Canadian Anti-SPAM Legislation February 25, 2014 Introductions and Outline • Canada Anti-SPAM Legislation (CASL) • • • • Commercial Electronic Messages Spyware / Malware Penalties and enforcement What do we do now? CASL - Scope • Three broad prohibitions: • SPAM > Commercial electronic messages require consent • Malware > Illegal to install any computer program without express consent and means to remove • Spyware > Illegal to install program that transmits data without express consent and means to remove CASL – Scope • Three additional prohibitions: • Message routing > Illegal to alter transmission data or to rout a message to unintended destination • Misrepresentations > Illegal to make false or misleading representations in headers, subject lines, etc. • Automatic collection > Illegal to automatically collect electronic addresses What is “SPAM”? What is “SPAM”? • Unsolicited commercial electronic message • Reasonable to conclude that one of the purposes is to encourage the recipient to engage in commercial activities Commercial Electronic Messages • s. 6 Prohibits sending a commercial electronic message to an electronic address unless: • Recipient has consented – express, opt-in or defined “implied consent” category and • Conforms with prescribed requirements Identifies sender and contact information > Unsubscribe mechanism (including www site) > Unsubscribe Complete Exclusions • • • • • • • • Personal or family relationship Enquiry or application Closed messaging systems Fundraising messages from registered charities Telco in providing transmission services Enforce a legal right or due to legal obligation Intra-organization Inter-organization (if existing relationship) Consent • Express consent • Purpose • Identification of person seeking consent • Implied consent • Existing business relationship or non B-R • Published electronic address without disclaimer and related to capacity of recipient • Referrals “Existing Business Relationship” • Implied consent where • Engaged in commercial activity • Existing written contract within previous 2 years “Non-Business Relationship” • Implied consent if • Made donation, gift, provided volunteer work, member • Prescribed by regulations • In past 2 years Consent Exclusions • • • • • • Quote responding to request Completes or confirms transaction Provides warranty, recall or safety info Provides factual info about ongoing use Provides employment info Delivers a product (incl. upgrades) requested Jurisdiction and Onus • S. 6 prohibitions - CEM • If message sent or received in Canada • Person alleging consent has onus of proof • The “problem” of proof Competition Act • CASL adds to existing Competition Act provisions prohibiting false or misleading representations to promote a business interest of the supply or use of a product • Numbering of Competition Act amendments is particularly confusing • Investigation/enforcement by Competition Bureau • Bureau has sought and obtained sizeable fines in the past for deceptive marketing practices • e.g. $10m fine against Rogers for alleged misleading advertising Competition Act new s. 74.011 and s. 52.01 • prohibits representation that is false or misleading in a material respect in electronic message • prohibits false or misleading representation in • sender information in electronic message • subject matter information in electronic message • locater • look at general impression and literal meaning • only first prohibition states “in a material respect” • no “to the public” concept • no concept of exception for consent or existing business relationship Competition Act: Discussion Examples • Subject Matter Information • Fly Ottawa to Calgary for $299 return • Lose 20 Pounds in 3 Weeks • Our best sale of the year • Exclusive Upgrade Offer • Aggressive e-mail subject matter language poses risk to senders Practical Issues • Are any existing consents still valid? • How to get fresh consent • Information management: • what data / proof is required • managing exclusions (i.e. business relationship) • Message format compliance • Vicarious liability Enforcement • Regulatory agencies: • CRTC • Competition Bureau • OPC • Spam Reporting Centre • 2017: Private Right of Action CRTC Enforcement Tools • Purpose of the legislation is to promote compliance, not punish • Education will play a significant role, particularly in the early stages • Range of regulatory tools • Letters of warning (not provided for in legislation) • Administrative Monetary Penalties (AMPs) • Undertakings (similar to consent agreements under the Competition Act) • Notice of Violation CRTC Enforcement Powers: AMPs • Section 20 • Persons who contravene sections 6 to 9 are liable to pay AMPs • Similar to scheme for violations of the Unsolicited Telecommunications Rules (including the Do-Not-Call-List provisions) under the Telecommunications Act CRTC Enforcement Powers: AMPs • Maximum penalty is $1M in the case of an individual and $10M for any other person such as a corporation • Factors in determining amount include: • • • • • • Purpose of penalty Nature and scope of violation History of previous violations Financial benefits of the violation Ability to pay Whether voluntary compensation made CRTC Enforcement Powers: Undertakings • Target can enter into undertakings with the designated person • No Notice of Violation (and hence AMPs) may be issued if undertaking entered into and any existing notice of violation is extinguished to the extent of the undertaking • Undertakings may include conditions and a requirement to pay a specified amount CRTC Enforcement Powers: Notices of Violation • Limitation period: 3 years • Mandatory information set out in ss. 22(2) • Target has 30 days to make representations to CRTC • If: (1) penalty is paid or (2) penalty is not paid and no representations are made, target is deemed to have committed the violation CRTC Enforcement Powers: Notices of Violation • No liability if due diligence demonstrated • Common law defences apply to any violation • If representations are made, CRTC must decide whether target committed the violation and, if so, can confirm, reduce or waive the penalty, or can suspend payment of the penalty subject to conditions • CRTC may also issue an order directing target to cease contravening the provision(s) – s.26 Private Right of Action 2017: “Lights go out on Broadway” • Persons affected can apply for compensation to a court of competent jurisdiction • Compensation: • Actual damages • Statutory damages > > > $200 per contravention of Section 6, not exceeding $1M per day $1M/day for contraventions of Sections 7 and 8 Same maximum amounts for person who aids or abets contrary to section 9 Private Right of Action • Statutory damages not available if undertaking or notice of violation has been issued • Conversely, once private right of action is commenced, no undertaking or notice of violation can be made • Due diligence and common law defences available • Class actions ??? What do we do now? What do we do now? 1. 2. 3. 4. Assess your electronic communications Do you have consent? Identify exclusions Data management: assess and establish systems to manage and preserve records 5. Prepare unsubscribe mechanisms What to do cont’d… 6. Obtain consents required 7. Format CEMs 8. Content oversight 9. Staff education 10.Review and audit Questions? Discussion? Sign up for BHT newsletters!!! Go to: www.bht.com