Canada’s Anti-Spam Legislation

  1. Maanit Zemel, MTZ Law P.C. June 18, 2014. Canada’s Anti-Spam Legislation: What Charities and Non-Profits Need to Know Before July 1, 2014
  2. Agenda: 1. Introduction to CASL (Canada’s Anti-Spam Legislation) 2. CEMs (Commercial Electronic Messages) 3. CASL Compliance 4. Exemptions to CEM Requirements 5. Preparing for CASL
  3. Introduction to CASL
  4. The Problem…
  5. The Solution… Regulate Everyone! »CASL regulates all Commercial Electronic Messages sent or accessed by a computer in Canada »CASL also regulates a broad range of electronic and online activities, including: » The installation of computer programs » Misleading advertising and marketing practices » Privacy invasion via computers » Collecting email addresses without consent (i.e., email harvesting)
  6. Underlying Principles »All regulated activities may only be carried out with: 1. Informed consent by the recipient; and 2. Clear identification of the sender »All activities are based on an Opt-In regime, not an Opt-Out
  7. Non-Compliance »CASL provides a complaint mechanism »Anyone can complain to the regulators at www.fightspam.gc.ca »There will be significant consequences for non-compliance
  8. Consequences Include »Administrative penalties »Fines up to $1 million for individuals per violation »Fines up to $10 million for organizations per violation »Private rights of action »Class action suits »Vicarious liability of organizations for employee actions »Liability of officers and directors for organization actions
  9. Regulating Bodies »Regulators have sweeping investigative powers (search and seizure orders) »Division of responsibility among 3 government bodies: » CRTC – Commercial Electronic Messages and installation of computer programs » Privacy Commissioner – Collection of personal information and address ‘harvesting’ » Competition Bureau – Misleading advertising and marketing
  10. Dates to Know »July 1, 2014: Requirements respecting Commercial Electronic Messages »January 15, 2015: Requirements respecting computer programs »July 1, 2017: » End of transition period for implied consent » Private rights of action become available to complainants
  11. CEMs: Commercial Electronic Messages
  12. CEMs: A Commercial Electronic Message (CEM) is a message sent by any electronic means (i.e., email, SMS text, instant message, social media) that has, as its purpose, or one of its purposes, to encourage participation in a “commercial activity”
  13. Commercial Activities: Commercial activity is “any particular transaction, act or conduct that is of a commercial character whether or not the person who carries it out does so in the expectation of profit.”
  14. Examples of CEMs for Charities and Non-Profits »Email appeals for donations »Emailed invitations to events »Promotional emails (i.e., event or lottery promotions) »Emails promoting a charitable event or activity, if those activities are of a “commercial character” »Electronic newsletters »Emails promoting the organization, if the organization’s activities are of a “commercial character”
  15. CASL Compliance
  16. Requirements »You are prohibited from sending a CEM to an electronic address unless: » The recipient has already consented to receive the CEM; and » The CEM contains specific prescribed information »Consent can be “express” or “implied” »The onus is on the sender to provide documentation proving consent
  17. Establishing Implied Consent »Implied consent exists when the recipient has: »Conspicuously published his or her electronic address (e.g., on a website); and »Has not indicated a desire not to receive unsolicited CEMs; and »The message is relevant to the recipient’s business role, duties, or functions; Or »Disclosed his or her electronic address to the sender without indicating a wish not to receive unsolicited CEMs; and »The message is relevant to the recipient’s business role, duties, or functions
  18. Establishing Implied Consent (non-business relationships) »Consent is implied when the sender is a registered charity (as defined in ITA) and: »The recipient has made a donation to the charity within the preceding two years; or »The recipient has volunteered in the preceding two years; or »The sender is a Non-Profit Organization (as defined in ITA) and: »The recipient was a member of the organization at some point in the preceding two years
  19. Establishing Implied Consent (existing business relationships) »Consent is implied when the recipient had: »Purchased / leased / bartered a product / good / service / or land in the preceding two years; »Accepted a business / investment / gaming opportunity offered by the sender in the preceding two years; or »A written contract is created or had existed between the recipient and sender in the preceding two years; Or »The sender had received an inquiry or application about one of the above items in the preceding six months
  20. Proving Implied Consent: Proving implied consent relies on your ability to track and report on your constituents’ relationships and activities with your organization. We strongly recommend using a centralized Customer Relationship Management (CRM) system.
  21. Express Consent »Express consent may be obtained orally or in writing »The request for express consent must include: »The purpose for which consent is being sought, stated “clearly and simply” »The sender’s identification and contact information and/or on whose behalf consent is being sought »Statement that the receiver can withdraw their consent »No pre-checked boxes »Cannot be in the form of a CEM – post July 1, 2014 cannot send an email requesting consent
  22. Proving Express Consent: Express consent can be tracked within a CRM as well. By marking how and when your constituents consented to each message type (like “event invitations”), you can easily send messages to the people who have asked for them.
  23. Transitional Period »Parties who are in an existing business relationship or non-business relationship and have been sending CEMs to the recipients prior to July 1, 2014, will have their implied consent period extended until July 1, 2017 »Therefore charities and non-profits have implied consent from their existing donors, volunteers, and members until July 1, 2017
  24. Information Requirements on CEMs »All CEMs must include the following: 1. The sender’s (and/or on whose behalf the CEM is sent) identifying information and contact details (name and mailing address and email or phone) – this information must be valid for 60 days following the deployment of the message 2. A means by which to contact the sender 3. An unsubscribe mechanism »If it isn’t practical to include all the requirements directly within the CEM, the information must be posted on a website and a link to that website be included, prominently and clearly, in the CEM
  25. Unsubscribing »The unsubscribe mechanism must be effective for at least 60 days »The provided unsubscribe mechanism must be in the same means as the message or other electronic means »The mechanism must be at no cost to the unsubscriber »All requests must be given effect within 10 days
  26. Unsubscribing: Many email deployment programs track unsubscribes by removing email addresses from their deployment list. We recommend not doing this; rather, we suggest tracking ‘unsubscribes’ much like explicit consent (to what, when, and how did a person unsubscribe).
  27. Exemptions to CEM Requirements
  28. Registered Charities Exemption: CEM sent by or on behalf of a registered charity which has “as its primary purpose raising funds for the charity”
  29. Other Exemptions »“Personal” or “family” relationships »A CEM consisting solely of an inquiry or application relating to the commercial activity of the recipient »Solicited CEMs – i.e., responses to requests, inquiries, or complaints, or otherwise solicited by the person to whom the message is sent »Internal CEMs to the business, if they concern the activities of the business – emails sent between employees that are unrelated to the business are not exempted (e.g., soliciting volunteers for an external charity event)
  30. Other Exemptions »CEMs between organizations/businesses if they ‘have a relationship’ and the CEM concerns the activities of the receiver’s business/organization »CEMs sent to enforce a legal right »CEMs sent to foreign jurisdictions listed in the CASL schedule – but, must comply with any foreign anti-spam laws in force in that jurisdiction or face prosecution under CASL »CEMs sent by political parties for the primary purpose of soliciting contributions
  31. Other Exemptions »CEMs sent within electronic platforms where ‘unsubscribe’ and identifying information is readily available (e.g., most social networks) »CEMs sent within a limited-access secure account by the person who provides that account (e.g., banking portals) »Two-way voice communications »Faxes and voicemail messages
  32. Exemptions that Require Information and Unsubscribes »Third party referrals – the first CEM sent to a person based on a referral by a third party, consent is required thereafter »Quotes or estimates in response to a request »Warranty, recall, or product safety information »CEMs that deliver products or services, including updates and upgrades
  33. More Exemptions that Require Information and Unsubscribes »CEMs that facilitate or confirm transactions; and »CEMs that provide factual information about: »Ongoing subscriptions, memberships, accounts, loans »Ongoing use or purchases »Employment relations or benefit plans for employees
  34. Preparing for CASL
  35. CASL Flowchart [flowchart] »Do you send CEMs? »You may be exempt from compliance only if: The primary purpose of the CEM is to raise funds for the charity* »Are you a Registered Charity? »Is the CEM: • A third party referral? • Providing a quote or estimate in response to a request • Providing warranty, recall or product safety information • Delivering a product or service, including updates and upgrades • Facilitating or confirming transactions • Providing factual information about: 1. Ongoing subscription, membership, accounts, loans; 2. Ongoing use or ongoing purchases; 3. Employment relations or benefit plans for employees »Do Other Exemptions Apply? • Organization to organization • Personal / family relationship • Internal CEM • An inquiry / application • A response to an inquiry / request / complaint • To enforce a legal right • Sent within a secured access platform • Within a platform containing unsubscribe and ID info • To a foreign jurisdiction (must comply with foreign laws) »Is Consent Implied? 1. You are a registered charity / not-for-profit org.; and 2. Recipient has been a donor, volunteer or member in the preceding 2 years »Outcome boxes: No further action required; No consent required but CEM must include: • Identifying information • Unsubscribe mechanism; Implied consent only good for 2 years. Need to: 1. Include prescribed info 2. Keep track of 2 years 3. Obtain express consent before 2 years expires; Before July 1, 2014: 1. Obtain express consent 2. Include prescribed ID info and unsubscribe mechanism in all CEMs; After July 1, 2014: 1. Obtain consent in prescribed form 2. Include prescribed ID info and unsubscribe »Branch labels: Yes; No; No / unsure; Yes (most likely); No (unlikely); Unsure – consider next step
  36. CASL Systems. Database (CRM): »Contains constituent information »Stores relationship (transaction, volunteer, membership) details »Express consent. Email System: »Processes self-serve unsubscribe requests »Filters email deployments against opt-out lists »Sends email contact information to the CRM
  37. The CRM and Email System Supports Your Planning [flowchart] »Do you send CEMs? »You may be exempt from compliance only if: The primary purpose of the CEM is to raise funds for the charity* »Are you a Registered Charity? »Is the CEM itself exempted? »Do Other Exemptions Apply? • Track applicable relationships through the CRM, for example family relationships can be coded in most systems. »Is Consent Implied? »Outcome boxes: No further action required; No consent required but CEM must include: • Identifying information • Unsubscribe mechanism; Implied consent only good for 2 years. Need to: 1. Include prescribed info 2. Keep track of 2 years 3. Obtain express consent before 2 years expires; Obtain / Send with Express Consent; Filter; Track Unsubscriptions »Branch labels: Yes; No; No / unsure; Yes (most likely); No (unlikely); Unsure – consider next step »Overlay labels: Planning; CRM; Email System
  38. Developing an Email Process: There are a lot of steps to remember. Building a solid and systematic process makes it easier, encourages compliance, and allows for effective process monitoring.
  39. Recommended Process »Plan deployment »Create email list »Filter list »Send email »Process opt-outs »Report on success
  40. Some Functions Fit Best With Specific Systems [diagram: Database (CRM); Email System] »Plan deployment »Create email list »Filter list »Send email »Process opt-outs »Report on success
  41. Integrated Systems? There are a number of integrated systems that handle both constituent management and email deployments. If you have such a system we still strongly encourage maintaining distinct processes for each activity – or even having separate staff members be responsible for different phases.
  42. Plan Your Message »Planning out your emails is the first step in sending compliant and effective messages: • Identify a clear goal for the message – are you trying to acquire new donors, engage current constituents, inform them about your organization’s activities? Based on your goals, who should receive your message? • When is the message being sent? Are there critical groups that you need to establish consent for, and do you have time to do that before you send? • Can you take what you’ve learned from previous messages and improve this message?
  43. Building a List »Build your email list through your database (CRM) based on groups of constituents that are meaningful to your organization, but ensure: • You track, on each constituent or individual person, what they have opted in to and when • You develop a standard set of queries or criteria that comply with CASL’s implied consent criteria
  44. Filtering the List »Building your email list creates a baseline of people who have opted in, and by extension filters out most of the people who have opted out. Now, just before sending, we filter again, directly within the email system, to ensure self-service opt-outs are captured. • To be effective the master opt-out list should be maintained in the system that sends the emails • All unsubscribes should be added to this list
  45. Send Your Message »All of your planning is done, now write the email message and send it. Ensure that you have all the crucial information: • You’ve identified your organization and whom the message is sent on behalf of • Current mailing address • Phone, email address, or web address (that’s valid for at least 60 days after sending) • An unsubscribe mechanism – preferably automatic, but must process opt-outs within 10 days.
  46. Process Any Unsubscribes »After the message is sent you can generally expect to see a few unsubscribes; remember that they must be processed within 10 days of sending. Generally we suggest: • Updating your opt-out information on the email system first • Flagging people’s accounts to show that they have opted out; do not delete them! This is a valuable and important record
  47. Synchronize Your Information and Report »Your plan identified some goals; it’s important to review them as well as the general performance of your message. This is also a good opportunity to update your constituents in your CRM • Build an import/synchronization schedule for regular updates • Track usable metrics in your database, and evaluate your message and identify any lessons learned for future deployments • Use your opt-out list to update your CRM • Note, the opt-out data in the CRM should be used for analysis and review, not for filtering your lists as it will always be slightly out-of-date.
  48. CASL Tips
  49. Get Your Board on Board! Decisions respecting CASL should form part of the organization’s overall risk management strategies »Decisions must be made at board and executive levels »If you are not getting the board or senior leadership to pay attention – remind them of the directors’ and officers’ liability
  50. Conduct an Audit: Create an inventory of all messages that your organization sends, and identify the audiences that you reach out to »Try to think through an entire business cycle – you may be surprised how much is actually sent »Audit each message and audience for CASL compliance »Have they opted in? »Implied consent? »Have they opted out? »Do the messages contain requisite information?
  51. Obtain Consent: While express consent isn’t required for all emails, it is the safest way to send messages and a great way to qualify contacts »Consent is required in most cases for businesses and non-profits; charities have additional exemptions »An opt-in – or express consent – is not just a requirement, it is a person telling you that they want to hear from you
  52. Develop a CASL Compliance Policy: A Due Diligence defence only works if you have a reasonable compliance policy »The procedures must include: »Requesting, maintaining, and utilizing consents »Tracking implied consents »Acting on ‘unsubscribe’ requests »Include CASL compliance and indemnification clauses in third-party contracts
  53. Train Staff, Volunteers, and if Necessary Contractors: It is critical that anyone sending messages on behalf of your organization is educated and trained on your process »Develop and deploy a training program »Ensure Management, Employees, and Volunteers have gone through the program »Include CASL training in new hire onboarding »Ensure third parties who send messages on your behalf are familiar with and adhere to your process – this may require some training for them
  54. Get Help! CASL compliance can be challenging to achieve and maintain. Don’t be afraid to seek help achieving compliance, avoiding complacency, and mitigating risk »Consider CASL insurance »IT professionals or departments may have systems-based support »Ensure you have any compliance language and policies reviewed by legal counsel
  55. Final Notes
  56. Not Just SPAM – Other CASL Activities: CEMs are only one part of CASL; the following other areas are controlled by CASL regulators »Installation of computer programs without consent »Unauthorized collection of personal information online »Email address harvesting »Misleading marketing and advertising in any electronic format
  57. How Can We Help? »Comprehensive compliance and systems audits – current and planned »Advice on developing and implementing CASL compliance »Drafting and review of compliance policies, processes, and documentation »Computer systems and process design »Drafting and review of third party contracts »Compliance training »Representation before regulators and courts
  58. Disclaimer: This presentation is provided as an information service and is a summary of current legal issues. The information is not meant as legal opinion or advice and viewers are cautioned not to act on information provided in this publication without seeking specific legal advice with respect to their unique circumstances. All rights reserved. This presentation may not be reproduced and redistributed without the prior written consent of the author. Maanit Zemel mzemel@casllaw.ca / @maanitzemel Jim Freer jimf@methodworksconsulting.com

Editor's Notes

  1. - What does “raising funds” mean? Is it different than “fundraising”, as interpreted by the CRA? - CRTC likely to focus less on the intended use of the funds and more on the content of the message - “Primary purpose” is likely to be interpreted from the point of view of the receiver of the email (and not of the sender)
  2. Most email deployments fit this process in some fashion. We suggest treating each phase discretely, and building CASL compliance into each area. E.g., - During planning you can craft messages that specifically follow exemptions - Creating compliant lists early simplifies your segmentation process - By filtering your list as a separate process, you catch late unsubscribers and can strategically build a list without trying to address opt-outs at that point - If each deployment has a standard report it makes it easier to revise your email strategy going forward
  3. Each system has a best fit process. Planning is relying on the expertise of the marketing or fundraising staff. Everything else relies on one of two systems.
  4. Short cuts remove checks on a process and make it easy for mistakes to happen.
  5. The more vague your email, the less effective it becomes, and the more likely you are to blur the email ‘type’ (like “Enewsletter”). Clear messaging is part of CASL compliance, and leads to higher conversion rates. Sending messages to disinterested individuals is a sure-fire way of getting unsubscribes. Don’t try to be sneaky; people don’t like being fooled, and in the face of complaints the CRTC is unlikely to be swayed by ‘clever.’ Tailoring your audience to your message or vice versa also leads to more effective messages. In web design we call this user-centric messaging; in fundraising it’s donor-centric messaging. Also, by knowing your audience at the outset you can determine if you have the appropriate consent from that group to send your messages.
  6. Many systems allow you to flag whether or not someone has unsubscribed, or requested no contact. This is a useful part of tracking consent but is normally insufficient for the sort of tracking that CASL requires. Depending on the system there are a number of different ways to flag individuals as having expressly consented, or of building database queries that match donors with last donation dates. Consistency is key to making this work: develop business rules around how you track consent and stick to them. You may run into situations that seem complicated or make you unsure of whether someone has consented or not. To avoid risk exposure we recommend a blanket “if you’re not sure or can’t prove it, then the person hasn’t consented” rule.
  7. The master opt-out list (sometimes called the kill list) is the last compliance tool – it includes people who have explicitly opted out of the message you are about to send. Some organizations have multiple opt-out lists that consist of people who have explicitly opted out of everything as well as people who have opted out of specific messages. For example, an Enewsletter Opt Out List might include: people who have opted out of everything; people who have opted out of enewsletters; and people that the director of development is contacting directly.
  8. The unsubscribe mechanism must be in the same format as the message (e.g., you can’t force people to phone to unsubscribe when you’ve sent an email). For emails it means your ‘reply to’ address should be valid and monitored for unsubscribe requests, and ideally that you include a link to your website that allows people to automatically unsubscribe themselves.
  9. Maintaining opt-out information on the email system lets you control the synchronization without risking unauthorized messages going out. Integrated systems will synchronize automatically, but commercial systems (such as Mailchimp™ or Industry Mailout™ for example) track by email address and so do not require a constituent record in your database.
  10. Integrated systems do this automatically; however, disparate systems will often require a manual import process. This can be challenging, so we recommend doing this on a regular basis (or on a contingent schedule – such as downloading records immediately before building the new list). By clearly distinguishing the two systems you will have a solid process without any gaps. People will not be emailed in a non-compliant fashion.