Emerging Privacy Themes That Will Impact Your Company


Adam Kardash of Osler, Hoskin & Harcourt LLP spoke about emerging privacy themes that companies should be paying attention to at our MIXX conference held on March 20, 2014.

Published in: Marketing

  1. Emerging Privacy Themes That Will Impact Your Company
     • IAB Canada Spring MIXX Conference, Thursday, March 20, 2014
     • Adam Kardash, Partner, Privacy & Information Management
  2. Three Key Privacy Challenges Impacting Companies in the “Digital” Sector
     • Canada’s Anti-Spam Legislation
     • Online Behavioural Advertising
     • Security Incidents
  3. Canada’s Anti-Spam Legislation
     • Federal legislation imposing strict consent, notice and content requirements for “commercial electronic messages”.
     • Will impact organizations in all sectors, particularly digital marketing practices.
     • Potentially severe penalties for contravention of the statute.
  4. Canada’s Anti-Spam Legislation
     • Enacted in December 2010 but not yet in force.
       • Commercial Electronic Message provisions in force July 1, 2014
       • Computer programming provisions in force January 15, 2015
       • Private right of action in force July 1, 2017
     • Details of CASL set out in 2 regulations:
       • CRTC Regulations finalized in March 2012.
       • Industry Canada Regulations finalized in December 2013.
     • CRTC Guidelines released in October 2012
       • Guidelines on the Interpretation of the Electronic Commerce Protection Regulations (CRTC)
       • Guidelines on the use of Toggling as a means of Obtaining Express Consent under CASL
     • CRTC FAQs released in December 2013
     • More FAQs, compliance guidelines expected
  5. Canada’s Anti-Spam Legislation
     • Administrative Monetary Penalties
       • Up to $1 million per violation for individuals and $10 million for businesses.
     • Private Right of Action
       • Statutory damages up to $200 for each violation of the prohibition against unsolicited commercial electronic messages, up to $1 million for each day on which the violation occurred.
     • A single email or text message in contravention of CASL = violation.
  6. Canada’s Anti-Spam Legislation
     • Applies to any “Commercial Electronic Message”
       • Any means of telecommunication, including text, sound, voice or image messages.
       • Reasonable to conclude that, among its purposes, the message is aimed at encouraging participation in a commercial activity.
     • Examples of commercial electronic messages:
       • emails
       • text messages
       • refer-a-friend
       • emerging forms of messaging
       • an email or text message that hyperlinks to content “aimed at encouraging participation in a commercial activity”
  7. Canada’s Anti-Spam Legislation
     • Prohibited to send, or cause or permit to be sent, a commercial electronic message (CEM) to an electronic address unless the recipient has provided express or implied consent.
     • Most CEMs must also meet certain specified content requirements, including an unsubscribe mechanism.
  8. Canada’s Anti-Spam Legislation
     • Compliance Requirements - Tackling the CASL Hassle
       • Engaged multi-stakeholder teams required
       • Inventory critical
       • Complicated, technical exceptions and requirements
       • Operational impact potentially severe
       • Due diligence requirement to mitigate enforcement and class action risk
         • Policies, practices, protocols
         • Training
         • Contractual requirements
  9. Online Behavioural Advertising
     • Office of the Privacy Commissioner of Canada is focused on the potential privacy issues associated with OBA.
       • Privacy and Online Behavioural Advertising Guidelines
       • Policy Position on Online Behavioural Advertising
     • Multiple Investigations
       • Report of Findings #2012-001: Social networking site for youth, Nexopia, breached Canadian privacy law
       • Report of Findings #2013:003: Profiles on PositiveSingles.com dating website turn up on other affiliated dating websites
       • Report of Findings #2014-001: Use of sensitive health information for targeting of Google ads raises privacy concerns
       • Ongoing Bell Canada Investigation
  10. Online Behavioural Advertising
     • Digital Advertising Alliance of Canada’s “Ad Choices” Self-Regulatory Program for Online Behavioural Advertising
     • Program framework based on six key principles:
       1. Education
       2. Transparency
       3. Consumer Control
       4. Data Security
       5. Sensitive Personal Information
       6. Accountability
  11. Online Behavioural Advertising
     • Principles set out obligations for three different parties involved in OBA:
       • First Parties
         • Web site Publishers or Operators
       • Third Parties
         • Ad Networks, Data Companies
       • Service Providers
         • Internet Service Providers, Browser Operators, Web Toolbars
  12. Online Behavioural Advertising
     • The DAAC has created a website (available at YourAdChoices.ca) that is the hub of the Program.
     • Participating companies listed on the website.
     • To date, over 40 companies registered/registering.
  13. Security Incidents
     • Security incident matters have now become a business critical issue for companies across all sectors
     • Key Drivers
       • Data explosion
       • Technological developments
       • Cybersecurity threats
       • Government/law enforcement/national security authority access to personal information via private sector companies
  14. Implied Breach Notification Requirement
     • Implied Breach Notification Obligation
       • While there are currently no express data breach notification requirements under PIPEDA, OPC Letters of Finding and guidance documents suggest that a duty to notify affected individuals is implicit within the general safeguarding requirements under the Act:
         • In circumstances where material harm is reasonably foreseeable; and
         • Where such notification would serve to protect personal information from further unauthorized access, use or disclosure
  15. Express Breach Notification Requirement
     • PIPA Alberta
       • Organizations must report to the Commissioner any incident involving the loss of or unauthorized access to or disclosure of personal information where a reasonable person would consider that there exists a real risk of significant harm to an individual.
     • PIPITPA Manitoba [Not yet in force]
       • An organization must, as soon as reasonably practicable and in the prescribed manner, notify an individual if personal information about the individual that is in its custody or under its control is stolen, lost or accessed in an unauthorized manner.
       • Exceptions:
         • Instructions from law enforcement that is investigating the theft, loss or unauthorized accessing of the personal information; or
         • Organization satisfied that it is not reasonably possible for the personal information to be used unlawfully
  16. Impact of Breach Notification Requirements
     • Enhanced transparency/reporting about security incidents within organizations.
     • More notifications to affected individuals about security incidents.
     • More media reports and general awareness about information security (or lack thereof).
     • More investigations by privacy regulatory authorities.
     • Increased litigation risk.
     • More proactive efforts by organizations to address personal information security concerns.
     • Increased out-of-pocket, reputation and other costs to organizations due to all of the above.
  17. Thank you!