Fall into Compliance
 Canada’s Anti Spam Law (CASL)


                      Presented by:
David Fowler | Act-On Chief Privacy & Deliverability Officer
                 david.fowler@act-on.net
Chat or Q/A




   #AOWEB
Today's Agenda

• Legal Disclaimer
• CAN-SPAM Review
• The Canadian Anti-Spam Law (CASL)
  – Tenets of the Law
  – Disclosure and Consent
  – Key Differences
• Next Steps
  – For CASL and You
• Notable Quotes
• Wrap Up – Q&A
Disclaimer



Act-On Software does not provide legal advice or counsel
pertaining to this subject or any related legislation or
compliance issue. We always recommend that should you
require a legal opinion you should seek counsel from a
qualified legal resource.
CAN-SPAM Review

 •   The Controlling the Assault of Non-Solicited Pornography and Marketing Act
     of 2003 (CAN-SPAM or the Act).

CAN-SPAM REQUIREMENTS

• Types of Messages
   – The CAN-SPAM Act covers commercial email messages, the primary purpose of
     which is the advertisement or promotion of a commercial product or service.
• Permission | Opt-In Requirements
   – Under CAN-SPAM, direct marketing email messages can be sent to anyone,
     without permission, until the recipient explicitly requests that they
     cease ("opt-out").
• Unsubscribe | Opt-Out Requirements
   – Every message must include opt-out instructions. The sender must honor the
     opt-out requests of recipients within 10 days.
   – 2008 Rule Provision: An email recipient cannot be required to pay a fee,
     provide information other than his or her email address and opt-out
     preferences, or take any steps other than sending a reply email message or
     visiting a single Internet Web page to opt out of receiving future email
     from a sender.
CAN-SPAM Review

CAN-SPAM REQUIREMENTS

• Sender Identity
   – The CAN-SPAM Act bans false or misleading header information. The email's
     "From", "To" and routing information – including the originating domain
     name and email address – must be accurate and identify the person who
     initiated the email.
   – The Act prohibits open relay abuses, falsifying header information,
     generating multiple email addresses to send from, deceptive subject
     headers, address harvesting and dictionary attacks, and other fraudulent
     ways of sending spam.
   – 2008 Rule Provision: The definition of "sender" was modified to make it
     easier to determine which of multiple parties advertising in a single
     email message is responsible for complying with the Act's opt-out
     requirements.
   – A definition of the term "person" was added to clarify that the CAN-SPAM
     Act's obligations are not limited to natural persons.
CAN-SPAM Review

CAN-SPAM REQUIREMENTS

• Subject Lines | Labeling
   – Deceptive subject lines are prohibited. The subject line cannot mislead
     the recipient about the contents or subject matter of the message.
     Identification that the message is an advertisement or solicitation is
     required.
• Contact Information | Postal Address
   – Yes, a valid physical postal address is required.
   – 2008 Rule Provision: A "sender" of commercial email can include an
     accurately registered PO box or private mailbox established under United
     States Postal Service regulations to satisfy the Act's requirement that a
     commercial email display a "valid physical postal address".
CAN-SPAM Exemptions

• As discussed the act applies to 100% commercial email
• But what about transactional or hybrid messaging?
   – Commercial + Transactional | Cross Selling
• The “primary purpose” rule comes into effect
   – The recipient decides on the primary purpose
• If the recipient determines the message is commercial in
  nature then the message has to be compliant
   – Consider the 80/20 rule
   – 80% transactional | 20% commercial
• Place the offer below the fold so as not to dominate the real
  estate
Canadian Anti Spam Law (CASL)
Canadian Anti-Spam Law (CASL)

• Enacted in 2010 and scheduled to go into effect in 2013
• Intended to promote ecommerce by deterring spam,
  identity theft, phishing, spyware, viruses, botnets and
  misleading representations online
• CASL creates new offenses, enforcement mechanisms and
  penalties
• The last of the G8 to introduce a law on Spam
• It’s one of the strictest ecommerce laws globally
   – Higher consent standards for all
   – Detailed content requirements
   – High penalties: $10M fines a possibility for non-compliance
Tenets of the Law
•   Permission:
     – CASL requires you to obtain permission (consent) prior to sending any
       communication. You also need to have proof of opt-in, including source and time
•   Scope of the law, who does it apply to?
     – Senders of any form of commercial electronic messaging, for example:
       email, voice, text messaging and social media
•   Location:
     – Where does it apply? CASL is unique in that it regulates any message sent from
       or received in Canada.
     – So if a recipient opted in while in the USA, CASL would still apply if the
       commercial message was accessed in Canada.
     – This provision requires marketers to be cognizant of where their email
       subscribers are opening their campaigns.
• Unsubscribing:
     – All commercial messages sent must contain an opt-out method, one difference
       being that you cannot confirm the opt-out request via a follow up method.
• Exceptions:
     – Quotes, estimates, pre-existing transaction material and factual information
       about loans, memberships and accounts are exempt
Disclosure Requirements

• Electronic Messages being sent from or to Canada
  must:
   – Clearly identify the sender of the message
   – Have a clear, applicable, and relevant subject line and 'From'
     name that reflect the purposes of the email
   – Include a notice that the message is for commercial purposes (if
     applicable)
   – Contain a physical address as well as a URL, email address, or
     phone number where the sender can be reached and that is
     valid for up to 60 days after the message has been sent
   – Contain a valid and working mechanism that will unsubscribe the
     recipient within 10 days (just like Can-Spam) and is available for
     at least 60 days after the messages have been sent
Consent Requirements

• Implied and Express consent
• Must clearly and simply set out purpose(s) for consent:
• Must obtain express consent to send CEMs unless there is
   – Existing business relationship OR
   – Existing non-business relationship
   – An email user must express consent by opting-in to receive
     communications from the sender.
• You can rely on implied consent to send CEMs to recipients
  with an existing business or non-business relationship
   – EBR lasts for 2 years from the last transaction
Violations and Enforcement

• CRTC: primary enforcement agency, including
  administrative monetary penalties (AMPs)
   – Maximum penalty is $10M for an organization, per violation
   – Relevant factors include purpose of penalty, nature & scope of
     violation, history, financial benefit, ability to pay
   – May enter into compliance undertaking with the CRTC
• Directors' and officers' liability | Employers' liability
• Importance of “due diligence” taken to prevent the
  violation
CASL vs. CAN-SPAM – Key Differences

CAN-SPAM:
• Addresses spam only
• Applies only to email, contains SMS domain opt-out
• You can technically email any person at least once
• No private right of action, available to ISPs and
  Government to bring lawsuits

CASL:
• Addresses a broad range of internet issues
• Applies to all forms of electronic messaging (email,
  SMS, IM etc.)
• Prior permission based
• Private right of action available to anyone (individuals,
  businesses etc.)
CASL: Summary

• Prior consent required
• Prohibits unsolicited commercial electronic messages
• Prohibits program installations without consent
• No false information allowed
• Sender or subject lines
• No harvesting or dictionary attacks
• More than email | IM, SMS, Social Media, Voice
CASL Summary

• Other Requirements:
   – Unsubscribe no longer than 10 business days
   – Postal address required
   – Private right of action included
   – Officers of organizations can be held accountable for their
     organization's messages
• Exemptions
   – Family or personal relationship | business or inquiry relationship
• Enforcement
   – Cross border: can't hide under HQ location
   – Protection for "honest" mistakes
Next Steps for CASL

• CASL expected to become law in 2013
• Implementation of a Spam Reporting Center:
   – Once operational will accept messages, analyze trends in spam and other
     threats to electronic commerce
• New roles & responsibilities for three government agencies:
   – CRTC | Competition Bureau | Privacy Commissioner
   – International agency cross border cooperation | Including the FTC
• Interpretive guidelines
   – Many definitions and requirements under CASL remain broad and
     unclear
Next Steps For You

• Update your website and privacy policy
• Update forms and procedures that document consent
• Address unsubscribe requirements and timeframes
• Update existing customer service processes
• Develop and include information and training for
  employees, management and respective associates
• Review and amend any third party contract requirements
    – Limitation of liability, representations and warranties, including
      address rental
• If operating in North America meet BOTH CASL & CAN-SPAM
  requirements
Notable Client Quotes
Notable Quotes

"Should you be worried about CASL? I don't know if worried is the right
term, but if you are sending or receiving email to or from Canada you
need to read up on CASL. Unlike CAN-SPAM the new CASL law is opt-in
based, not just about giving the client the ability to unsubscribe. It
also deals with social media and SMS so it has a lot wider scope than
CAN-SPAM."

Kent M, 1ShoppingCart
Notable Quotes

There is an opt-in law, but don't be alarmed. It does not establish
some arduous new standard for permission. The law states that "it is
prohibited to send or cause or permit to be sent to an electronic
address a commercial electronic message unless the person to whom
the message is sent has consented to receiving it, whether the consent
is express or implied." Implied consent seems to basically be defined
as "existing business relationship," and there is a defined two year
period after which you cannot assume an existing business
relationship. We recommend that all clients adhere to opt-in permission
to avoid having to cease mail to customers after the two year period
expires.


• Al Iverson, ExactTarget
Notable Quotes


C-28 does not change a thing where deliverability is concerned. C-28 is
all about permission, but there's nothing in the SMTP protocol that
allows the sender to meaningfully, verifiably assert that they had
permission to send. The real impact of C-28 is on e-mail marketing
itself. And the impact will be enormous.

• Andrew Barrett, iContact (Vocus)
More Info & Resources

• Government of Canada:
   – http://fightspam.gc.ca/eic/site/030.nsf/eng/home
• Industry Canada:
   – http://www.ic.gc.ca/eic/site/ecic-ceac.nsf/eng/gv00521.html
• FMC Law Group | Margot Patterson:
   – www.slideshare.net/fmclaw/casl-vs-canspam-canadas-antispam-law
• Email Karma | Matt Vernhout:
   – http://emailkarma.net
• Port 25:
   – www.port25.com
Thank You
david.fowler@act-on.net

Editor's Notes

  • #3 If you do have ???? You may ask them via Chat or Q/A – while in full screen mode you may move your cursor up to the top of the screen and select the Orange Arrow to expand the menu, click on the plus sign to expand the Q & A and Chat sections, and ask away. We’ll do our best to cover your questions during the presentation or at the end of the session. Again, this is being recorded and a link will be made available approximately 24 hours after the session. {{ let’s get started }}