Legal marketing presentation to various LMA chapters by attorney Jennifer Schaller on GDPR, cookies, CCPA, CASL and CAN-SPAM. Information for legal marketing professionals about regulatory compliance and the data privacy laws applicable to their law firms' CRM systems. Lawyer Jennifer Schaller of the National Law Review discussed best practices in data storage and data privacy compliance for storing information in CRM systems for legal marketing professionals. CAN-SPAM, Canada's Anti-Spam Legislation (CASL) and privacy-law best practices for your law firm's legal marketing are addressed, along with how the CCPA (California's privacy law) and the EU's GDPR affect your law firm's marketing efforts. How to store contact information legally, and what information you can keep on contacts while complying with data storage regulations.
2. Overview
• CAN-SPAM, CASL, GDPR + CCPA
• Data Storage, Breach Notification & Privacy Requirements
• Examples of Disclosures + Forms
• Gathering + Storing Data for Compliance
• Mitigate Privacy Risk to Firm from the Marketing Dept
4. 50% of U.S. SPAM complaints arise because recipients couldn't easily opt out.
Opt-out barriers not only jeopardize compliance, they can jeopardize your email deliverability as well!
6. Opt Out Best Practices
• Don't charge a fee
• Don't require info. beyond the email address
• Don't require log in
• "Unsubscribe" link easy to find
• One action to opt out
• Unsubscribes removed within 10 biz days
• Unsubscribe link active for 30 days
7. CASL (Canada's Anti-Spam Legislation – 2014; fully phased in July 1, 2017)
CONSENT + RECORD KEEPING: CASL requires you to document consent, either implied or express (see definitions below).
APPLICATION + EXCEPTIONS: What is a Commercial Electronic Message (CEM)? What is a business relationship?
CASL NON-COMPLIANCE: Penalties, incl. criminal charges, civil charges, personal liability for officers & directors, & penalties up to $10 million.
8. CASL
For all Canadian email addresses added to your email marketing database after July 1, 2014, CASL requires you to document consent, either implied or express.
Existing businesses had to implement these changes for new mail recipients immediately, but were given three years (until July 1, 2017) to apply them to existing mailing-list subscribers.
9. EXPLICIT CONSENT
CASL applies to any CEM, incl. text, sound, voice, image & certain social media messages.
Express consent: a person "has clearly agreed to receive a CEM, either in writing or orally."
Explicit = checking a box or typing in an email address (a consent box cannot be pre-checked).
10. EXPLICIT CONSENT (cont'd)
Consent cannot be bundled into general terms and conditions.
You can't send an electronic message asking for consent to email someone: a request for consent is itself considered a CEM under CASL.
CASL applies to CEMs sent from or received by computer systems in Canada.
11. IMPLIED CONSENT
Exemptions to express permission incl.: CEMs sent within or between orgs with an existing relationship; CEMs sent in response to complaints, inquiries, or requests; CEMs sent due to a legal obligation or to enforce a right; CEMs sent in relation to clubs or organizations… PLUS
12. IMPLIED CONSENT (cont'd)
• 1st message sent for the purpose of contacting a person for a referral (with terms & conditions)
• the recipient has "conspicuously published" an electronic address without a statement that the person does not wish to receive unsolicited CEMs AND the message is relevant to the person's business (their duties in a business or official capacity)
14. CASL Records + Processes
2) Provide a way for the recipient to readily contact the sender.
3) Provide a functioning unsubscribe method that meets these requirements:
• Must be functional for 60 days after the message has been sent
• Must process a request within 10 business days
• Both an email + a link for unsubscribing
4) You must store the following information for each of your recipients' addresses:
• Type of opt-in (paper, landing page, sign up, etc.)
• Example of sign-up webpage (if applicable)
• Date they opted in / opted out
• The connecting IP address (if applicable)
15. GDPR: sanctions of up to €20 million or 4% of annual global revenue, whichever is higher.
In addition to brand and reputational damage!
16. GDPR (General Data Protection Regulation): 1 Year Later + Pending e-Privacy Changes
Applies to the EEA – a broader area than the EU.
GDPR + e-Privacy Directive = EU privacy requirements, and they are tentatively changing again in 2019!!!
17. GDPR + e-Privacy Directive: What's the Difference??
GDPR = general privacy framework for personal data, regardless of type of use, sector or industry.
Since 2002 the e-Privacy Directive regulates:
• Cookies and similar technologies (more info to follow)
• Electronic direct marketing (email, texting, fax marketing) and most likely soon other direct messaging platforms
• Phone marketing
18. e-Privacy Directive
19. Cookie Consent Post-GDPR + New e-Privacy
• Freely given, specific and informed
• Evidenced by an "affirmative act"
• Inactivity does not constitute consent
• Provision of a service pursuant to a contract cannot be conditioned on consent for processing that is not essential
Cookie Quiz!!!!
20. Cookie Quiz!!!! Post-GDPR + New e-Privacy
1. Is the continued use of a website an affirmative act from which consent may be inferred?
2. Does the use of a pre-checked cookie box count as valid consent?
3. The website does not provide the option to use it without cookies; in other words, there is no option to deny the use of cookies. Is that OK?
4. Is this cookie disclosure OK?
23. GDPR BASICS
24. GDPR BASICS cont'd
25. Minimize Personal Data by Necessity
Under GDPR, data processing is only acceptable on the grounds that it can be justified as necessary to accomplish a specific goal.
Article 5 of the GDPR states that personal data can only be "collected for specified, explicit and legitimate purposes."
26. Minimize Personal Data by Necessity (cont'd)
Personal data means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier
27. Minimize Personal Data by Necessity (cont'd)
Identifier such as:
• a name,
• an I.D. number
• location data
• an online identifier
• factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
33. Organize Your Data: Keep Evidence of Consent
Keeping evidence of consent means that you must be able to provide proof of:
• When they consented
• What they were told at the time of consent
• How they consented (e.g., during checkout, via Facebook form, etc.)
• Whether they have withdrawn consent – when / how
34. Organize Your Data
Delete, or securely store, any non-essential PII (Personally Identifiable Information):
• Specially protected categories (ethnic origin, marital status)
• Info you would be embarrassed if the contact knew you had
• Be careful with children's info (info in the CRM about a contact's kids, or a spouse's health info)
35. Organize Your Data: Build a Suppression List
• Those in the EEA without explicit consent
• Those without address or country information
• Older prospects / former employees' contacts
• Let other employees know who is on the suppression list
37. Portability + Best Practices
• Restrict access to key functions and information
• Talk with vendors
• Determine breach / request-for-info procedure
• Train your staff; regularly review procedures; audit
41. CCPA BASICS
42. CCPA BASICS cont'd
44. Ten Steps to Prepare for the CCPA
1. Data inventory and map of your data flows, to assess what information you may need to start disclosing publicly or in response to CCPA rights requests
2. Update your privacy notices to include any required disclosures regarding your collection of personal information or California residents' rights under the CCPA
3. Add a "Do Not Sell My Personal Information" button to your website
4. Establish at least two ways for California residents to submit CCPA rights requests, including a toll-free telephone number
5. Develop policies and procedures to respond to requests from California residents to access,
45. Ten Steps to Prepare for the CCPA – cont'd
6. Review your agreements with existing vendors to determine which ones may be considered "third parties" or "service providers" under the CCPA.
7. Develop standard contracts or agreement riders for "service provider" engagements that comply with the CCPA.
8. Develop a due diligence process to understand, evaluate and manage your vendors' privacy and data security practices.
9. Evaluate your existing information security practices and procedures and incident response policy.
10. Train applicable employees regarding the CCPA.
46. BEGIN WITH AN ACTION PLAN – WHO IS RESPONSIBLE, LOCATION + WHAT TO KEEP
• Work with the GC to take direction on case info vs. marketing info.
• Develop a process to determine what data you are going to keep and for how long.
• Need to know who within the org owns the data and how you got it.
• Need to know the location of each contact.
• When sorting data to identify location, the phone number or an email domain ending in .ca or .de can give a clue to a contact's location.
• Update data collection forms + how info is stored; consider getting rid of any personal data collection not expressly needed.
• For data you are not going to keep: a process for who can access the info, and new protocols to isolate that data.
• Build a suppression list, with timelines for limited access to data and timelines for data deletion; for data you are not going to keep, maintain records of what was deleted and when.
• Develop a privacy policy with the GC.
• Develop, with the GC, a process for when a person wants to access or change their data.
• Develop a breach plan with the GC.
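The records-and-processes slides (14 and 33) list the consent evidence a CRM should hold, slide 35 names who belongs on the suppression list, and slide 46 suggests using the phone prefix or the email domain's country code as a clue to location. The Python below is an added example written for this page, not code from the presentation or from any CRM vendor: it models a consent ledger with those fields, derives a suppression list from the slides' criteria, and flags unsubscribes not honoured within 10 business days. The country lookup tables, field names, sample contacts and the decision to ignore public holidays are this example's assumptions, not legal advice.

```python
"""Consent ledger + suppression-list check for a marketing CRM export (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from typing import Optional

# Dates and deadlines taken from the slides; lookup tables below are demo assumptions.
CASL_EFFECTIVE = date(2014, 7, 1)   # CASL: document consent for Canadian addresses added after this
UNSUBSCRIBE_BUSINESS_DAYS = 10      # CAN-SPAM / CASL: honour opt-outs within 10 business days

EEA_COUNTRIES = {"DE", "FR", "IE", "NL", "SE", "NO", "IS", "LI"}        # assumption: partial list
TLD_TO_COUNTRY = {"ca": "CA", "de": "DE", "fr": "FR", "uk": "GB", "ie": "IE"}
PHONE_PREFIX_TO_COUNTRY = {"+44": "GB", "+49": "DE", "+33": "FR", "+353": "IE"}
# "+1" is shared by the US and Canada, so it is deliberately absent: it gives no clue.


@dataclass
class ConsentEvent:
    """One line of the consent audit trail: when, how, what they were told (slides 14, 33)."""
    kind: str                          # "express", "implied" or "withdrawn"
    when: datetime
    how: str                           # paper form, landing page, checkout, unsubscribe link ...
    disclosure: str                    # what the contact was told at the time
    source_url: Optional[str] = None   # example of the sign-up page, if applicable
    ip: Optional[str] = None           # connecting IP, if applicable


@dataclass
class Contact:
    email: str
    added: date                                 # date the address entered the marketing database
    country: Optional[str] = None               # ISO 3166-1 alpha-2 if the CRM has it
    phone: Optional[str] = None
    events: list[ConsentEvent] = field(default_factory=list)
    unsubscribe_processed: Optional[date] = None


def infer_country(c: Contact) -> Optional[str]:
    """Explicit country first; otherwise the phone-prefix or email-TLD clue from slide 46."""
    if c.country:
        return c.country.upper()
    if c.phone:
        digits = c.phone.replace(" ", "")
        for prefix, cc in PHONE_PREFIX_TO_COUNTRY.items():
            if digits.startswith(prefix):
                return cc
    return TLD_TO_COUNTRY.get(c.email.rsplit(".", 1)[-1].lower())


def current_consent(c: Contact) -> Optional[ConsentEvent]:
    """Most recent consent event, or None if the contact withdrew or never consented."""
    if not c.events:
        return None
    latest = max(c.events, key=lambda e: e.when)
    return None if latest.kind == "withdrawn" else latest


def suppression_reason(c: Contact) -> Optional[str]:
    """Suppression-list criteria from slides 8 and 35; None means the contact may be mailed."""
    consent = current_consent(c)
    if consent is None and any(e.kind == "withdrawn" for e in c.events):
        return "opted out"
    country = infer_country(c)
    if country is None:
        return "no address or country information"
    if country in EEA_COUNTRIES and (consent is None or consent.kind != "express"):
        return "EEA contact without explicit consent"
    if country == "CA" and c.added >= CASL_EFFECTIVE and consent is None:
        return "Canadian address added after 2014-07-01 without documented consent"
    return None


def build_suppression_list(contacts: list[Contact]) -> dict[str, str]:
    return {c.email: r for c in contacts if (r := suppression_reason(c)) is not None}


def add_business_days(start: date, n: int) -> date:
    """Count forward n Monday-to-Friday days (public holidays ignored: an assumption)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def overdue_unsubscribes(contacts: list[Contact], today: date) -> list[str]:
    """Withdrawals still unprocessed after the 10-business-day window."""
    late = []
    for c in contacts:
        withdrawn = [e.when for e in c.events if e.kind == "withdrawn"]
        if withdrawn and c.unsubscribe_processed is None:
            if today > add_business_days(max(withdrawn).date(), UNSUBSCRIBE_BUSINESS_DAYS):
                late.append(c.email)
    return late


# Constructed sample data for the demo, not real contacts.
SAMPLE = [
    Contact("a@example.ca", date(2019, 3, 1), events=[ConsentEvent(
        "express", datetime(2019, 3, 1, 9), "landing page",
        "Monthly newsletter; unsubscribe any time", "https://example.invalid/signup", "203.0.113.7")]),
    Contact("b@example.ca", date(2019, 3, 2)),                                   # Canadian, no consent on file
    Contact("c@example.de", date(2019, 3, 3), events=[ConsentEvent(
        "implied", datetime(2019, 3, 3, 9), "business card", "none")]),         # EEA, implied only
    Contact("d@example.com", date(2019, 3, 4), phone="+1 415 555 0100"),        # +1 and .com: location unknown
    Contact("e@example.com", date(2019, 3, 5), country="US", events=[
        ConsentEvent("express", datetime(2019, 3, 5, 9), "checkout", "Offers by email"),
        ConsentEvent("withdrawn", datetime(2019, 4, 1, 9), "unsubscribe link", "n/a")]),
]

if __name__ == "__main__":
    for email, reason in build_suppression_list(SAMPLE).items():
        print(f"suppress {email}: {reason}")
    print("overdue unsubscribes:", overdue_unsubscribes(SAMPLE, date(2019, 4, 30)))
```

Run it against an export of the CRM and feed the returned dictionary back as the suppression list the other employees are told about (slide 35); the overdue list is the one to escalate, since the withdrawal on 2019-04-01 should have been processed by 2019-04-15.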
47. CAN-SPAM Tools + Resources
1. FTC CAN-SPAM Act: A Compliance Guide for Business https://www.ftc.gov/tips-advice/business-center/guidance/can-spam-act-compliance-guide-business
2. Is Your Email Marketing Compliant With The CAN-SPAM Act? https://www.forbes.com/sites/forbesagencycouncil/2018/06/06/is-your-email-marketing-compliant-with-the-can-spam-act/#100f393f32d0
3. Complying with the CAN-SPAM Act https://www.lexisnexis.com/lexis-practice-advisor/the-journal/b/lpa/posts/complying-with-the-can-spam-act
48. CASL Tools + Resources
1. Canada's Anti-Spam Legislation website + "Is it Spam?" quiz https://www.fightspam.gc.ca/eic/site/030.nsf/eng/home https://www.fightspam.gc.ca/eic/site/030.nsf/eng/00016.html https://crtc.gc.ca/eng/com500/guide.htm
2. Deloitte Canada's Anti-Spam Law FAQ https://www2.deloitte.com/ca/en/pages/risk/articles/canada-anti-spam-law-casl-faq.html
3. Canadian Anti-Spam Law: What You Need to Know https://sendgrid.com/blog/canadian-anti-spam-law-need-know/
49. GDPR Tools + Resources
1. Navigating the Inbox: Understanding How GDPR Impacts You – LMA Webinar 3-20-18 https://www.legalmarketing.org/p/do/sd/topic=521&sid=7470
2. Orrick's EU GDPR Readiness Assessment Tool https://www.orrick.com/Practices/GDPR-Readiness
3. Alston & Bird GDPR + Privacy Tracker https://www.alstongdprtracker.com/eea-map/
4. Does GDPR Require New Consent from Existing Clients? https://www.compliancejunction.com/gdpr-require-new-consent-existing-clients/
50. CCPA Tools + Resources
1. Orrick Readiness Tool for California Consumer Privacy Act https://www.orrick.com/News/2019/04/Orrick-Unveils-Sophisticated-Tool-to-Assess-Readiness-for-California-Consumer-Privacy-Act
2. The California Consumer Privacy Act of 2018 https://privacylaw.proskauer.com/2018/07/articles/data-privacy-laws/the-california-consumer-privacy-act-of-2018/
3. CCPA and GDPR: Comparison of certain provisions https://www.whitecase.com/publications/article/ccpa-and-gdpr-comparison-certain-provisions