Canada Anti-Spam Legislation: Review and Update
Agenda Introduction Overview Nuts and Bolts Compliance Strategies CRTC Administrative Penalties July 1, 2017 Changes
July 1, 2017 What Does it Mean? Final provisions of CASL becomes effective: Individuals gain a personal right of action June 7 th update: Provision temporarily suspended!! The transition rules for Implied Consent are no longer effective
CASL - An Overview
It s a Mouthful! CASL actually: An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act. Better Yet: Canada Anti-Spam Legislation (CASL)
What Is it Really? Federal Legislation (i.e., Canada wide) designed to promote e-commerce and discourage unsolicited electronic messaging as a business and marketing tool Response to the proliferation of spam Takes a prohibitive approach not a permissive one Deters most damaging and deceptive forms of spam
What Does CASL Capture? Applies to Email Marketing, and all Social Media Marketing for a commercial activity Barring specific exemptions, don t assume that recipients want to receive marketing materials get consent! Very broad coverage Commercial Electronic Messages (CEMs) Malware / Spyware Automatic Information Collection
CEMs What Are They? Commercial Electronic Messages - message sent by any means of telecommunication, including a text, sound, voice or image message, to an electronic address E-mail / instant messaging accounts Similar accounts Several classes of commercial messaging are exempted from CASL Phone conversations Messages sent via fax to telephone accounts Voice recordings sent to a telephone account
CASL Nuts and Bolts
Is an Electronic Message Commercial? Commercial message: content that as one of its purposes encourages participation in a commercial activity, regardless of whether this is done with the expectation of profit Messages that offer to sell or advertise products Messages that promote a person or corporation, including personal contact information Messages that aim to collect consumer or market information Messages aimed at obtaining consent to send further messages
Exemptions From CASL Do Exist CEM provides only factual info about a subscription, membership or account CEM sent to an individual with whom the sender has a personal or family relationship CEM sent to a person engaged in a commercial activity and consists solely of an inquiry or application related to that person s commercial activity Any CEM sent in response to a request, inquiry, complaint or otherwise solicited by the person receiving the CEM
Exemptions From CASL Do Exist (con t) Employee to employee CEMs between companies that have a business relationship and the CEMs relate to the company receiving the message A CEM sent to satisfy or inform of a legal obligation, recall notice or warranty information A one-time CEM sent to someone without consent, relying on a referral from a 3rd party, as long as the sender discloses the name of the person making the referral, and as long as the person making the referral has a relationship with both the sender and the receiver
GET CONSENT! Two things to think about in order to comply with a Non-exempt CEM: Need Consent from the receiver Express Consent; or Implied Consent CEM Content must contain Information Disclosure Unsubscribe Mechanism
Picture It CEMs Non-Exempt Consent Do I have?? Content Is it there? Express Implied Disclosures Unsubscribe Gold Standard Limited Time Required Info Mechanism Oral Keep Records Written Preferred Previous Business Relationship Is it really? Previous Non- Business Relationship Close enough? Published Info Relevant Info
Express Consent Go to form of consent Required disclosures to obtain consent Purpose of the request Name and contact information of party making the request for consent Communication must include statement that consent can be withdrawn at anytime (an unsubscribe option)
Implied Consent Onus on the Sender Business Relationship Contractual Relationships Parties to leases, contracts for sale Supply or Services contracts Relationship Outside Business Shared volunteer associations Membership in clubs or groups Address of Recipient is Published Hasn t previously withdrawn consent Information is relevant to the recipient s duties
Content Requirements Disclosure of Information Who is sending the CEM The name of the agent used (if any) Sender s contact information Unsubscribe Option Must advise receiver they can unsubscribe at anytime Receiver must be able to reply directly to the notice
Express Consent Means EXPRESS!
Express Consent Be Careful
Unsubscribing Examples
CASL What is Compliance?
Staff Knowledge & Compliance Groups Internal buy-in is key E-mails to staff / required replies Senior and Mid-level management messaging Continual process, not a one time event Cross organizational compliance group Leaders across divisions Information Tech / sales & marketing / administrative CASL compliant database of CEMs ABR - Always Be Reminding
The CASL 500 CASL not a one lap race Compliance on Day 1 doesn t mean compliance forever Coordinate departmental communications and develop/implement training plan Don t forget new employees Refresher courses Targeted training CEM Database review benchmarks Monthly / quarterly Are management tools working
Show Me the Solution! voicemail or calls events and meetings email signature online presence
Customer Interactions Every interaction with a contact is an opportunity to invite people to join your list Business Card drops, voicemail, sales/service invoices & quotes
CRTC Administrative Penalties
March 5, 2015: Compu-finder Company data-mined websites for email addresses Sent unsolicited offers to recipients for educational training Relied on implied consent Email addresses were posted on websites Forgot to ensure offers were relevant to recipients business Didn t provide a working unsubscribe mechanism CRTC found that Compu-finder flagrantly violated CASL $1,100,000.00 penalty levied against the company
June 2015: Porter Airlines Agreed to pay $150,000.00 penalty and undertake an update of its compliance program Sent out emails to business contacts Relied on both express and implied consent provisions Couldn t prove any express consent Content requirements weren t clearly laid out Unsubscribe mechanism was incomplete or missing
November 2015: Rogers Media Agreed to pay a $200,000.00 penalty and undertake an update of its compliance program Penalty centered around the unsubscribe process Mechanism applied was not readily performed Missing in some cases Unsubscribe requests took longer than 10 days to process
October 2016: Blackstone Learning Notice of Violation issued and $640,000.00 penalty levied company appealed the findings and the penalty amount Company relied on implied consent provisions of CASL Email addresses used were conspicuously published CRTC decision: publicly available email addresses not a blanket authorization to send CEMs In both express and implied consent the onus is on the sender to establish consent has been obtained Company failed to make out any form of consent But penalty reduced to $50,000.00 on hardship basis
July 1, 2017 CASL Provisions
It s Here Are You Ready?? Main body of CASL came online July 1, 2014 3 year transition period in some cases Implied consent rules and time periods Parties having a right of action
New Implied Consent Rules Implied Consent rules during the transition period: For a period of 3 years after July 1, 2014 Valid until express consent was obtained or withdrawn So long as there was any relationship previous to July 1, 2014, implied consent could be used Provided remaining CASL provisions were followed
New Implied Consent Rules As of July 1, 2017 Can no longer rely on a previous business interaction for implied consent Must be an existing business relationship actually done related business with the party in the prior two year period OR the party receiving CEM must have made a related inquiry within the previous six months Database management systems need to track new limitation periods and dynamically update contact permissions Consider eliminating implied consent, only have express
Picture It again CEMs Non-Exempt Consent Do I have?? Content Is it there? Express Implied Disclosures Unsubscribe Gold Standard Limited Time Required Info Mechanism Oral Keep Records Written Preferred Existing Business Relationship Is it really? Existing Non- Business Relationship Close enough? Published Info Relevant Info
Private Right of Action
Private Right of Action Until June 30, 2017, CRTC has sole authority to investigate complaints and issue penalties Once/If order is lifted, private parties will have right to sue personally in civil court Action must be started within 3 years of receiving CEM Liability is up to $200 per day for each CEM, not to exceed $1,000,000 per day of breach Small risk of liability to any one person, but very large risk through class action suits or corporate actions Potential for both administrative penalties AND civil liability
Take Away Points CRTC is showing a willingness to levy penalties under CASL Some evidence they are gearing up for a new round of enforcement The transition rules for implied consent are about to lapse New implied consent rules create potential database management issues and new opportunities for penalties A focus on obtaining express consent is prudent New civil liability provisions about to come online Large exposure to class actions and corporate actions Civil liability in addition to administrative penalties