casl and common sense: coming to grips with canada’s anti-spam law professor michael geist...
TRANSCRIPT
CASL and Common Sense:Coming to Grips With Canada’s Anti-Spam Law
professor michael geist
university of ottawa, faculty of law
The law business hates…
…and consumers love
both are wrong
CASL not the end of the email marketing
but also not the end of spam
What is it?
The CASL concerns
What’s really the issue?
Consent
CASL• Task Force conclusion - opt-in consent backed by penalties• Long delay in responding to recommendations• ECPA introduced in May 2009; dies with prorogation• FISA (re)introduced in May 2010• Bill receives royal assent in December 2010• Regs introduced in June 2011 • Regs reintroduced in January 2013• Law took effect in July 2014• Phased-in – elements take effect in 2015, 2017
CASL - The Basics
Only applies to commercial electronic messages
CASL - The Basics• Only applies to commercial electronic messages:
– Having regard to content, links, etc.:(a) offers to purchase, sell, barter or lease a product,
goods, a service, land or an interest or right in land;(b) offers to provide a business, investment or gaming
opportunity;(c) advertises or promotes anything referred to in
paragraph (a) or (b); or(d) promotes a person, including the public image of a
person, as being a person who does anything referred to in any of paragraphs (a) to (c), or who intends to do so.
• Exception for law enforcement
CASL - The Basics
Key prohibition – no sending CEMs unless:
1. Consent2. Form requirements3. Opt-Out
CASL - The Basics• Key prohibition - send or cause or permit to be sent to an
electronic address a commercial electronic message unless:(a) the person to whom the message is sent has consented to receiving it, whether the consent is express or implied; and(b) message meets form requirements– Identifies sender– Sender contact information (valid for 60 days)– Unsubscribe mechanism
• Enable person to unsubscribe via email at no cost• Offer a web-based unsubscribe function• Must take off list within 10 days
• Does not matter if message is received
CASL - The Exceptions
Lots of exceptions
- Full exceptions- Form reqs- Opt-in vs. Opt-out
CASL - The Exceptions• Personal or family relationships• Business-to-business (if consists solely of inquiry related to
commercial activity)• Quote or estimate for product or service if requested by recipient• Confirms previously completed commercial transaction• Warranty information• Product recall information• Safety or security information about a product• Factual information on ongoing transaction such as subscription,
membership, account, loan, etc.• Employment relationship• Product upgrades• Telco providers merely providing telecommunications services
CASL – The Exceptions (via Regs)• Numerous additional exceptions:
– Charities– Third party referrals– Broad definition for personal relationship– Legal or juridical obligations– Expanded business-to-business– Jurisdiction
CASL- The Consent• Can be implied consent if:
– Existing business relationship• Purchase or lease of any product, service, etc. over prior 2 year period• Business, investment, gaming opportunity over prior 2 year period• Bartering of good, service, etc.• Written contract• Inquiry within past six months
– Existing non-business relationship• Donation or gift to registered charity over prior 2 year period• Donation or gift to political party or candidate over prior 2 year
period• Volunteer work over prior 2 year period (charity, political party,
candidate)• Membership in a club, association, etc. over 2 year period (in regs)
– Person conspicuously publishes email address– Person discloses email address to sender
CASL - Additional Prohibitions
Many provisions that fall outside basic anti-spam rules
CASL - Additional Prohibitions
• No altering transmission data without consent– Exception for network management
• No installing computer programs without consent• No installing computer programs and using to send
electronic messages
CASL- Additional Prohibitions• Statute identifies requirements for express consent
– For computer programs includes describing function and purpose of the program
– Additional express consent requirement (w/description) if program:• Collects personal information• Interferes with control of personal computer• Changes settings• Interferes with data• Communicates with other computers without consent• Installs another program
• Doesn’t apply:– to computer upgrades where user has given broad consent– cookies, HTML, JavaScripts, OS– Where reasonable to assume has given consent
CASL - Additional Prohibitions• Competition Act violations
– New false or misleading representations in electronic message• Sender information• Content• Locator information
– These apply whether or not deceived• PIPEDA Violations
– Collection of email addresses if used by program designed to capture email addresses– Use of email addresses if collected from program (as above)– Commissioner has some discretion on investigation
• Telecommunications Act– Possible replacement of do-not-call list
CASL - Penalties/Enforce
Big penalties and new enforcement powers
CASL - Penalties/Enforce• Preservation orders - may require telco to preserve data
– Valid for 21 days– May be extended once– May limit disclosure of preservation order for up to six months– Telco must preserve for up to six months; destroy thereafter– Within 5 days, can ask CRTC to review if undue burden– CRTC can vary, rescind, etc.
• Production order– May require production of document or data– Similar standards as preservation orders (no disclosure, CRTC review)
• Warrants– Enter premises to ensure compliance, investigate violations
CASL - Penalties/Enforce• AMPs
– $1,000,000 for individual per violation– $10,000,000 for corporation per violation
• Undertakings– Essentially a settlement of forthcoming notice of violation
• Notice of Violation– Set out violations, penalties, etc.
• Injunctions
CASL- Private Right of Action• Can bring action to court within three years of violation• No action against someone who has agreed to an
undertaking• CRTC, Competition Bureau, OPC may all intervene• Court can order up to $1,000,000 per violation
The CASL concerns(aka in defence of the law)
Is spam still a problem?
How will the CRTC enforce the law?
Will this kill email marketing?
What’s really the issue?
Complexity & Cost
Can’t be database/basic compliance
Can’t be jurisdiction
Consent
Rethinking Consent
@mgeist