
Preparing for Canada’s Anti-Spam Legislation: Conducting a compliance audit



Canada’s Anti-Spam Legislation establishes complex new rules for anyone sending email or other forms of electronic messaging, reinforced by significant penalties for non-compliance. Now that the regulations under the legislation are nearly finalized, it is time for organizations to begin preparing by conducting an audit of existing and future practices, identifying risks, and developing a compliance program.

Originally presented at the 2013 IAPP Canada Privacy Symposium held in Toronto, ON, on May 23, 2012.


  1. READY, SET, AUDIT! PREPARING YOUR ORGANIZATION FOR CASL
     • Matt Vernhout, Director, Client Support & ISP Relations, TC Media (@emailkarma)
     • Shaun Brown, Partner, nNovation LLP
  2. OUTLINE: PREPARING FOR CASL
     1. Primary requirements
     2. What we don’t know
     3. How to prepare
  3. STATUS
     • December 15, 2010 – Bill C-28 given Royal Assent
     • August 2011 – IC and CRTC regs published for comment
     • March 2012 – CRTC Regs finalized
     • October 2012 – Final CRTC Guidelines published
     • January 2013 – Draft Industry Canada regs published (part II)
     • Spam Reporting Centre
     • Coming into force 2014 (?)
  4. WHAT IS CASL?
     • Standalone legislation (CASL), plus amendments to PIPEDA and the Competition Act
     • Rules for sending commercial electronic messages (CEMs)
     • Rules for installing computer programs
     • Prohibits hacking/alteration of transmission data
  5. APPLICATION
     • Applies to any message sent to or from a computer system in Canada
     • More than email: IM, SMS, social media, etc.
     • Voice and fax currently excluded (covered by the DNCL)
  6. COMMERCIAL ELECTRONIC MESSAGE
     • Any message where “it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity”, including one that:
       • Promotes a product or service
       • Promotes business opportunities
       • Promotes an individual who does any of the above
     • A message to request consent is deemed to be a CEM
  7. THREE PRIMARY RULES
     1. Consent
     2. Identification
     3. Unsubscribe
  8. EXEMPTIONS
     • CEM sent between two individuals with a personal or family relationship
     • Message sent to inquire about or apply for a service (i.e., purchaser to vendor)
     • Exempt from all requirements of CASL
  9. 1. CONSENT (IMPLIED)
     • Consent can be express or implied
     • Four categories of implied consent:
       1. Existing business relationship
       2. Existing non-business relationship
       3. Conspicuous publication of electronic address
       4. Recipient has disclosed electronic address to the sender
  10. 1. CONSENT (EXPRESS)
     • CASL: clear notice, describe purposes, prescribed information
     • CRTC Regs:
       • Name of person seeking consent
       • Name of person on whose behalf consent is sought, if different; identify who is seeking, and on whose behalf
       • Contact info for either of the above, including: mailing address and any one of telephone # (live or voice mail), email address or a web address
       • Statement that consent can be withdrawn
     • CRTC Guidance: no pre-checked boxes; a separate box is not necessary if the person is req’d to fill in an email address next to the request for consent
  11. 2. IDENTIFICATION
     • Identification requirements apply to all CEMs
     • Identify the sender as well as the person on whose behalf the message is sent
       • Name by which the person carries on business
       • Must indicate who is “sending” and “on whose behalf” the message is sent
     • Contact information for either of the above
       • Mailing address and any of telephone number/email address/web address of either person
     • Information must be set out “clearly and prominently”
  12. 3. UNSUBSCRIBE
     • Must be functional for 60 days
     • No cost
     • Same means unless impracticable
     • Include either an electronic address or a link
     • Must be “able to be readily performed”
     • Must be processed without delay
  13. PUBLIC AND PRIVATE ENFORCEMENT (enforcement agency/mechanism; target/application; penalties)
     • Canadian Radio-television and Telecommunications Commission (CRTC) (CASL)
       • Target: consent, prescribed identification requirements and unsubscribe requirements
       • Penalties: administrative monetary penalties (AMPs) up to $1 million/violation for individuals; $10 million/violation for organizations
     • Competition Bureau (Competition Act)
       • Target: false or misleading representations in content, subject line, sender info
       • Penalties: can pursue civil or criminal remedies; AMPs similar to those available to the CRTC under CASL
     • Office of the Privacy Commissioner of Canada (PIPEDA)
       • Target: collecting, using, disclosing electronic address without consent; address harvesting and dictionary attacks
       • Penalties: no real powers for enforcement; can make recommendations or pursue an order in Federal Court
     • Private right of action
       • Target: violations of CASL, Competition Act and PIPEDA
       • Penalties: actual and/or statutory damages
  14. INDUSTRY CANADA REGS
     • Definition of personal/family relationship
     • Number of new exemptions:
       • Business communications within organizations and between organizations with ongoing business relationships
       • Response to a request, inquiry, complaint or message that is otherwise solicited by the recipient
       • Messages targeted to non-Canadians, advertising products not available in Canada; sender could not “reasonably be expected to know” the recipient is in Canada
       • Enforcing legal rights (e.g., court order, copyright, debt collection, etc.)
       • Third party referrals where the referring party has a personal, family or existing business relationship with sender and recipient (exemption from consent only)
     • Use of consent on behalf of an unknown third party
  15. WHAT WE DON’T KNOW: WHAT IS A CEM?
     • Where is the commercial “threshold”?
     • What elements are commercial (hyperlinks, logos, taglines, request to “like” on Facebook)?
     • What about “transactional” or “relational” messages?
     • Section 6(6) refers to certain types of CEMs as exempt from the need for consent if they solely (e.g., warranty, subscription information, delivering a product, etc.)
  16. WHAT WE DON’T KNOW: HOW TO TREAT LEGACY DATA?
     • How does CASL apply to pre-existing lists?
     • Increased flexibility where:
       • Consent not technically compliant (e.g., missing certain identification requirements)
       • Lack of evidence
  17. WHAT WE DON’T KNOW: SENDING ON BEHALF OF OTHERS
     • CASL states that messages must identify the person sending the message, and the person on whose behalf the message is sent, if different
     • What does it mean to send on behalf of another person? Does this refer to ESPs? List rentals? Both?
     • CRTC Guidelines: a person who may “facilitate the distribution of a CEM”, but who has “no role in its content or choice of the recipients”, need not be identified
  18. BUILDING A CHECKLIST
     • Who’s involved
     • Where to start
     • Data collection
     • Before broadcasting
     • After broadcasting
  19. WHO’S INVOLVED?
     • Privacy/Compliance team
     • Legal team
     • VP Marketing
     • Database Analytics team
     • Deployment teams
     • Account teams
     • Brand managers
  20. DATA COLLECTION
     • Audit data collection sources:
       • Internal sources
       • External sources
       • Point of sale
       • Call center
     • Identification requirements
     • Proper consent notices/options/scripts
     • Contact notices
  21. BEFORE BROADCASTING
     • Review CASL exemptions for this message: is it a CEM?
     • Review the content: postal address, unsubscribe, contact requirements
     • Review the list: remove addresses that have exceeded the 2-year consent period as needed
     • Review targeting of content to recipients
     • Test functionality of all links and seek appropriate approvals
  22. CHECKLIST REVIEWED (columns for each item: Yes/No | Yes/No | Client/TD | Deficiencies Noted/Comments)
     • Functional Check (Level 1):
       • Images render properly
       • Alt tags in place and correct
       • Check for image maps
       • Links go to correct page and are not broken
       • Links are tracked
       • Mailto functions properly and has NOTRACK
       • Display name and From address are correct
       • Subject line is correct and does not truncate
       • Subject line does not contain illegal characters
       • View as web page included
       • Personalization is present and populating correctly
       • Personalization is pulling from the correct DB
       • HTML text override
     • Compliance & EMS System Check (Level 3):
       • Postal address included
       • Unsubscribe link present and working
       • Correct database has been selected
       • Seed list has been added
       • Segmentation is correct
       • Recipient count is approved
       • Mailing list “send to duplicates” option on
       • Reply management is correct
       • Recipient cap field checked
  23. IS THIS A CEM? DO ANY EXCEPTIONS APPLY? (decision flowchart; only the node labels survive: Email message → Is this a CEM? → CASL does not apply; Exempt from s 6.5? → Exempt from s 6.6? → Consent is not required; Explicit consent / Implied consent → Proper ID and unsub? → Likely NOT compliant / Ready to send; Yes/No branches)
  24. AFTER BROADCASTING
     • Unsubscribe requirements being met:
       • 60 days of live access
       • Unsubscribes are being processed
     • Review metrics and begin next broadcast planning
  25. MANAGING UNSUBSCRIBES (K.I.S.)
     • Limit the number of data locations, for sync purposes and timing
     • Review current practices
     • Identify responsible individuals
     • Offer preference choices (opt-down vs. opt-out)
     • Vendor options: most email marketing providers can manage this for you and supply delta files
  26. RELATIONSHIP MARKETING
     • Identified risks:
       • Rolling window of consent
       • Unknown data
     • Mitigating risk:
       • Reduce the number of active databases
       • Backfill dates when possible
       • Re-confirm consent for unknown addresses prior to enforcement
       • Build automated solutions for sunsetting users
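The list review in slide 21 (remove addresses past the 2-year consent period) and the risk mitigations above (rolling window of consent, unknown data, re-confirmation before enforcement, automated sunsetting) can be encoded as a pre-broadcast filter over the consent records. The following Python is an added example and not part of the deck or the presenters’ own tooling: the field names, the three outcome labels and the sample records are assumptions, while the rules themselves are the ones the slides state (express consent stands until withdrawn, implied consent runs for the two-year window, unknown records are re-confirmed rather than mailed, unsubscribes are suppressed).

```python
"""Consent-window audit for a mailing list before a broadcast.

Added example, not taken from the slides. Field names, outcome labels and
the sample records are assumptions; the two-year window is the period the
deck cites for implied consent.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# "2 yr consent period" / "rolling window of consent" from the deck.
IMPLIED_CONSENT_WINDOW = timedelta(days=2 * 365)

SEND, RECONFIRM, SUPPRESS = "SEND", "RECONFIRM", "SUPPRESS"


@dataclass
class Contact:
    email: str
    consent_type: Optional[str]    # "express", "implied", or None when the legacy record is silent
    consent_date: Optional[date]   # date express consent was given, or last transaction for implied
    unsubscribed: bool = False     # unsubscribe request received / consent withdrawn


def classify(contact: Contact, today: date) -> str:
    """Decide whether one record may be mailed today."""
    if contact.unsubscribed:
        # Withdrawn consent overrides every other basis.
        return SUPPRESS
    if contact.consent_type == "express":
        # Express consent does not expire; it lasts until the recipient withdraws it.
        return SEND
    if contact.consent_type == "implied":
        if contact.consent_date is None:
            # Implied consent cannot be shown without the relationship date:
            # treat it as unknown data and re-confirm instead of relying on it.
            return RECONFIRM
        if today - contact.consent_date <= IMPLIED_CONSENT_WINDOW:
            return SEND
        # Rolling window has lapsed; drop the address from this broadcast.
        return SUPPRESS
    # Legacy record with no recorded consent basis at all.
    return RECONFIRM


def audit_list(contacts: List[Contact], today: date) -> Dict[str, List[str]]:
    """Partition the list into send / re-confirm / suppress buckets, preserving order."""
    buckets: Dict[str, List[str]] = {SEND: [], RECONFIRM: [], SUPPRESS: []}
    for c in contacts:
        buckets[classify(c, today)].append(c.email)
    return buckets


def expiring_within(contacts: List[Contact], today: date, days: int) -> List[str]:
    """Implied-consent addresses still mailable today whose window closes within `days`.

    This is the feed for an automated re-confirmation (sunsetting) campaign that
    runs before the window lapses rather than after.
    """
    horizon = today + timedelta(days=days)
    out: List[str] = []
    for c in contacts:
        if c.consent_type != "implied" or c.consent_date is None or c.unsubscribed:
            continue
        expiry = c.consent_date + IMPLIED_CONSENT_WINDOW
        if today <= expiry <= horizon:
            out.append(c.email)
    return out


# Constructed sample records (not real data); the audit date is likewise made up.
AUDIT_DATE = date(2014, 7, 1)
SAMPLE_CONTACTS = [
    Contact("a@example.com", "express", date(2011, 1, 1)),        # old express consent: still valid
    Contact("b@example.com", "implied", date(2013, 1, 15)),       # inside the 2-year window
    Contact("c@example.com", "implied", date(2012, 3, 1)),        # window lapsed
    Contact("d@example.com", "implied", None),                    # implied, but no date on record
    Contact("e@example.com", None, None),                         # legacy record, basis unknown
    Contact("f@example.com", "express", date(2013, 6, 1), True),  # unsubscribed
    Contact("g@example.com", "implied", date(2012, 8, 1)),        # window closes 2014-08-01
]

if __name__ == "__main__":
    for bucket, emails in audit_list(SAMPLE_CONTACTS, AUDIT_DATE).items():
        print(f"{bucket:9} {emails}")
    print("re-confirm soon:", expiring_within(SAMPLE_CONTACTS, AUDIT_DATE, 90))
```

Running the block on the constructed list mails a, b and g, suppresses c (lapsed) and f (unsubscribed), and queues d and e for re-confirmation; g is also reported by `expiring_within` for a 90-day horizon, which is the hook for the automated sunsetting the slide recommends. The window length and the decision to treat a missing date as unknown data are this example's choices, made to match the deck's wording.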
  27. CASL COMPLIANCE TO DO LIST
     • Watch legislative developments carefully: final IC regs, in-force date, further guidelines/interpretations
     • Review/modify practices for obtaining eMarketing lists; choose vendors/partners carefully; bind them to unsubscribe requirements
     • Review/modify formats for eMarketing
     • Ensure effective and timely unsubscribe
     • Review/modify program installations, associated disclosures and consent
     • Ensure consent records are retained and retrievable
     • Engage marketing, brand and technical resources to detect issues and ensure compliance
     • Start reviewing your digital marketing programs now
  28. THANK YOU
     • Questions?