CASL and Common Sense: Coming to Grips With Canada’s Anti-Spam Law
Professor Michael Geist
University of Ottawa, Faculty of Law

The law business hates…
…and consumers love
both are wrong
CASL is not the end of marketing
but also not the end of spam
What is it?
The CASL concerns
What’s really the issue?
Consent

CASL Task Force conclusion - opt-in consent backed by penalties
Long delay in responding to recommendations
ECPA introduced in May 2009; dies with prorogation
FISA (re)introduced in May 2010
Bill receives royal assent in December 2010
Regs introduced in June 2011
Regs reintroduced in January 2013
Law took effect in July 2014
Phased-in – elements take effect in 2015, 2017

CASL - The Basics
Only applies to commercial electronic messages

CASL - The Basics
Only applies to commercial electronic messages:
  –Having regard to content, links, etc.:
    (a) offers to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land;
    (b) offers to provide a business, investment or gaming opportunity;
    (c) advertises or promotes anything referred to in paragraph (a) or (b); or
    (d) promotes a person, including the public image of a person, as being a person who does anything referred to in any of paragraphs (a) to (c), or who intends to do so.
Exception for law enforcement

CASL - The Basics
Key prohibition – no sending CEMs unless:
  1. Consent
  2. Form requirements
  3. Opt-Out

CASL - The Basics
Key prohibition - send or cause or permit to be sent to an electronic address a commercial electronic message unless:
  (a) the person to whom the message is sent has consented to receiving it, whether the consent is express or implied; and
  (b) message meets form requirements
    –Identifies sender
    –Sender contact information (valid for 60 days)
    –Unsubscribe mechanism
      –Enable person to unsubscribe via at no cost
      –Offer a web-based unsubscribe function
      –Must take off list within 10 days
Does not matter if message is received

CASL - The Exceptions
Lots of exceptions
  –Full exceptions
  –Form reqs
  –Opt-in vs. Opt-out

CASL - The Exceptions
Personal or family relationships
Business-to-business (if consists solely of inquiry related to commercial activity)
Quote or estimate for product or service if requested by recipient
Confirms previously completed commercial transaction
Warranty information
Product recall information
Safety or security information about a product
Factual information on ongoing transaction such as subscription, membership, account, loan, etc.
Employment relationship
Product upgrades
Telco providers merely providing telecommunications services

CASL - The Exceptions (via Regs)
Numerous additional exceptions:
  –Charities
  –Third party referrals
  –Broad definition for personal relationship
  –Legal or juridical obligations
  –Expanded business-to-business
  –Jurisdiction

CASL - The Consent
Can be implied consent if:
  –Existing business relationship
    –Purchase or lease of any product, service, etc. over prior 2 year period
    –Business, investment, gaming opportunity over prior 2 year period
    –Bartering of good, service, etc.
    –Written contract
    –Inquiry within past six months
  –Existing non-business relationship
    –Donation or gift to registered charity over prior 2 year period
    –Donation or gift to political party or candidate over prior 2 year period
    –Volunteer work over prior 2 year period (charity, political party, candidate)
    –Membership in a club, association, etc. over 2 year period (in regs)
  –Person conspicuously publishes address
  –Person discloses address to sender

CASL - Additional Prohibitions
Many provisions that fall outside basic anti-spam rules

CASL - Additional Prohibitions
No altering transmission data without consent
  –Exception for network management
No installing computer programs without consent
No installing computer programs and using to send electronic messages

CASL - Additional Prohibitions
Statute identifies requirements for express consent
  –For computer programs includes describing function and purpose of the program
  –Additional express consent requirement (w/description) if program:
    –Collects personal information
    –Interferes with control of personal computer
    –Changes settings
    –Interferes with data
    –Communicates with other computers without consent
    –Installs another program
Doesn’t apply:
  –to computer upgrades where user has given broad consent
  –cookies, HTML, JavaScripts, OS
  –Where reasonable to assume has given consent

CASL - Additional Prohibitions
Competition Act violations
  –New false or misleading representations in electronic message
    –Sender information
    –Content
    –Locator information
  –These apply whether or not deceived
PIPEDA Violations
  –Collection of addresses if used by program designed to capture addresses
  –Use of addresses if collected from program (as above)
  –Commissioner has some discretion on investigation
Telecommunications Act
  –Possible replacement of do-not-call list

CASL - Penalties/Enforce
Big penalties and new enforcement powers

CASL - Penalties/Enforce
Preservation orders - may require telco to preserve data
  –Valid for 21 days
  –May be extended once
  –May limit disclosure of preservation order for up to six months
  –Telco must preserve for up to six months; destroy thereafter
  –Within 5 days, can ask CRTC to review if undue burden
  –CRTC can vary, rescind, etc.
Production order
  –May require production of document or data
  –Similar standards as preservation orders (no disclosure, CRTC review)
Warrants
  –Enter premises to ensure compliance, investigate violations

CASL - Penalties/Enforce
AMPs
  –$1,000,000 for individual per violation
  –$10,000,000 for corporation per violation
Undertakings
  –Essentially a settlement of forthcoming notice of violation
Notice of Violation
  –Set out violations, penalties, etc.
Injunctions

CASL - Private Right of Action
Can bring action to court within three years of violation
No action against someone who has agreed to an undertaking
CRTC, Competition Bureau, OPC may all intervene
Court can order up to $1,000,000 per violation

The CASL concerns (aka in defence of the law)
Is spam still a problem?
How will the CRTC enforce the law?
Will this kill marketing?
What’s really the issue?
Complexity & Cost
Can’t be database/basic compliance
Can’t be jurisdiction
Consent
Rethinking Consent
@mgeist