Preparing for Canada’s Anti-Spam Legislation: Conducting a compliance audit
Canada’s Anti-Spam Legislation establishes complex new rules for anyone sending email or other forms of electronic messaging, reinforced by significant penalties for non-compliance. Now that regulations under the legislation are nearly finalized, it is time for organizations to begin preparing by conducting an audit of existing and future practices, identifying risks, and developing a compliance program.

Originally presented at the 2013 IAPP Canada Privacy Symposium held in Toronto, ON, on May 23, 2012
  1. READY, SET, AUDIT! PREPARING YOUR ORGANIZATION FOR CASL
     Matt Vernhout, Director, Client Support & ISP Relations, TC Media (@emailkarma)
     Shaun Brown, Partner, nNovation LLP
  2. OUTLINE: PREPARING FOR CASL
     1. Primary requirements
     2. What we don’t know
     3. How to prepare
  3. STATUS
     • December 15, 2010 – Bill C-28 given Royal Assent
     • August 2011 – IC and CRTC regs published for comment
     • March 2012 – CRTC Regs finalized
     • October 2012 – Final CRTC Guidelines published
     • January 2013 – Draft Industry Canada regs published (part II)
     • Spam Reporting Centre
     • Coming into force 2014 (?)
  4. WHAT IS CASL?
     • Standalone legislation (CASL), amendments to PIPEDA and Competition Act
     • Rules for sending commercial electronic messages (CEMs)
     • Rules for installing computer programs
     • Prohibits hacking/alteration of transmission data
  5. APPLICATION
     • Applies to any message sent to or from a computer system in Canada
     • More than email: IM, SMS, social media, etc.
     • Voice, fax currently excluded (covered by DNCL)
  6. COMMERCIAL ELECTRONIC MESSAGE
     • Any message where “it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity”, including:
       • Product or service
       • Business opportunities
       • Promotes an individual who does any of the above
     • A message to request consent is deemed to be a CEM
  7. THREE PRIMARY RULES
     1. Consent
     2. Identification
     3. Unsubscribe
  8. EXEMPTIONS
     • CEM sent between two individuals with a personal or family relationship
     • Sent to inquire about or apply for a service (i.e., purchaser to vendor)
     • Exempt from all requirements of CASL
  9. 1. CONSENT (IMPLIED)
     • Consent can be express or implied
     • Four categories of implied consent:
       1. Existing business relationship
       2. Existing non-business relationship
       3. Conspicuous publication of electronic address
       4. Recipient has disclosed electronic address to the sender
  10. 1. CONSENT (EXPRESS)
     • CASL: clear notice, describe purposes, prescribed information
     • CRTC Regs:
       • Name of person seeking consent
       • Name of person on whose behalf consent is sought, if different; identify who is seeking, and on whose behalf
       • Contact info for either of the above, including: mailing address and any one of telephone # (live or voice mail), email address or a web address
       • Statement that consent can be withdrawn
     • CRTC Guidance: no pre-checked boxes; a separate box is not necessary if the person is required to fill in an email address next to the request for consent
  11. 2. IDENTIFICATION
     • Identification requirements apply to all CEMs
     • Identify the sender as well as the person on whose behalf the message is sent
       • Name by which the person carries on business
       • Must indicate who is “sending” and “on whose behalf” the message is sent
     • Contact information for either of the above
       • Mailing address and any of telephone number/email address/web address of either person
     • Information must be set out “clearly and prominently”
  12. 3. UNSUBSCRIBE
     • Must be functional for 60 days
     • No cost
     • Same means unless impracticable
     • Include either an electronic address or a link
     • Must be “able to be readily performed”
     • Must be processed without delay
  13. PUBLIC AND PRIVATE ENFORCEMENT (Enforcement Agency/Mechanism – Target/Application – Penalties)
     • Canadian Radio-television and Telecommunications Commission (CRTC) (CASL) – Consent, prescribed identification requirements and unsubscribe requirements – Administrative monetary penalties (AMPs) up to $1 million/violation for individuals; $10 million/violation for organizations
     • Competition Bureau (Competition Act) – False or misleading representations in content, subject line, sender info – Can pursue civil or criminal remedies; AMPs similar to those available to CRTC under CASL
     • Office of the Privacy Commissioner of Canada (PIPEDA) – Collecting, using, disclosing electronic address without consent; address harvesting and dictionary attacks – No real powers for enforcement; can make recommendations or pursue an order in Federal Court
     • Private right of action – Violations of CASL, Competition Act and PIPEDA – Actual and/or statutory damages
  14. INDUSTRY CANADA REGS
     • Definition of personal/family relationship
     • Number of new exemptions:
       • Business communications within organizations and between organizations with ongoing business relationships
       • Response to a request, inquiry, complaint, or otherwise solicited by the recipient
       • Messages targeted to non-Canadians, advertising products not available in Canada; sender could not “reasonably be expected to know” recipient is in Canada
       • Enforcing legal rights (e.g., court order, copyright, debt collection, etc.)
       • Third-party referrals where the referring party has a personal, family or existing business relationship with sender and recipient (exemption from consent only)
     • Use of consent on behalf of an unknown third party
  15. WHAT WE DON’T KNOW: WHAT IS A CEM?
     • Where is the commercial “threshold”?
     • What elements are commercial (hyperlinks, logos, taglines, request to “like” on Facebook)?
     • What about “transactional” or “relational” messages?
     • Section 6(6) refers to certain types of CEMs as exempt from the need for consent if they solely (e.g., warranty, subscription information, delivering a product, etc.)
  16. WHAT WE DON’T KNOW: HOW TO TREAT LEGACY DATA?
     • How does CASL apply to pre-existing lists?
     • Increased flexibility where:
       • Consent is not technically compliant (e.g., missing certain identification requirements)
       • Lack of evidence
  17. WHAT WE DON’T KNOW: SENDING ON BEHALF OF OTHERS
     • CASL states that messages must identify the person sending the message, and the person on whose behalf the message is sent, if different
     • What does it mean to send on behalf of another person?
       • Does this refer to ESPs?
       • List rentals?
       • Both?
     • CRTC Guidelines: a person who may "facilitate the distribution of a CEM", but who has "no role in its content or choice of the recipients", need not be identified
  18. BUILDING A CHECKLIST
     • Who’s involved
     • Where to start
     • Data collection
     • Before broadcasting
     • After broadcasting
  19. WHO’S INVOLVED?
     • Privacy/Compliance team
     • Legal team
     • VP Marketing
     • Database Analytics team
     • Deployment teams
     • Account teams
     • Brand Managers
  20. DATA COLLECTION
     • Audit data collection sources
       • Internal sources
       • External sources
       • Point of sale
       • Call center
     • Identification requirements
     • Proper consent notices/options/scripts
     • Contact notices
  21. BEFORE BROADCASTING
     • Review CASL exemptions for this message
       • Is it a CEM?
     • Review the content
       • Postal address, unsubscribe, contact requirements
     • Review the list
       • Remove addresses that have exceeded the 2-year consent period as needed
       • Review targeting of content to recipients
     • Test functionality of all links and seek appropriate approvals
  22. CHECKLIST REVIEWED (columns: Yes/No | Yes/No | Client/TD | Deficiencies Noted/Comments; checked for HTML, TEXT and OVERRIDE versions)
     • Functional Check (Level 1):
       • Images render properly
       • Alt tags in place and correct
       • Check for image maps
       • Links go to correct page or are not broken
       • Links are tracked
       • Mailto functions properly and has NOTRACK
       • Display name and From address are correct
       • Subject line is correct and does not truncate
       • Subject line does not contain illegal characters
       • View as web page included
       • Personalization is present and populating correctly
       • Personalization is pulling from the correct DB
     • Compliance & EMS System Check (Level 3):
       • Postal address included
       • Unsubscribe link present and working
       • Correct database has been selected
       • Has the seed list been added
       • Segmentation is correct
       • Recipient count is approved
       • Mailing list send to duplicates option on
       • Reply management is correct
       • Recipient cap field checked
  23. IS THIS A CEM? DO ANY EXCEPTIONS APPLY?
     [Flowchart; labels recovered from the slide: Email Message; CASL does not apply; Exempt from s 6.5?; Exempt from s 6.6?; Consent is not required; Explicit Consent; Implied Consent; Proper ID and Unsub?; Likely NOT compliant; Ready to Send; Yes/No branches]
  24. AFTER BROADCASTING
     • Unsubscribe requirements being met
       • 60 days of live access
       • Unsubscribes are being processed
     • Review metrics and begin next broadcast planning
  25. MANAGING UNSUBSCRIBES (K.I.S.)
     • Limit the number of data locations for sync purposes and timing
     • Review current practices
     • Identify responsible individuals
     • Offer preference choices (opt-down vs. opt-out)
     • Vendor options: most email marketing providers can manage this for you and supply delta files
  26. RELATIONSHIP MARKETING
     • Identified risks:
       • Rolling window of consent
       • Unknown data
     • Mitigating risk:
       • Reduce the number of active databases
       • Backfill dates when possible
       • Re-confirm consent for unknown addresses prior to enforcement
       • Build automated solutions for sunsetting users
  27. CASL COMPLIANCE TO-DO LIST
     • Watch legislative developments carefully: final IC regs, in-force date, further guidelines/interpretations
     • Review/modify practices for obtaining eMarketing lists; choose vendors/partners carefully; bind them to unsubscribe requirements
     • Review/modify formats for eMarketing
     • Ensure effective and timely unsubscribe
     • Review/modify program installations, associated disclosures and consent
     • Ensure consent records are retained and retrievable
     • Engage marketing, brand and technical resources to detect issues and ensure compliance
     • Start reviewing your digital marketing programs now
  28. THANK YOU – Questions?
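The list review in slide 21 (drop addresses past the 2-year consent period) and the risk mitigations in slide 26 (rolling window of consent, unknown dates, automated sunsetting) describe one pre-broadcast procedure. The following is an added example, not code from the presenters or their organizations, showing how such a review can be implemented over consent records. The record layout, the field names, the 730-day reading of "2 yr", the 30-day sunset horizon and the sample records are all assumptions made for this example; express consent is treated as persisting until withdrawn.

```python
"""Pre-broadcast consent review (added example; layout and data are constructed)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# "2 yr consent period" from the deck, taken here as 730 days (assumption).
IMPLIED_CONSENT_WINDOW = timedelta(days=2 * 365)


@dataclass
class ConsentRecord:
    address: str
    consent_type: str              # "express", "implied" or "unknown" (assumed vocabulary)
    consent_date: Optional[date]   # date consent was obtained or last relationship activity
    unsubscribed: bool = False     # set once an unsubscribe request has been processed


def classify(record: ConsentRecord, as_of: date) -> str:
    """Return 'send', 'remove' or 'reconfirm' for one record as of the given date."""
    if record.unsubscribed:
        return "remove"                       # unsubscribes must be honoured without delay
    if record.consent_type == "express":
        return "send"                         # express consent persists until withdrawn
    if record.consent_type == "implied":
        if record.consent_date is None:
            return "reconfirm"                # unknown data: re-confirm before enforcement
        if as_of - record.consent_date > IMPLIED_CONSENT_WINDOW:
            return "remove"                   # rolling window of implied consent has expired
        return "send"
    return "reconfirm"                        # unknown consent basis: do not assume consent


def review_list(records: List[ConsentRecord], as_of: date) -> Dict[str, List[str]]:
    """Bucket every address into send / remove / reconfirm for the broadcast list."""
    buckets: Dict[str, List[str]] = {"send": [], "remove": [], "reconfirm": []}
    for record in records:
        buckets[classify(record, as_of)].append(record.address)
    return buckets


def upcoming_sunsets(records: List[ConsentRecord], as_of: date,
                     horizon_days: int = 30) -> List[Tuple[str, date]]:
    """Still-sendable implied-consent addresses that expire within horizon_days.

    This is the automated sunsetting hook: feed these to a re-confirmation
    campaign before the window closes instead of discovering them after it.
    """
    out: List[Tuple[str, date]] = []
    for record in records:
        if record.consent_type == "implied" and classify(record, as_of) == "send":
            expiry = record.consent_date + IMPLIED_CONSENT_WINDOW
            if expiry - as_of <= timedelta(days=horizon_days):
                out.append((record.address, expiry))
    return out


# Constructed sample list; none of these addresses or dates come from the deck.
AS_OF = date(2014, 7, 1)
SAMPLE_RECORDS = [
    ConsentRecord("a@example.com", "express", date(2011, 1, 1)),            # send
    ConsentRecord("b@example.com", "implied", date(2013, 1, 15)),           # send
    ConsentRecord("c@example.com", "implied", date(2012, 3, 1)),            # expired
    ConsentRecord("d@example.com", "implied", None),                        # unknown date
    ConsentRecord("e@example.com", "express", date(2013, 5, 5), True),      # unsubscribed
    ConsentRecord("f@example.com", "implied", date(2012, 7, 15)),           # expires 2014-07-15
]

if __name__ == "__main__":
    for bucket, addresses in review_list(SAMPLE_RECORDS, AS_OF).items():
        print(f"{bucket:9s} {addresses}")
    for address, expiry in upcoming_sunsets(SAMPLE_RECORDS, AS_OF):
        print(f"sunset   {address} expires {expiry}")
```

Keeping the decision in one function (`classify`) is what makes the "reduce the number of active databases" advice workable: every system that sends or syncs can call the same rule, and a consent record with no date can only ever land in the re-confirmation bucket, never on a send list.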