The document outlines a workshop focused on e-marketing policy development, highlighting the importance of compliance with Canada’s Anti-Spam Legislation (CASL), the Competition Act, and the Personal Information Protection and Electronic Documents Act (PIPEDA). It covers critical considerations for obtaining consent, identifying senders, managing unsubscribe mechanisms, and the implications of enforcement mechanisms. Additionally, practical recommendations for list management, marketing strategies, and how to navigate legal requirements are provided.

1. e-Marketing Policy-Building
Workshop
Shaun Brown – nNovation LLP
Matthew Vernhout – Transcontinental
Interactive
IAPP Canada Privacy Symposium
May 4-6, 2011

2. Roadmap
1. Why this matters
2. Brief overview of requirements under CASL, Competition
Act and PIPEDA
3. Practical implementation issues
4. Key considerations in developing e-marketing policies

3. Why e-marketing policy matters: legal
• CASL applies to anyone who sends, causes, permits, aids,
induces, or procures a CEM to be sent.
• Vicarious liability for employees and agents
• Liability for officers/directors of corporations
• Significant penalties:
– Administrative monetary penalties (AMPs) of up to $10 million
per violation
– Private right of action allows any person affected by a violation
to sue for actual and statutory damages
• Privacy legislation applies to use of electronic addresses

4. Why e-marketing policy matters: non-
legal
• Protecting your brand and relationship with
customers
• Delivering campaigns that are effective
• Protecting your relationship with partners
• Deliverability

5. Canada’s Anti-Spam Legislation (CASL)
• Establishes permission-based regime for sending
commercial electronic messages (CEM)
• Applies to any message sent from or accessed by a
computer located in Canada (applies to American senders!)
• More than email: IM; SMS; social media; etc.
• Voice, fax currently excluded (covered by DNCL)
• Competition Act amendments: False and misleading
information (content, sender info, locators)
• PIPEDA amendments: address harvesting; dictionary
attacks; collection of personal information through
unauthorized access to a computer systems

6. Commercial Electronic Message
• Broadly defined to include any message with any
semblance of commercial activity
– Product or service
– Business opportunities
– Promotes an individual who does any of the above
• Message to request consent deemed to be CEM

7. Three primary rules
1. Consent (express or implied)
2. Identification
3. Unsubscribe

8. 1. Consent: exemptions
• Family or personal relationship (to be defined in
regs)
• Business inquiry

9. 1. Consent: no consent required
• Quotes or estimates, if requested
• Facilitates commercial transaction
• Warranty or safety information
• Information about ongoing subscription, membership, etc.
• Information related to employment relationship or benefit
plan
• Delivers good or service
*Other requirements still apply

10. 1. Consent: implied consent
• Consent is deemed in four circumstances:
1. Existing business relationship
2. Existing non-business relationship
3. Conspicuous publication of electronic address
4. Recipient has disclosed electronic address to the sender
• No implied consent for referrals
• In most cases implied consent last for 2 years – window of
opportunity to obtain express consent
• Transitional period for implied consent – 3 years for existing
bus and non-bus rel’ps at coming into force

11. 1. Consent: checklist
1. Does section 6 apply (see exemptions)?
2. If so, do I need consent (other requirements still apply)?
3. If not, can I rely on implied consent?
4. If not, how do I obtain express consent?

12. 2. Identification
• Identify sender as well as person on whose behalf message
is sent
– Provide postal address
• Contact information for either of above

13. 3. Unsubscribe mechanism
• Must be functional for 60 days
• No cost
• Same means unless impracticable
• Include either electronic address or link
• Must process without delay (no messages sent after unsub
sent)

14. Defining “sent”
• Message is sent once transmission has been initiated
• Does not matter whether
– Message reaches destination
– electronic address exists

15. Enforcement
Combination of public and private enforcement:
1. Regulatory enforcement – including administrative
monetary penalties (AMPs)
– Administrative as opposed of criminal
2. Private Right of Action

16. Protection for ‘honest mistakes’
1. Undertakings & Compliance (s.21)
– At any time
– Restricts other action (notice of violation and statutory damages under
PRA)
2. Due Diligence Defence and Common Law Principles (s.33)
– Cannot be found liable
– Justification or excuse consistent with the Act
3. Factors to be Considered re: AMPs (s.20)
– Nature and scope of violation
– Financial benefit
– Any relevant factor

17. Interaction with PIPEDA
• E-marketing already captured by PIPEDA; CASL creates
more specific rules
• PIPEDA additionally applies to:
– Sale and purchase of personal information (e.g., email
addresses)
– Failure to properly secure personal information (think about
recent ESP data breaches)
– Collection of personal information for purposes of targeting

18. Express consent: requirements
• Must clearly explain purposes
– E.g., “I would like to receive emails about offers from
[company]”.
• Sender must identify themselves when obtaining consent
(and other(s) where applicable)

19. Express consent: considerations
• What is “express” consent?
– Opt-in vs. Opt-out; single opt-in, notified opt-in, double opt-in
• Best practice: double opt-in
• Also, think about reminding recipients why they are
receiving your messages

20. Building your list: risky ideas
• Purchasing
• Email append
• Rental without assurance that lists are in compliance
• If it sounds too good to be true....

21. Leveraging your (others) list
• Renting not necessarily a violation, but potentially risky
• There are proper ways to send third party offers to your
(others) subscribers
• Considerations
– Relevance
– Ensuring subscribers know who is sending
– Consent allows for third party offers; e.g. “I would like to hear
about offers from [company] and its partners.”

22. Organic growth is key
• Organic growth allows you to control your lists to be sure
they are compliant
• 3 common ways to gain subscribers:
– Online registration/sale
– Inbound call centers
– In-store points of sale
• Take advantage of interactions with your brand
• Implied consent provisions can be useful, but obtain
express consent up front

23. Other tactics
• Sweepstakes
• Print/television/radio
• Forwarding (FTAF, SWYN)

24. Forwarding (FTAF, SWYN)
• Offering incentives to forward could result in liability
– Section 9: is prohibited to aid, induce, procure or cause to be
procured the doing of any act contrary to section 6
• Impose limits on forwards (how many, to whom)
– Exemption under 6(5): CASL does not apply to messages sent
between people with personal or family rel’p
• Share to social – does CASL apply?
– CASL only applies to CEM sent to an electronic address

25. B2B considerations
• No general exemption for B2B
• Implied consent:
– Conspicuous publication
– Recipient discloses electronic address to sender
• Relevance will be a key issue
• Electronic addresses from web must be collected
manually (address harvesting prohibited)

26. What about existing subscribers?
• Good time to consider quality of existing lists
• Do you have evidence of express consent?
• If express consent is required, get creative
– Response to reconfirmation messages low
– Offer incentives, new campaign features, etc.

27. Unsubscribe - considerations
• Applies once the unsub is sent, not received
• Must be implemented without delay, i.e., no
messages can be sent after an unsubscribe is
sent
• Pros and cons of allowing people to reply directly
to message as well as link to unsub
– Will have to ‘eat’ spam
– Miss out on opportunity to ask why

28. ePrivacy Policies
• Key considerations
– Length of and complexity of your policy
– Consider the language used based on your audience
• Include vendor and third parties that you work with and the
types of data shared

29. Analytics
• List your current analytics program
– Google Analytics, AWStats, etc…
• List what you track
– Pages, time on site, What brought you to the site, etc…
• List what you don’t track
– IP address, etc…

30. Other considerations
• Responsibility for the actions of marketing dep’t
• Upper mgmt should be involved in developing
policies
• Be clear about what marketing dep’t is authorized
to do
• Incentives for marketing dep’t

31. E-marketing policies: summary
• Agreements with 3rd parties
– Affiliates
– Email service providers
• Focus on more than just the rules
– Best practices
– Provide value –make subscribers look forward to your
announcements
• Ensure that PI is collected in compliance with PIPEDA
• Policies and procedures for ‘honest mistakes’ (e.g., contact
CRTC, notify subscribers)

32. Questions?
Shaun Brown, Counsel
nNovation LLP
sbrown@nnovation.com
Matthew Vernhout, Director, Delivery & ISP
Relations
Transcontinental Interactive
matthew.vernhout@transcontinental.ca

33. References
• Canada’s Anti-Spam Legislation:
http://www2.parl.gc.ca/HousePublications/Publication.aspx?Language=E&
Parl=40&Ses=3&Mode=1&Pub=Bill&Doc=C-28_4
• Personal Information Protection and Electronic Documents Act:
http://www.canlii.org/en/ca/laws/stat/sc-2000-c-5/latest/sc-2000-c-
5.html
• Brown & Klein, A Complete Guide to e-Marketing Under Canada’s Anti-
Spam Legislation, (Toronto: Carswell, 2011)
• EmailKarma.net