anti-spam requirements- preparing to comply with casl chris oates, associate, gowling lafleur...

29
Anti-Spam Requirements- Preparing to Comply with CASL Chris Oates, Associate, Gowling Lafleur Henderson LLP Prepared, January 15, 2014

Upload: brodie-archbold

Post on 29-Mar-2015

215 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Anti-Spam Requirements- Preparing to Comply with CASL Chris Oates, Associate, Gowling Lafleur Henderson LLP Prepared, January 15, 2014

Anti-Spam Requirements- Preparing to Comply with CASL

Chris Oates, Associate, Gowling Lafleur Henderson LLP

Prepared, January 15, 2014

Page 2: Anti-Spam Requirements- Preparing to Comply with CASL Chris Oates, Associate, Gowling Lafleur Henderson LLP Prepared, January 15, 2014

Outline

Canada’s anti-spam law• To what does the law apply?• How do you ask for consent?• What do electronic messages need to contain? • How do you maintain your contact list when the law comes into

force?

Disclaimer• This presentation is intended to assist you in flagging legal issues relating to

Canada’s Anti-Spam Law.• This is ONLY a guide and legal counsel should be consulted for specific

situations.

2

Page 3: Anti-Spam Requirements- Preparing to Comply with CASL Chris Oates, Associate, Gowling Lafleur Henderson LLP Prepared, January 15, 2014

Canada’s Anti-Spam Legislation

Page 4: Anti-Spam Requirements- Preparing to Comply with CASL Chris Oates, Associate, Gowling Lafleur Henderson LLP Prepared, January 15, 2014

4

Canada’s Anti-Spam Legislation

Legislative Background:CASL comes into force on July 1, 2014 and will take a prohibitive approach to “Commercial Electronic Messages”, prohibiting all but those messages that comply with its requirements.

In some cases, existing, valid consent may not survive when CASL is in force.

Under CASL: • Electronic messages require consent from the

recipient, either express or implied;• The message must contain prescribed

disclosure; and• The message must contain an

unsubscribe mechanism in prescribed form.

Page 5: Anti-Spam Requirements- Preparing to Comply with CASL Chris Oates, Associate, Gowling Lafleur Henderson LLP Prepared, January 15, 2014

5

Canada’s Anti-Spam Legislation

To which messages does CASL apply?

Commercial Electronic Messages - a message sent by any means of telecommunication, including a text, sound, voice or image message, to an “electronic address” including:

• an electronic mail account;• an instant messaging account;• a telephone account; or • any similar account.

CASL will only apply to electronic messages that are “commercial”. This will include all messages that, based on their content, including links, and contact information, have as one of their purposes encouraging participation in commercial activity, regardless of whether this is done with the expectation of profit.

Page 6: Anti-Spam Requirements- Preparing to Comply with CASL Chris Oates, Associate, Gowling Lafleur Henderson LLP Prepared, January 15, 2014

6

Canada’s Anti-Spam Legislation

Is the Electronic Message Commercial?

CASL will only apply to electronic messages that are “commercial”. This will include all messages that, based on their content, including links, and contact information, have as one of their purposes encouraging participation in commercial activity, regardless of whether this is done with the expectation of profit.

• Messages that offer to sell a product; • Messages that advertise a product; • Messages that promote a person or corporation; • Messages that seek to gather consumer or market

information; • Messages that seek consent to send further messages.

Page 7: Anti-Spam Requirements- Preparing to Comply with CASL Chris Oates, Associate, Gowling Lafleur Henderson LLP Prepared, January 15, 2014

7

Canada’s Anti-Spam Legislation

What is not a Commercial Electronic Message?

CASL will not apply to several classes of message:

• Interactive two way voice communications;• Messages sent via facsimile to telephone accounts; and• Voice recordings sent to a telephone account.

These messages are currently subject to the CRTC’s oversight via the Telecommunications Act and the Do Not Call List.

CASL contains a provision that permits the government to repeal this exception AND the National Do Not Call List at a later date. If exercised, this would make unsolicited commercial telephone calls subject to the CASL requirements.

Page 8: Anti-Spam Requirements- Preparing to Comply with CASL Chris Oates, Associate, Gowling Lafleur Henderson LLP Prepared, January 15, 2014

8

Canada’s Anti-Spam Legislation

Which messages will be exempt?

The Regulations provide exceptions for the following message classes: • messages sent between employees of an organization relating to the affairs

of the organization, and messages sent between two organizations with a relationship, where the message relates to their affairs

• messages that respond to an inquiry, complaint, or other solicitation from the recipient

• fundraising messages sent by a registered charity• messages where the person sending the message reasonably expects it to

be received in a foreign state listed in the Regulations, if the message complies with the law of that state

• messages sent to a secure account to which only the person providing the account may send messages

• messages sent on a platform that includes compliant disclosure and an unsubscribe mechanism in its interface are exempt from the message requirements, but not the consent requirements.

• messages sent to satisfy a legal obligation

Page 9: Anti-Spam Requirements- Preparing to Comply with CASL Chris Oates, Associate, Gowling Lafleur Henderson LLP Prepared, January 15, 2014

9

Penalties

Administrative monetary penalties for violations: • A fine of up to $1,000,000 for a violation by an individual. • A fine of up to $10,000,000 for a violation by a corporation.

CASL also creates a private right of action for persons who allege they have been affected by a violation. If the action is successful in court, the court may order:

• Compensation equal to the actual loss or damage suffered; and

• $200 for each contravention, not exceeding $1,000,000 for each day on which a contravention occurred.

The private right of action has a delayed coming into force date, and will not be in place until July 1, 2017.

Page 10: Anti-Spam Requirements- Preparing to Comply with CASL Chris Oates, Associate, Gowling Lafleur Henderson LLP Prepared, January 15, 2014

10

Express Consent Under CASL

Requirements for a Request for Express Consent

1. Provide the purpose for which the consent is sought;

2. Provide the name under which the person seeking consent carries on business, and if different, the name under which the person on whose behalf consent is sought carries on business;

3. If applicable, identify which person is seeking consent, and on whose behalf consent is sought;

4. Provide the mailing address, and one (or more) of a telephone number, website, or email address of either the person seeking consent, or if different, the person on whose behalf consent is sought

5. State that consent may be withdrawn.

Requests for consent may be made orally (e.g. through personal and direct contact, at the point the relationship began) or in writing (incl. electronic forms). In all cases these disclosures must be made.

Page 11: Anti-Spam Requirements- Preparing to Comply with CASL Chris Oates, Associate, Gowling Lafleur Henderson LLP Prepared, January 15, 2014

11

Express Consent Under CASL

In all cases, the burden of proof to establish consent rests on the party claiming to have consent.

For example, a party may demonstrate oral consent in cases where: i. it can be “verified by an independent third party”; orii. “where a complete and unedited audio recording of the consent is

retained by the person seeking consent” (or a client of the person seeking consent). Note that audio recording and the purpose for it must be disclosed under existing privacy law.

Written consent can be satisfied where either paper or electronic form consent is obtained, including by checking a box on a web page to give consent (with a record of the date, time, purpose, and manner of consent stored in a database).

Page 12: Anti-Spam Requirements- Preparing to Comply with CASL Chris Oates, Associate, Gowling Lafleur Henderson LLP Prepared, January 15, 2014

The CRTC’s Position on Express Consent

• The CRTC takes the position that express consent must be “positive or explicit”.

12

Page 13: Anti-Spam Requirements- Preparing to Comply with CASL Chris Oates, Associate, Gowling Lafleur Henderson LLP Prepared, January 15, 2014

The CRTC’s Position on Express Consent

• “Assumed” consent through a pre-checked box or an opt-out system would not be accepted.

13

Page 14: Anti-Spam Requirements- Preparing to Comply with CASL Chris Oates, Associate, Gowling Lafleur Henderson LLP Prepared, January 15, 2014

14

Implied Consent under CASL:

Implied Consent Under CASL

Requirements for Implied Consent

1.There is an existing business or non-business relationship between the sender and the recipient, or

2.The recipient has conspicuously published their address, or has disclosed it to the sender and: • has not indicated they do not wish to receive commercial messages; and,• the message is relevant to the recipient’s business, role, functions or duties

Page 15: Anti-Spam Requirements- Preparing to Comply with CASL Chris Oates, Associate, Gowling Lafleur Henderson LLP Prepared, January 15, 2014

15

Implied Consent Under CASL

Both “existing business relationship” and “existing non-business relationship” are narrowly defined in the legislation:

“Existing business relationships” exist only where the recipient: i. Purchased, leased or bartered products, goods, services or land from the

sender within two years before a message is sent; ii. Accepted a business, investment or gaming opportunity from the sender

within two years before a message is sent; iii. Has a existing written contract with the sender about a matter other than

i or ii or such a contract expired in the two years prior to the message; oriv. Made an inquiry or application for products, goods, services, etc. within

six months before the message

“Existing non-business relationships” exist only where the recipient:v. Made a donation, gift or volunteered for a registered charity or political

party who sends the message; orvi. Is a member in a club, association or voluntary organization that sends

the message and is operated for social welfare.

Page 16: Anti-Spam Requirements- Preparing to Comply with CASL Chris Oates, Associate, Gowling Lafleur Henderson LLP Prepared, January 15, 2014

16

Exceptions to the Need for Consent

CASL creates an exception to the need for consent for certain “transactional” messages.

This exception will apply to messages that solely: • provide a quote or estimate for the supply of a product or service;• facilitate, complete or confirm a previously agreed upon

commercial transaction; • provide warranty information, product recall information or safety

or security information about a product the recipient uses or had purchased;

• provide notification of factual information about the ongoing use by recipient of a product or a service offered under a subscription, membership, account, loan or similar relationship by the sender.

Page 17: Anti-Spam Requirements- Preparing to Comply with CASL Chris Oates, Associate, Gowling Lafleur Henderson LLP Prepared, January 15, 2014

17

Message Content under CASL

Commercial Electronic Message Content under CASL:

Message Content

1.Identify the person who sent the message and, if applicable, the person on whose behalf it was sent;

2.Provide prescribed contact for one of these persons; and

3.Include an unsubscribe mechanism.

The required contact information must remain current for a minimum of 60 days after the message is sent.

Page 18: Anti-Spam Requirements- Preparing to Comply with CASL Chris Oates, Associate, Gowling Lafleur Henderson LLP Prepared, January 15, 2014

18

Message Content under CASL

Prescribed Disclosure Requirements for Electronic Messages

1. The name under which the person seeking consent carries on business, and if different, the name under which the person on whose behalf consent is sought carries on business;

2. If applicable, an indication which person sent the message and on whose behalf it was sent;

3. The mailing address, and one (or more) of a telephone number, website, or email address of either the person sending the message, or if different, the person on whose behalf it is sent; and

4. An unsubscribe mechanism.

The Regulations do not make any exceptions for service providers sending electronic messages on behalf of third parties.

Page 19: Anti-Spam Requirements- Preparing to Comply with CASL Chris Oates, Associate, Gowling Lafleur Henderson LLP Prepared, January 15, 2014

Unsubscribe Mechanisms

19

Unsubscribe Mechanisms

The unsubscribe mechanism included in a CEM must: (i) allow recipients to indicate that they no longer want to receive any CEMs or any class of CEMS from the sender or – if different – the person on whose behalf the message was sent; (ii) using the same electronic means (or if not possible any other electronic means enabling the same result); and (ii) specify an electronic address or web link to unsubscribe.

The electronic address or webpage for unsubscribing must be valid for a minimum of 60 days. Recipients who unsubscribe must also be unsubscribed “without delay” and no later than 10 business days after asking to be unsubscribed.

The CRTC Regulations require that an unsubscribe mechanism must be “set out clearly and prominently” and “must be able to be readily performed.” According to CRTC guidelines, for an unsubscribe mechanism to be “readily performed” it must be “accessed without difficulty or delay and should be simple, quick and easy for the consumer to use”.

Page 20: Anti-Spam Requirements- Preparing to Comply with CASL Chris Oates, Associate, Gowling Lafleur Henderson LLP Prepared, January 15, 2014

20

Third Party Mailing Lists

CASL expressly provides for consent obtained on behalf of an unknown third party; however, it limits how this consent may be obtained and used:

• The party that seeks consent is required to comply with the standard CASL requirements for obtaining consent, including stating the purpose for the collection, and providing their name and contact information.

• A person who relies on such a consent must meet additional disclosure requirements for the message content.

Page 21: Anti-Spam Requirements- Preparing to Comply with CASL Chris Oates, Associate, Gowling Lafleur Henderson LLP Prepared, January 15, 2014

21

Third Party Mailing Lists

Message content when consent is obtained from a third party.

When a consumer list is purchased from a third party, it is essential that such a list be used separately from the company’s own opt-in lists, as messages sent pursuant to such consent are subject to additional disclosure requirements:

• The message must identify the person who obtained the original consent as well as the person who sent the message.

• The unsubscribe mechanism must allow the recipient to remove consent from both the person who sent the message, the person who obtained the original consent or any other person authorized to use the consent.

Page 22: Anti-Spam Requirements- Preparing to Comply with CASL Chris Oates, Associate, Gowling Lafleur Henderson LLP Prepared, January 15, 2014

22

Exceptions to the Disclosure Requirements

The General Exception

“If it is not practicable to include the information (…) in a commercial electronic message, that information may be provided by a link to a web page on the World Wide Web that is clearly and prominently set out and that can be accessed by a single click or another method of equivalent efficiency at no cost to the person to whom the message is sent.”

This exception will be essential for electronic messages that are subject to space restraints such as text messages. It is not likely to apply to messages not subject to such restraints, such as email.

Page 23: Anti-Spam Requirements- Preparing to Comply with CASL Chris Oates, Associate, Gowling Lafleur Henderson LLP Prepared, January 15, 2014

23

The Family and Personal Relationship Exception

“Family” “Personal relationship” Marriage; A common-law partnership; A legal parent/child relationship;

where: Those persons have had a

direct voluntary two way communication.

Must have had direct, voluntary two way communications;

Must be reasonable to conclude the relationship is personal considering relevant factors.

Neither the requirement to obtain consent, nor the requirement to disclose information regarding the sender, will apply where an electronic message is sent by or “on behalf” of a person who has a “personal” or “family” relationship with the recipient.

This exception will only apply in unusual cases. Examples we have seen include refer-a-friend type promotions, and customizable holiday greeting cards.

Page 24: Anti-Spam Requirements- Preparing to Comply with CASL Chris Oates, Associate, Gowling Lafleur Henderson LLP Prepared, January 15, 2014

24

Referral Messages

The Regulations include an exception that permits a single referral message to be sent where: • The referral is made by an individual who has an existing business relationship, existing non-business relationship, family, or personal relationship with the message recipient; • The referrer has one of those relationships with the sender of the message;• The message states the full name of the person who made the referral, and states that the message was sent as a result of the referral

Page 25: Anti-Spam Requirements- Preparing to Comply with CASL Chris Oates, Associate, Gowling Lafleur Henderson LLP Prepared, January 15, 2014

25

Maintaining Contact Lists

CASL will narrow the ability to rely on Implied Consent

CASL expressly provides for reliance on implied consent primarily in cases of existing “business relationships” or “non-business relationships”.

These are defined categories that are much more narrow than the ability to rely on the “reasonableness” test for implied consent under the federal privacy legislation, PIPEDA.

• Under PIPEDA, where a consumer sends a request for information by email, it would be reasonable to conclude that you have their implied consent to respond using their email address.

• Under CASL, a consumer question regarding a potential purchase would constitute an “existing business relationship”, provided a response is sent within six months from the date of the question. Further, a response (as opposed to other commercial messages) would also be subject to an exception in draft regulations.

Page 26: Anti-Spam Requirements- Preparing to Comply with CASL Chris Oates, Associate, Gowling Lafleur Henderson LLP Prepared, January 15, 2014

26

Maintaining Contact Lists

The regulatory impact statement for the Regulations confirms Industry Canada’s position that valid express consent obtained before CASL comes into force “will be recognized as being compliant with CASL”.

However, Industry Canada also expressly noted that in some cases email addresses that may be used under the current privacy legislation may no longer be used under CASL.

This is most likely to occur where an organization is relying on ‘implied’ consent under PIPEDA- implied consent under CASL is much more narrow.

Organizations should consider the manner in which their current email list had been established to assess the ability to continue to use it after CASL comes into force.

Prior to July 1, 2014, organizations will have an opportunity to seek express consent in cases where implied consent is currently relied on.

Page 27: Anti-Spam Requirements- Preparing to Comply with CASL Chris Oates, Associate, Gowling Lafleur Henderson LLP Prepared, January 15, 2014

27

Transitional Provisions

When CASL comes into force on July 1, 2014, there will be an extended period of three years during which implied consent will survive in cases of “existing business relationships”, as defined in CASL that include the sending of commercial messages.

• After this period, the existing business relationships will survive for two years following a purchase, or six months following an inquiry.

• The transitional period provides an extended timeline for perfecting existing implied consent (as defined in CASL) by seeking express consent.

• Any attempts to perfect consent within this period would need to be carried out in compliance with CASL.

Page 28: Anti-Spam Requirements- Preparing to Comply with CASL Chris Oates, Associate, Gowling Lafleur Henderson LLP Prepared, January 15, 2014

28

Application

Compliance with CASL will become a legal requirement on July 1, 2014.

Organizations should be bringing their electronic marketing practices into compliance now, both due to the magnitude of the potential penalties, and to help establish an express consent list that will survive the coming into force of the Act.

Page 29: Anti-Spam Requirements- Preparing to Comply with CASL Chris Oates, Associate, Gowling Lafleur Henderson LLP Prepared, January 15, 2014

montréal · ottawa · toronto · hamilton · waterloo region · calgary · vancouver · moscow · london

Thank YouChris OatesAssociateGowling Lafleur Henderson [email protected]