Protecting your castle from CASL

Bettina Burgess, Partner, Gowling WLG (Canada) LLP presentation on April 12, 2016 for WFRE

  1. PROTECTING YOUR CASTLE FROM CASL
      April 12, 2016
      Bettina Burgess, Partner, Gowling WLG (Canada) LLP
  2. OVERVIEW
      • What is CASL?
      • Does CASL apply to my organization?
      • Why should my organization care about CASL?
      • What prohibitions, restrictions, requirements are imposed by CASL?
      • What are some tips for compliance with CASL?
  3. WHAT IS CASL
      • Anti-spam legislation enacted in 2010
      • CASL deals with:
        • Sending unsolicited commercial electronic messages
        • Unauthorized alteration of transmission data
        • Installation of computer programs
        • False or misleading electronic representations (including on websites)
        • Unauthorized collection of electronic addresses
        • Collection of personal information by accessing a computer system in contravention of an Act of Parliament (hacking)
  4. DOES CASL APPLY TO MY ORGANIZATION?
      MYTH: CASL does not apply to charities or not-for-profit organizations
      • CASL applies to all organizations of any type if the organization does any of the activities on the previous slide and such activities are carried out in or from Canada.
  5. WHY SHOULD MY ORGANIZATION CARE ABOUT CASL?
      • Administrative monetary penalties for violations:
        • A fine of up to $1,000,000 for a violation by an individual.
        • A fine of up to $10,000,000 for a violation by a corporation.
      • Private rights of action by individuals
      • If the action is successful in court, the court may order:
        • Compensation equal to the actual loss or damage suffered; and
        • $200 for each contravention, not exceeding $1,000,000 for each day on which a contravention occurred.
      The private right of action has a delayed coming into force date, and will not be in place until July 1, 2017. The CRTC may impose administrative monetary penalties prior to this.
  6. IF YOU THOUGHT NO ONE WOULD COMPLAIN…
      • 1,000 complaints filed within 3 days following CASL coming into force
      • 1,000 daily complaints
      • 245,000 complaints to date
  7. IF YOU THOUGHT THEY WERE KIDDING…
      • March 6, 2015: CRTC’s first Notice of Violation by Compu-Finder
      • The imposed penalty: $1.1 MILLION
      • The messages: unsolicited emails promoting training courses to businesses relating to management social media and professional development
      • The violations:
        • failing to obtain consent (found business emails on internet);
        • failing to include unsubscribe mechanisms that functioned properly;
        • failing to ensure unsubscribe remained active for 60 days;
        • failing to comply with a request to unsubscribe
  8. THEY REALLY WEREN’T KIDDING…
      • March 25, 2015: CRTC announced second violation by Plentyoffish Media Inc.
      • The imposed penalty: $48,000 and an undertaking to comply, including updating emails and providing training/education for staff
      • The messages: emails sent to registered users
      • The violations:
        1) failing to include unsubscribe mechanisms that were clearly and prominently set out;
        2) failing to ensure unsubscribe mechanism could be readily performed.
  9. SERIOUSLY! THEY WEREN’T KIDDING…
      • June 29, 2015: CRTC announced third violation by Porter Airlines
      • The imposed penalty: $150,000 and an undertaking to comply
      • The messages: emails.
      • The violations:
        1) failing to include an unsubscribe mechanism;
        2) failing to include full contact information;
        3) failing to honor unsubscribe requests within 10 business days;
        4) failing to provide the CRTC with proof it had obtained consent for each electronic address that had received its CEMs.
  10. NOW THAT YOU’RE SCARED TO DEATH
      What do the CRTC’s enforcement actions to date tell us?
      • The CRTC is targeting both egregious behaviour and technical violations
      • Cooperation counts
      • Correct violations promptly
      In assessing a penalty, the CRTC is required to consider statutory factors including:
      • The penalty is to promote compliance, not punish.
      • The nature and scope of the violation.
      • The person’s history with respect to compliance and previous compliance undertakings.
      • Any financial benefit obtained from the violation.
      • Any other relevant factor.
  11. HOW DO WE AVOID BEING NEXT?
      Understand the legislation
  12. UNDERSTANDING CASL: CEMS
      To which messages does CASL apply?
      CASL applies to Commercial Electronic Messages (“CEMs”) that are sent by any means of telecommunication, including a text, sound, voice or image message, to an “electronic address”:
      • an electronic mail account;
      • an instant messaging account (SMS text messages);
      • a telephone account; or
      • any similar account.
  13. UNDERSTANDING CASL: CEMS
      What is not a Commercial Electronic Message?
      CASL does not apply to:
      • Interactive two way voice communications;
      • Messages sent via facsimile to telephone accounts; and
      • Voice recordings sent to a telephone account.
      These messages are subject to the CRTC’s oversight via the Telecommunications Act and the Unsolicited Telecommunications Rules.
  14. UNDERSTANDING CASL: IS IT COMMERCIAL?
      Is the Electronic Message Commercial?
      • Messages that encourage or promote a commercial activity
      • Can be by way of link or contact information
      • Expectation of profit is irrelevant
      Examples of CEMs are messages that:
      • offer to sell a product or service;
      • advertise a product or service;
      • promote a person or corporation;
      • seek to gather consumer or market information in a commercial context;
      • seek consent to send further messages.
  15. UNDERSTANDING CASL: IS THE CEM OTHERWISE EXEMPT?
      Which messages are exempt?
      No consent and in-message disclosure requirements for the following:
      • messages sent between employees of an organization relating to the affairs of the organization (think Compu-Finder)
      • messages sent between employees of two organizations with a relationship, where the message relates to the affairs of the recipient organization;
      • messages that respond to an inquiry, complaint, or other solicitation from the recipient;
      • fundraising messages sent by or on behalf of a registered charity.
  16. UNDERSTANDING CASL: IS THE CEM OTHERWISE EXEMPT?
      Which messages are exempt?
      No consent and in-message disclosure requirements for the following:
      • messages where the person sending the message reasonably expects it to be received in a foreign state listed in the Regulations, if the message complies with the law of that state;
      • messages sent to a secure account to which only the person providing the account may send messages;
      • messages sent on a platform that includes compliant disclosure and an unsubscribe mechanism in its interface are exempt from the message requirements, but not the consent requirements;
      • messages sent to satisfy a legal obligation.
  17. SO, WHAT MESSAGES CAN MY CHARITY/NFP SEND?
      • The following messages would not be caught by CASL:
        • Soliciting donations
        • Selling tickets to fundraising activities
        • Lotteries to raise funds
        • Newsletters that promote fundraising events, even if sponsors are identified
        • Promoting events by art & culture groups through ticket sales
        • Invitations to purchase memberships (maybe)
  18. SO, WHAT TYPES OF MESSAGES WILL TRIGGER CASL?
      • The following messages would be caught by CASL:
        • Messages promoting the services or products of the organization e.g. counselling services, patient care, elderly/disability assistance, CPR/medical aid training, camps, art lessons, fitness lessons/classes
        • Messages promoting the services or products of the organization even if there is a donate option in the message
  19. CONSENT UNDER CASL
      • May be express or implied (EXPRESS is BEST)
      • Implied consent is more restricted than under privacy laws
      • Under privacy laws, implied consent depended on the circumstances
      • May use consent obtained under privacy laws for purpose of CASL
      • Under CASL, implied consent is prescribed
  20. EXPRESS CONSENT UNDER CASL
      Must be informed:
      1. Provide the purpose for which the consent is sought;
      2. Provide the name under which the person seeking consent carries on business, and if different, the name under which the person on whose behalf consent is sought carries on business;
      3. If applicable, identify which person is seeking consent, and on whose behalf consent is sought;
      4. Provide the mailing address, and one (or more) of a telephone number, website, or email address of either the person seeking consent, or if different, the person on whose behalf consent is sought;
      5. State that consent may be withdrawn.
  21. EXPRESS CONSENT
      • Express consent must be “positive or explicit”.
      • Note that a check box is not specifically required; other mechanisms that amount to an explicit indication of consent may be used.
  22. EXPRESS CONSENT
      • “Assumed” consent through a pre-checked box or an opt-out mechanism is not sufficient.
  23. IMPLIED CONSENT UNDER CASL
      Remember the Compu-finder penalty in relying on “publication”. The CRTC looked to whether the recipients considered the messages relevant.
      Prescribed Requirements:
      1. There is an “existing business” or “existing non-business relationship” between the sender and the recipient, or
      2. The recipient has “conspicuously published” their address, or has “disclosed it to the sender” and:
        • the recipient has not indicated they do not wish to receive commercial messages; and,
        • the message is relevant to the recipient’s business, role, functions or duties.
  24. “EXISTING RELATIONSHIPS” – ROLLING TIME FRAME
      • An “Existing Business Relationship” is where the recipient of the message:
        • Purchased a good or service from the message sender within the prior two years;
        • Accepted a business opportunity from the message sender within the prior two years;
        • Has a written contract with the message sender in respect of a matter other than a purchase, lease, or business opportunity, or such a contract that expired in the prior two years;
        • Made an inquiry or application to the message sender regarding a purchase, lease, or business opportunity within the six months prior to the message.
      Note: The “Existing Business Relationships” definitions all turn on the relationship between the sender of the message (or the person on whose behalf the message was sent) and the recipient. They do not extend “implied consent” to related third parties.
  25. IMPLIED CONSENT – “EXISTING RELATIONSHIPS”
      • An “Existing Non-Business Relationship” is where the recipient of the message:
        • Made a donation or performed volunteer work for the sender, which is a registered charity;
        • Has a Membership with the sender, and the sender is a club, association or voluntary organization that:
          • is a non-profit organization organized and operated exclusively for social welfare, civic improvement, pleasure or recreation or for any purpose other than personal profit, if no part of its income is payable to, or otherwise available for the personal benefit of any proprietor, member or shareholder (with an exception for amateur athletics)
      Note: The “Existing Non-Business Relationships” definitions also turn on the relationship between the sender of the message (or the person on whose behalf the message was sent) and the recipient. They will primarily apply to registered charities, political parties, and certain not-for-profits.
  26. EXCEPTIONS TO THE NEED FOR CONSENT
      CASL creates an exception to the need for consent for certain “transactional” messages. This exception will apply to CEMs that solely:
      • provide a quote or estimate for the supply of a product or service;
      • facilitate, complete or confirm a previously agreed upon commercial transaction;
      • provide warranty information, product recall information or safety or security information about a product the recipient uses or had purchased;
      • provide notification of factual information about the ongoing use by recipient of a product or a service offered under a subscription, membership, account, loan or similar relationship by the sender.
      These messages remain subject to the message content requirements.
  27. MESSAGE CONTENT UNDER CASL
      Prescribed Disclosure Requirements for Electronic Messages
      1. The name under which the person sending the message and the person on whose behalf the message is sent, if different, carry on business, if different from their names, if not their names;
      2. If applicable, an indication which person sent the message and on whose behalf it was sent;
      3. The mailing address, and one (or more) of a telephone number, web address, or email address of either the person sending the message, or if different, the person on whose behalf it is sent; and
      4. An unsubscribe mechanism.
      Service providers sending electronic messages on behalf of third parties who do not have material control over the message content or recipient list would not need to be identified.
      The required contact information must remain current for a minimum of 60 days after the message is sent.
  28. UNSUBSCRIBE MECHANISM
      CASL requires CEMs to set out an unsubscribe mechanism that allows the message recipient to indicate at no cost, the wish to unsubscribe from all CEMs or a specified class of CEMs. This mechanism must:
      • Use the same electronic means as the message, or if not practicable, other electronic means;
      • Give an electronic address or a web link for unsubscribe requests;
      • Be set out clearly and prominently, and be able to be “readily” performed;
      • Be effective “without delay”, and no later than 10 business days
  29. EXCEPTIONS TO THE DISCLOSURE REQUIREMENTS
      The General Exception
      “If it is not practicable to include the information… and the unsubscribe mechanism… in a commercial electronic message, that information may be posted on a page on the World Wide Web that is readily accessible by the person to whom the message is sent at no cost to them by means of a link that is clearly and prominently set out in the message.”
      This exception will be essential for electronic messages that are subject to space restraints such as text messages. It is not likely to apply to messages not subject to such restraints, such as email.
  30. THE FAMILY AND PERSONAL RELATIONSHIP EXCEPTION
      • Neither the requirement to obtain consent, nor the requirement to disclose information regarding the sender, will apply where an electronic message is sent “by” or “on behalf” of a person who has a “personal” or “family” relationship with the recipient.
      • “Family”
        • Marriage;
        • A common-law partnership
        • A legal parent/child relationship where:
          • Those persons have had a direct voluntary two way communication
      • “Personal Relationship”
        • Must have had direct, voluntary two way communications;
        • Must be reasonable to conclude the relationship is personal considering all relevant factors.
      Note: Both family relationships and personal relationships are between individuals. A corporation could not have a personal relationship under CASL; however, the exception applies to messages that are sent “by” or “on behalf” of such individuals.
  31. REFERRAL MESSAGES
      The Regulations include an exception that permits a single referral message to be sent where:
      • The referral is made by an individual who has an existing business relationship, existing non-business relationship, family, or personal relationship with the message recipient;
      • The referrer has one of those relationships with the sender of the message; and
      • The message states the full name of the person who made the referral, and states that the message was sent as a result of the referral.
      The referral message must also comply with the standard CASL message disclosure requirements.
  32. THIRD PARTY MAILING LISTS
      • CASL allows consent to be obtained on behalf of unknown third parties such as list brokers. However, it limits how this consent may be obtained and used:
        • The party that seeks consent is required to comply with the standard CASL requirements for obtaining consent, including stating the purpose for the collection, and providing their name and contact information.
        • A person who relies on such a consent must meet additional disclosure and unsubscribe mechanism requirements for the messages they send relying on this consent.
  33. THIRD PARTY MAILING LISTS
      • Message content when consent is obtained from a third party, such as a list broker.
      • When an email list is purchased from a third party, messages sent pursuant to such consent are subject to additional disclosure requirements:
        • The message must identify the person who obtained the original consent as well as the person who sent the message, in addition to providing the standard prescribed contact information.
        • The unsubscribe mechanism must allow the recipient to remove consent from both the person who sent the message, the person who obtained the original consent or any other person authorized to use the consent.
      It is essential that such a list is used separately from the company’s own consent lists.
  34. TRANSITIONAL PROVISIONS
      There is a transitional period in CASL that lasts from July 1, 2014 ending July 1, 2017. During this time, “implied consent” will survive for three years in cases of “existing business relationships”, as defined in CASL, that predate CASL and that included the sending of commercial messages when CASL came into force.
      • Existing business relationships that are established after CASL will survive for two years following a purchase, or six months following an inquiry.
      • The transitional period provides an extended timeline for perfecting pre-existing implied consent (as defined in CASL) by seeking express consent.
      • Any attempts to perfect implied consent will need to be carried out in compliance with CASL.
  35. CONSENT FOR INSTALLING COMPUTER PROGRAMS
      • On January 15, 2015, provisions requiring express consent to install a “computer program” on a person’s computer system came into force.
  36. CONSENT FOR INSTALLING COMPUTER PROGRAMS
      Similar to requests for consent to send messages, a request for consent to install a computer program must state:
      1. The purpose for which the consent is sought, including providing a simple description of the function and purpose of the program;
      2. The name under which the person seeking consent carries on business, and if different, the name under which the person on whose behalf consent is sought carries on business;
      3. If applicable, which person is seeking consent, and on whose behalf consent is sought;
      4. The mailing address, and one (or more) of a telephone number, website, or email address of either the person seeking consent, or if different, the person on whose behalf consent is sought;
      5. That consent may be withdrawn.
  37. CONSENT FOR INSTALLING COMPUTER PROGRAMS
      If the program performs one of the following functions, then these elements and their impact on the system must be brought to the person’s attention separately from any other information provided in the request for consent, and the person must acknowledge in writing they understand and agree to these functions:
      • collecting personal information stored on the computer;
      • interfering with the owner’s control of the computer;
      • changing the settings, preferences or commands already installed or stored on the computer without the knowledge of the owner;
      • changing the data stored on the computer in a manner that obstructs lawful access to or use of the data by the owner of the computer;
      • causing the computer to communicate with another computer without the authorization of the owner;
      • installing a computer program that may be activated by a third party without the knowledge of the owner
  38. CONSENT FOR INSTALLING COMPUTER PROGRAMS
      CASL deems a person to expressly consent to the installation of the following programs, if their behaviour makes that assumption reasonable:
      • Cookies
      • HTML Code
      • Java Scripts
      • Operating systems
      • A program that is executable only through the use of another program the person previously agreed to install
      • Programs installed by a TSP to protect network security
      • Programs installed to update a network by the TSP that operates the network
      • Programs installed solely to correct a failure in the operation of the computer system or a program installed on it
  39. CONSENT FOR INSTALLING COMPUTER PROGRAMS
      NOTE: Consent to install a computer program must be sought separately from consent to send commercial messages.
      Remember: Your request for consent should expressly include consent to future upgrades of the program!
  40. INSTALLING COMPUTER PROGRAMS
      What does it mean to “Install” a Program?
      In its guidance, the CRTC suggests programs that are “self installed” (e.g. buying an app in an app store, or installing a program from a CD) are not subject to the CASL consent requirements.
      Programs that are automatically or surreptitiously installed along with other programs are subject to the CASL express consent requirements. This could apply to BYOD circumstances!!
  41. COMPLIANCE TIPS
      • Monitor developments in the legislation and how CRTC is enforcing its provisions
      • Develop compliance policies
      • Train staff
      • Obtain consent and develop a plan for obtaining such consent
      • Include in-message information requirements
      • Maintain evidence of how express consent was obtained
      • If relying on implied consent, maintain records of dates of service, membership etc.
  42. COMPLIANCE TIPS
      • Do not tie consent for service/goods to consent to receive further CEMs
      • Develop a plan to deal with complaints
      • Respond promptly to complaints
      • Comply with unsubscribe requests
  43. QUESTIONS?
  44. gowlingwlg.com
      Gowling WLG (Canada) LLP is a member of Gowling WLG, an international law firm which consists of independent and autonomous entities providing services around the world. Our structure is explained in more detail at gowlingwlg.com/legal
      Bettina Burgess, Partner
      bettina.burgess@gowlingwlg.com
      519-569-4557