frith, Nicole Kutlesa, Patricia Wilson
Overview
- Introduction and overview
- History of legislation
- Breadth of anti-spam and anti-spyware rules
- Primary requirements
- Comparison to PIPEDA and CAN-SPAM Act
- Key issues affecting business practices
- Enforcement regime
- Tips on getting ready for CASL
A long and winding road
- 2004: GoC Task Force on Spam launched
- 2005: Task Force report
- 2009: Bill C-27
- 2010: Bill C-28
- December 15, 2010: Royal Assent
- Informal name: Canada's Anti-spam Law (CASL)
- Fall 2011: Final regulations expected
- Late 2011 or early 2012: Expected coming-into-force date
Structure of CASL
- Standalone legislation covering:
  - spam
  - spyware
  - altering transmission data (to redirect or copy an electronic message)
- Amendments to:
  - CRTC Act: enforcement regime
  - Competition Act: false and misleading messages/sender information
  - PIPEDA: address harvesting/accessing a computer to collect PI
  - Telecommunications Act: potential repeal of national Do-Not-Call List
- CASL takes precedence in the event of conflict, but does not replace related provisions of PIPEDA
Breadth of anti-spam rules
The new rules apply to electronic messages (no minimum number) when sent:
- by telecommunication,
- to an electronic address (i.e., an email, instant messaging, telephone or similar account),
- for the purpose of encouraging participation in a commercial activity (no "primary purpose" standard),
- if a computer system located in Canada is used to send or access the message
Breadth of anti-spam rules (continued)
Limited exemptions for:
- family or personal relationships (as defined by regulation)
- business inquiries (about the recipient's commercial activity)
- interactive two-way voice communications between individuals
- fax messages sent to a telephone account
- voice recordings sent to a telephone account
Primary requirements regarding CEMs
- Express consent
  - opt-in
  - positive confirmation
  - debate regarding opt-out
- A message requesting consent is deemed to be a commercial electronic message ("CEM")
- Disclosure requirements for consent
  - purpose
  - prescribed requirements (draft regulations):
    - consent request must be in writing
    - consent must be sought separately for each act
    - identity and contact information
    - consent withdrawal statement
Primary requirements regarding CEMs (continued)
Exceptions to express consent:
- transactional messages
  - sole purpose
  - exhaustive list, subject to regulations
- implied (deemed) consent
  - existing business relationship (EBR) and existing non-business relationship (ENBR)
    - exhaustive lists, subject to regulations
  - conspicuous publication or disclosure of electronic address
    - message must be relevant to the recipient's business/professional role
Primary requirements regarding CEMs (continued)
- Form and content requirements
  - unsubscribe mechanism (draft regulations set a maximum of 2 clicks)
  - identity and contact information
- Opt-outs must be operationalized without delay, and no later than 10 business days
- Sender's contact information must be valid for 60 days
Breadth of anti-spyware rules
The new rules apply to a person who:
- installs a computer program (no malware threshold) on another person's computer system, OR
- causes an electronic message to be sent from a computer system on which the person installed a computer program,
IF the computer system is located in Canada or the person is in Canada.
Exemption for complying with a court order.
Primary requirements regarding computer programs
- Express consent
- Disclosure requirements for consent
  - general function and purpose of the computer program
  - detailed function-specific information (to be disclosed separate and apart from the licence agreement) if:
    - enumerated higher-risk function (e.g., collection of stored personal information; change to computer settings), AND
    - knowledge and intent that the computer will operate contrary to the reasonable expectations of the user or owner
  - prescribed requirements (draft regulations): same as for CEMs, PLUS acknowledgment of higher-risk functions must be in writing
Primary requirements regarding computer programs (continued)
Exceptions to consent: where the person's conduct makes it reasonable to believe consent has been given to the installation of:
- a cookie
- HTML code
- JavaScript
- an operating system
- a program executable only through another program for which express consent to installation or use has been given
- an update or upgrade, but only where qualifying express consent was given to the original installation and to the update/upgrade program
Comparison to PIPEDA
- PIPEDA adopts a principles approach to privacy; CASL is rules-based: ban all except that which is permitted
- PIPEDA allows for opt-out consent when using non-sensitive PI for marketing purposes; CASL requires express consent, with limited exceptions
- PIPEDA relies on soft enforcement principles; CASL introduces material penalties and a reasonable prospect of class actions
Comparison to CAN-SPAM Act
- CAN-SPAM applies only to email messages; CASL also applies to instant messages and text messages
- CAN-SPAM relies on opt-out consent; CASL requires express consent, with narrow exceptions
- CAN-SPAM applies only if the primary purpose is commercial; CASL applies if any content is commercial
Examples of key issues
- Fresh consent
- Limited grandfathering
  - time limits applicable to EBRs and ENBRs do not apply for three years, BUT only for those EBRs and ENBRs which included communications using CEMs
- Consent from minors
- Social media
- Writing requirements
Key issues (continued)
- EBR definition
  - free products and services
  - gaming opportunity
  - written contract
- Refer-a-friend programs
- Inclusion of unsubscribe mechanism in transactional messages
- Potential impact on online behavioural tracking
Enforcement provisions - Outline
- Administrative Monetary Penalties ("AMPS")
- Private Right of Action
- Compliance Undertakings
- Complaints and Court Reviews under PIPEDA
- Offences and Reviewable Conduct Hearings under the Competition Act
- The interplay of enforcement measures is important; it will drive mitigation strategies for those experiencing a CASL contravention
Enforcement provisions - AMPS
- Administered by the CRTC
- Applies to contraventions of sections 6-9 (unsolicited CEMs; altering transmission data; installation of computer programs; aiding, inducing, procuring or causing same)
- Maximum penalty of $10,000,000 per violation for businesses; $1,000,000 for individuals (i.e. per message, installation or alteration)
Enforcement provisions - AMPS
AMPS procedure:
- Three (3) year limitation period for issuing a notice of violation
- CRTC decides whether a violation was committed on a balance of probabilities
- CRTC can order a person to cease contraventions
- Appeal to the Federal Court of Appeal
Enforcement provisions - AMPS
- Directors and officers: AMPS may be levied against directors, officers, agents and mandataries of corporations
- Corporations: vicariously liable for employees/agents acting within the scope of employment/duties
- Due diligence: no violation if due diligence to prevent commission of a violation is established
- Common law defences: apply to the extent consistent with CASL
CASL Enforcement - Private Right of Action
- Persons allegedly affected by contraventions of sections 6-9, PIPEDA or Competition Act provisions can apply for a court remedy
- Three-year limitation period, subject to extension by the court
- Class action potential for CASL statutory damages claims is high
- Cannot apply for a court remedy if an undertaking has been entered into or a notice of violation served
- Undertakings may not be entered into, and a notice of violation may not be served, if a CASL court application has been commenced
- Strategic considerations are necessary where early settlement of a class action under CASL will prevent AMPS
CASL Enforcement - Private Right of Action (continued)
Court may order:
- Loss, damages suffered or expenses incurred
- Statutory damages to a maximum of $200 per contravention of section 6 (unsolicited CEMs), to a maximum of $1 million for each day the contravention occurred / $1 million per contravention of CASL, Competition Act or PIPEDA, as applicable
CASL Enforcement - Penalty and Damages Factors
- The purpose of AMPS and statutory damages is to promote compliance, not to punish
- CRTC and the Court must consider the following in determining AMP amounts and statutory damages:
  - Purpose of the order
  - Nature and scope of the contravention
  - History of contraventions/violations
  - History of undertakings to comply
  - Financial benefit from the contravention
  - Ability to pay
  - Whether applicants/affected persons have received voluntary compensation
Preparatory work
- Scrubbing existing databases or re-qualifying customer and contact lists with fresh, express consent
  - This should be done before CASL comes into force
- Taking steps to trigger the grandfathering provision
- Modifying procedures for obtaining and documenting consent
  - Meeting content requirements for express consent
  - Building into databases fields that can be used to pull data that meets applicable criteria, and testing such systems
    - Dates when a contract was entered into, a product purchased, an inquiry made, etc. (to track EBR)
    - Monitoring expired business relationships
Preparatory work (continued)
- Modifying procedures for meeting CEM content, unsubscribe and withdrawal-of-consent obligations
- Updating relevant documents, including:
  - third-party service agreements
    - address compliance with CASL (incl. address harvesting provisions)
    - ensure appropriate reps, warranties and indemnities
  - internal privacy and email marketing policies and procedures (both for compliance and due diligence purposes)
    - ensure training of employees and document same
  - published privacy policies/statements
Preparatory work (continued)
- Modifying procedures for meeting consent and disclosure rules applicable to computer programs
- Addressing other compliance challenges created by CASL:
  - false and misleading messages/sender information
  - address harvesting
  - accessing a computer to collect PI
Questions?
Michael Fekete (416) 862-6792 mfekete@osler.com
Nicole Kutlesa (416) 862-6417 nkutlesa@osler.com
Andraya Frith (416) 862-4718 afrith@osler.com
Patricia Wilson (613) 787-1009 pwilson@osler.com