Anti-Spam RequirementsPreparing to Comply with CASL Chris Oates, Associate, Gowling Lafleur Henderson LLP Prepared, January 15, 2014 Outline Canada’s anti-spam law • To what does the law apply? • How do you ask for consent? • What do electronic messages need to contain? • How do you maintain your contact list when the law comes into force? Disclaimer • This presentation is intended to assist you in flagging legal issues relating to Canada’s Anti-Spam Law. • This is ONLY a guide and legal counsel should be consulted for specific situations. 2 Canada’s Anti-Spam Legislation Canada’s Anti-Spam Legislation Legislative Background: CASL comes into force on July 1, 2014 and will take a prohibitive approach to “Commercial Electronic Messages”, prohibiting all but those messages that comply with its requirements. In some cases, existing, valid consent may not survive when CASL is in force. Under CASL: • Electronic messages require consent from the recipient, either express or implied; • The message must contain prescribed disclosure; and • The message must contain an unsubscribe mechanism in prescribed form. 4 Canada’s Anti-Spam Legislation To which messages does CASL apply? Commercial Electronic Messages - a message sent by any means of telecommunication, including a text, sound, voice or image message, to an “electronic address” including: • an electronic mail account; • an instant messaging account; • a telephone account; or • any similar account. CASL will only apply to electronic messages that are “commercial”. This will include all messages that, based on their content, including links, and contact information, have as one of their purposes encouraging participation in commercial activity, regardless of whether this is done with the expectation of profit. 5 Canada’s Anti-Spam Legislation Is the Electronic Message Commercial? CASL will only apply to electronic messages that are “commercial”. This will include all messages that, based on their content, including links, and contact information, have as one of their purposes encouraging participation in commercial activity, regardless of whether this is done with the expectation of profit. • • • • Messages that offer to sell a product; Messages that advertise a product; Messages that promote a person or corporation; Messages that seek to gather consumer or market information; • Messages that seek consent to send further messages. 6 Canada’s Anti-Spam Legislation What is not a Commercial Electronic Message? CASL will not apply to several classes of message: • Interactive two way voice communications; • Messages sent via facsimile to telephone accounts; and • Voice recordings sent to a telephone account. These messages are currently subject to the CRTC’s oversight via the Telecommunications Act and the Do Not Call List. CASL contains a provision that permits the government to repeal this exception AND the National Do Not Call List at a later date. If exercised, this would make unsolicited commercial telephone calls subject to the CASL requirements. 7 Canada’s Anti-Spam Legislation Which messages will be exempt? The Regulations provide exceptions for the following message classes: • • • • • • • messages sent between employees of an organization relating to the affairs of the organization, and messages sent between two organizations with a relationship, where the message relates to their affairs messages that respond to an inquiry, complaint, or other solicitation from the recipient fundraising messages sent by a registered charity messages where the person sending the message reasonably expects it to be received in a foreign state listed in the Regulations, if the message complies with the law of that state messages sent to a secure account to which only the person providing the account may send messages messages sent on a platform that includes compliant disclosure and an unsubscribe mechanism in its interface are exempt from the message requirements, but not the consent requirements. messages sent to satisfy a legal obligation 8 Penalties Administrative monetary penalties for violations: • A fine of up to $1,000,000 for a violation by an individual. • A fine of up to $10,000,000 for a violation by a corporation. CASL also creates a private right of action for persons who allege they have been affected by a violation. If the action is successful in court, the court may order: • Compensation equal to the actual loss or damage suffered; and • $200 for each contravention, not exceeding $1,000,000 for each day on which a contravention occurred. The private right of action has a delayed coming into force date, and will not be in place until July 1, 2017. 9 Express Consent Under CASL Requirements for a Request for Express Consent 1. Provide the purpose for which the consent is sought; 2. Provide the name under which the person seeking consent carries on business, and if different, the name under which the person on whose behalf consent is sought carries on business; 3. If applicable, identify which person is seeking consent, and on whose behalf consent is sought; 4. Provide the mailing address, and one (or more) of a telephone number, website, or email address of either the person seeking consent, or if different, the person on whose behalf consent is sought 5. State that consent may be withdrawn. Requests for consent may be made orally (e.g. through personal and direct contact, at the point the relationship began) or in writing (incl. electronic forms). In all cases these disclosures must be made. 10 Express Consent Under CASL In all cases, the burden of proof to establish consent rests on the party claiming to have consent. For example, a party may demonstrate oral consent in cases where: i. it can be “verified by an independent third party”; or ii. “where a complete and unedited audio recording of the consent is retained by the person seeking consent” (or a client of the person seeking consent). Note that audio recording and the purpose for it must be disclosed under existing privacy law. Written consent can be satisfied where either paper or electronic form consent is obtained, including by checking a box on a web page to give consent (with a record of the date, time, purpose, and manner of consent stored in a database). 11 The CRTC’s Position on Express Consent • The CRTC takes the position that express consent must be “positive or explicit”. 12 The CRTC’s Position on Express Consent • “Assumed” consent through a pre-checked box or an opt-out system would not be accepted. 13 Implied Consent Under CASL Implied Consent under CASL: Requirements for Implied Consent 1.There is an existing business or non-business relationship between the sender and the recipient, or 2.The recipient has conspicuously published their address, or has disclosed it to the sender and: • has not indicated they do not wish to receive commercial messages; and, • the message is relevant to the recipient’s business, role, functions or duties 14 Implied Consent Under CASL Both “existing business relationship” and “existing non-business relationship” are narrowly defined in the legislation: “Existing business relationships” exist only where the recipient: i. Purchased, leased or bartered products, goods, services or land from the sender within two years before a message is sent; ii. Accepted a business, investment or gaming opportunity from the sender within two years before a message is sent; iii. Has a existing written contract with the sender about a matter other than i or ii or such a contract expired in the two years prior to the message; or iv. Made an inquiry or application for products, goods, services, etc. within six months before the message “Existing non-business relationships” exist only where the recipient: i. Made a donation, gift or volunteered for a registered charity or political party who sends the message; or ii. Is a member in a club, association or voluntary organization that sends the message and is operated for social welfare. 15 Exceptions to the Need for Consent CASL creates an exception to the need for consent for certain “transactional” messages. This exception will apply to messages that solely: • provide a quote or estimate for the supply of a product or service; • facilitate, complete or confirm a previously agreed upon commercial transaction; • provide warranty information, product recall information or safety or security information about a product the recipient uses or had purchased; • provide notification of factual information about the ongoing use by recipient of a product or a service offered under a subscription, membership, account, loan or similar relationship by the sender. 16 Message Content under CASL Commercial Electronic Message Content under CASL: Message Content 1.Identify the person who sent the message and, if applicable, the person on whose behalf it was sent; 2.Provide prescribed contact for one of these persons; and 3.Include an unsubscribe mechanism. The required contact information must remain current for a minimum of 60 days after the message is sent. 17 Message Content under CASL Prescribed Disclosure Requirements for Electronic Messages 1. The name under which the person seeking consent carries on business, and if different, the name under which the person on whose behalf consent is sought carries on business; 2. If applicable, an indication which person sent the message and on whose behalf it was sent; 3. The mailing address, and one (or more) of a telephone number, website, or email address of either the person sending the message, or if different, the person on whose behalf it is sent; and 4. An unsubscribe mechanism. The Regulations do not make any exceptions for service providers sending electronic messages on behalf of third parties. 18 Unsubscribe Mechanisms Unsubscribe Mechanisms The unsubscribe mechanism included in a CEM must: (i) allow recipients to indicate that they no longer want to receive any CEMs or any class of CEMS from the sender or – if different – the person on whose behalf the message was sent; (ii) using the same electronic means (or if not possible any other electronic means enabling the same result); and (ii) specify an electronic address or web link to unsubscribe. The electronic address or webpage for unsubscribing must be valid for a minimum of 60 days. Recipients who unsubscribe must also be unsubscribed “without delay” and no later than 10 business days after asking to be unsubscribed. The CRTC Regulations require that an unsubscribe mechanism must be “set out clearly and prominently” and “must be able to be readily performed.” According to CRTC guidelines, for an unsubscribe mechanism to be “readily performed” it must be “accessed without difficulty or delay and should be simple, quick and easy for the consumer to use”. 19 Third Party Mailing Lists CASL expressly provides for consent obtained on behalf of an unknown third party; however, it limits how this consent may be obtained and used: • The party that seeks consent is required to comply with the standard CASL requirements for obtaining consent, including stating the purpose for the collection, and providing their name and contact information. • A person who relies on such a consent must meet additional disclosure requirements for the message content. 20 Third Party Mailing Lists Message content when consent is obtained from a third party. When a consumer list is purchased from a third party, it is essential that such a list be used separately from the company’s own opt-in lists, as messages sent pursuant to such consent are subject to additional disclosure requirements: • The message must identify the person who obtained the original consent as well as the person who sent the message. • The unsubscribe mechanism must allow the recipient to remove consent from both the person who sent the message, the person who obtained the original consent or any other person authorized to use the consent. 21 Exceptions to the Disclosure Requirements The General Exception “If it is not practicable to include the information (…) in a commercial electronic message, that information may be provided by a link to a web page on the World Wide Web that is clearly and prominently set out and that can be accessed by a single click or another method of equivalent efficiency at no cost to the person to whom the message is sent.” This exception will be essential for electronic messages that are subject to space restraints such as text messages. It is not likely to apply to messages not subject to such restraints, such as email. 22 The Family and Personal Relationship Exception Neither the requirement to obtain consent, nor the requirement to disclose information regarding the sender, will apply where an electronic message is sent by or “on behalf” of a person who has a “personal” or “family” relationship with the recipient. “Family” Marriage; A common-law partnership; A legal parent/child relationship; where: Those persons have had a direct voluntary two way communication. “Personal relationship” Must have had direct, voluntary two way communications; Must be reasonable to conclude the relationship is personal considering relevant factors. This exception will only apply in unusual cases. Examples we have seen include refer-a-friend type promotions, and customizable holiday greeting cards. 23 Referral Messages The Regulations include an exception that permits a single referral message to be sent where: • The referral is made by an individual who has an existing business relationship, existing non-business relationship, family, or personal relationship with the message recipient; • The referrer has one of those relationships with the sender of the message; • The message states the full name of the person who made the referral, and states that the message was sent as a result of the referral 24 Maintaining Contact Lists CASL will narrow the ability to rely on Implied Consent CASL expressly provides for reliance on implied consent primarily in cases of existing “business relationships” or “non-business relationships”. These are defined categories that are much more narrow than the ability to rely on the “reasonableness” test for implied consent under the federal privacy legislation, PIPEDA. • Under PIPEDA, where a consumer sends a request for information by email, it would be reasonable to conclude that you have their implied consent to respond using their email address. • Under CASL, a consumer question regarding a potential purchase would constitute an “existing business relationship”, provided a response is sent within six months from the date of the question. Further, a response (as opposed to other commercial messages) would also be subject to an exception in draft regulations. 25 Maintaining Contact Lists The regulatory impact statement for the Regulations confirms Industry Canada’s position that valid express consent obtained before CASL comes into force “will be recognized as being compliant with CASL”. However, Industry Canada also expressly noted that in some cases email addresses that may be used under the current privacy legislation may no longer be used under CASL. This is most likely to occur where an organization is relying on ‘implied’ consent under PIPEDA- implied consent under CASL is much more narrow. Organizations should consider the manner in which their current email list had been established to assess the ability to continue to use it after CASL comes into force. Prior to July 1, 2014, organizations will have an opportunity to seek express consent in cases where implied consent is currently relied on. 26 Transitional Provisions When CASL comes into force on July 1, 2014, there will be an extended period of three years during which implied consent will survive in cases of “existing business relationships”, as defined in CASL that include the sending of commercial messages. • After this period, the existing business relationships will survive for two years following a purchase, or six months following an inquiry. • The transitional period provides an extended timeline for perfecting existing implied consent (as defined in CASL) by seeking express consent. • Any attempts to perfect consent within this period would need to be carried out in compliance with CASL. 27 Application Compliance with CASL will become a legal requirement on July 1, 2014. Organizations should be bringing their electronic marketing practices into compliance now, both due to the magnitude of the potential penalties, and to help establish an express consent list that will survive the coming into force of the Act. 28 Thank You Chris Oates Associate Gowling Lafleur Henderson LLP chris.oates@gowlings.com 416-369-7333 montréal ottawa toronto hamilton waterloo region calgary vancouver moscow london