Canada’s Anti-Spam Legislation establishes complex new rules for anyone sending email or other forms of electronic messaging, which is reinforced with significant penalties for non-compliance. Now that regulations under the legislation are nearly finalized, it is time for organizations to begin preparing by conducting an audit of existing and future practices, identifying risks, and developing a compliance program.
Originally presented at the 2013 IAPP Canada Privacy Symposium held in Toronto, ON, on May 23, 2013
Preparing for Canada’s Anti-Spam Legislation: Conducting a compliance audit
2. READY, SET, AUDIT! PREPARING YOUR ORGANIZATION FOR CASL
Matt Vernhout, Director, Client Support & ISP Relations, TC Media (@emailkarma)
Shaun Brown, Partner, nNovation LLP
3. OUTLINE: PREPARING FOR CASL
1. Primary requirements
2. What we don’t know
3. How to prepare
4. STATUS
• December 15, 2010 – Bill C-28 given Royal Assent
• August 2011 – IC and CRTC regs published for comment
• March 2012 – CRTC Regs finalized
• October 2012 – Final CRTC Guidelines Published
• January 2013 – Draft Industry Canada regs published (part II)
• Spam Reporting Centre
• Coming into force 2014 (?)
5. WHAT IS CASL?
• Standalone legislation (CASL), amendments to PIPEDA
and Competition Act
• Rules for sending commercial electronic message (CEM)
• Rules for installing computer programs
• Prohibits hacking/alteration of transmission data
6. APPLICATION
• Applies to any message sent to or from a computer system in Canada
• More than email: IM; SMS; social media; etc.
• Voice, fax currently excluded (covered by DNCL)
7. COMMERCIAL ELECTRONIC MESSAGE
• Any message where “it would be reasonable to conclude
has as its purpose, or one of its purposes, to encourage
participation in a commercial activity” including
• Product or service
• Business opportunities
• Promotes an individual who does any of the above
• Message to request consent deemed to be CEM
9. EXEMPTIONS
• CEM sent between two individuals with personal or family
relationship
• Sent to inquire about or apply for service (i.e., purchaser
to vendor)
• Exempt from all requirements of CASL
10. 1. CONSENT (IMPLIED)
• Consent can be express or implied
• Four categories of implied consent:
1. Existing business relationship
2. Existing non-business relationship
3. Conspicuous publication of electronic address
4. Recipient has disclosed electronic address to the sender
11. 1. CONSENT (EXPRESS)
• CASL:
• clear notice, describe purposes, prescribed information
• CRTC Regs:
• Name of person seeking consent
• Name of person on whose behalf consent is sought, if different;
identify who is seeking, and on whose behalf
• Contact info for either of the above, including: Mailing address
and any one of telephone # (live or voice mail), email address or
a web address
• Statement that consent can be withdrawn
• CRTC Guidance:
• No pre-checked boxes; separate box not necessary if person
req’d to fill in email address next to request for consent
12. 2. IDENTIFICATION
• Identification requirements apply to all CEMs
• Identify sender as well as person on whose behalf
message is sent
• Name by which person carries on business
• Must indicate who is “sending” and “on whose behalf” the message is
sent
• Contact information for either of above
• Mailing address and any of telephone number/email address/web
address of either person
• Information must be set out “clearly and prominently”
13. 3. UNSUBSCRIBE
• Must be functional for 60 days
• No cost
• Same means unless impracticable
• Include either electronic address or link
• Must be “able to be readily performed”
• Must process without delay
14. PUBLIC AND PRIVATE ENFORCEMENT
Table columns: Enforcement Agency/Mechanism | Target/Application | Penalties
• Canadian Radio-television and Telecommunications Commission (CRTC) (CASL)
• Target: consent, prescribed identification requirements and unsubscribe requirements
• Penalties: administrative monetary penalties (AMPs) up to $1 million/violation for individuals; $10 million/violation for organizations
• Competition Bureau (Competition Act)
• Target: false or misleading representations in content, subject line, sender info
• Penalties: can pursue civil or criminal remedies; AMPs similar to those available to CRTC under CASL
• Office of the Privacy Commissioner of Canada (PIPEDA)
• Target: collecting, using, disclosing electronic address without consent; address harvesting and dictionary attacks
• Penalties: no real powers for enforcement; can make recommendations or pursue order in Federal Court
• Private right of action
• Target: violations of CASL, Competition Act and PIPEDA
• Penalties: actual and/or statutory damages
15. INDUSTRY CANADA REGS
• Definition of personal family relationship
• Number of new exemptions
• Business communications within organizations and between
organizations with ongoing business relationships
• Response to request, inquiry, complaint or is otherwise solicited by
the recipient
• Messages targeted to non-Canadians, advertising products not
available in Canada; sender could not “reasonably be expected to
know” recipient is in Canada
• Enforcing legal rights (e.g., court order, copyright, debt collection,
etc.)
• Third party referrals where referring party has personal, family or
existing business relationship with sender and recipient (exemption
from consent only)
• Use of consent on behalf of unknown third party
16. WHAT WE DON’T KNOW: WHAT IS A CEM?
• Where is the commercial “threshold”?
• What elements are commercial (hyperlinks, logos,
taglines, request to “like” on Facebook)
• What about “transactional” or “relational” messages?
• Section 6(6) refers to certain types of CEMs as exempt
from the need for consent if they solely serve listed purposes (e.g., warranty,
subscription information, delivering a product, etc.)
17. WHAT WE DON’T KNOW: HOW TO TREAT LEGACY DATA?
• How does CASL apply to pre-existing lists
• Increased flexibility where:
• Consent not technically compliant (e.g., missing certain identification
requirements)
• Lack of evidence
18. WHAT WE DON’T KNOW: SENDING ON BEHALF OF OTHERS
• CASL states that messages must identify the person sending the
message, and the person on whose behalf the message is sent,
if different
• What does it mean to send on behalf of another person?
• Does this refer to ESPs?
• List rentals?
• Both?
• CRTC Guidelines: a person who may "facilitate the
distribution of a CEM", but who has "no role in its content
or choice of the recipients” need not be identified
19. BUILDING A CHECKLIST
• Who’s involved
• Where to start
• Data collection
• Before Broadcasting
• After Broadcasting
20. WHO’S INVOLVED?
• Privacy/Compliance team
• Legal Team
• VP Marketing
• Database Analytics Team
• Deployment teams
• Account Teams
• Brand Managers
21. DATA COLLECTION
• Audit Data Collection Sources
• Internal Sources
• External Sources
• Point of Sale
• Call Center
• Identification requirements
• Proper consent notices/options/scripts
• Contact notices
22. BEFORE BROADCASTING
• Review CASL exemptions for this message
• Is it a CEM?
• Review the content
• Postal address, unsubscribe, contact requirements
• Review the list
• Remove addresses that have exceeded the 2-year consent period (implied consent from an existing business relationship) as needed
• Review targeting of content to recipients
• Test functionality of all links and seek appropriate
approvals
23. CHECKLIST REVIEWED
Checklist columns: check item | Yes/No | Yes/No | Client/TD | Deficiencies Noted/Comments
Functional Check (Level 1):
• Images render properly
• Alt tags in place and correct
• Check for image maps
• Links go to correct page or not broken
• Links are tracked
• Mailto functions properly and has NOTRACK
• Display name and From Address are correct
• Subject line is correct and does not truncate
• Subject line does not contain illegal characters
• View as web page included
• Personalization is present and populating correctly
• Personalization is pulling from the correct DB
• HTML text override
Compliance & EMS System Check (Level 3):
• Postal address included
• Unsubscribe link present and working
• Correct database has been selected
• Has the seed list been added
• Segmentation is correct
• Recipient count is approved
• Mailing list “send to duplicates” option on
• Reply management is correct
• Recipient cap field checked
24. IS THIS A CEM? DO ANY EXCEPTIONS APPLY?
Decision flow (reconstructed from the slide’s flowchart):
• Email message → Is this a CEM? No: CASL does not apply.
• Yes → Exempt from s 6.5? Yes: CASL does not apply.
• No → Exempt from s 6.6? Yes: consent is not required; go to the identification and unsubscribe check.
• No → Is there explicit consent or implied consent? Neither: likely NOT compliant.
• Proper ID and unsubscribe in place? Yes: ready to send. No: likely NOT compliant.
25. AFTER BROADCASTING
• Unsubscribe requirements being met
• 60 days of live access
• Unsubscribes are being processed
• Review metrics and begin next broadcast planning
26. MANAGING UNSUBSCRIBES
K.I.S.:
• Limit number of data locations for sync purposes and
timing
• Review current practices
• Identify responsible individuals
• Offer preference choices
• opt-down vs. opt-out
• Vendor options
• Most email marketing providers can manage this for you and supply
delta files
27. RELATIONSHIP MARKETING
• Identified risks:
• Rolling window of consent
• Unknown data
• Mitigating risk:
• Reduce number of active databases
• Backfill dates when possible
• Re-confirm consent for the unknown address prior to enforcement
• Build automated solutions for sunsetting users
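The list-review steps above (drop addresses past the 2-year window, re-confirm unknown data, keep consent evidence retrievable, keep the unsubscribe working for 60 days) can be automated as a pre-broadcast pass over the list. The following Python is an added example written for this page, not code from the presenters or their organizations: the record fields, bucket names and sample rows are constructed for illustration, the 2-year window is approximated as 730 days (an assumption), and the 2-year and 60-day figures themselves are the ones the slides cite.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Windows taken from the slides: implied consent is treated as a rolling
# 2-year window (approximated here as 730 days, an assumption) and the
# unsubscribe mechanism must stay functional for 60 days after a send.
IMPLIED_CONSENT_WINDOW = timedelta(days=730)
UNSUBSCRIBE_WINDOW = timedelta(days=60)


@dataclass
class Contact:
    """One list record. Field names are assumptions for this example."""
    email: str
    consent_type: str                  # "express", "implied" or "unknown"
    last_transaction: Optional[date]   # anchors the rolling implied-consent window
    consent_evidence: Optional[str]    # e.g. a form or log reference; None if no record
    unsubscribed: bool = False


def consent_status(c: Contact, send_date: date) -> str:
    """Classify a record for a send on send_date: ok:*, suppress:* or reconfirm:*."""
    if c.unsubscribed:
        return "suppress:unsubscribed"
    if c.consent_type == "express":
        # Express consent does not expire, but the record must be retrievable.
        return "ok:express" if c.consent_evidence else "reconfirm:no_evidence"
    if c.consent_type == "implied":
        if c.last_transaction is None:
            return "reconfirm:no_date"   # backfill the date or re-confirm consent
        if send_date - c.last_transaction > IMPLIED_CONSENT_WINDOW:
            return "suppress:implied_expired"
        return "ok:implied"
    return "reconfirm:unknown"           # unknown data: re-confirm before sending


def sunset_date(c: Contact) -> Optional[date]:
    """Date after which an implied-consent record should be sunset automatically."""
    if c.consent_type == "implied" and c.last_transaction is not None:
        return c.last_transaction + IMPLIED_CONSENT_WINDOW
    return None


def prepare_broadcast(contacts, send_date):
    """Split a list into sendable, suppressed and re-confirmation buckets."""
    buckets = {"send": [], "suppress": [], "reconfirm": []}
    for c in contacts:
        status = consent_status(c, send_date)
        key = "send" if status.startswith("ok") else status.split(":")[0]
        buckets[key].append((c.email, status))
    return buckets


def unsubscribe_must_be_honoured(send_date, request_date):
    """True if an unsubscribe request falls within the 60-day window after the send."""
    return timedelta(0) <= request_date - send_date <= UNSUBSCRIBE_WINDOW


# Constructed sample records (not real data) and a constructed send date.
DEMO_SEND_DATE = date(2021, 6, 1)
SAMPLE = [
    Contact("a@example.com", "express", None, "webform-2021-03-04#1"),
    Contact("b@example.com", "implied", date(2019, 1, 1), None),   # > 2 years old
    Contact("c@example.com", "implied", date(2021, 1, 15), None),  # inside the window
    Contact("d@example.com", "unknown", None, None),               # legacy data
    Contact("e@example.com", "express", None, "webform-2020-11-30#7", unsubscribed=True),
]

if __name__ == "__main__":
    for bucket, rows in prepare_broadcast(SAMPLE, DEMO_SEND_DATE).items():
        print(bucket, rows)
```

Run against a real list, the "reconfirm" bucket is the set to hit with a consent-request message before the in-force date, and the "suppress" bucket should be written back to every copy of the database so the sync problem described under "Managing unsubscribes" does not reintroduce the addresses on the next broadcast.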
28. CASL COMPLIANCE TO DO LIST
Watch legislative developments carefully: final IC regs, in-force date,
further guidelines/interpretations
Review/modify practices for obtaining eMarketing lists, choose
vendors/partners carefully, bind to unsubscribe requirements
Review/modify formats for eMarketing
Ensure effective and timely unsubscribe
Review/modify program installations, associated disclosures and
consent
Ensure consent records are retained and retrievable
Engagement of marketing, brand, technical resources to detect
issues, ensure compliance
Start reviewing your digital marketing programs now