Canada's Anti-Spam Legislation: What Nonprofits Need to Know Before July 1, 2014


Published in: Technology, News & Politics

  1. Canada’s Anti-Spam Legislation: What Charities and Not-For-Profits Need to Know Before July 1, 2014. Maanit Zemel, Miller Thomson LLP / 416.595.7907 / 416.937.9321
  2. Overview
     1. Overview of Canada’s Anti-Spam Legislation (CASL)
     2. The Commercial Electronic Messages (CEM) Requirements
     3. Tips for preparing for CASL
     4. Other CASL requirements
  3. What is Canada’s Anti-Spam Legislation (“CASL”)? The problem:
  4. What is CASL? (cont’d) The solution:
     • CASL regulates a broad range of electronic / online activities including:
       • Commercial electronic messages (CEM)
       • The installation of computer programs
       • Misleading advertising and marketing practices
       • Privacy invasion via your computer
       • Collecting email addresses without consent (email harvesting)
  5. What is CASL? (cont’d) Anyone can complain to the regulators by filing a complaint at:
  6. Fundamental Underlying Principles
     • All of the regulated activities may only be carried out:
       1. With informed consent; and
       2. With clear identification of the sender
     • “Opt-In” Regime
  7. Significant Consequences for Non-Compliance
     • Administrative monetary penalties:
       • Individuals – fines up to $1 million per violation
       • Corporations – fines up to $10 million per violation
     • Private rights of action
     • Class actions
     • Vicarious liability of corporation for employees
     • Liability of officers and directors for acts of corporation
     • Sweeping investigative powers (search and seizure orders)
  8. When will CASL be in force?
     • Three important dates:
       • July 1, 2014: requirements respecting CEMs
       • January 15, 2015: requirements respecting computer programs
       • July 1, 2017:
         • End of transition period for implied consent
         • Private rights of action
  9. Regulating Bodies
     • 3 Federal bodies:
       1) CRTC – CEMs and installation of computer programs
       2) Privacy Commissioner – collection of personal information and address harvesting
       3) Competition Bureau – misleading online advertising and marketing practices
  10. Commercial Electronic Messages (“CEM”s)
      • What is a CEM? A CEM is a message sent by any electronic means (i.e., email, text, instant message, tweet) that has, as its purpose, or one of its purposes, to encourage participation in a “commercial activity”
  11. What is a CEM (cont’d)
      • “Commercial activity” is: “any particular transaction, act or conduct that is of a commercial character whether or not the person who carries it out does so in the expectation of profit”
  12. Do Charities / NPOs Transmit CEMs?
      • Yes!
      • Examples of CEMs:
        • Emails seeking donations
        • Emails seeking volunteers / members
        • Emails selling tickets to an event / lottery
        • Emails promoting services
        • Emails promoting a charitable event / activity
        • Electronic newsletters
        • Emails promoting the organization / charity
  13. CEM Requirements
      • You are prohibited from sending a CEM to an electronic address unless:
        • The receiver has already consented to the receipt of the CEM; and
        • The CEM contains certain prescribed information
      • Subject to limited exclusions / exemptions
  14. CEM Consent Requirements
      • CEMs may only be sent with recipient’s express or implied consent
      • Onus of proving consent rests with sender
  15. CEM Consent (cont’d) An electronic message requesting consent is a CEM and is therefore prohibited (post July 1, 2014)
  16. Express Consent
      • Request for express consent may be obtained orally or in writing
      • Request for consent must include:
        • The purpose for which consent is being sought (“clearly and simply”)
        • Sender’s identifying and contact information and/or on whose behalf consent is being sought
        • Statement that receiver can withdraw their consent
  17. Implied Consent
      • Consent may be implied when:
        • the recipient has:
          1) “conspicuously published” his/her electronic address (on a website for example)
          2) has not indicated a desire to not receive unsolicited CEMs; and
          3) the message is relevant to recipient’s business role, duties or functions
        • the recipient has:
          1) disclosed his/her electronic address to sender without indicating a wish not to receive unsolicited CEMs (e.g., business card); and
          2) message is relevant to person’s role or duties in business or official capacity
  18. Implied Consent (cont’d) – “Non-Business Relationship”
      • Applies to charities and NPOs
      • Consent is implied when:
        • Sender is registered charity and recipient made donation or performed volunteer work in preceding two years
        • Sender is a non-profit organization and recipient has been a member in the preceding two years
  19. Implied Consent (cont’d) – “Existing Business Relationship”
      • In the two years prior to the sending of the CEM, the recipient had:
        • Purchased / leased / bartered a product / good / service / land from the sender;
        • accepted a business / investment / gaming opportunity offered by the sender; or
        • a written contract is created between the recipient and the sender.
      • Or - Six months before the message is sent, the sender received from the recipient an inquiry or application about one of the items above.
  20. Implied Consent (cont’d)
      • 3 Year Transitional Period:
        • For parties who are in an existing business or non-business relationship - implied consent is extended until July 1, 2017
        • This means that charities and NPOs have implied consent from their donors, volunteers and members until July 1, 2017
  21. Information Requirements for CEMs
      • All CEMs must include:
        • Identifying and contact information of sender (or on whose behalf CEM is sent)
        • A means by which to contact the sender (to be effective for at least sixty days)
        • An “unsubscribe” mechanism
      • When not practical to include in CEM, this information must be posted on a website and the CEM must include a link to that website, which is clearly and prominently set out in message and is readily accessible
  22. “Unsubscribe” Mechanism:
      • Must be effective for 60 days
      • Must be given effect within 10 days of request
      • Must be at no cost to requester
  23. Exemptions from CEM Requirements
      • Registered Charities Exemption: CEMs sent by or on behalf of a registered charity and “the message has as its primary purpose raising funds for the charity”
  24. Charities Exemption
      • Emphasis is on “primary purpose” of message
      • Examples:
        • Email that provides information about the charity’s work and contains one sentence at the bottom asking for donations - is it for the primary purpose of raising funds?
          • probably not
        • Email that sells tickets to a charitable event – is it for the primary purpose of raising funds?
          • probably yes
  25. Charities Exemption (cont’d)
      • What does “raising funds” mean?
      • Is it different than “fundraising”, as interpreted by the CRA?
      • CRTC likely to focus less on the intended use of the funds and more on the content of the message
  26. Other CEM Exemptions
      1) “Personal” or “family” relationship
      2) A CEM that consists solely of an inquiry or application
      3) Solicited CEMs - sent in response to a request, inquiry or complaint, or otherwise solicited by the person to whom the message is sent
      4) Internal CEMs – sent within an organization / business and concerns the activities of that organization / business
      5) CEMs between organizations / business – if the businesses / organizations “have a relationship” and the CEM concerns activities of the receiver business / organization
      6) CEMs sent to enforce a legal right
  27. CEM Exemptions (cont’d)
      7) CEMs sent within an electronic platform where “unsubscribe” and identifying information is conspicuously published and readily available (e.g., within a social network)
      8) CEM sent within a limited-access secure account by the person who provides that account (e.g., banking portals)
      9) CEM sent by a political party for the primary purpose of soliciting contributions
      10) CEMs sent to a foreign jurisdiction (but must comply with foreign anti-spam laws)
      11) Two way voice communications
      12) Faxes and voicemail messages sent to telephone accounts
  28. Exemptions that must contain info and “unsubscribe”
      • In limited circumstances, there is no need to obtain consent but must still include prescribed information (identifying info + unsubscribe):
        1) Third party referral - the first CEM sent to a person based on a referral from a third party, after which consent will be needed for added CEMs
        2) Provision of quote or estimate in response to a request
        3) Warranty, recall or product safety information
        4) CEM that delivers a product or service, including updates and upgrades
        5) CEM that facilitates or confirms transactions
        6) CEM that provides factual information about:
           • Ongoing subscription, membership, accounts, loans
           • Ongoing use or ongoing purchases
           • Employment relations or benefit plans for employees
  29. CASL Flowchart for Charities/NPOs (flowchart boxes, in transcript order)
      • Do you send CEMs?
      • You may be exempt from compliance only if: The primary purpose of CEM is to raise funds for the charity*
      • Are you a Registered Charity?
      • No further action required
      • Is the CEM:
        • A third party referral?
        • Providing a quote or estimate in response to a request
        • Providing warranty, recall or product safety information
        • Delivering a product or service, including updates and upgrades
        • Facilitating or confirming transactions
        • Providing factual information about:
          1. Ongoing subscription, membership, accounts, loans;
          2. Ongoing use or ongoing purchases;
          3. Employment relations or benefit plans for employees
      • No further action required
      • No consent required but CEM must include:
        • Identifying information
        • Unsubscribe mechanism
      • Do Other Exemptions Apply? Ex.:
        • Organization to organization
        • Personal / family relationship
        • Internal CEM
        • An inquiry / application
        • A response to an inquiry / request / complaint
        • To enforce a legal right
        • Sent within a secured access platform
        • Within a platform containing unsubscribe and ID info
        • To a foreign jurisdiction (must comply with foreign laws)
      • Is Consent Implied? Only if:
        1. You are a registered charity / Not-for-profit org.; and
        2. Recipient has been a donor, volunteer or member in the preceding 2 years
      • Implied consent only good for 2 years. Need to:
        1. Include prescribed info
        2. Keep track of 2 years
        3. Obtain express consent before 2 years expires
      • Before July 1, 2014:
        1. Obtain express consent
        2. Include prescribed ID info and unsubscribe mechanism in all CEMs
      • After July 1, 2014:
        1. Obtain consent in prescribed form
        2. Include prescribed ID info and unsubscribe mechanism in all CEMs
      • Branch labels: Yes; Yes; Yes; No / unsure; No; Yes; Yes (most likely); No (unlikely); No; Unsure – consider next step
  30. Tips for Preparing for CASL
      TIP #1: CONDUCT AN AUDIT
      • Does your organization send CEMs?
      • Is consent required?
      • Is consent implied?
      • What forms of express consent do you plan on obtaining?
      • Do you need to include prescribed information in CEM?
  31. Do You Send CEMs?
      • Most likely YES
      • Consider:
        1) What forms of electronic communications does the organization use to communicate with internal and external parties?
        2) On behalf of which entities does the organization send electronic communications?
        3) What third-parties send electronic communications on your organization’s behalf?
        4) To whom does the organization send electronic communications?
        5) What do these communications contain?
        6) What is the purpose of sending the electronic communications?
  32. Is Consent Required?
      • NPOs - most likely YES (unless meets one of the listed exemptions)
      • Registered charities:
        • You will not be required to obtain consent only if CEM is for primary purpose of raising funds for the charity (or meets one of the other exemptions)
      • Recommended: obtain consent for all CEMs
  33. Is Consent Implied?
      • Charities and Not-for-Profit Organizations have the benefit of 2 years implied consent for all registered donors, volunteers and/or members
      • Beyond 2 years (with exception of transitional period) – must obtain express consent
      • If you are going to rely on implied consent - you must keep track of the 2 year period for all donors, members and volunteers - create a “tickler” system
  34. Forms of Express Consent
      • If you are seeking express consent – ensure that it complies with form requirements
      • Proper forms of express consent:
        • Paper
        • Electronically, not in a form of a CEM, and cannot include a “pre-checked box”
      • Must set out clearly for what purpose you are seeking the consent
  35. Prescribed Information Requirements
      • If charities exemption applies:
        • No need for prescribed information
        • Consider including it anyway
      • All others:
        • Ensure that all electronic communications from your organization contain the prescribed identification
        • Ensure that all electronic communications from your organization contain “unsubscribe” function
        • Ensure that you implement the “unsubscribe” requests
  36. Tips for Preparing for CASL (cont’d)
      • TIP #2: Develop and Implement CASL Compliance Policies and Procedures
      • Due Diligence Defence – your best defence to CASL violations
  37. Compliance Policies (cont’d)
      • Develop and implement procedures for:
        • requesting, maintaining and implementing consents
        • keeping track of implied consents
        • implementing “unsubscribe” requests
      • Develop and implement CASL compliant language
  38. Tips (cont’d)
      • TIP #3: Training and Education
        • Train and educate management, employees and volunteers on CASL requirements
        • Develop a training program
        • Ensure all new hires / volunteers receive training
        • Consider training third-parties that are sending CEMs on your behalf
  39. Tips (cont’d)
      • TIP #4: Review your contracts with third parties – require CASL compliance and include indemnification provisions for non-compliance
      • TIP #5: Consider buying insurance for CASL
  40. Other CASL Requirements (non CEM)
      1) Installation of computer programs
      2) Unauthorized electronic collection of personal information
      3) Email address harvesting
      4) Prohibition against misleading marketing / advertising in electronic format
  41. Computer Programs
      • It is prohibited to install a computer program (e.g., software, applications etc.) on a computer or device (phone, tablet etc.) in Canada unless express consent is provided by owner
      • This requirement applies to upgrades and updates of the computer program
      • Express consent is assumed if:
        • Consent was provided at the time the program was installed
        • For telecommunication service providers
        • To address a failure in the system’s software or hardware
        • For specific types of programs (cookies, HTML code etc.)
      • Coming into force – January 15, 2015
  42. Computer Programs (cont’d)
      • Does this requirement apply to your organization?
        • Does your organization have an app for mobile devices?
        • Does your organization provide services through a computer program? (e.g., instructional video games)
        • Does your organization provide a program for its employees, members, donors etc. to be used to internally communicate with the organization (e.g., remote access)
      • If the answer is yes - you must seek consent for the installation, updates and upgrades of the program
  43. Computer Programs (cont’d)
      • Does your program:
        • Collect personal information?
        • Interfere with owner’s ability to control their device?
        • Change settings or preferences without the owner’s knowledge?
        • Interfere with data, preventing the owner from accessing it?
        • Cause the device to communicate with another without the knowledge of the owner?
        • Install any software that can be activated remotely by a third party?
      • If YES to any of the above - make this information clear when requesting consent
  44. Electronic Collection / Use Of Personal Information and Address Harvesting
      • CASL prohibits anyone from using electronic systems to collect and use personal information and email addresses without the express consent of the person whose information is collected / used
      • Review your online marketing strategy - does it perform any of these functions?
      • If yes - consider eliminating the practice altogether or obtaining consent
  45. How Can We Help You?
      • Auditing of current and future practices
      • Drafting and review of policies, processes, and documentation
      • Drafting and review of third party contracts
      • Compliance training
      • Representation before regulators and courts
  46. QUESTIONS? Maanit Zemel / Disclaimer: This presentation is provided as an information service and is a summary of current legal issues. The information is not meant as legal opinion or advice and viewers are cautioned not to act on information provided in this publication without seeking specific legal advice with respect to their unique circumstances. All rights reserved. This presentation may not be reproduced and redistributed without the prior written consent of the author.