Wishart Law Firm LLP - CASL/Anti-Spam Seminar


  • A club, association or voluntary organization is a non-profit organization that is organized and operated exclusively for social welfare, civic improvement, pleasure or recreation or for any purpose other than personal profit, if no part of its income is payable to, or otherwise available for the personal benefit of, any proprietor, member or shareholder of that organization unless the proprietor, member or shareholder is an organization whose primary purpose is the protection of amateur athletics in Canada. See IC regs s 7(2) that refers to s. 10(13)(3)(c) of CASL.
  • Note: “install” not defined
    Industry Canada has stated that CASL applies to installing computer programs on someone else’s computer system, not installations by persons on their own computing devices.
  • An example of an acceptable means of obtaining consent pursuant to section 5 of the Regulations would be an icon or an empty toggle box, separate from the licence agreement and other requests for consent, that would need to be actively clicked or checked, as applicable, in order to indicate consent to one, several, or all of the functions listed in subsection 10(5) of the Act, as applicable, provided that the date, time, purpose, and manner of that consent is stored in a database.
  • S 10(8) of CASL specifically mentions cookies in list of “deemed consent” computer programs -- so are they “computer programs” and subject to CASL?
    IC: cookies are not programs -- they are not executable, cannot carry viruses and cannot install malware
    CRTC: cookies are programs but are not “installed” and so not subject to CASL prohibition
  • Wishart Law Firm LLP - CASL/Anti-Spam Seminar

    1. 1. CASL A Primer on Canada’s Anti-Spam Legislation
    2. 2. AGENDA • Focus on Commercial Electronic Messages (CEMs) • What does the law prohibit? • What are the penalties for non-compliance? • Key concepts • Transition period • Preparing for compliance
    3. 3. WHAT IS CASL? • Full name of the Act is: – An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, SC 2010, c 23 • We’ll just call it Canada’s Anti-spam Law (CASL)
    4. 4. WHAT DOES THE LAW PROHIBIT? • Sending unsolicited electronic messages; • Altering transmission data; • Installing a computer program without authorization; and • Aiding, inducing, procuring or causing to be procured any of the above-noted prohibited activities.
    5. 5. KEY CONCEPTS • Administrative and civil penalties • Commercial Electronic Messages (CEMs) • Consent – CEMs cannot be sent without it • Prescribed information – certain information must be in every CEM sent • Records – the sender has the burden of proof
    6. 6. PENALTIES • Administrative monetary penalties (AMPs) for violations • Up to $1 million for individuals & $10 million for organizations for each violation – Personal liability for directors, officers, and agents for violations committed by their businesses – Vicarious liability for businesses for violations committed by their employees • Purpose of AMPs is to promote compliance, not punish • A number of factors must be taken into account when determining the amount of the AMP
    7. 7. PENALTIES • Violations are not criminal offences • Can be appealed to the Federal Court • Due diligence defence available • Private Right of Action (PRA) in force July 1, 2017
    8. 8. WHAT IS A CEM? • A commercial electronic message is an electronic message that, having regard to the content of the message, the hyperlinks in the message to content on a website or other database, or the contact information contained in the message, it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity, including an electronic message that a) offers to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land; b) offers to provide a business, investment or gaming opportunity; c) advertises or promotes anything referred to in paragraph (a) or (b); or d) promotes a person, including the public image of a person, as being a person who does anything referred to in any of paragraphs (a) to (c) or who intends to do so.
    9. 9. WHAT IS A CEM • Note: an electronic message that contains a request for consent to send a CEM is also considered to be a CEM • So, subject to the transition provisions, these cannot be sent after July 1, 2014 without the recipient’s implied consent
    10. 10. WHAT IS AN ELECTRONIC MESSAGE? • “electronic message” means a message sent by any means of telecommunication, including a text, sound, voice or image message
    11. 11. WHAT IS A COMMERCIAL ACTIVITY? • “commercial activity” means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, whether or not the person who carries it out does so in the expectation of profit, other than any transaction, act or conduct that is carried out for the purposes of law enforcement, public safety, the protection of Canada, the conduct of international affairs or the defence of Canada.
    12. 12. BRINGING IT ALL TOGETHER • Your message is a CEM if it is sent electronically and: 1. It entices someone to buy something or do business with you; or 2. It is requesting someone’s permission to allow you to send them a CEM
    13. 13. WHAT DOES CASL REQUIRE • In order to send CEMs you must: 1. have the recipient’s express or implied consent; and 2. Include the following information: a) prescribed information identifying the sender or the person on whose behalf the message is sent; b) information enabling the recipient to readily contact one of the persons referred to in (a); and c) an unsubscribe mechanism
    14. 14. SENDER IDENTITY • the name by which the person sending the message carries on business, if different from their name, if not, the name of the person; • if the message is sent on behalf of another person, the name by which the person on whose behalf the message is sent carries on business, if different from their name, if not, the name of the person on whose behalf the message is sent; • if the message is sent on behalf of another person, a statement indicating which person is sending the message and which person on whose behalf the message is sent; and • the mailing address, and either a telephone number providing access to an agent or a voice messaging system, an email address or a web address of the person sending the message or, if different, the person on whose behalf the message is sent
    15. 15. SENDER IDENTITY • “mailing address” includes the sender’s valid, current street (or civic) address, postal office box, rural route address, or general delivery address • Mailing and email address must remain valid for a minimum of 60 days after the CEM has been sent.
    16. 16. UNSUBSCRIBE MECHANISM • The original message must allow the CEM recipient to indicate, using the same electronic means, at no cost to them, their wish to no longer receive CEMs from the sender (or the person on whose behalf the message is sent) • Effect must be given to an unsubscribe request within 10 days of receipt
    19. 19. EXCEPTION • What if sender identity and/or the unsubscribe mechanism cannot be included in a CEM? • Can be posted on a website: – accessible by the recipient; – at no cost to them; – through a link clearly set out in the CEM
    20. 20. COMPLETE EXCLUSIONS • Messages sent between individuals having a “personal relationship” or a “family relationship”; • Messages sent within organizations, where their content concerns the organization’s activities; • Messages sent between organizations that already have a relationship, where their content concerns the activities of the recipient organization; • Messages sent in response to requests, inquiries, or complaints, or where the message is otherwise solicited by the recipient; and • Messages sent to satisfy or enforce legal rights and obligations and/or to provide notice of existing or pending rights or legal obligations.
    21. 21. FAMILY RELATIONSHIP • “Family relationship”: – the relationship between an individual who sends a message and the individual to whom the message is sent if those individuals are related to one another through a marriage, common-law partnership or any legal parent-child relationship and those individuals have had direct, voluntary, two-way communication
    22. 22. PERSONAL RELATIONSHIP • “Personal relationship” – the relationship between an individual who sends a message and the individual to whom the message is sent, if those individuals have had direct, voluntary, two-way communications and it would be reasonable to conclude that they have a personal relationship, taking into consideration any relevant factors such as the sharing of interests, experiences, opinions and information evidenced in the communications, the frequency of communication, the length of time since the parties communicated or whether the parties have met in person.
    23. 23. OTHER COMPLETE EXCLUSIONS • Messages sent to a limited access and confidential account to which messages can only be sent by the person who provides the account to the person who receives the account; • Messages sent and received on an electronic messaging service if the required information and unsubscribe mechanism are conspicuously published and readily available on the user interface through which the message is accessed, and the person to whom it is sent consents to receive it; • Messages sent on behalf of registered charities that have as their primary purpose raising funds for the charity;
    24. 24. OTHER COMPLETE EXCLUSIONS • Messages sent by or on behalf of a political party or organization, or a person who is a candidate for public office having as their primary purpose soliciting a contribution; and • Messages that the sender reasonably believes will be accessed in a foreign state that is listed in the schedule and the message conforms with the law of the foreign state that addresses conduct substantially similar to CASL’s prohibition against sending unsolicited CEMs – Note: U.S. is a foreign state listed in the schedule
    25. 25. OTHER COMPLETE EXCLUSIONS • Additional exemptions for a CEM: – that is, in whole or in part, an interactive two-way voice communication between individuals; – that is sent by means of facsimile to a telephone account; or – that is a voice recording sent to a telephone account.
    26. 26. PARTIAL EXCLUSIONS • No consent is required for messages that: – Provide quotes or estimates requested by the recipient; – Facilitate, complete, or confirm commercial transactions the recipient previously agreed to enter into with the sender; – Provide warranty or product recall information about goods the recipient uses, has used or has purchased; – Provide notification of information about subscriptions or membership, accounts, or loans of the recipient; – Provide information directly related to employment relationships or related benefit plans the recipient is currently involved or enrolled in; – Deliver products or services including updates or upgrades that the recipient is entitled to under the terms of a transaction they previously entered into with the sender • Note: messages in these categories must still conform to CASL’s prescribed requirements
    27. 27. THIRD PARTY REFERRALS • No consent is needed for the first CEM following a referral by an individual who has an existing business, non-business, family or personal relationship with both the sender and the recipient • The CEM must disclose the full name of the person who made the referral and must state the message is being sent as a result of the referral
    28. 28. WHAT IT ALL MEANS • Commercial content is determined by the CRTC taking into consideration a number of factors • If your message is a CEM you must have recipient consent to send it or fit into one of the exemptions
    29. 29. WHAT IS CONSENT • Anyone to whom a CEM is sent must have provided permission in advance • Two types of consent 1. Implied 2. Express • Recall after July 1, 2014 an electronic message requesting consent is deemed a CEM
    30. 30. IMPLIED CONSENT • CASL permits consent to be implied in the following limited situations: – The sender has an existing business or non-business relationship with the recipient; – The recipient has conspicuously published the electronic address to which the message is sent, the publication is not accompanied by a statement indicating that he/she or it does not wish to receive unsolicited CEMs at the address and the message is relevant to the person’s business, role, function or duties in business or official capacity; or – The recipient has disclosed to the sender his/her or its electronic address without indicating a wish not to receive unsolicited CEMs at that address and the message is relevant to the recipient’s business, role, function or duties in a business or official capacity
    31. 31. EXISTING BUSINESS RELATIONSHIP • Means a business relationship between the recipient and the sender that arises from: 1. The purchase or lease of products, goods, services or land by the recipient within the two-year period immediately preceding the day on which the message is sent; 2. The acceptance by the recipient within that period of a business, investment or gaming opportunity offered by the sender; 3. The bartering of products, goods, services or land between the sender and recipient within that two-year period; 4. A written contract entered into between the sender and the recipient relating to a matter not referred to in items 1-3 above if the contract is currently in existence or has expired within the two-year period immediately preceding the day on which the message was sent; 5. An inquiry or application sent by the recipient to the sender in relation to a matter set out in items 1-3 above within the six-month period immediately preceding the day on which the message was sent
    32. 32. EXISTING NON-BUSINESS RELATIONSHIP • Means a non-business relationship between the recipient and the sender arising out of a donation made to certain entities, or volunteer work performed, by the recipient within the two-year period immediately preceding the day on which the message was sent • An existing non-business relationship can also arise from the recipient’s membership in a club, association or voluntary organization within the two-year period immediately preceding the day on which the message was sent
    33. 33. EXPRESS CONSENT • Required where relationship between sender and recipient does not fit any of the categories of exclusion or implied consent • Can be requested orally or in writing • Electronic message requesting express consent is a CEM • In addition to prescribed information, the sender must provide the purpose for which the recipient’s consent is being sought and must identify the person seeking consent or the person on whose behalf consent is being sought
    34. 34. EXPRESS CONSENT • Must be some positive act undertaken on the part of the person from whom consent is obtained • Examples: – Checking a box – Typing an email address into a field to obtain consent
    38. 38. BAD EXAMPLE OF A REQUEST FOR EXPRESS CONSENT 50% Off!!! Enter your email below to redeem your free gift certificate for 50% off and to qualify for our grand prize draw __________ submit
    39. 39. ANOTHER BAD EXAMPLE Please find your coupon for 50% off attached. You have also been entered into our grand prize draw!!! I agree to receive ABC Inc.’s newsletter. You can withdraw your consent at any time
    40. 40. OTHER CONSENT CONSIDERATIONS • Consents must be sought separately (computer programs and CEMs must have separate consents) • You cannot bundle consent – a consent to receive CEMs cannot be tied to an agreement, purchase or contest
    43. 43. BAD EXAMPLE OF ACQUIRING MULTIPLE CONSENTS I accept the terms and conditions. I agree to the installation of ABC Inc.’s software. I consent to receive ABC Inc.’s newsletter.
    44. 44. OUR EMAIL (EXAMPLE)
    45. 45. SHARING CONTACT LISTS WITH THIRD PARTIES • A person who obtained express consent on behalf of an unknown third party may allow such consent to be used by the unknown third party to send CEMs. This is conditional on the person who originally obtained consent ensuring that, in any CEMs sent to the person from whom consent was obtained: a) the person who obtained consent is identified; and b) the authorized person provided an unsubscribe mechanism that, not only meets CASL’s requirements, but also allows the person from whom consent was obtained to withdraw their consent from the person who obtained consent or any other person who is authorized to use it.
    46. 46. ALTERATION OF AN ELECTRONIC MESSAGE’S TRANSMISSION DATA • Without the express consent of the sender or recipient, CASL prohibits, in the course of commercial activity, the alteration of transmission data in an electronic message so that the message is delivered to destinations other than, or in addition to, that specified by the sender • Same requirement for requests for express consent to alter the transmission data of an electronic message as for express consent to receive CEMs – Requester must provide the purpose for which the consent is being sought as well as the identification of the person(s) seeking consent or on whose behalf consent is being sought
    47. 47. ALTERATION OF AN ELECTRONIC MESSAGE’S TRANSMISSION DATA • Additional requirements on those who obtain the express consent of the original senders or recipients to alter transmission data: a) for the period covered by the consent, ensure that the person who gave their consent is provided with an electronic address to which they may send notice of the withdrawal of their consent; and b) ensure that effect is given to a notice of withdrawal of consent sent in accordance with paragraph (a) without delay, but in any event no later than 10 business days after receiving it • Exception for alterations made by a telecommunications service provider for the purpose of network management
    48. 48. INSTALLATION OF COMPUTER PROGRAMS • CASL prohibits a person from installing a computer program on another person’s computer system, in the course of commercial activity, and causing electronic messages to be sent from that computer system, unless: a) The person has obtained the owner’s express consent; or b) The person is acting in accordance with a court order • Again, CASL imposes the exact same requirement upon requests for express consent in respect of this prohibition as for those discussed previously
    49. 49. INSTALLATION OF COMPUTER PROGRAMS “Computer program” means: – data representing instructions or statements that, when executed in a computer system, causes the computer system to perform a function
    50. 50. INSTALLATION OF COMPUTER PROGRAMS “Computer system” means: – a device that, or a group of interconnected or related devices one or more of which, a) contains computer programs or other data, and b) pursuant to computer programs, i. performs logic and control, and ii. may perform any other function
    51. 51. INSTALLATION OF COMPUTER PROGRAMS • Additional requirements for express consent imposed if the computer program will do certain functions such as: – collecting personal information, – interfering with the user's control of the computer system, – changing or interfering with settings, preferences or commands already installed or stored on the computer system without the knowledge of the user, – changing or interfering with data that is stored on the computer system in a manner that obstructs, interrupts or interferes with lawful access to or use of the computer system, – causing the computer system to communicate with another computer system without authorization, – installing a computer program that may be activated by a third party without the knowledge of the user, and – performing any other function listed in the regulations.
    52. 52. INSTALLATION OF COMPUTER PROGRAMS • If the computer program does any of those specified functions when installed, then you clearly and prominently, and separately and apart from the licence agreement, must: – describe the program's material elements that perform the specified function(s), including the nature and purpose of those elements, as well as their foreseeable impact, and – bring those elements to the attention of the user separate from other information provided in a request for consent.
    54. 54. EXCEPTION • Prohibition on installing computer programs does not apply if the installation is an update or upgrade to a computer program that the owner had previously provided consent to have installed on their computer and which they were entitled to receive
    55. 55. EXCEPTION • Computer owners are considered to have expressly consented to the installing of a computer program if the program is: i. a cookie; ii. HTML code; iii. Java Scripts; iv. an operating system; or v. any other program that is executable only through the use of another computer program whose installation was expressly consented to
    56. 56. EXCEPTION • Computer owners are considered to expressly consent to the installation of the following specified programs: – a program that is installed by or on behalf of a telecommunications service provider solely to protect the security of all or part of its network from a current and identifiable threat to the availability, reliability, efficiency or optimal use of its network; – a program that is installed for the purpose of updating or upgrading the network, by or on behalf of the telecommunications service provider who owns or operates the network on the computer systems that constitute all or part of the network; and – a program that is necessary to correct a failure in the operation of the computer system or a program installed on it and is installed solely for that purpose
    57. 57. EXCEPTION • Note: Industry Canada has clarified that automobile manufacturers may be telecommunications service providers for the purposes of CASL – Allows auto manufacturers to rely on the exceptions in the last slide to upgrade computer software in automobiles
    58. 58. IP ADDRESSES • Industry Canada states: – Insofar as IP addresses are not linked to an identifiable person or to an account, IP addresses are not electronic addresses for the purposes of CASL • Result = banner advertising on websites is not subject to CASL
    59. 59. AIDING, INDUCING, PROCURING OR CAUSING TO BE PROCURED • It is prohibited “to aid, induce, procure, or cause to be procured the doing of any act contrary” to CASL in respect of the three previously discussed prohibitions
    60. 60. PRIVATE RIGHT OF ACTION • Contraventions actionable before a court • Compensation “in an amount equal to the actual loss or damage suffered or expenses incurred by the applicant” and a maximum amount of statutory damages for contravention of each CASL prohibition
    61. 61. PRIVATE RIGHT OF ACTION • CASL statutory damages: – unsolicited electronic messages • $200 per contravention up to $1 million per day – altering transmission data or installation of a computer program • up to $1 million per day per contravention
    62. 62. COMING INTO FORCE • When does the legislation come into force? CEMs • July 1, 2014 Computer programs • January 15, 2015 Private right of action • July 1, 2017
    63. 63. TRANSITION PERIOD • A person’s consent to receive CEMs from another person is implied until the earlier of: 1) the person gives notice that they no longer consent to receiving CEMs from that other person; or 2) until three years after the day on which the prohibition against sending CEMs comes into force if: a) those persons have an “existing business” or an “existing non-business relationship”; and b) the relationship includes the communication between them of CEMs
    64. 64. TRANSITION PERIOD • If a computer program was installed on a person’s computer system before the prohibition comes into force, the person’s consent to the installation is implied until: 1) the person gives notice that they no longer consent to receiving such an installation; or 2) until three years after the day on which the prohibition against installing computer programs comes into force (January 15, 2018)
    65. 65. HOW TO PREPARE • Get express consent from your current mailing list • Review and inventory CEMs currently being sent – form – purpose – recipients • Develop a database identifying which CEMs: – require express consent and must comply with the formalities; – must comply with formalities; and – neither require consent nor need to comply with formalities
    66. 66. HOW TO PREPARE • Create compliant unsubscribe mechanisms • Create template CEMs that meet the prescribed requirements • Develop a CASL compliance policy • Designate one or more people in your organization to administer the policy
    67. 67. HOW TO PREPARE • Start keeping records of consents and compliance procedures – Important for supporting a due diligence defence
    68. 68. OUR CHECKLIST 390 Bay Street, Suite 500 Sault Ste. Marie, ON P6A 1X2 Tel. 705.949.6700 Fax. 705.949.2465 excellent solutions. CASL COMPLIANCE CHECKLIST 1. Determine if CASL applies to your organization 2. Review and inventory CEMs being sent 3. Develop database identifying CEMs that require consent 4. Develop standard Consent Forms and record maintenance procedures 5. Get consent from parties on your existing mailing list 6. Identify gaps and ensure that compliance programs and databases are in place and working to document consent and unsubscribe information 7. Ensure sources of contact lists have appropriate CASL compliance protocols (3rd party lists) 8. Update Business Policies 9. Train All Staff - It is very important to understand that a single unauthorized CEM is a breach 10. Audit compliance periodically www.wishartlaw.com
    69. 69. QUESTIONS? J. Paul R. Cassan pcassan@wishartlaw.com (705) 949-6700 ext. 230 Tim J. Harmar tharmar@wishartlaw.com (705) 949-6700 ext. 233