canada’s anti-spam legislation: what charities and not-for profits need to know before july 1,...

44
Canada’s Anti-Spam Legislation: What Charities and Not-For Profits Need to Know Before July 1, 2014 . Maanit Zemel Esq., Barrister & Solicitor [email protected] / (416) 937-9321 Webinar hosted by Techsoup Canada May 29, 2014

Upload: techsoup-canada

Post on 06-May-2015

2.631 views

Category:

Government & Nonprofit


1 download

TRANSCRIPT

Page 1: Canada’s Anti-Spam Legislation: What Charities and Not-For Profits Need to Know Before July 1, 2014

Canada’s Anti-Spam Legislation:

What Charities and Not-For Profits

Need to Know Before July 1, 2014

.Maanit Zemel Esq., Barrister & Solicitor

[email protected] / (416) 937-9321

Webinar hosted by Techsoup Canada May 29, 2014

Page 2: Canada’s Anti-Spam Legislation: What Charities and Not-For Profits Need to Know Before July 1, 2014

Overview

1. Overview of Canada’s Anti-Spam Legislation (CASL)

2. The Commercial Electronic Messages (CEM) Requirements

3. Tips for preparing for CASL

4. Other CASL requirements

Page 3: Canada’s Anti-Spam Legislation: What Charities and Not-For Profits Need to Know Before July 1, 2014

What is Canada’s Anti-Spam Legislation (“CASL”)?

The problem:

Page 4: Canada’s Anti-Spam Legislation: What Charities and Not-For Profits Need to Know Before July 1, 2014

What is CASL? (cont’d)

The solution: Regulate everyone! CASL regulates all “Commercial Electronic Messages”

sent or accessed from a computer in Canada

CASL also regulates broad range of electronic / online activities including:

The installation of computer programs

Misleading advertising and marketing practices

Privacy invasion via your computer

Collecting email addresses without consent (email harvesting)

Page 5: Canada’s Anti-Spam Legislation: What Charities and Not-For Profits Need to Know Before July 1, 2014

What is CASL? (cont’d)

Anyone can complain to the regulators by filing a complaint at:

www.fightspam.gc.ca

Page 6: Canada’s Anti-Spam Legislation: What Charities and Not-For Profits Need to Know Before July 1, 2014

Fundamental Underlying Principles

All of the regulated activities may only be carried out:

1. With informed consent; and

2. With clear identification of the sender

“Opt-In” Regime

Page 7: Canada’s Anti-Spam Legislation: What Charities and Not-For Profits Need to Know Before July 1, 2014

Significant Consequences for Non-Compliance

Administrative monetary penalties:

Individuals – fines up to $1 million per violation

Corporations – fines up to $10 million per violation

Private rights of action Class actions Vicarious liability of corporation for employees Liability of officers and directors for acts of

corporation Sweeping investigative powers (search and seizure

orders)

Page 8: Canada’s Anti-Spam Legislation: What Charities and Not-For Profits Need to Know Before July 1, 2014

When will CASL be in force?

Three important dates:

July 1, 2014: requirements respecting CEMs

January 15, 2015: requirements respecting computer programs

July 1, 2017:

End of transition period for implied consent

private rights of action

Page 9: Canada’s Anti-Spam Legislation: What Charities and Not-For Profits Need to Know Before July 1, 2014

Regulating Bodies

1) CRTC – CEMs and installation of computer programs

2) Privacy Commissioner – collection of personal information and address harvesting

3) Competition Bureau – misleading online advertising and marketing practices

Page 10: Canada’s Anti-Spam Legislation: What Charities and Not-For Profits Need to Know Before July 1, 2014

Commercial Electronic Messages (“CEM”s)

What is a CEM?

CEM is a message sent by any electronic means (i.e., email, text, instant message, tweet) that has, as its purpose, or one of its purposes, to encourage participation in a “commercial activity”

Page 11: Canada’s Anti-Spam Legislation: What Charities and Not-For Profits Need to Know Before July 1, 2014

What is a CEM (cont’d)

“Commercial activity” is:

“any particular transaction, act or

conduct that is of a commercial

character whether or not the

person who carries it out

does so in the expectation of

profit”

Page 12: Canada’s Anti-Spam Legislation: What Charities and Not-For Profits Need to Know Before July 1, 2014

Do Charities / NPOs Transmit CEMs?

Yes!

Examples of CEMs: Emails seeking donations

Emails selling tickets to an event / lottery

Emails promoting services

Emails promoting a charitable event / activity

Electronic newsletters

Emails promoting the organization / charity

Page 13: Canada’s Anti-Spam Legislation: What Charities and Not-For Profits Need to Know Before July 1, 2014

CEM Requirements

You are prohibited from sending a CEM to an electronic address unless:

The receiver has already consented to the receipt of the CEM; and

The CEM contains certain prescribed information

Subject to limited exclusions / exemptions

Page 14: Canada’s Anti-Spam Legislation: What Charities and Not-For Profits Need to Know Before July 1, 2014

CEM Consent Requirements

CEMs may only be sent with recipient’s express or implied consent

Onus of proving consent rests with sender

Page 15: Canada’s Anti-Spam Legislation: What Charities and Not-For Profits Need to Know Before July 1, 2014

CEM Consent (cont’d)

An electronic message requesting

consent is a CEM and is therefore

prohibited (post July 1, 2014)

Page 16: Canada’s Anti-Spam Legislation: What Charities and Not-For Profits Need to Know Before July 1, 2014

Express Consent

Request for express consent may be obtained orally or in writing

Request for consent must include:

The purpose for which consent is being sought (“clearly and simply”)

Sender’s identifying and contact information and/or on whose behalf consent is being sought

Statement that receiver can withdraw their consent

Page 17: Canada’s Anti-Spam Legislation: What Charities and Not-For Profits Need to Know Before July 1, 2014

Express Consent (cont’d)

Examples of proper forms of express consent:

Paper form

Electronically, not in a form of a CEM, and cannot include a “pre-checked box”

On your website

Orally – give someone a call then ask that they email / send you their consent

Page 18: Canada’s Anti-Spam Legislation: What Charities and Not-For Profits Need to Know Before July 1, 2014

Implied Consent

Consent may be implied when: the recipient has:

1) “conspicuously published” his/her electronic address (on a website for example)

2) has not indicated a desire to not receive unsolicited CEMs; and

3) the message is relevant to recipient’s business role, duties or functions

the recipient has:1) disclosed his/her electronic address to sender

without indicating a wish not to receive unsolicited CEMs (e.g., business card); and

2) message is relevant to person’s role or duties in business or official capacity

Page 19: Canada’s Anti-Spam Legislation: What Charities and Not-For Profits Need to Know Before July 1, 2014

Implied Consent (cont’d) –“Non-Business Relationship”

Applies to charities and NPOs

Consent is implied when:

Sender is registered charity (as defined in ITA) and recipient made donation or performed volunteer work in preceding two years

Sender is a non-profit organization (as defined in ITA) and recipient has been a member in the preceding two years

Page 20: Canada’s Anti-Spam Legislation: What Charities and Not-For Profits Need to Know Before July 1, 2014

Implied Consent (cont’d) –“Existing Business Relationship”

In the two years prior to the sending of the CEM, the recipient had: Purchased / leased / bartered a product / good / service

/ land from the sender;

accepted a business / investment / gaming opportunity offered by the sender; or

a written contract is created between the recipient and the sender.

Or - Six months before the message is sent, the sender received from the recipient an inquiry or application about one of the items above.

Page 21: Canada’s Anti-Spam Legislation: What Charities and Not-For Profits Need to Know Before July 1, 2014

Implied Consent (Cont’d)

3 Year Transitional Period: For parties who are in an existing

business or non-business relationship - implied consent is extended until July 1, 2017

This means that charities and NPOs have implied consent from their donors, volunteers and members until July 1, 2017

Page 22: Canada’s Anti-Spam Legislation: What Charities and Not-For Profits Need to Know Before July 1, 2014

Information Requirements for CEMs

All CEMs must include: Identifying and contact information of sender (or

on whose behalf CEM is sent)

A means by which to contact the sender (to be effective for at least sixty days)

An “unsubscribe” mechanism

When not practical to include in CEM, this information must be posted on a website and the CEM must include a link to that website, which is clearly and prominently set out in message and is readily accessible

Page 23: Canada’s Anti-Spam Legislation: What Charities and Not-For Profits Need to Know Before July 1, 2014

“Unsubscribe” Mechanism:

Must be effective for 60 days

Must be given effect within 10 days of request

Must be at no cost to requester

Page 24: Canada’s Anti-Spam Legislation: What Charities and Not-For Profits Need to Know Before July 1, 2014

Exemptions from CEM Requirements

Registered Charities Exemption:

CEMs sent by or on behalf of a registered charity and “the message has as its primary purpose raising funds for the charity”

Page 25: Canada’s Anti-Spam Legislation: What Charities and Not-For Profits Need to Know Before July 1, 2014

Charities Exemption

Emphasis is on “primary purpose” of message

Examples: Email that provides information about the

charity’s work and contains one sentence at the bottom asking for donations - is it for the primary purpose of raising funds? probably not

Email that sells tickets to a charitable event – is it for the primary purpose of raising funds? probably yes

Page 26: Canada’s Anti-Spam Legislation: What Charities and Not-For Profits Need to Know Before July 1, 2014

Charities Exemption (cont’d)

What does “raising funds” mean?

Is it different than “fundraising”, as interpreted by the CRA?

CRTC likely to focus less on the intended use of the funds and more on the content of the message

“Primary purpose” is likely to be interpreted from the point of view of the receiver of the email (and not of the sender)

Page 27: Canada’s Anti-Spam Legislation: What Charities and Not-For Profits Need to Know Before July 1, 2014

Other CEM Exemptions

1) “Personal” or “family” relationship 2) A CEM that consists solely of an inquiry or application 3) Solicited CEMs - sent in response to a request, inquiry

or complaint, or otherwise solicited by the person to whom the message is sent

4) Internal CEMs – sent within an organization / business and concerns the activities of that organization / business

5) CEMs between organizations / business – if the businesses / organizations “have a relationship” andthe CEM concerns activities of the receiver business / organization

6) CEMs sent to enforce a legal right

Page 28: Canada’s Anti-Spam Legislation: What Charities and Not-For Profits Need to Know Before July 1, 2014

CEM Exemptions (cont’d)

7) CEMs sent within an electronic platform where “unsubscribe” and identifying information is conspicuously published and readily available (e.g., within a social network)

8) CEM sent within a limited-access secure account by the person who provides that account (e.g., banking portals)

9) CEM sent by a political party for the primary purpose of soliciting contributions

10) CEMs sent to a foreign jurisdiction (but must comply with foreign anti-spam laws)

11) Two way voice communications12) Faxes and voicemail messages sent to telephone

accounts

Page 29: Canada’s Anti-Spam Legislation: What Charities and Not-For Profits Need to Know Before July 1, 2014

Exemptions that must contain info and “unsubscribe”

In limited circumstances, there is no need to obtain consent but must still include prescribed information (identifying info + unsubscribe):

1) Third party referral - the first CEM sent to a person based on a referral from a third party, after which consent will be needed for added CEMs

2) Provision of quote or estimate in response to a request3) Warranty, recall or product safety information4) CEM that delivers a product or service, including updates

and upgrades5) CEM that facilitates or confirms transactions 6) CEM that provides factual information about:

• Ongoing subscription, membership, accounts, loans • Ongoing use or ongoing purchases• Employment relations or benefit plans for employees

Page 30: Canada’s Anti-Spam Legislation: What Charities and Not-For Profits Need to Know Before July 1, 2014

Do you send

CEMs?

You may be exempt from compliance only If:

The primary purpose of CEM is to raise

funds for the charity*

Are you a

Registered

Charity?

No further action

required

Is the CEM:

• A third party referral?

• Providing a quote or estimate in

response to an request

• Providing warranty, recall or product

safety information

• delivering a product or service, including

updates and upgrades

• facilitating or confirming transactions

• Providing factual information about:

1. Ongoing subscription, membership,

accounts, loans;

2. Ongoing use or ongoing purchases;

3. Employment relations or benefit

plans for employees

No further action

required

No consent required but

CEM must include:

• Identifying information

• Unsubscribe

mechanism

Do Other Exemptions Apply?

Ex.:

• Organization to organization

• Personal / family relationship

• Internal CEM

• An inquiry / application

• A response to an inquiry / request / complaint

• To enforce a legal right

• Sent within a secured access platform

• Within a platform containing unsubscribe and ID info

• To a foreign jurisdiction (must comply with foreign

laws)

Yes Yes

Is Consent Implied?

Only if:

1. You are a registered charity / Not-for-profit org.; and

2. Recipient has been a donor, volunteer or member in the

preceding 2 years

Implied consent only good for 2 years

Need to:

1. Include prescribed info

2. Keep track of 2 years

3. Obtain express consent before 2 years expires

Yes

• Before July 1, 2014:

1. Obtain express consent

2. Include prescribed ID info and unsubscribe mechanism in all CEMs

• After July 1, 2014:

1. Obtain consent in prescribed form

2. Include prescribed ID info and unsubscribe mechanism in all CEMs

No / unsure

No

CASL

Flowchart

for

Charities/NPOs Yes

Yes

(most likely)

No (unlikely)

No

Unsure – consider next step

Page 31: Canada’s Anti-Spam Legislation: What Charities and Not-For Profits Need to Know Before July 1, 2014

Tips for Preparing for CASL

Tip #1: Get Your Board Onboard. Decisions respecting CASL should form part of

the organization’s overall risk management strategies

Decisions must be made at board and executive levels

If you are not getting the board / ED to pay attention – remind them of the D&O liability

Page 32: Canada’s Anti-Spam Legislation: What Charities and Not-For Profits Need to Know Before July 1, 2014

TIPS (cont’d)

TIP #2: CONDUCT AN AUDIT

1) What forms of electronic communications does the organization use to communicate with internal and external parties?

2) On behalf of which entities does the organization send electronic communications?

3) What third-parties send electronic communications on your organization’s behalf?

4) To whom does the organization send electronic communications?

5) What do these communications contain?

6) What is the purpose of sending the electronic communications?

Page 33: Canada’s Anti-Spam Legislation: What Charities and Not-For Profits Need to Know Before July 1, 2014

Tips (cont’d)

TIP#3: Develop and Implement CASL Compliance Policies and Procedures

Due Diligence Defence - a complete defence to CASL violations

You may rely on the due diligence defence only if you have a reasonable compliance policy

Page 34: Canada’s Anti-Spam Legislation: What Charities and Not-For Profits Need to Know Before July 1, 2014

Compliance Policies (cont’)

Develop and implement procedures for:

• requesting, maintaining and implementing consents

• keeping track of implied consents

• implementing “unsubscribe” requests

Develop and implement CASL compliant language

Page 35: Canada’s Anti-Spam Legislation: What Charities and Not-For Profits Need to Know Before July 1, 2014

Tips (cont’d)

TIP #4: Training and Education Train and educate management,

employees and volunteers on CASL requirements

Develop a training program

Ensure all new hires / volunteers receive training

Consider training third-parties that are sending CEMs on your behalf

Page 36: Canada’s Anti-Spam Legislation: What Charities and Not-For Profits Need to Know Before July 1, 2014

TIPS (cont’d)

TIP#5: Review your contracts with third parties – require CASL compliance and include indemnification provisions for non-compliance

TIP#6: Consider buying insurance for CASL

TIP#7: Consult with IT specialists

Page 37: Canada’s Anti-Spam Legislation: What Charities and Not-For Profits Need to Know Before July 1, 2014

Other CASL Requirements (non CEM)

1) Installation of computer programs

2) Unauthorized electronic collection of personal information

3) Email address harvesting

4) Prohibition against misleading marketing / advertising in electronic format

Page 38: Canada’s Anti-Spam Legislation: What Charities and Not-For Profits Need to Know Before July 1, 2014

Computer Programs

It is prohibited to install a computer program (e.g., software, applications etc.) on a computer or device (phone, tablet etc.) in Canada unless express consent is provided by owner

This requirement applies to upgrade and updates of the computer program

Express consent is assumed if:

Consent was provided at the time the program was installed

For telecommunication service providers

To address a failure in the system’s software or hardware

For specific types of programs (cookies, HTML code etc.)

Coming into force – January 15, 2015

Page 39: Canada’s Anti-Spam Legislation: What Charities and Not-For Profits Need to Know Before July 1, 2014

Computer Programs (cont’d)

Does this requirement apply to your organization?

Does your organization have an app for mobile devices?

Does your organization provide services through a computer program? (e.g., instructional video games)

Does your organization provide a program for its employees, members, donors etc. to be used to internally communicate with the organization (e.g., remote access)

If the answer is yes - you must seek consent for the installation, updates and upgrades of the program

Page 40: Canada’s Anti-Spam Legislation: What Charities and Not-For Profits Need to Know Before July 1, 2014

Computer Programs (cont’d)

Does your program:

Collect personal information?

Interfere with owner’s ability to control their device?

Change settings or preferences without the owner’s knowledge?

Interfere with data, preventing the owner from accessing it?

Cause the device to communicate with another without the knowledge of the owner?

Install any software that can be activated remotely by a third party?

If YES to any of the above - make this information clear when requesting consent

Page 41: Canada’s Anti-Spam Legislation: What Charities and Not-For Profits Need to Know Before July 1, 2014

Electronic Collection / Use Of Personal Information and Address Harvesting

CASL prohibits anyone from using electronic systems to collect and use personal information and email addresses without the express consent of the person whose information is collected / used

Review your online marketing strategy - does it perform any of these functions?

If yes - consider eliminating the practice altogether or obtaining consent

Page 42: Canada’s Anti-Spam Legislation: What Charities and Not-For Profits Need to Know Before July 1, 2014

How Can We Help You?

Auditing of current and future practices Advice on developing and implementing CASL

compliance Drafting and review of compliance policies,

processes, and documentation Drafting and review of third party contracts Compliance training Representation before regulators and courts IT Consulting

(www.methodworksconsulting.com)

Page 43: Canada’s Anti-Spam Legislation: What Charities and Not-For Profits Need to Know Before July 1, 2014

Resources & Updates

Follow me on Twitter - @maanitzemel; @casllaw

http://www.fightspam.gc.ca/

http://www.crtc.gc.ca/eng/casl-lcap.htm

https://www.ic.gc.ca/eic/site/ecic-ceac.nsf/eng/gv00521.html

Page 44: Canada’s Anti-Spam Legislation: What Charities and Not-For Profits Need to Know Before July 1, 2014

QUESTIONS?

Maanit Zemel

[email protected] / @maanitzemel

Disclaimer: This presentation is provided as an information service and is a summary of

current legal issues. The information is not meant as legal opinion or advice and viewers

are cautioned not to act on information provided in this publication without seeking

specific legal advice with respect to their unique circumstances.

All rights reserved. This presentation may not be reproduced and redistributed without

the prior written consent of the author.