Cardware Conference presentation on BIG DATA June 17-18 2014
CIPS ON CASL presentation Mar 20 2014
1. Understanding the New
Canadian Anti-Spam Legislation ("CASL")
Lisa Abe-Oldenburg, B.Comm., JD.
CIPS Ontario AGM
March 20, 2014
2. Agenda
• Why should you care about CASL?
• Introduction to Canada's Anti-Spam Legislation: What is it?
• Anti-Spam Provisions
• Transmission Data Alteration Provisions
• Installation of Computer Program Provisions
• Compliance strategies
• Q & A
2
3. • This presentation was prepared by Bennett Jones LLP to provide
general information about the anti-spam legislation in Canada. Due to
the general nature of this presentation, nothing herein should be relied
upon as legal advice.
• CASL consists of a lengthy Act and Regulations, which must be read
together. They are complicated, legally very technical, contain
ambiguities and will be evolving as more regulations and
interpretations are created.
The fine print…
3
5. • INCREASED LIABILITY
• INCREASED COST OF DOING BUSINESS
• Actual costs:
• Developing and implementing compliance and policies
• Updating or purchasing new customer relationship
management software
• Investigating targets in due diligence associated with M&A
activity
• Indirect costs:
• Finding alternative ways to advertise or do business
• Revising software update and upgrade distribution and
installation processes and support services.
5
Why should you care about CASL?
6. 1. Administrative Monetary Penalties:
• Maximum penalty for corporations and organizations =
$10,000,000.00 per violation
• Maximum penalty for an individual = $1,000,000.00 per
violation
2. Vicarious liability:
• An employer may be liable for a violation committed by an
employee acting within the scope of the employment.
3. Personal liability:
• Officer, director, agent who directed, authorized, assented to,
acquiesced in or participated in the commission of the violation,
whether or not the corporation is proceeded against.
6
Liabilities
7. 4. Private Right of Action
• For violations of CASL, as well as specified violations under PIPEDA
and the Competition Act.
• Liability includes :
• Compensation in an amount equal to the actual loss or damage
suffered or expenses incurred; and
• A maximum of $200.00 for each contravention of CEM provisions,
not exceeding $1,000,000.00 for each day the contravention
occurred; and
• A maximum of $1,000,000.00 for each day a contravention of
the data or computer software provisions occurred.
• A maximum of $1,000,000 per s.9 contravention (aiding,
inducing, procuring)
That's enough to make anyone…
7
Liabilities (con't.)
10. Key Dates
July 1, 2014
• Anti-spam requirements
• Altering transmission data requirements
January 15, 2015
• Installation of computer program requirements
July 1, 2017
• Private right of action
11. Scope
• The Act and Regulations:
• prohibit sending "commercial electronic messages" to an electronic
address without consent (though exceptions may apply);
• prohibit the alteration of transmission of data in an electronic message so
that the message is delivered to a destination other than or in addition to
that specified by the sender without consent;
• prohibit installing a computer program on any other person’s computer
system without consent and certain requisite notice;
• prohibit causing a program on any person’s computer system to send an
electronic message without consent; and
• capture activities that aid, induce, procure or cause to be procured any of
the foregoing.
11
12. Key Definitions
• What is a CEM?
• An “electronic message” means a message sent by any means of
telecommunication, including a text, sound, voice or image
message.
• A “commercial electronic message” is defined as an electronic
message that, having regard to the content of the message, the
hyperlinks in the message to content on a website or other
database, or the contact information contained in the message,
it would be reasonable to conclude has as its purpose, or one of
its purposes, to encourage participation in a commercial
activity, including an electronic message that…(cont.):
12
13. ….(cont.):
(a) offers to purchase, sell, barter or lease a product, goods, a
service, land or an interest or right in land;
(b) offers to provide a business, investment or gaming opportunity;
(c) advertises or promotes anything referred to in paragraph (a) or
(b); or
(d) promotes a person, including the public image of a person, as
being a person who does anything referred to in any of paragraphs (a)
to (c), or who intends to do so.
NOTE: a CEM includes an electronic message that asks for consent to
be given
13
Key Definitions
14. • “commercial activity” means any particular transaction, act or
conduct or any regular course of conduct that is of a commercial
character, whether or not the person who carries it out does so in the
expectation of profit, other than any transaction, act or conduct that is
carried out for the purposes of law enforcement, public safety, the protection
of Canada, the conduct of international affairs or the defence of Canada.
• An “electronic address” is an address used in connection with the
transmission of an electronic message to:
(a) an electronic mail account;
(b) an instant messaging account;
(c) a telephone account; or
(d) any similar account (e.g. social media?)
14
Key Definitions
15. • It is prohibited to send (or cause or permit to be
sent ) to an electronic address a commercial
electronic message unless:
• An exemption to the prohibition applies;
• OR
(a) the person to whom the message is sent has
consented to receiving it or the CEM is
exempt from consent; and
(b) the message meets the formality
requirements.
Core Anti-Spam Provisions
15
16. • The anti-spam prohibition under the Act does not apply to:
• messages that are not CEMs
• commercial electronic messages where the recipient:
• has a family or personal relationship (as defined in
the regulations) with the sender; or
• is engaged in commercial activity and the message from
the sender consists solely of an inquiry or application
related to that activity.
• Telecommunications Service Providers enabling the
transmission of a message as part of a telecommunications
service (safe harbour for intermediaries);
General Exemptions
16
17. • Family relationship definition: 2 people related through
marriage, common law, or legal parent-child, and who have had
direct, voluntary two-way communications.
• Personal relationship definition: 2 people who have had
direct, voluntary two-way communication where it would be
reasonable to conclude that the relationship is personal.
• Reasonable test based on a non-exhaustive list of factors
provided in the Regulations
• Must be close relationship
• No provision in the Act or regs for individuals to "opt-out" of
the exemptions
17
Existing Family and Personal Relationships
18. • CEMs that are:
• whole or partial interactive two-way voice communication between
individuals;
• sent by fax to a telephone account;
• voice recordings sent to a telephone account;
• sent by personnel within an organization, and it concerns the
activities of the organization (intra-business);
General Exemptions
18
19. • CEMs that are:
• sent by personnel of one organization to the personnel of another
organization if the organizations have a relationship at the
time, and it concerns the activities of the recipient
organization (inter-business);
• solicited by the recipient (i.e. response to a request, inquiry or
compliant);
• sent to a person in a foreign jurisdiction (that is listed in the Regs),
and the CEM conforms to the laws of that foreign state which must
be substantially similar;
General Exemptions
19
20. • CEMs that are:
• sent in relation to satisfy, provide notice of or enforce a legal or
juridical obligation or right;
• messages sent and received on an electronic messaging service as
long as certain requirements are met;
• sent within a limited-access, secure and confidential account (one-
way only);
• sent on behalf of registered charity for primary purpose of raising
funds as defined in the Income Tax Act; or
• sent on behalf of political party for primary purpose of soliciting
contributions, as defined in the Elections Act.
General Exemptions
20
21. Exemptions from Consent Requirements
• NOTE: You must still comply with formality requirements!
• CEM that solely:
• provides a requested quote or estimate for the supply of a
product, or service;
• facilitates, completes or confirms a commercial transaction
that recipient previously agreed to enter into;
• provides warranty information, product recall information or safety
or security information about a product or a service that the
recipient uses, has used or has purchased;
• provide notification of factual information about the ongoing
use or ongoing purchase by the recipient of products or services
offered under a subscription, membership, etc….
22. Exemptions from Consent Requirements
• NOTE: You must still comply with formality requirements!
• CEM that solely:
• provides information directly related to the recipient's current
employment relationship or related benefit plan;
• delivers a product or service, including upgrades or updates, that
the recipient is entitled to receive under the terms of a
previous transaction;
• communicates (first time only!) for the purpose of a third party
referral by an individual with an existing business or non-
business relationship, family or personal relationship and
the message contains certain prescribed information.
24. • Unless otherwise exempt from the prohibition or from consent, one of
the following must be relied upon to send a commercial electronic
message:
1. express consent; or
2. implied consent.
• Note: Onus is on person who alleges they have consent to prove it.
• Note : Different forms of consent and each must be sought separately
for each of: sending CEMs, alteration of transmission data and
installation of a computer program.
24
Consent Requirements for CEMs
25. • When seeking express consent, the following information must be set
out clearly:
• the purpose(s) for which consent is being sought;
• information identifying who is requesting consent;
• a statement that the person can withdraw their consent; and
• other prescribed information.
• requires active “opt-in” (pre-checked boxes not permitted)
• may be obtained orally or in writing
• Note: Once the law is in force you cannot send a CEM to request express
consent, unless one of the exemptions apply or you already have implied
consent.
25
Express Consent requirements for CEMs
26. • Consent may be implied and allow for the sending of a commercial
electronic message in the following situations:
1. The recipient:
• has conspicuously published (e.g. on a website) the
electronic address to which the message is sent;
• has not included in their publication a statement that
they do not wish to receive unsolicited commercial electronic
messages at that electronic address; and
• the electronic message is relevant to the recipient's
official business, role, functions or duties; OR
26
Implied Consent for CEMs
27. 2. The recipient:
• has disclosed to the sender (e.g. provide a business card)
the electronic address to which the message is sent;
• has not indicated that they do not wish to receive unsolicited
commercial electronic messages at that electronic address;
and
• the electronic message is relevant to the recipient's official
business, role, functions or duties; OR
3. The sender has an existing business relationship or an
existing non-business relationship with the recipient.
27
Implied Consent for CEMs (cont.)
28. • "Existing business relationship" means a business relationship
between the recipient and sender of a message, arising from:
• the purchase, lease or barter of a product or a service, land or an
interest or right in land, within 2 years immediately prior to the day
on which the message was sent;
• the acceptance by the recipient, within 2 years immediately prior to
the day on which the message was sent, of a business, investment or
gaming opportunity;
• a written contract between the parties if the contract is currently in
existence or expired within 2 years immediately prior to the day on
which the message was sent; or
• an inquiry or application by the recipient, within the six-month
period immediately before the day on which the message was sent.
28
Existing business relationships
29. • "Existing non-business relationship" means a non-business relationship
between the recipient and the sender arising from
• a donation or gift made by the recipient to the sender within 2 years
immediately prior to the day on which the message was sent, where the
sender is a registered charity, a political party or organization;
• volunteer work performed by the recipient, or attendance at a
meeting organized by sender, within the 2 years immediately prior
to the day on which the message was sent, where the sender is a
registered charity, a political party; or
• Membership of the recipient in the sender's club, association or
voluntary organization, as defined in the regulations, within the 2 years
immediately prior to the day on which the message was sent.
29
Existing non-business relationships
31. Formalities of CEMs
• A commercial electronic message must contain:
• the name of the sender or the name under which the sender carries on
business;
• If sent on behalf of another person, CEM must contain that name or
the name under which that person carries on business;
• If sent on behalf of another person, must contain a statement
indicating which person is sending the message and which person on
whose behalf the message is sent;
• the mailing address, and either:
• A telephone number;
• An email address; or
• A web address; AND
• A functional unsubscribe mechanism that meets the prescribed
requirements.
• Contact info must be valid for 60 days
31
33. • ALTERING TRANSMISSION DATA
• In force July 1, 2014
• INSTALLATION OF COMPUTER PROGRAMS
• In force January 15, 2015
33
34. ALTERING TRANSMISSION DATA
• CASL prohibits the alteration of
transmission data in an electronic
message in the course of a commercial
activity, without express consent
• Where message is delivered to a destination
other than, or in addition to, that specified
by the sender
• To aid, induce, procure or cause to be procured
is also prohibited
• Applies to any computer system located in
Canada that is used to send, route or access the
electronic message
34
35. ALTERING TRANSMISSION DATA
• “data” means signs, signals, symbols or concepts that are
being prepared or have been prepared in a form suitable for
use in a computer system
• “transmission data” means data that :
(a) relates to the telecommunications functions of
dialling, routing, addressing or signalling;
(b) either is transmitted to identify, activate or
configure an apparatus or device, including a computer
program, in order to establish or maintain a
communication, or is generated during the
creation, transmission or reception of a
communication and identifies or purports to identify the
type, direction, date, time, duration, size, origin,
destination or termination of the communication;
and
(c) does not reveal the substance, meaning or
purpose of the communication.35
36. ALTERING TRANSMISSION DATA
• Express consent is required from the sender or the person to whom the
message is sent, i.e. the authorized email account holder
• Burden of proof is on the person who alleges that they have consent
• Note: no implied consent possible, like with CEMs
• Consent must meet the formalities set out in the Act and the Regulations,
including describing the purpose for the consent, the persons seeking it, the
period of consent, and such other information as set out in the regulations
• Consent must also include a withdrawal mechanism in the form
prescribed by the Act and the regulations
• Any request for withdrawal must be implemented within 10 business
days of receipt
36
37. ALTERING TRANSMISSION DATA
• General Exemption: if the alteration is made pursuant to a
court order, or by a telecommunications service provider
(TSP) for the purposes of network management
• TSPs are broadly defined under the Act to include any providers
of services or features by telecom facilities
• Examples were provided in the RIAS of GM's OnStar or Ford's
Sync systems
37
38. INSTALLATION OF COMPUTER PROGRAMS
• CASL prohibits the installation of a computer program on any other
person’s computer system, in the course of commercial activity
• CASL also prohibits installed computer programs to cause the
sending of an electronic message from a computer system
• Without express consent, unless pursuant to court order
• To aid, induce, procure or cause to be procured is also prohibited
• Applies to any computer system or person (whether contravening or
directing) located in Canada at the relevant time
• Computer program and computer system are Criminal Code definitions
• Note: CASL does not apply to user's own installation. Query who is doing
the installation in a web download or with pre-installed software?
• Note: CASL does not apply to computer programs installed for public safety
purposes. Query whether auto braking systems are public safety, as per
RIAS?
38
39. INSTALLATION OF COMPUTER PROGRAMS
• Express consent is required from the owner or authorized user of the
computer system
• Burden of proof is on the person who alleges that they have consent
• Note: no implied consent, like with CEMs, except in very narrow
circumstances prior to January 15, 2015
• Problematic where there is no user interface to receive messages or provide
disclosure notices
• Consent must meet the formalities set out in the Act and the Regulations,
including describing the purpose for consent, the persons seeking it, the
functions and purposes of the computer program, and such other
information as set out in the regulations
• For certain "invasive" software (with special functions listed in
ss.10(5)), it gets more complicated. You must include additional
information and actions set out in the Act and the regulations.
39
40. INSTALLATION OF COMPUTER PROGRAMS
• Invasive software - Subsection 10(5) Functions:
• Knowledge and intent that the software will cause the
computer system to operate in a manner that is
contrary to the reasonable expectations of the
owner or an authorized user and:
• Collects stored personal information
• Interferes with control of the computer system
• Changes or interferes with settings, preferences or
commands
• Changes or interferes with stored data
• Communicates with another computer system or device
• Installs a computer program that may be activated by a
third party; or
• Performs any other function specified in the regulations.
40
41. INSTALLATION OF COMPUTER PROGRAMS
• Consent must be clear and simple
• For software with ss. 10(5) functions, one must add additional
information:
• set out clearly and prominently, and separately and apart from
the license agreement and the consent:
(i) description of the computer program's material
elements that perform the function(s), including the
nature and purpose of those elements and their
reasonably foreseeable impact on the operation of
the computer system;
(ii) bring those elements to the attention of the person
from whom consent is being sought in the prescribed
manner; and
41
42. INSTALLATION OF COMPUTER PROGRAMS
(iii) obtain an acknowledgement in writing from the
person from whom consent is being sought that they
understand and agree that the program performs the
specified functions.
• Such additional information not required if the function only
collects, uses or communicates transmission data or performs an
operation specified in the regulations
• CASL contains complicated rules for requesting and ensuring
the removal or disabling of certain software with ss. 10(5)
functions, including providing assistance at no cost, within a one
year period
42
43. INSTALLATION OF COMPUTER PROGRAMS
• Deemed express consent (no separate consent required) for:
• Cookies, HTML code, Java Scripts, operating systems, any other
program that is executable only through the use of another computer
program whose installation or use the person has previously expressly
consented to, or any other programs specified in the regulations
• IC Regulations have added several additional classes of programs,
mainly for telecom network security and upgrades, as well as
correction of failures of computer systems and programs
• Provided it meets the reasonability test: the person’s conduct is such
that it is reasonable to believe that they consent to the program’s
installation
• Many issues with what constitutes an operating system, a cookie, a telecom
network, an upgrade/update or a failure
43
44. INSTALLATION OF COMPUTER PROGRAMS
• Special rules for installation of software updates and upgrades
• May be deemed consent if TSP is installing an update to their network
or if required for safety/failure correction purposes
• Consent to install updates or upgrades can be requested in advance, e.g.
at the same time as the original installation, or when the user is
downloading, as long as consent is requested in accordance with the
specific formalities of CASL and the upgrades or updates are installed
in accordance with those terms.
• Implied consent until January 15, 2018 to installation of update
or upgrade if the software being updated was installed prior to
January 15, 2015 and no notice of withdrawal of consent is given.
44
46. • The majority of CASL is coming into force on July 1, 2014; however…
• A person’s consent to receiving CEMs is implied until (i) notified
otherwise or (ii) July 1, 2017, whichever is earlier, if :
• the sender and recipient have had an existing business relationship
or an existing non-business relationship at any time prior to
July 1, 2014 (i.e. no 2 year limit) ; and
• the relationship includes the communication of CEMs.
• Also, implied consent to install software updates or upgrades
until (i) notified otherwise or (ii) January 15, 2018, whichever is
earlier, if the software was installed prior to January 15, 2015.
46
Transitional Provisions
48. • Be proactive!
• Review existing communication and software practices internally as
well as with applicable external service providers.
• Develop a database that identifies which commercial electronic
messages (and data alterations or software installations, if any):
(i) have implied consent and track duration;
(ii) require express consent and must comply with formalities;
(iii) must comply with formalities or information requirements; and
(iv) neither require consent nor compliance with formalities.
• Draft, review, collect and update necessary consents, notices and
acknowledgements
48
How to comply…
49. • Ensure records of consent, written acknowledgements and notices
are retained and retrievable
• Create and maintain an easy-to-use and effective unsubscribe
mechanism
• Create templates for your business' electronic commercial messages
which satisfy the prescribed requirements
• Develop a CASL-compliance policy to address applicable provisions
in the law and provide copies of this policy to all relevant employees
and service providers – provide training
• Amend contracts with service providers to allocate obligations and
liability risk
49
Additional considerations…
50. • Maintain records of all procedures and policies implemented in
order to ensure compliance with the CASL .
• Such documentation may later support a due diligence defense.
• Contracts for sale of a business should include provisions
transferring express consents as a business asset. *
* Note: We are awaiting the CRTC/IC's position on this.
• Monitor development in jurisprudence and any new regulations and
guidelines with respect to CASL and adapt practices as necessary.
50
Additional considerations…
51. Abe-oldenburgL@bennettjones.com
Tel.: 416-777-7475
Visit our Anti-Spam Learning Centre
at:
www.bennettjones.com
• This presentation
contains statements of
general principles and
not legal opinions and
should not be acted
upon without first
consulting a lawyer
who will provide
analysis and advice on a
specific matter.