Date post: | 08-Aug-2015 |
Category: |
Documents |
Upload: | lisa-abe-oldenburg-bcomm-jd |
View: | 17 times |
Download: | 1 times |
Data and Software Provisions of CASL
Understanding the New Canadian Anti-Spam Legislation ("CASL")
Lisa Abe-Oldenburg, B.Comm., JD.
CIPS Ontario AGM
March 20, 2014
Agenda
Why should you care about CASL?
Introduction to Canada's Anti-Spam Legislation: What is it?
Anti-Spam Provisions
Transmission Data Alteration Provisions
Installation of Computer Program Provisions
Compliance strategies
Q & A
2
2
This presentation was prepared by Bennett Jones LLP to provide general information about the anti-spam legislation in Canada. Due to the general nature of this presentation, nothing herein should be relied upon as legal advice.
CASL consists of a lengthy Act and Regulations, which must be read together. They are complicated, legally very technical, contain ambiguities and will be evolving as more regulations and interpretations are created.
The fine print
3
3
WHY SHOULD YOU CARE about casl?
4
4
INCREASED LIABILITY
INCREASED COST OF DOING BUSINESS
Actual costs:
Developing and implementing compliance and policies
Updating or purchasing new customer relationship management software
Investigating targets in due diligence associated with M&A activity
Indirect costs:
Finding alternative ways to advertise or do business
Revising software update and upgrade distribution and installation processes and support services.
5
Why should you care about CASL?
23 May 2014
doc #
5
Administrative Monetary Penalties:
Maximum penalty for corporations and organizations = $10,000,000.00 per violation
Maximum penalty for an individual = $1,000,000.00 per violation
Vicarious liability:
An employer may be liable for a violation committed by an employee acting within the scope of the employment.
Personal liability:
Officer, director, agent who directed, authorized, assented to, acquiesced in or participated in the commission of the violation, whether or not the corporation is proceeded against.
6
Liabilities
23 May 2014
doc #
6
Private Right of Action
For violations of CASL, as well as specified violations under PIPEDA and the Competition Act.
Liability includes :
Compensation in an amount equal to the actual loss or damage suffered or expenses incurred; and
A maximum of $200.00 for each contravention of CEM provisions, not exceeding $1,000,000.00 for each day the contravention occurred; and
A maximum of $1,000,000.00 for each day a contravention of the data or computer software provisions occurred.
A maximum of $1,000,000 per s.9 contravention (aiding, inducing, procuring)
That's enough to make anyone
7
Liabilities (con't.)
23 May 2014
doc #
7
8
Now that we have your attention.
scream!
8
INTRO TO casl
9
9
Key Dates
July 1, 2014
Anti-spam requirements
Altering transmission data requirements
January 15, 2015
Installation of computer program requirements
July 1, 2017
Private right of action
Scope
The Act and Regulations:
prohibit sending "commercial electronic messages" to an electronic address without consent (though exceptions may apply);
prohibit the alteration of transmission of data in an electronic message so that the message is delivered to a destination other than or in addition to that specified by the sender without consent;
prohibit installing a computer program on any other persons computer system without consent and certain requisite notice;
prohibit causing a program on any persons computer system to send an electronic message without consent; and
capture activities that aid, induce, procure or cause to be procured any of the foregoing.
11
23 May 2014
doc #
11
Key Definitions
What is a CEM?
An electronic message means a message sent by any means of telecommunication, including a text, sound, voice or image message.
A commercial electronic message is defined as an electronic message that, having regard to the content of the message, the hyperlinks in the message to content on a website or other database, or the contact information contained in the message, it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity, including an electronic message that(cont.):
12
23 May 2014
doc #
12
.(cont.):
(a) offers to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land;
(b) offers to provide a business, investment or gaming opportunity;
(c) advertises or promotes anything referred to in paragraph (a) or (b); or
(d) promotes a person, including the public image of a person, as being a person who does anything referred to in any of paragraphs (a) to (c), or who intends to do so.
NOTE: a CEM includes an electronic message that asks for consent to be given
13
Key Definitions
23 May 2014
doc #
13
commercial activity means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, whether or not the person who carries it out does so in the expectation of profit, other than any transaction, act or conduct that is carried out for the purposes of law enforcement, public safety, the protection of Canada, the conduct of international affairs or the defence of Canada.
An electronic address is an address used in connection with the transmission of an electronic message to:
(a) an electronic mail account;
(b) an instant messaging account;
(c) a telephone account; or
(d) any similar account (e.g. social media?)
14
Key Definitions
23 May 2014
doc #
14
It is prohibited to send (or cause or permit to be sent ) to an electronic address a commercial electronic message unless:
An exemption to the prohibition applies;
OR
(a) the person to whom the message is sent has consented to receiving it or the CEM is exempt from consent; and
(b) the message meets the formality requirements.
Core Anti-Spam Provisions
15
23 May 2014
doc #
15
The anti-spam prohibition under the Act does not apply to:
messages that are not CEMs
commercial electronic messages where the recipient:
has a family or personal relationship (as defined in the regulations) with the sender; or
is engaged in commercial activity and the message from the sender consists solely of an inquiry or application related to that activity.
Telecommunications Service Providers enabling the transmission of a message as part of a telecommunications service (safe harbour for intermediaries);
General Exemptions
16
16
Family relationship definition: 2 people related through marriage, common law, or legal parent-child, and who have had direct, voluntary two-way communications.
Personal relationship definition: 2 people who have had direct, voluntary two-way communication where it would be reasonable to conclude that the relationship is personal.
Reasonable test based on a non-exhaustive list of factors provided in the Regulations
Must be close relationship
No provision in the Act or regs for individuals to "opt-out" of the exemptions
17
Existing Family and Personal Relationships
23 May 2014
doc #
17
CEMs that are:
whole or partial interactive two-way voice communication between individuals;
sent by fax to a telephone account;
voice recordings sent to a telephone account;
sent by personnel within an organization, and it concerns the activities of the organization (intra-business);
General Exemptions
18
18
CEMs that are:
sent by personnel of one organization to the personnel of another organization if the organizations have a relationship at the time, and it concerns the activities of the recipient organization (inter-business);
solicited by the recipient (i.e. response to a request, inquiry or compliant);
sent to a person in a foreign jurisdiction (that is listed in the Regs), and the CEM conforms to the laws of that foreign state which must be substantially similar;
General Exemptions
19
19
CEMs that are:
sent in relation to satisfy, provide notice of or enforce a legal or juridical obligation or right;
messages sent and received on an electronic messaging service as long as certain requirements are met;
sent within a limited-access, secure and confidential account (one-way only);
sent on behalf of registered charity for primary purpose of raising funds as defined in the Income Tax Act; or
sent on behalf of political party for primary purpose of soliciting contributions, as defined in the Elections Act.
General Exemptions
20
20
Exemptions from Consent Requirements
NOTE: You must still comply with formality requirements!
CEM that solely:
provides a requested quote or estimate for the supply of a product, or service;
facilitates, completes or confirms a commercial transaction that recipient previously agreed to enter into;
provides warranty information, product recall information or safety or security information about a product or a service that the recipient uses, has used or has purchased;
provide notification of factual information about the ongoing use or ongoing purchase by the recipient of products or services offered under a subscription, membership, etc.
Exemptions from Consent Requirements
NOTE: You must still comply with formality requirements!
CEM that solely:
provides information directly related to the recipient's current employment relationship or related benefit plan;
delivers a product or service, including upgrades or updates, that the recipient is entitled to receive under the terms of a previous transaction;
communicates (first time only!) for the purpose of a third party referral by an individual with an existing business or non-business relationship, family or personal relationship and the message contains certain prescribed information.
CONSENT for cemS
23
23
Unless otherwise exempt from the prohibition or from consent, one of the following must be relied upon to send a commercial electronic message:
express consent; or
implied consent.
Note: Onus is on person who alleges they have consent to prove it.
Note : Different forms of consent and each must be sought separately for each of: sending CEMs, alteration of transmission data and installation of a computer program.
24
Consent Requirements for CEMs
23 May 2014
doc #
24
When seeking express consent, the following information must be set out clearly:
the purpose(s) for which consent is being sought;
information identifying who is requesting consent;
a statement that the person can withdraw their consent; and
other prescribed information.
requires active opt-in (pre-checked boxes not permitted)
may be obtained orally or in writing
Note: Once the law is in force you cannot send a CEM to request express consent, unless one of the exemptions apply or you already have implied consent.
25
Express Consent requirements for CEMs
23 May 2014
doc #
25
Consent may be implied and allow for the sending of a commercial electronic message in the following situations:
The recipient:
has conspicuously published (e.g. on a website) the electronic address to which the message is sent;
has not included in their publication a statement that they do not wish to receive unsolicited commercial electronic messages at that electronic address; and
the electronic message is relevant to the recipient's official business, role, functions or duties; OR
26
Implied Consent for CEMs
23 May 2014
doc #
26
2. The recipient:
has disclosed to the sender (e.g. provide a business card) the electronic address to which the message is sent;
has not indicated that they do not wish to receive unsolicited commercial electronic messages at that electronic address; and
the electronic message is relevant to the recipient's official business, role, functions or duties; OR
3. The sender has an existing business relationship or an existing non-business relationship with the recipient.
27
Implied Consent for CEMs (cont.)
23 May 2014
doc #
27
"Existing business relationship" means a business relationship between the recipient and sender of a message, arising from:
the purchase, lease or barter of a product or a service, land or an interest or right in land, within 2 years immediately prior to the day on which the message was sent;
the acceptance by the recipient, within 2 years immediately prior to the day on which the message was sent, of a business, investment or gaming opportunity;
a written contract between the parties if the contract is currently in existence or expired within 2 years immediately prior to the day on which the message was sent; or
an inquiry or application by the recipient, within the six-month period immediately before the day on which the message was sent.
28
Existing business relationships
23 May 2014
doc #
28
"Existing non-business relationship" means a non-business relationship between the recipient and the sender arising from
a donation or gift made by the recipient to the sender within 2 years immediately prior to the day on which the message was sent, where the sender is a registered charity, a political party or organization;
volunteer work performed by the recipient, or attendance at a meeting organized by sender, within the 2 years immediately prior to the day on which the message was sent, where the sender is a registered charity, a political party; or
Membership of the recipient in the sender's club, association or voluntary organization, as defined in the regulations, within the 2 years immediately prior to the day on which the message was sent.
29
Existing non-business relationships
23 May 2014
doc #
29
FORMALITIES of cems
30
30
Formalities of CEMs
A commercial electronic message must contain:
the name of the sender or the name under which the sender carries on business;
If sent on behalf of another person, CEM must contain that name or the name under which that person carries on business;
If sent on behalf of another person, must contain a statement indicating which person is sending the message and which person on whose behalf the message is sent;
the mailing address, and either:
A telephone number;
An email address; or
A web address; AND
A functional unsubscribe mechanism that meets the prescribed requirements.
Contact info must be valid for 60 days
31
31
Alteration of transmission Data and installation of computer program PROVISIONS
32
32
ALTERING TRANSMISSION DATA
In force July 1, 2014
INSTALLATION OF COMPUTER PROGRAMS
In force January 15, 2015
33
23 May 2014
doc #
33
ALTERING TRANSMISSION DATA
CASL prohibits the alteration of transmission data in an electronic message in the course of a commercial activity, without express consent
Where message is delivered to a destination other than, or in addition to, that specified by the sender
To aid, induce, procure or cause to be procured is also prohibited
Applies to any computer system located in Canada that is used to send, route or access the electronic message
34
23 May 2014
doc #
34
ALTERING TRANSMISSION DATA
data means signs, signals, symbols or concepts that are being prepared or have been prepared in a form suitable for use in a computer system
transmission data means data that :
(a) relates to the telecommunications functions of dialling, routing, addressing or signalling;
(b) either is transmitted to identify, activate or configure an apparatus or device, including a computer program, in order to establish or maintain a communication, or is generated during the creation, transmission or reception of a communication and identifies or purports to identify the type, direction, date, time, duration, size, origin, destination or termination of the communication; and
(c) does not reveal the substance, meaning or purpose of the communication.
35
23 May 2014
doc #
35
ALTERING TRANSMISSION DATA
Express consent is required from the sender or the person to whom the message is sent, i.e. the authorized email account holder
Burden of proof is on the person who alleges that they have consent
Note: no implied consent possible, like with CEMs
Consent must meet the formalities set out in the Act and the Regulations, including describing the purpose for the consent, the persons seeking it, the period of consent, and such other information as set out in the regulations
Consent must also include a withdrawal mechanism in the form prescribed by the Act and the regulations
Any request for withdrawal must be implemented within 10 business days of receipt
36
23 May 2014
doc #
36
ALTERING TRANSMISSION DATA
General Exemption: if the alteration is made pursuant to a court order, or by a telecommunications service provider (TSP) for the purposes of network management
TSPs are broadly defined under the Act to include any providers of services or features by telecom facilities
Examples were provided in the RIAS of GM's OnStar or Ford's Sync systems
37
23 May 2014
doc #
37
INSTALLATION OF COMPUTER PROGRAMS
CASL prohibits the installation of a computer program on any other persons computer system, in the course of commercial activity
CASL also prohibits installed computer programs to cause the sending of an electronic message from a computer system
Without express consent, unless pursuant to court order
To aid, induce, procure or cause to be procured is also prohibited
Applies to any computer system or person (whether contravening or directing) located in Canada at the relevant time
Computer program and computer system are Criminal Code definitions
Note: CASL does not apply to user's own installation. Query who is doing the installation in a web download or with pre-installed software?
Note: CASL does not apply to computer programs installed for public safety purposes. Query whether auto braking systems are public safety, as per RIAS?
38
23 May 2014
doc #
38
INSTALLATION OF COMPUTER PROGRAMS
Express consent is required from the owner or authorized user of the computer system
Burden of proof is on the person who alleges that they have consent
Note: no implied consent, like with CEMs, except in very narrow circumstances prior to January 15, 2015
Problematic where there is no user interface to receive messages or provide disclosure notices
Consent must meet the formalities set out in the Act and the Regulations, including describing the purpose for consent, the persons seeking it, the functions and purposes of the computer program, and such other information as set out in the regulations
For certain "invasive" software (with special functions listed in ss.10(5)), it gets more complicated. You must include additional information and actions set out in the Act and the regulations.
39
23 May 2014
doc #
39
INSTALLATION OF COMPUTER PROGRAMS
Invasive software - Subsection 10(5) Functions:
Knowledge and intent that the software will cause the computer system to operate in a manner that is contrary to the reasonable expectations of the owner or an authorized user and:
Collects stored personal information
Interferes with control of the computer system
Changes or interferes with settings, preferences or commands
Changes or interferes with stored data
Communicates with another computer system or device
Installs a computer program that may be activated by a third party; or
Performs any other function specified in the regulations.
40
23 May 2014
doc #
40
INSTALLATION OF COMPUTER PROGRAMS
Consent must be clear and simple
For software with ss. 10(5) functions, one must add additional information:
set out clearly and prominently, and separately and apart from the license agreement and the consent:
(i) description of the computer program's material elements that perform the function(s), including the nature and purpose of those elements and their reasonably foreseeable impact on the operation of the computer system;
(ii) bring those elements to the attention of the person from whom consent is being sought in the prescribed manner; and
41
23 May 2014
doc #
41
INSTALLATION OF COMPUTER PROGRAMS
(iii) obtain an acknowledgement in writing from the person from whom consent is being sought that they understand and agree that the program performs the specified functions.
Such additional information not required if the function only collects, uses or communicates transmission data or performs an operation specified in the regulations
CASL contains complicated rules for requesting and ensuring the removal or disabling of certain software with ss. 10(5) functions, including providing assistance at no cost, within a one year period
42
23 May 2014
doc #
42
INSTALLATION OF COMPUTER PROGRAMS
Deemed express consent (no separate consent required) for:
Cookies, HTML code, Java Scripts, operating systems, any other program that is executable only through the use of another computer program whose installation or use the person has previously expressly consented to, or any other programs specified in the regulations
IC Regulations have added several additional classes of programs, mainly for telecom network security and upgrades, as well as correction of failures of computer systems and programs
Provided it meets the reasonability test: the persons conduct is such that it is reasonable to believe that they consent to the programs installation
Many issues with what constitutes an operating system, a cookie, a telecom network, an upgrade/update or a failure
43
23 May 2014
doc #
43
INSTALLATION OF COMPUTER PROGRAMS
Special rules for installation of software updates and upgrades
May be deemed consent if TSP is installing an update to their network or if required for safety/failure correction purposes
Consent to install updates or upgrades can be requested in advance, e.g. at the same time as the original installation, or when the user is downloading, as long as consent is requested in accordance with the specific formalities of CASL and the upgrades or updates are installed in accordance with those terms.
Implied consent until January 15, 2018 to installation of update or upgrade if the software being updated was installed prior to January 15, 2015 and no notice of withdrawal of consent is given.
44
23 May 2014
doc #
44
TRANSITIONAL PROVISIONS
45
45
The majority of CASL is coming into force on July 1, 2014; however
A persons consent to receiving CEMs is implied until (i) notified otherwise or (ii) July 1, 2017, whichever is earlier, if :
the sender and recipient have had an existing business relationship or an existing non-business relationship at any time prior to July 1, 2014 (i.e. no 2 year limit) ; and
the relationship includes the communication of CEMs.
Also, implied consent to install software updates or upgrades until (i) notified otherwise or (ii) January 15, 2018, whichever is earlier, if the software was installed prior to January 15, 2015.
46
Transitional Provisions
23 May 2014
doc #
46
COMPLIANCE STRATEGIES
47
47
Be proactive!
Review existing communication and software practices internally as well as with applicable external service providers.
Develop a database that identifies which commercial electronic messages (and data alterations or software installations, if any):
(i) have implied consent and track duration;
(ii) require express consent and must comply with formalities;
(iii) must comply with formalities or information requirements; and
(iv) neither require consent nor compliance with formalities.
Draft, review, collect and update necessary consents, notices and acknowledgements
48
How to comply
23 May 2014
doc #
48
Ensure records of consent, written acknowledgements and notices are retained and retrievable
Create and maintain an easy-to-use and effective unsubscribe mechanism
Create templates for your business' electronic commercial messages which satisfy the prescribed requirements
Develop a CASL-compliance policy to address applicable provisions in the law and provide copies of this policy to all relevant employees and service providers provide training
Amend contracts with service providers to allocate obligations and liability risk
49
Additional considerations
49
Maintain records of all procedures and policies implemented in order to ensure compliance with the CASL .
Such documentation may later support a due diligence defense.
Contracts for sale of a business should include provisions transferring express consents as a business asset. *
* Note: We are awaiting the CRTC/IC's position on this.
Monitor development in jurisprudence and any new regulations and guidelines with respect to CASL and adapt practices as necessary.
50
Additional considerations
50
[email protected].: 416-777-7475 Visit our Anti-Spam Learning Centre at:www.bennettjones.com
This presentation contains statements of general principles and not legal opinions and should not be acted upon without first consulting a lawyerwho will provide analysis and advice on a specific matter.
51