Canada’s Anti-Spam Law and Privacy Compliance: What You Need to Know

Presentation Transcript


  1. Canada’s Anti-Spam Law and Privacy Compliance: What You Need to Know. Chris Oates, Associate, Gowling Lafleur Henderson LLP. Lexpert Social Media Conference, June 2, 2014.

  2. Outline Canada’s Anti-Spam Law (“CASL”): • How do you request consent to send commercial messages? • What do messages need to contain? • How do you handle your existing list? • Collecting, using and disclosing personal information online • Your privacy obligations • Information transfers and responding to privacy breaches

  3. Preparing for Compliance with Canada’s Anti-Spam Law

  4. Canada’s Anti-Spam Legislation Legislative Background: CASL comes into force on July 1, 2014 and will take a prohibitive approach to “Commercial Electronic Messages”, prohibiting all but those messages that comply with its requirements. In some cases, existing, valid consent may not survive when CASL is in force. Under CASL: • Electronic messages require consent from the recipient, either express or implied; • The message must contain prescribed disclosure; and • The message must contain an unsubscribe mechanism in prescribed form.

  5. Canada’s Anti-Spam Legislation To which messages does CASL apply? CASL applies to Commercial Electronic Messages (“CEMs”) that are sent by any means of telecommunication, including a text, sound, voice or image message, to an “electronic address”: • an electronic mail account; • an instant messaging account; • a telephone account; or • any similar account. “Any similar account” may capture new forms of communication, such as social media and BBM. The key question is whether the message is sent to something akin to an “electronic address”. Messages that are not sent to an electronic address are not subject to CASL. Tweets and Facebook wall postings appear to be published rather than sent to an address; however, ‘direct messages’ appear to go to an address.

  6. Canada’s Anti-Spam Legislation Is the Electronic Message Commercial? CASL will only apply to electronic messages that are “commercial”. This will include all messages that, based on their content, including links, and contact information, have as one of their purposes encouraging participation in commercial activity, regardless of whether this is done with the expectation of profit. • Messages that offer to sell a product or service; • Messages that advertise a product or service; • Messages that promote a person or corporation; • Messages that seek to gather consumer or market information; • Messages that seek consent to send further messages.

  7. Canada’s Anti-Spam Legislation What is not a Commercial Electronic Message? CASL will not apply to several classes of message: • Interactive two way voice communications; • Messages sent via facsimile to telephone accounts; and • Voice recordings sent to a telephone account. These messages are currently subject to the CRTC’s oversight via the Telecommunications Act and the Unsolicited Telecommunications Rules. CASL contains a provision that permits the government to repeal this exception AND the National Do Not Call List at a later date. If exercised, this would make unsolicited commercial telephone calls subject to the CASL requirements.

  8. Canada’s Anti-Spam Legislation Which messages will be exempt? The Regulations provide that the following message classes are exempt from both the consent and in message disclosure requirements: • messages sent between employees of an organization relating to the affairs of the organization; • messages sent between employees of two organizations with a relationship, where the message relates to the affairs of the recipient organization; • messages that respond to an inquiry, complaint, or other solicitation from the recipient; • fundraising messages sent by or on behalf of a registered charity;

  9. Canada’s Anti-Spam Legislation Which messages will be exempt? The Regulations provide that the following message classes are exempt from both the consent and in message disclosure requirements: • messages where the person sending the message reasonably expects it to be received in a foreign state listed in the Regulations, if the message complies with the law of that state; • messages sent to a secure account to which only the person providing the account may send messages; • messages sent on a platform that includes compliant disclosure and an unsubscribe mechanism in its interface are exempt from the message requirements, but not the consent requirements; • messages sent to satisfy a legal obligation.

  10. Penalties Administrative monetary penalties for violations: • A fine of up to $1,000,000 for a violation by an individual. • A fine of up to $10,000,000 for a violation by a corporation. CASL also creates a private right of action for persons who allege they have been affected by a violation. If the action is successful in court, the court may order: • Compensation equal to the actual loss or damage suffered; and • $200 for each contravention, not exceeding $1,000,000 for each day on which a contravention occurred. The private right of action has a delayed coming into force date, and will not be in place until July 1, 2017. The CRTC may seek to impose administrative monetary penalties following July 1, 2014.

  11. Express Consent Under CASL

  12. The CRTC’s Position on Express Consent The CRTC takes the position that express consent must be “positive or explicit”. Note that a check box is not specifically required; other mechanisms that amount to an explicit indication of consent may be used.

  13. The CRTC’s Position on Express Consent “Assumed” consent through a pre-checked box or an opt-out mechanism would not be accepted.

  14. Implied Consent Under CASL

  15. Implied Consent – “Existing Relationships” An “Existing Business Relationship” is where the recipient of the message: • purchased a good or service from the message sender within the prior two years; • accepted a business opportunity from the message sender within the prior two years; • has a written contract with the message sender in respect of a matter other than a purchase, lease, or business opportunity; or • made an inquiry or application to the message sender regarding a purchase, lease, or business opportunity within the six months prior to the message. An “Existing Non-Business Relationship” is where the recipient of the message: • made a donation to, or performed volunteer work for, the sender, which is a registered charity; or • has a membership with the sender, and the sender is a club, association or voluntary organization that is a non-profit organization organized and operated exclusively for social welfare, civic improvement, pleasure or recreation, or for any purpose other than personal profit, if no part of its income is payable to, or otherwise available for the personal benefit of, any proprietor, member or shareholder (with an exception for amateur athletics).

  16. Exceptions to the Need for Consent CASL creates an exception to the need for consent for certain “transactional” messages. This exception will apply to messages that solely: • provide a quote or estimate for the supply of a product or service; • facilitate, complete or confirm a previously agreed upon commercial transaction; • provide warranty information, product recall information, or safety or security information about a product the recipient uses or has purchased; • provide notification of factual information about the ongoing use by the recipient of a product or service offered under a subscription, membership, account, loan or similar relationship by the sender. These messages remain subject to the message content requirements.

  17. Message Content under CASL Service providers sending electronic messages on behalf of third parties that do not have control over the message content or recipient list would not need to be identified. The required contact information must remain current for a minimum of 60 days after the message is sent.

  18. Unsubscribe mechanism CASL requires CEMs to set out an unsubscribe mechanism that allows the message recipient to indicate, at no cost, the wish to unsubscribe from all CEMs or a specified class of CEMs. This mechanism must: • Use the same electronic means as the message or, if that is not practicable, other electronic means; • Give an electronic address or a web link for unsubscribe requests; • Be set out clearly and be “readily” performable; • Be given effect “without delay”, and no later than 10 business days after the request. The unsubscribe address or link must remain valid for a minimum of 60 days after the message is sent.

  19. Exceptions to the Disclosure Requirements The General Exception “If it is not practicable to include the information (…) in a commercial electronic message, that information may be provided by a link to a web page on the World Wide Web that is clearly and prominently set out and that can be accessed by a single click or another method of equivalent efficiency at no cost to the person to whom the message is sent.” This exception will be essential for electronic messages that are subject to space restraints such as text messages. It is not likely to apply to messages not subject to such restraints, such as email.

  20. The Family and Personal Relationship Exception Neither the requirement to obtain consent, nor the requirement to disclose information regarding the sender, will apply where an electronic message is sent “by”or “on behalf” of a person who has a “personal” or “family” relationship with the recipient. This exception will only apply to businesses in unusual cases. Examples I have seen include refer-a-friend type promotions, and customizable holiday greeting cards.

  21. Referral Messages The Regulations include an exception that permits a single referral message to be sent where: • The referral is made by an individual who has an existing business relationship, existing non-business relationship, family, or personal relationship with the message recipient; • The referrer has one of those relationships with the sender of the message; and • The message states the full name of the person who made the referral, and states that the message was sent as a result of the referral. The referral message must also comply with the standard CASL message disclosure requirements.

  22. Third Party Mailing Lists • CASL expressly allows consent to be obtained on behalf of unknown third parties. However, it limits how this consent may be obtained and used: • The party that seeks consent is required to comply with the standard CASL requirements for obtaining consent, including stating the purpose for the collection, and providing their name and contact information. • A person who relies on such a consent must meet additional disclosure and unsubscribe mechanism requirements for the messages they send.

  23. Third Party Mailing Lists • Message content when consent is obtained from a third party, such as a list broker. • When an email list is purchased from a third party, messages sent pursuant to such consent are subject to additional disclosure requirements: • The message must identify the person who obtained the original consent as well as the person who sent the message, in addition to providing the standard prescribed contact information. • The unsubscribe mechanism must allow the recipient to remove consent from both the person who sent the message, the person who obtained the original consent or any other person authorized to use the consent. It is essential that such a list be used separately from the company’s own opt-in lists.

  24. Further implications of CASL CASL has prohibitions that apply to actions other than sending CEMs: • Anti-phishing: altering, or causing to be altered, the transmission data in an electronic message so that it is delivered to a destination other than, or in addition to, the one specified by the sender. • Anti-malware: a program cannot be installed on another person’s computer system without that person’s prior express consent. • The provisions relating to computer program installation come into force on January 15, 2015.

  25. Does CASL apply to businesses outside Canada? • CASL applies both when sending CEMs from a computer in Canada or where the CEMs are received on a computer system in Canada even if the sender is located outside of Canada. • This is also true for other CASL prohibitions, including those related to the installation of computer programs.

  26. Maintaining Contact Lists The regulatory impact statement for the Regulations confirms Industry Canada’s position that valid express consent obtained before CASL comes into force “will be recognized as being compliant with CASL”. However, Industry Canada also expressly noted that in some cases email addresses that may be used under the current privacy legislation may no longer be used under CASL. Email addresses are most likely to be unusable following July 1, 2014 where an organization is relying on ‘implied’ consent under PIPEDA, and that consent does not fall into one of the defined categories of implied consent in CASL. Implied consent under CASL is much narrower: it exists only in cases of existing “business relationships” or “non-business relationships”. Where an organization is relying on “implied consent” under PIPEDA that is not recognized under CASL, it would not be able to send CEMs to those addresses following July 1.

  27. Maintaining Contact Lists CASL places the burden of proving consent on the organization claiming to have it. As such, where an organization is unable to prove it has express consent or valid implied consent in relation to its current list, it may not be able to rely on that list following July 1, 2014. Organizations should consider the manner in which their current email list was established to assess their ability to continue using it after CASL comes into force. Prior to July 1, 2014, there is an opportunity to seek express consent in cases where implied consent is currently relied on.

  28. Transitional Provisions When CASL comes into force on July 1, 2014, there will be an extended period of three years during which “implied consent” will survive in cases of “existing business relationships”, as defined in CASL, that predate CASL and that include the sending of commercial messages when CASL comes into force. • Existing business relationships that are established after CASL will survive for two years following a purchase, or six months following an inquiry. • The transitional period provides an extended timeline for perfecting pre-existing implied consent (as defined in CASL) by seeking express consent. • Any attempt to perfect implied consent following July 1, 2014 would need to be carried out in compliance with CASL.
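The consent windows on this slide and the two before it (express consent survives; a purchase gives two years of implied consent, an inquiry six months; a pre-CASL business relationship that already involved CEMs gets the three-year transitional period; and the sender must be able to prove consent) can be turned into a list-triage check. The Python below is an added example and is not part of the presentation: the record layout, the ConsentRecord, consent_valid and triage_list names, and the sample addresses are assumptions, and the transitional rule is simplified to “implied consent for a relationship that predates July 1, 2014 and already involved sending CEMs lasts until July 1, 2017”.

```python
# Added example, not from the presentation: triage a contact list by whether
# a CEM may be sent on a given date under the CASL consent windows.
# Assumptions: field names, the ConsentRecord/consent_valid/triage_list names
# and the sample addresses are hypothetical; the transitional provision is
# modelled simply as "pre-CASL relationship with CEMs -> valid until 2017-07-01".
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional

CASL_IN_FORCE = date(2014, 7, 1)
TRANSITION_END = date(2017, 7, 1)  # three years after coming into force

# Implied-consent windows from the slides: two years after a purchase,
# six months after an inquiry. Express consent does not lapse on its own.
IMPLIED_WINDOW_MONTHS = {"purchase": 24, "inquiry": 6}


def add_months(d: date, months: int) -> date:
    """Calendar-aware month arithmetic (Jan 31 + 1 month clamps to Feb 28/29)."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass
class ConsentRecord:
    address: str
    kind: str                 # "express", "purchase" or "inquiry"
    obtained_on: date         # date of the consent, purchase or inquiry
    evidence: Optional[str]   # form id, log reference, etc.; None if unprovable
    pre_casl_messaging: bool = False  # relationship predates CASL and CEMs were already sent


def consent_expiry(rec: ConsentRecord) -> Optional[date]:
    """Date on which implied consent lapses; None for express consent."""
    if rec.kind == "express":
        return None
    if rec.obtained_on < CASL_IN_FORCE and rec.pre_casl_messaging:
        return TRANSITION_END  # transitional provision (simplified model)
    return add_months(rec.obtained_on, IMPLIED_WINDOW_MONTHS[rec.kind])


def consent_valid(rec: ConsentRecord, on: date) -> tuple[bool, str]:
    """May a CEM be sent to this address on `on`? Returns (decision, reason)."""
    if rec.kind != "express" and rec.kind not in IMPLIED_WINDOW_MONTHS:
        return False, f"unknown consent kind {rec.kind!r}"
    # CASL puts the burden of proving consent on the sender: no evidence, no send.
    if not rec.evidence:
        return False, "no proof of consent on file"
    expiry = consent_expiry(rec)
    if expiry is None:
        return True, "express consent"
    if on < expiry:  # treat the boundary day itself as lapsed (conservative)
        return True, f"implied consent ({rec.kind}) until {expiry.isoformat()}"
    return False, f"implied consent ({rec.kind}) lapsed on {expiry.isoformat()}"


def triage_list(records, on: date):
    """Split a list into sendable addresses and those needing express consent."""
    sendable, needs_express = [], []
    for rec in records:
        ok, reason = consent_valid(rec, on)
        (sendable if ok else needs_express).append((rec.address, reason))
    return sendable, needs_express


if __name__ == "__main__":
    # Constructed sample list (not real data).
    sample = [
        ConsentRecord("a@example.com", "express", date(2014, 3, 1), "webform-1"),
        ConsentRecord("b@example.com", "purchase", date(2013, 3, 1), "order-77", True),
        ConsentRecord("c@example.com", "inquiry", date(2015, 1, 15), "ticket-9"),
        ConsentRecord("d@example.com", "purchase", date(2015, 1, 15), None),
    ]
    buckets = zip(("send", "re-permission"), triage_list(sample, date(2016, 1, 1)))
    for label, rows in buckets:
        for addr, why in rows:
            print(f"{label:14} {addr:16} {why}")
```

The evidence field is what makes the “burden of proof” point operational: an address with a plausible relationship but no retrievable record lands in the re-permission bucket, which is the list the slides suggest working through before July 1, 2014.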

  29. Preparing for CASL Compliance Compliance with CASL will become a legal requirement on July 1, 2014. Organizations should be bringing their electronic communications practices into compliance now, both due to the magnitude of the potential penalties, and to help establish an express consent list that will survive the coming into force of the Act.

  30. Preparing for CASL Compliance To prepare for compliance with CASL, it is essential for organizations to audit their existing practices regarding commercial electronic messages and the continued validity of their existing consents: • Determine if you are sending CEMs; • Identify the channels through which you send CEMs; • Assess if you have implied or express consent to send CEMs or if an exemption applies; • If you conclude you have consent, assess your ability to prove it in the face of a challenge; • Develop a plan to obtain any required consents. This plan should address both the treatment of current lists, as well as how the organization will continue to acquire consent after July 1, 2014;

  31. Preparing for CASL Compliance • Ensure your CEMs contain the content required by CASL, except where an exception applies; • Determine how CASL may affect your policies, processes, customer relationship management (CRM) and other IT systems, and staff training and awareness programs; • Revise your policies, processes and systems as required; • Keep an audit trail, since CASL contains a “due diligence” defense.

  32. Collecting, using and disclosing personal information online

  33. Regulatory Framework • The Personal Information Protection and Electronic Documents Act (“PIPEDA”) • Regulates the collection, use, and disclosure of personal information in the private sector. • PIPEDA applies to the collection, use, and disclosure of “personal information” by federal works, undertakings and businesses, and by all private sector organizations in provinces that do not have “substantially similar” private sector privacy legislation. • PIPEDA also applies to private organizations in any province in cases where personal information is transferred across provincial or national borders.

  34. Regulatory Framework What is ‘Personal Information’? “Personal information” is broadly defined in PIPEDA to include any “information about an identifiable individual”, whether public or private, with limited exceptions. The Privacy Commissioner has repeatedly held personal information to include email addresses, including business addresses.

  35. Regulatory Framework • ‘Anonymous’ Information • Personal Information must be thoroughly de-identified before it is no longer “personal information”. The standard is high, and care must be taken that it is no longer possible to link the information back to an individual. • A decision under PIPEDA held: • Personal information that has been de-identified does not qualify as anonymous information if it is still possible to link the de-identified data back to an identifiable individual. • Information will be about an identifiable individual if there is a serious possibility that someone could identify the available information.  It is not necessary (…) to demonstrate that someone would (…) actually do so.  • (…) de-identified data will not constitute “truly anonymous information” when it is possible to subsequently link the de-identified data back to an identifiable individual.

  36. Regulatory Framework • ‘Public’ Information • Personal Information that can be accessed from a ‘public’ source remains subject to the requirement for consent in most cases. • PIPEDA provides only limited exceptions: • A name, address and telephone number in a telephone directory, if the individual can refuse to have their information included in the directory; • A name, title, address and telephone number in a professional or business directory, if the information is used for the purpose for which it appears in the directory; • A registry collected under statutory authority, or a record/document of a judicial body, if the information is used for the purpose for which it appears in the registry or document; • A publication, including a magazine, book or newspaper, available to the public, where the individual provided the information.

  37. Regulatory Framework Provincial Privacy Legislation Alberta and British Columbia have enacted privacy legislation (in both, the Personal Information Protection Act (“PIPA”)) which applies generally to private sector entities. Alberta’s PIPA was declared invalid by the Supreme Court of Canada in November 2013. Québec’s private sector privacy legislation, An Act respecting the protection of personal information in the private sector, is similar in principle to PIPEDA; however, there are important differences in detail. The Québec Privacy Act applies to all private sector organizations with respect to the collection, use and disclosure of personal information (not just with respect to commercial activities) and to employee information. It also applies to private sector collection, use and disclosure of personal health information.

  38. Key Principles The four key private-sector statutes (PIPEDA, the Alberta and British Columbia PIPAs, and the Québec Act) apply similar principles. Privacy legislation: • States that personal information may only be collected, used or disclosed with the knowledge and consent of the individual; • Limits the collection of personal information to what is necessary for the purpose(s) identified; and • Requires that personal information be collected by fair and lawful means.

  39. Key Principles PIPEDA sets out 10 principles that are key to compliance: • Consent • Accountability • Identifying Purposes • Limiting Collection • Limiting Use, Disclosure and Retention • Accuracy • Safeguards • Openness • Individual Access • Challenging Compliance

  40. Collecting Personal Information The overarching principles of privacy law apply regardless of where personal information is collected. Generally, Canadian privacy law is technology neutral. Always: • Disclose the purposes for which you collect information; • Obtain consent to those purposes; • Use personal information only in accordance with the purposes disclosed; • Provide adequate security for the information you collect, proportionate to its sensitivity.

  41. Collecting Personal Information Consider: • What information are you collecting? • More sensitive information requires clearer consent, and increased security. • Beware of over collection from loose coding in third party applications. • How are you obtaining consent? • Remember, consent must be in relation to the purposes you disclose to the individual. • How are you disclosing your privacy policy?

  42. Challenges for Mobile Advertisers Mobile applications present a particular challenge. Consider the need for your terms and policies to be readable using a small viewing screen. Example language from the Mobile Marketing Association’s Mobile Application Privacy Policy Framework (2011): • “This application does collect precise information about the location of your device. [INSERT A GENERAL DESCRIPTION OF HOW THIS IS DONE IN A WAY THAT IS CLEAR TO AN AVERAGE CONSUMER.]” • “We use your location information to provide requested location services, and [INSERT A LIST OF OTHER USES (E.G., TO ALLOW TAGGING, OR TO CHECK-IN) AND IF APPLICABLE, DESCRIBE THE CIRCUMSTANCES WHERE PRECISE LOCATION DATA IS SHARED WITH THIRD PARTIES FOR THEIR INDEPENDENT USE.]” • “[IF APPLICABLE] You may at any time opt-out from further allowing us to have access to your location data by [state how user can manage their location preferences either from the app or device level]. For more information, please see the section below entitled ‘opt-out rights.’”

  43. Challenges in Social Media Consider which social media site you are using: different sites will have different terms that apply to the information that users share on them: • Facebook prohibits using user information obtained from Facebook in advertisements, and prohibits any use of information obtained from a Facebook Ad, except on an aggregate basis to assess Ad performance. • Facebook permits the use of user information provided directly to a developer IF the user is provided with clear notice and provides their consent. • YouTube users provide a flow-through licence for other users to “use, reproduce, distribute, display and perform” their content as permitted under the YouTube Terms.

  44. Behavioural Advertising Behavioural Advertising and Tracking “Tracking consumers’ online activities over time in order to deliver advertisements targeted to their inferred interests” The Privacy Commissioner has issued guidelines: • Behavioural advertising CAN comply with PIPEDA, • The overall requirements to identify your purposes and obtain informed consent apply, • The form of consent can vary- opt-in or opt-out consent may be acceptable, considering the sensitivity of the information, • As a best practice, children should not be tracked, • Behavioural advertising should not be a condition of service.

  45. Behavioural Advertising Behavioural Advertising and Tracking Privacy Commissioner Guidelines for opt-out consent: • The individual must be made aware of the purposes for which you are collecting personal information. • The individual must be informed at the time or before information is collected and informed of the parties involved. • There must be an easily available opt-out, that takes effect immediately and is persistent. • The information is not sensitive. • The information is de-identified or destroyed as soon as possible. A clause buried in a privacy policy would not be adequate!

  46. IAB Canada IAB Canada, an industry group with many large advertisers, agencies, and media groups as members, has also published a framework for behavioural advertising: • Transparency: Provide notice when websites are supplying behavioural advertising. • Education: Provide web based information about behavioural advertising. • Choice: Provide a one click opt-out. • Accountability: Retain opt-out preferences.

  47. Mitigating Risk Mitigating Risk : Ensure your privacy compliance program addresses your actual collection and use of personal information. • Ensure your privacy policy identifies the purpose for any collection, use, or disclosure of personal information, seeks consent for these activities, and addresses the need to protect personal information. • Depending on the circumstances, additional measures should be taken. Compliance in the mobile space and when engaging in behavioural tracking is particularly challenging. • Ensure your employees, as well as your service providers, are aware of your policies, how to apply them, and the consequences of failing to do so. • Reconsider your compliance policy when you change your practices or purpose for the collection, use, or disclosure of personal information.

  48. Data Protection and Transfers PIPEDA requires organizations to implement physical, organizational and technological measures to ensure adequate security. • In an increasingly digitized world, technological measures are key to compliance. These may include data encryption, passwords, and access keys. • Organizational data protection measures will include ensuring that only certain personnel have access, or the access keys, to personal information. • Physical data protection mechanisms may include restricting access to secure locations. • Certain market sectors have industry standards that provide specific security requirements; for example, the PCI DSS is used in the payment card industry.

  49. Data Protection and Transfers Third Party Service Providers Organizations are responsible for personal information in their possession or custody, including information that has been transferred to a third party. An organization must consider the activities of the companies it retains to store personal information, to build platform integrations or applications, or to moderate content, as well as its advertising agencies and public relations companies. Be aware that the legal onus is on the outsourcing organization to ensure that the service provider to whom personal information is transferred complies with Canadian privacy laws.

  50. Data Protection and Transfers Breach Notification The federal Privacy Commissioner has published voluntary guidelines regarding responding to security breaches. The guidelines state four key steps when responding to a breach: • Contain the breach by taking immediate steps to stop any further information from being disclosed, and undertake a preliminary assessment of the situation; • Evaluate the risk associated with the breach by considering the sensitivity of the information involved, whether it was encrypted, how it may be used, and the risks to the individual resulting from that use; • Notify the individuals if the privacy breach creates a risk of harm to them; and • Develop a plan for the prevention of future breaches.
