Canada’s Anti-Spam Legislation: What It Means to Hit Send Presented by: Robin Cassel (RBC) and Alice Tseng and Wendy Mee (Blake, Cassels & Graydon LLP) February 27, 2014

Overview Key Dates Overview of the Law Liability and Penalties Compliance Strategies Pop Quiz

Key Dates Anti-spam provisions July 1, 2014 Installation of computer programs without consent January 15, 2015 Private Right of Action July 1, 2017

Overview of the Law Key prohibitions –sending unsolicited commercial electronic messages (CEMs) to an electronic address –altering transmission data without express consent –installing computer programs without express consent –making false and misleading representations in e-message –collecting e-addresses using computer programs without consent –collecting personal information through unauthorized access to a computer system

A. CEM Prohibition What is prohibited? –sending a commercial electronic message to an electronic address, unless: Consent (express or implied) has been obtained and Form and content requirements are met

A. CEM Prohibition (cont’d) What is a CEM? –message sent by any means of telecommunication (e.g., text, sound, voice or image) that has as its purpose, or one of its purposes, to encourage participation in a commercial activity –CEMs include electronic messages that request consent to send a CEM

A. CEM Prohibition (cont’d) What qualifies as an “electronic address”? –an –an instant messaging account –a telephone account ☎ –any similar account … social media?

B. Consent Requirements How is express consent obtained? –requires active “opt-in” –may be obtained orally or in writing –request for express consent must set out clearly and simply: purpose(s) for which consent is being sought specific information about the person seeking consent and, if applicable, the person on whose behalf consent is being sought statement that the person can withdraw their consent

B. Consent Requirements (cont’d) Example used in Compliance and Enforcement Information Bulletin CRTC

B. Consent Requirements (cont’d) Consent must be “sought separately” for each of the following acts: –sending CEMs –alteration of transmission data –installation of a computer program

B. Consent Requirements (cont’d) Example used in Compliance and Enforcement Information Bulletin CRTC

B. Consent Requirements (cont’d) When is consent implied? –existing business relationships –existing non-business relationships –conspicuous publications –voluntary disclosures

C. Form and Content Requirements What information must be provided in a CEM? –specific information that identifies the sender or person on whose behalf the CEM is sent –statement indicating which person is sending the CEM and which person on whose behalf the message is being sent, if applicable –information enabling the recipient to contact the sender of the CEM, valid for 60 days –a functional unsubscribe mechanism that meets prescribed requirements

Example used in Compliance and Enforcement Information Bulletin CRTC C. Form and Content Requirements (cont’d)

D. Full Exemption from CASL What types of messages are generally exempt from the application of the law? –personal and family relationships –inquiries sent to a person engaged in a commercial activity in relation to such activity –intra-business messages as long as certain conditions are met –inter-business messages as long as certain conditions are met –responses to individual requests, inquiries or complaints –messages sent to satisfy certain legal obligations

D. Full Exemption from CASL (cont’d) –messages sent and received on an electronic messaging service as long as certain requirements are met –messages sent to a limited-access secure and confidential account where messages can only be sent by the person who provides the account –messages that the sender reasonably believes will be accessed in a listed foreign state and that comply with the foreign law that addresses substantially similar conduct –messages sent by a registered charity for primary purpose of fundraising –messages sent by a political party, organization or candidate for the primary purpose of soliciting a contribution

E. Exemption from Consent Certain messages are exempt from the requirement of obtaining consent (must still comply with form and content requirements) if they solely: −provide a requested quote or estimate −facilitate or confirm a previously agreed-upon commercial transaction −provide warranty/safety information −provide factual information about an ongoing subscription/membership etc… −provide information related to an employment relationship etc… −deliver a product, good or service under a prior transaction

E. Exemption from Consent (cont’d) First messages sent through a third-party “referral” are exempt if certain conditions are met

F. Transitional Provision Three-year transitional provision if: −existing business relationship or existing non-business relationship exists (without regard to the time limits that normally apply) −relationship includes the communication of CEMs

Liability and Penalties ViolationPenaltyPrivate Right of Action Sending unsolicited CEMs (or aiding and abetting) Maximum per breach: C $1-million for individuals C $10-million for corporations Maximum: C $200 per breach, not to exceed C $1-million per day

Liability and Penalties (cont’d) Note: –an officer, director or other mandatory of a corporation can be held liable for a violation if they directed, authorized, assented to, acquiesced in or participated in the commission of the violation –a person can be held liable for a violation by their employee/agent acting within the scope of their employment/authority Due diligence is a defence

Compliance Strategies Compliance and Audit –Establish CASL implementation committees (enterprise / legal entity) –Develop and adopt anti spam policy –Update existing policies and procedures impacted by CASL –Develop and implement audit methodology –Establish roles and responsibilities for ongoing compliance

Compliance Strategies (cont’d) CEM Analysis –Conduct electronic message inventory –Identify CEMs –Apply exemptions –For CEMs caught by CASL Consider updating consent Develop method to meet form and unsubscribe requirements

Compliance Strategies (cont’d) Technology Solutions –Consent database (accessible, connected and authoritative) –Process for sending CEMs and applying CEM footer –CASL-compliant unsubscribe mechanism –Retention of CASL data during record retention period

Compliance Strategies (cont’d) Communication & Training –Inform executives about CASL requirements, fines and deadlines –Educate all individuals who send CEMs or need to be aware of CASL –Develop templates and standards for express consent (oral, written, electronic) and CEM footer –Create a formal employee training program

Compliance Strategies (cont’d) Third Party Contract Management –Marketing and sponsorship agreements –Third party service providers –Co-branded or cross-sell initiatives

Pop Quiz 1.Historically, your organization has used an opt-out form of consent to send marketing communications. Will these consents continue to be valid once CASL comes into force? a.Yes, during the three-year transitional period. b.Yes, opt-out consent constitutes express consent, so it continues to be valid once CASL comes into force. c.No, only opt-in express consents continue to be valid once CASL comes into force. Plus, the organization can continue sending CEMs as long as consent can be implied (e.g., an EBR exists, business card exception applies, etc.).

Pop Quiz (cont’d) 2.A customer purchases a product from your online store. During the checkout process, the customer provides his or her address for the purpose of obtaining an e-receipt. Can you add this customer to your marketing list? a.Answer (b) is technically correct, but from a customer relations perspective, a customer that did not agree to receive marketing s when purchasing a product online may be annoyed to receive marketing s (as opposed to receiving a request to receive marketing s). b.Yes, the customer bought something so you have an EBR with them and, under CASL, you have implied consent to send them marketing s. c.No, the customer only provided their address for the purpose of obtaining an e-receipt, and not for the purpose of receiving marketing s.

Pop Quiz (cont’d) 3.A customer bought a sweater from you 10 years ago. Do you have implied consent to send a CEM to that customer during the transitional period? a.No, implied consent based on an EBR is only available if the purchase occurred in the last two years. b.Yes, although implied consent based on an EBR is generally only available if the purchase occurred in the last two years, during the transitional period, the two year time period does not apply. c.Yes, but only if you had sent electronic communications to the customer before CASL comes into force. Although the implied consent based on an EBR is generally only available if the purchase occurred in the last two years, for the purposes of the transitional period, the two year time period does not apply.

Pop Quiz (cont’d) 4.You are an investment advisor and would like to send a CEM to John, who was referred to you by Mary. Can you? a.Yes, as long as Mary first asked John whether he consents to her providing his information to you. b.Yes, as long as Mary and you have a prescribed relationship (i.e., EBR, ENBR, personal relationship, family relationship) and Mary and John have a prescribed relationship and you only send one CEM to John, and that CEM states that you were referred by Mary and otherwise complies with CASL’s form and content requirements. c.Yes, as long as you include an unsubscribe mechanism in your CEM, since you were referred to John by someone.

Pop Quiz (cont’d) 5.Your company offers courier services, and you would like to send an to small businesses to inform them of your services. Can you? a.Yes, CASL only applies to electronic communications to consumers, not businesses. b.No, because the business did not expressly consent to receiving CEMs from you. c.Yes, if the business has “conspicuously published” its electronic address, has not indicated it does not want to receive unsolicited CEMs, and the CEM is relevant to the recipient’s business, or an exception otherwise exists.

Pop Quiz (cont’d) 6.You have a loyalty program and require applicants to agree to the terms and conditions of the loyalty program when signing up. Do you have implied consent to send a CEM to a member of your loyalty program during the transitional period? a.Yes, as long as you sent CEMs to the member prior to July 1, 2014, since during the transitional period, the normal time periods for an EBR do not apply. b.Yes, as long as the person is still a member of the loyalty program or only ceased being a member of the loyalty program in the last 2 years. c.Yes, but only if the person is still a member of the loyalty program.

Pop Quiz (cont’d) 7.A customer bought a camera from your store and opted-out of receiving CEMs. The customer subsequently bought a camera bag from you. Can you send a CEM to this customer based on implied consent? a.No, since she opted-out of receiving CEMs. b.Yes for 2 years, since each time a customer buys a product from you, you have a new EBR and you can rely on that for implied consent to send a CEM even if the customer had previously opted out of receiving CEMs. c.Legally, you can send a CEM to the customer since each time a customer buys a product, an EBR is created. However, from a customer relations perspective it may be preferable not to send CEMs to customers who previously opted-out of receiving CEMs.

Pop Quiz (cont’d) 8.Your website offers visitors the option of sending links to content on your website to third parties. The message will come from the visitor and you will not collect any addresses or send the message. Are you at risk? a.No, because the message is sent by the visitor. b.Yes, because you have permitted the message to be sent. c.Potentially yes, since CASL prohibits aiding in a violation of CASL. The risks could be mitigated by asking visitors to only send messages to recipients with whom they have a personal or family relationship, since such messages are exempt from CASL.

Pop Quiz (cont’d) 9.A Canadian company wants to send CEMs to recipients in the US and Mexico. U.S. is listed in the Schedule, but Mexico is not. Does CASL apply? a.No, assuming the Canadian company is sending the CEM to the recipients in the U.S. and Mexico in compliance with the foreign countries’ laws governing substantially similar conduct. b.CASL does not apply to the CEM being sent to the US resident if the CEM is being sent in compliance with the U.S. CAN-SPAM Act but CASL does apply to the CEM being to the resident in Mexico. c.No, CASL only applies to Canadian recipients.

Robin Cassel Alice Tseng Wendy Mee Contact Us