What to Know
What to Do
CAN-SPAM,
CASL, GDPR + CCPA
Overview
• CAN-SPAM, CASL, GDPR + CCPA
• Data Storage, Breach Notification & Privacy Requirements
• Examples of Disclosures + Forms
• Gathering + Storing Data for Compliance
• Mitigate Privacy Risk to Firm from the Marketing Dept
$42,530
Each separate message in violation of CAN-SPAM
Now Combined with TCPA + COPPA!
50%
Of U.S. SPAM Complaints Because Recipients Couldn’t Easily Opt Out
Opt-out barriers not only jeopardize compliance, they can jeopardize your email deliverability as well!
Opt Out Best Practices
• Don’t charge a fee
• Don’t require info. beyond email address
• Don’t require log in
• “Unsubscribe” link easy to find
• One action to opt-out
• Unsubscribes removed within 10 biz days
• Unsubscribe link active 30 days
CONSENT + RECORD KEEPING
CASL requires you to document consent, either implied or express - definitions.
APPLICATION + EXCEPTIONS
What is a Commercial Electronic Message (CEM)? What’s a Business Relationship?
CASL NON-COMPLIANCE
Penalties, incl criminal charges, civil charges, personal liability for officers & directors, & penalties up to $10 mill
CASL (Canada’s Anti-Spam Legislation – 2014)
(Fully Phased in July 1, 2017)
Existing businesses must implement these changes for new mail recipients, but they have three years (until July 1, 2017) to apply them to existing mailing-list subscribers.
CASL
For all Canadian email addresses added to your email marketing database after July 1, 2014, CASL requires you to document consent, either implied or express.
Applies to any CEMs, incl text, sound, voice, image & certain social media
A person “has clearly agreed to receive a CEM, either in writing or orally.”
Explicit = checking a box or typing in an email address (consent cannot be pre-checked)
Reel Engine Studios | 2020
EXPLICIT
CONSENT
Consent cannot be bundled into general terms and conditions
You can’t send an electronic message that contains a request for consent to email them; such a request is also considered to be a CEM under CASL
Applies to CEMs sent from or received by computer systems in Canada
EXPLICIT
CONSENT
Exemptions to express permission incl:
• CEMs sent within or between orgs with an existing relationship;
• CEMs sent in response to complaints, inquiries, or requests;
• CEMs sent due to a legal obligation or to enforce a right;
• CEMs sent in relation to clubs or organizations… PLUS
IMPLIED
CONSENT
1st message sent for the purpose of contacting a person for a referral (with terms & conditions)
The recipient has “conspicuously published” electronic address without a statement that the person does not wish to receive unsolicited CEMs AND message is relevant to person’s business or official capacity
IMPLIED CONSENT
• The recipient has “conspicuously published” electronic address without a statement that the person does not wish to receive unsolicited CEMs AND message is relevant to person’s business …duties in a business or official capacity)
IMPLIED
CONSENT
CASL Records + Processes
• Provide a way for the recipient to readily contact the sender
• Provide a functioning unsubscribe method that meets these requirements:
  • Must be functional for 60 days after the message has been sent
  • Must process request within 10 days
  • Both an email + a link for unsubscribing
• You must store the following information for each of your recipients’ addresses:
  • Type of opt-in (paper, landing page, sign up, etc.)
  • Example of sign-up webpage (if applicable)
  • Date they opted-in / opted-out
  • The connecting IP address (if applicable)
€20mil
Or Sanctions of up to 4% of Annual Global Revenue
In addition to brand and reputational
damage!
Applies to EEA –
Broader Area than EU
GDPR General Data
Protection Regulation
1 Year Later + Pending
E-Privacy Changes
GDPR + e-Privacy
Directive = EU Privacy
Requirements & are
Tentatively Changing
Again in 2019!!!
• Cookies and similar
technologies (more info to
follow)
• Electronic direct
marketing (email, texting,
fax marketing) and most
likely soon other direct
messaging platforms
• Phone marketing
What’s the
Difference??
GDPR +
e-Privacy
Directive
GDPR = general
privacy framework for
personal data,
regardless of type of
use, sector or
industry
Since
2002 e-Privacy
Regulates
Freely given,
specific and
informed
Cookie Consent Post-GDPR + New e-Privacy
Evidenced by an
“affirmative act”
Inactivity does not
constitute consent
Provision of a service
pursuant
to a contract
cannot be conditioned
on consent for
processing that is not
essential
Cookie Quiz!!!!
Post-GDPR + New e-Privacy
1. Is the continued use of a website an affirmative act from
which consent may be inferred?
2. Does the use of a pre-checked cookie box count as
valid consent?
3. The website does not provide the option to use the
website without cookies. In other words, there is no
option to deny the use of cookies.
4. Is this cookie disclosure OK?
Cookie Consent GDPR
GDPR BASICS
GDPR BASICS cont’d
Under GDPR guidelines, data
processing is only acceptable on the
grounds that it can be justified as a
necessary requisite to accomplish a
specific goal.
Article 5 of the GDPR states that
personal data can only be “collected for
specified, explicit and legitimate
purposes.”
Minimize
Personal Data
by Necessity
Minimize Personal
Data by Necessity
Personal data means
any information relating
to an identified or
identifiable natural
person (‘data subject’)
an identifiable natural
person is one who can
be identified, directly or
indirectly, in particular
by reference to an
identifier
Minimize Personal
Data by Necessity
Identifier such as:
• a name,
• an I.D number
• location data
• an online identifier
• factors specific to:
• physical, physiological,
genetic, mental,
economic, cultural or
social identity of that
natural person
GDPR LEGITIMATE
INTEREST
KEY PROVISIONS: CAN-SPAM V.
CASL
Keeping evidence of consent means that you must be able to provide proof of:
• When they consented
• What they were told at the time of consent
• How they consented (e.g., during checkout, via Facebook form, etc.)
• Whether they have withdrawn consent – when / how
Organize Your Data
Keep Evidence of Consent
Organize Your Data
Delete, securely store any non-essential PII (Personal Identifiable Info)
• Specially protected categories (ethnic, marital status)
• Info you would be embarrassed if contact knew you had.
• Be careful with children's info (info in CRM about contact’s kids, spouse’s health info)
• Those in EEA without explicit consent
• Those without address or country information
• Older prospects / former employee’s contacts
• Let other employees know who is on suppression list
Organize Your Data
Build a Suppression List
RIGHT TO BE FORGOTTEN
Right to be Forgotten
Portability + Best Practices
• Restrict access to key functions and information
• Talk with vendors
• Determine breach / request for info procedure
• Train your staff; regularly review procedures; audit
CCPA BASICS
CCPA BASICS cont’d
Comparison of Key GDPR and CCPA
Requirements
Ten Steps to Prepare for the CCPA
1. Data inventory and map for your data flows to assess what information you may need to start disclosing publicly or in response to CCPA rights requests
2. Update your privacy notices to include any required disclosures regarding your collection of personal information or California residents’ rights under the CCPA
3. Add a “Do Not Sell My Personal Information” button to your website
4. Establish at least two ways for California residents to submit CCPA rights requests, including a toll-free telephone number
5. Develop policies and procedures to respond to requests from California residents to access,
Ten Steps to Prepare for the CCPA – cont’d
6. Review your agreements with existing vendors to determine which ones may be considered “third parties” or “service providers” under the CCPA.
7. Develop standard contracts or agreement riders for “service provider” engagements that comply with the CCPA.
8. Develop a due diligence process to understand, evaluate and manage your vendors’ privacy and data security practices.
9. Evaluate your existing information security practices and procedures and incident response policy.
10. Train applicable employees regarding CCPA
BEGIN WITH AN ACTION PLAN – WHO IS RESPONSIBLE, LOCATION + WHAT TO KEEP
• Work with GC to take direction on case info vs. marketing info.
• Develop a process to determine what data you’re going to keep and for how long
• Need to know who within org owns data and how you got it
• Need to know location of contact
• When sorting data to ID location, a phone number or a .ca or .de suffix can help give a clue to the contact’s location
• Update data collection forms + how info is stored; consider getting rid of personal data collection not expressly needed
• For data not going to keep – process on who can access info; new protocols to isolate data
• Building a suppression list – timelines for limited access to data – timelines for data deletion
• For data not going to keep – records on what was deleted and when
• Develop privacy policy with GC
• Develop process if person wants to access or change their data with GC
• Develop breach plan with GC
CAN-SPAM Tools + Resources
1. FTC CAN-SPAM Act: A Compliance Guide for Business https://www.ftc.gov/tips-advice/business-center/guidance/can-spam-act-compliance-guide-business
2. Is Your Email Marketing Compliant With The CAN-SPAM Act? https://www.forbes.com/sites/forbesagencycouncil/2018/06/06/is-your-email-marketing-compliant-with-the-can-spam-act/#100f393f32d0
3. Complying with the CAN-SPAM Act https://www.lexisnexis.com/lexis-practice-advisor/the-journal/b/lpa/posts/complying-with-the-can-spam-act
CASL Tools + Resources
1. Canada’s Anti Spam Legislation website + Is it Spam Quiz https://www.fightspam.gc.ca/eic/site/030.nsf/eng/home https://www.fightspam.gc.ca/eic/site/030.nsf/eng/00016.html https://crtc.gc.ca/eng/com500/guide.htm
2. Deloitte Canada’s Anti-Spam Law FAQ https://www2.deloitte.com/ca/en/pages/risk/articles/canada-anti-spam-law-casl-faq.html
3. Canadian Anti-Spam Law: What You Need to Know https://sendgrid.com/blog/canadian-anti-spam-law-need-know/
GDPR Tools + Resources
1. Navigating the Inbox: Understanding How GDPR Impacts You - LMA Webinar 3-20-18 https://www.legalmarketing.org/p/do/sd/topic=521&sid=7470
2. Orrick’s EU GDPR Readiness Assessment Tool https://www.orrick.com/Practices/GDPR-Readiness
3. Alston & Bird GDPR + Privacy Tracker https://www.alstongdprtracker.com/eea-map/
4. Does GDPR Require New Consent from Existing Clients? https://www.compliancejunction.com/gdpr-require-new-consent-existing-clients/
CCPA Tools + Resources
1. Orrick Readiness Tool for California Consumer Privacy Act https://www.orrick.com/News/2019/04/Orrick-Unveils-Sophisticated-Tool-to-Assess-Readiness-for-California-Consumer-Privacy-Act
2. The California Consumer Privacy Act of 2018 https://privacylaw.proskauer.com/2018/07/articles/data-privacy-laws/the-california-consumer-privacy-act-of-2018/
3. CCPA and GDPR: Comparison of certain provisions https://www.whitecase.com/publications/article/ccpa-and-gdpr-comparison-certain-provisions
Cookies GDPR CCPA CASL what Law Firm Marketers Need to Know to Comply

CHP 5 OF OFFENCES AGAINST WOMEN AND CHILDREN.pptxCHP 5 OF OFFENCES AGAINST WOMEN AND CHILDREN.pptx
CHP 5 OF OFFENCES AGAINST WOMEN AND CHILDREN.pptx
 
INAUGURAL SIPAC FORUM - POST EVENT REPORT.pdf
INAUGURAL SIPAC FORUM - POST EVENT REPORT.pdfINAUGURAL SIPAC FORUM - POST EVENT REPORT.pdf
INAUGURAL SIPAC FORUM - POST EVENT REPORT.pdf
 
Rights of Consumers under Consumer Protection Act, 1986.
Rights of Consumers under Consumer Protection Act, 1986.Rights of Consumers under Consumer Protection Act, 1986.
Rights of Consumers under Consumer Protection Act, 1986.
 
Supreme Court Regulation No. 3 of 2023 on Procedure for Appointment of Arbitr...
Supreme Court Regulation No. 3 of 2023 on Procedure for Appointment of Arbitr...Supreme Court Regulation No. 3 of 2023 on Procedure for Appointment of Arbitr...
Supreme Court Regulation No. 3 of 2023 on Procedure for Appointment of Arbitr...
 
How to Protect Your Children During a Divorce?
How to Protect Your Children During a Divorce?How to Protect Your Children During a Divorce?
How to Protect Your Children During a Divorce?
 
Embed-2-2.pdf[[app[r[prf[-rk;lme;[ed[prp[
Embed-2-2.pdf[[app[r[prf[-rk;lme;[ed[prp[Embed-2-2.pdf[[app[r[prf[-rk;lme;[ed[prp[
Embed-2-2.pdf[[app[r[prf[-rk;lme;[ed[prp[
 
dandan liu need to rot when she dies..pdf
dandan liu need to rot when she dies..pdfdandan liu need to rot when she dies..pdf
dandan liu need to rot when she dies..pdf
 
Sedition Offences against Property 20-5-2024.pptx
Sedition  Offences against Property 20-5-2024.pptxSedition  Offences against Property 20-5-2024.pptx
Sedition Offences against Property 20-5-2024.pptx
 
File Taxes Online Simple Steps for Efficient Filing.pdf
File Taxes Online Simple Steps for Efficient Filing.pdfFile Taxes Online Simple Steps for Efficient Filing.pdf
File Taxes Online Simple Steps for Efficient Filing.pdf
 
TTD - PPT on social stock exchange.pptx Presentation
TTD - PPT on social stock exchange.pptx PresentationTTD - PPT on social stock exchange.pptx Presentation
TTD - PPT on social stock exchange.pptx Presentation
 
REVIVING OUR STAR GOD IMAGES FROM MARRYING OUR 4 HOLY LAWS OF STAR GODS
REVIVING OUR STAR GOD IMAGES FROM MARRYING OUR 4 HOLY LAWS OF STAR GODSREVIVING OUR STAR GOD IMAGES FROM MARRYING OUR 4 HOLY LAWS OF STAR GODS
REVIVING OUR STAR GOD IMAGES FROM MARRYING OUR 4 HOLY LAWS OF STAR GODS
 
FAMILY LAW - Legacy Semester II .pptx
FAMILY    LAW - Legacy Semester II .pptxFAMILY    LAW - Legacy Semester II .pptx
FAMILY LAW - Legacy Semester II .pptx
 
Termination of Employees under the Labor Code.pptx
Termination of Employees under the Labor Code.pptxTermination of Employees under the Labor Code.pptx
Termination of Employees under the Labor Code.pptx
 
Embed-6 (1).pdfc p;p;kdk[odk[drskpokpopo
Embed-6 (1).pdfc p;p;kdk[odk[drskpokpopoEmbed-6 (1).pdfc p;p;kdk[odk[drskpokpopo
Embed-6 (1).pdfc p;p;kdk[odk[drskpokpopo
 
Indian Partnership Act 1932, Rights and Duties of Partners
Indian Partnership Act 1932, Rights and Duties of PartnersIndian Partnership Act 1932, Rights and Duties of Partners
Indian Partnership Act 1932, Rights and Duties of Partners
 
Justice Advocates Legal Defence Firm
Justice Advocates Legal Defence FirmJustice Advocates Legal Defence Firm
Justice Advocates Legal Defence Firm
 
Embed-3-2.pdfkp[k[odk[odk[d[ok[d[pkdkdkl
Embed-3-2.pdfkp[k[odk[odk[d[ok[d[pkdkdklEmbed-3-2.pdfkp[k[odk[odk[d[ok[d[pkdkdkl
Embed-3-2.pdfkp[k[odk[odk[d[ok[d[pkdkdkl
 

Cookies GDPR CCPA CASL what Law Firm Marketers Need to Know to Comply

  • 1. What to Know, What to Do: CAN-SPAM, CASL, GDPR + CCPA
  • 2. Overview: CAN-SPAM, CASL, GDPR + CCPA; Data Storage, Breach Notification & Privacy Requirements; Examples of Disclosures + Forms; Gathering + Storing Data for Compliance; Mitigate Privacy Risk to Firm from the Marketing Dept
  • 3. $42,530: Each separate message in violation of CAN-SPAM. Now Combined with TCPA + COPPA!
  • 4. 50% of U.S. spam complaints are because recipients couldn’t easily opt out. Opt-out barriers not only jeopardize compliance, they can jeopardize your email deliverability as well!
  • 5.
  • 6. Opt Out Best Practices: Don’t charge a fee; don’t require info. beyond email address; don’t require log in; “Unsubscribe” link easy to find; one action to opt-out; unsubscribes removed within 10 biz days; unsubscribe link active 30 days
  • 7. CASL (Canada’s Anti-Spam Legislation – 2014) (Fully Phased in July 1, 2017). CONSENT + RECORD KEEPING: CASL requires you to document consent, either implied or express - definitions. APPLICATION + EXCEPTIONS: What is a Commercial Electronic Message (CEM); what’s a Business Relationship. CASL NON-COMPLIANCE: Penalties, incl criminal charges, civil charges, personal liability for officers & directors, & penalties up to $10 mill
  • 8. CASL: Existing businesses must implement these changes for new mail recipients, but they have three years (until July 1, 2017) to apply them to existing mailing-list subscribers. For all Canadian email addresses added to your email marketing database after July 1, 2014, CASL requires you to document consent, either implied or express.
  • 9. EXPLICIT CONSENT: Applies to any CEMs, incl text, sound, voice, image & certain social media; a person “has clearly agreed to receive a CEM, either in writing or orally.” Explicit = checking a box or typing in an email address (consent cannot be pre-checked). Reel Engine Studios | 2020
  • 10. EXPLICIT CONSENT: Consent cannot be bundled into general terms and conditions; can’t send an electronic message that contains a request for consent to email them (also considered to be a CEM under CASL); applies to CEMs sent from or received by computer systems in Canada
  • 11. IMPLIED CONSENT: Exemptions to express permission incl: CEMs sent within or between orgs with an existing relationship; CEMs sent in response to complaints, inquiries, or requests; CEMs sent due to a legal obligation or to enforce a right; CEMs sent in relation to clubs or organizations … PLUS
  • 12. IMPLIED CONSENT: 1st message sent for the purpose of contacting a person for a referral (with terms & conditions); the recipient has “conspicuously published” electronic address without a statement that the person does not wish to receive unsolicited CEMs AND message is relevant to person’s business or official capacity
  • 13. IMPLIED CONSENT: the recipient has “conspicuously published” electronic address without a statement that the person does not wish to receive unsolicited CEMs AND message is relevant to person’s business …duties in a business or official capacity)
  • 14. CASL Records + Processes
      - Provide a way for the recipient to readily contact the sender
      - Provide a functioning unsubscribe method that meets these requirements: must be functional for 60 days after the message has been sent; must process request within 10 days; both an email + a link for unsubscribing
      - You must store the following information for each of your recipients’ addresses: type of opt-in (paper, landing page, sign up, etc.); example of sign-up webpage (if applicable); date they opted-in / opted-out; the connecting IP address (if applicable)
  • 15. €20mil or sanctions of up to 4% of annual global revenue, in addition to brand and reputational damage!
  • 16. GDPR (General Data Protection Regulation): 1 Year Later + Pending E-Privacy Changes. Applies to EEA – Broader Area than EU. GDPR + e-Privacy Directive = EU Privacy Requirements & are Tentatively Changing Again in 2019!!!
  • 17. GDPR + e-Privacy Directive: What’s the Difference?? GDPR = general privacy framework for personal data, regardless of type of use, sector or industry. Since 2002 e-Privacy regulates: cookies and similar technologies (more info to follow); electronic direct marketing (email, texting, fax marketing) and most likely soon other direct messaging platforms; phone marketing
  • 18.
  • 19. Cookie Consent Post-GDPR + New e-Privacy: Freely given, specific and informed; evidenced by an “affirmative act”; inactivity does not constitute consent; provision of a service pursuant to a contract cannot be conditioned on consent for processing that is not essential. Cookie Quiz!!!!
  • 20. Cookie Quiz!!!! Post-GDPR + New e-Privacy: 1. Is the continued use of a website an affirmative act from which consent may be inferred? 2. Does the use of a pre-checked cookie box count as valid consent? 3. The website does not provide the option to use the website without cookies. In other words, there is no option to deny the use of cookies. 4. Is this cookie disclosure OK?
  • 23. GDPR BASICS
  • 24. GDPR BASICS cont’d
  • 25. Minimize Personal Data by Necessity: Under GDPR guidelines, data processing is only acceptable on the grounds that it can be justified as a necessary requisite to accomplish a specific goal. Article 5 of the GDPR states that personal data can only be “collected for specified, explicit and legitimate purposes.”
  • 26. Minimize Personal Data by Necessity: Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier
  • 27. Minimize Personal Data by Necessity: Identifier such as: a name; an I.D. number; location data; an online identifier; factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
  • 28.
  • 30.
  • 31.
  • 33. Organize Your Data: Keep Evidence of Consent. Keeping evidence of consent means that you must be able to provide proof of: when they consented; what they were told at the time of consent; how they consented (e.g., during checkout, via Facebook form, etc.); whether they have withdrawn consent – when / how
  • 34. Organize Your Data: Delete, securely store any non-essential PII (Personal Identifiable Info): specially protected categories (ethnic, marital status); info you would be embarrassed if contact knew you had; be careful with children's info (info in CRM about contact’s kids, spouse’s health info)
  • 35. Organize Your Data: Build a Suppression List: those in EEA without explicit consent; those without address or country information; older prospects / former employee’s contacts; let other employees know who is on suppression list
  • 36. Right to be Forgotten
  • 37. Portability + Best Practices: restrict access to key functions and information; talk with vendors; determine breach / request for info procedure; train your staff; regularly review procedures; audit
  • 38.
  • 39.
  • 40.
  • 41. CCPA BASICS
  • 42. CCPA BASICS cont’d
  • 43. Comparison of Key GDPR and CCPA Requirements
  • 44. Ten Steps to Prepare for the CCPA
      1. Data inventory and map for your data flows to assess what information you may need to start disclosing publicly or in response to CCPA rights requests
      2. Update your privacy notices to include any required disclosures regarding your collection of personal information or California residents’ rights under the CCPA
      3. Add a “Do Not Sell My Personal Information” button to your website
      4. Establish at least two ways for California residents to submit CCPA rights requests, including a toll-free telephone number
      5. Develop policies and procedures to respond to requests from California residents to access,
  • 45. Ten Steps to Prepare for the CCPA – cont’d
      6. Review your agreements with existing vendors to determine which ones may be considered “third parties” or “service providers” under the CCPA.
      7. Develop standard contracts or agreement riders for “service provider” engagements that comply with the CCPA.
      8. Develop a due diligence process to understand, evaluate and manage your vendors’ privacy and data security practices.
      9. Evaluate your existing information security practices and procedures and incident response policy.
      10. Train applicable employees regarding CCPA
  • 46. BEGIN WITH AN ACTION PLAN – WHO IS RESPONSIBLE, LOCATION + WHAT TO KEEP
      - Work with GC to take direction on case info vs. marketing info.
      - Develop a process to determine what data you’re going to keep and for how long
      - Need to know who within org owns data and how you got it
      - Need to know location of contact
      - Data sorting to ID location: a phone number or .ca or .de can help give a clue to a contact’s location
      - Update data collection forms + how info is stored; consider getting rid of personal data collection not expressly needed
      - For data not going to keep – process on who can access info. New protocols to isolate data
      - Building a suppression list – timelines for limited access to data – timelines for data deletion
      - For data not going to keep – records on what and when deleted
      - Develop privacy policy with GC
      - Develop process if person wants to access or change their data with GC
      - Develop breach plan with GC
  • 47. CAN-SPAM Tools + Resources
      1. FTC CAN-SPAM Act: A Compliance Guide for Business https://www.ftc.gov/tips-advice/business-center/guidance/can-spam-act-compliance-guide-business
      2. Is Your Email Marketing Compliant With The CAN-SPAM Act? https://www.forbes.com/sites/forbesagencycouncil/2018/06/06/is-your-email-marketing-compliant-with-the-can-spam-act/#100f393f32d0
      3. Complying with the CAN-SPAM Act https://www.lexisnexis.com/lexis-practice-advisor/the-journal/b/lpa/posts/complying-with-the-can-spam-act
  • 48. CASL Tools + Resources
      1. Canada’s Anti Spam Legislation website + Is it Spam Quiz https://www.fightspam.gc.ca/eic/site/030.nsf/eng/home https://www.fightspam.gc.ca/eic/site/030.nsf/eng/00016.html https://crtc.gc.ca/eng/com500/guide.htm
      2. Deloitte Canada’s Anti-Spam Law FAQ https://www2.deloitte.com/ca/en/pages/risk/articles/canada-anti-spam-law-casl-faq.html
      3. Canadian Anti-Spam Law: What You Need to Know https://sendgrid.com/blog/canadian-anti-spam-law-need-know/
  • 49. GDPR Tools + Resources
      1. Navigating the Inbox: Understanding How GDPR Impacts You - LMA Webinar 3-20-18 https://www.legalmarketing.org/p/do/sd/topic=521&sid=7470
      2. Orrick’s EU GDPR Readiness Assessment Tool https://www.orrick.com/Practices/GDPR-Readiness
      3. Alston & Bird GDPR + Privacy Tracker https://www.alstongdprtracker.com/eea-map/
      4. Does GDPR Require New Consent from Existing Clients? https://www.compliancejunction.com/gdpr-require-new-consent-existing-clients/
  • 50. CCPA Tools + Resources
      1. Orrick Readiness Tool for California Consumer Privacy Act https://www.orrick.com/News/2019/04/Orrick-Unveils-Sophisticated-Tool-to-Assess-Readiness-for-California-Consumer-Privacy-Act
      2. The California Consumer Privacy Act of 2018 https://privacylaw.proskauer.com/2018/07/articles/data-privacy-laws/the-california-consumer-privacy-act-of-2018/
      3. CCPA and GDPR: Comparison of certain provisions https://www.whitecase.com/publications/article/ccpa-and-gdpr-comparison-certain-provisions