Fall into ComplianceCanada’s Anti Spam Law (CASL)

Presented by:

David Fowler | Act-On Chief Privacy & Deliverability Officer

david.fowler@act-on.net

Chat or Q/A

#AOWEB

Todays Agenda

• Legal Disclaimer • CAN-SPAM Review• The Canadian Anti-Spam Law (CASL)

– Tenants of the Law – Disclosure and Consent – Key Differences

• Next Steps – For CASL and You

• Notable Quotes • Wrap Up – Q&A

Disclaimer

Act-On Software does not provide legal advice or counsel pertaining to this subject or any related legislation or

compliance issue. We always recommend that should you require a legal opinion you should seek counsel form a

qualified legal resource.

CAN-SPAM Review

CAN-SPAM Review

• The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM or the Act).

CAN-SPAM REQUIREMENTS

Types of MessagesThe CAN-SPAM Act covers commercial email messages, the primary purpose of which is the advertisement or promotion of a commercial product or service.

Permission | Opt-In Requirements

Under CAN-SPAM, direct marketing email messages can be sent to anyone, without permission, until the recipient explicitly requests that they cease ("opt-out").

Unsubscribe | Opt-Out Requirements

Every message must include opt-out instructions. The sender must honor the opt-out requests of recipients within 10 days. 2008 Rule Provision:An email recipient cannot be required to pay a fee, provide information other than his or her email address and opt-out preferences, or take any steps other than sending a reply email message or visiting a single Internet Web page to opt out of receiving future email from a sender

CAN-SPAM Review

CAN-SPAM REQUIREMENTS

Sender Identity

The CAN-SPAM Act bans false or misleading header information. The email's "From", "To" and routing information – including the originating domain name and email address – must be accurate and identify the person who initiated the email.The Act prohibits open relay abuses, falsifying header information, generating multiple email addresses to send from, deceptive subject headers, address harvesting and dictionary attacks, and other fraudulent ways of sending spam.2008 Rule Provision:The definition of "sender" was modified to make it easier to determine which of multiple parties advertising in a single email message is responsible for complying with the Act's opt-out requirements.A definition of the term "person" was added to clarify that the CAN-SPAM Act's obligations are not limited to natural persons.

CAN-SPAM Review

CAN-SPAM REQUIREMENTS

Subject Lines | Labeling

Deceptive subject lines are prohibited. The subject line cannot mislead the recipient about the contents or subject matter of the message. Identification that the message is an advertisement or solicitation is required.

Contact Information Postal Address

Yes, a valid physical postal address is required.2008 Rule Provision: A "sender" of commercial email can include an accurately registered PO box or private mailbox established under United States Postal Service regulations to satisfy the Act's requirement that a commercial email display a "valid physical postal address".

CAN-SPAM Exemptions

• As discussed the act applies to 100% commercial email• But what about transactional or hybrid messaging?

– Commercial + Transactional | Cross Selling

• The “primary purpose” rule comes into effect– The recipient decides on the primary purpose

• If the recipient determines the message is commercial in nature then the message has to be compliant– Consider the 80/20 rule– 80% transactional | 20% commercial

• Place the offer below the fold as not to dominate the real estate

Canadian Anti Spam Law (CASL)

Canadian Anti-Spam Law (CASL)

• Enacted in 2010 and scheduled to go into effect in 2013• Intended to promote ecommerce by deterring spam,

identity theft, phishing, spyware, viruses, botnets and misleading representations online

• CASL creates new offenses, enforcement mechanisms and penalties

• The last of the G8 to introduce a law on Spam• It’s one of the strictest ecommerce laws globally

– Higher consent standards for all – Detailed content requirements – High penalties: $10M fines a possibility for non compliance

Tenents of the Law

• Permission: – CASL Requires you obtain permission (consent) prior to sending any

communication. You also need to have proof of opt-in including source and time

• Scope of the law, who does it apply to?– Senders of any form of commercial electronic messaging, for example: email,

voice, text messaging and social media

• Location: – Where does it apply? CASL is unique in that it regulates any message sent from

or received in Canada. – So if a recipient opted-in the USA, CASL would still apply if the commercial

message was accessed in Canada. – This provision requires marketers to be cognizant of where their email subscribers

are opening their campaigns.

• Unsubscribing:– All commercial messages sent must contain an opt-out method, one difference

being that you cannot confirm the opt-out request via a follow up method.

• Exceptions: – Quotes, estimates, pre-existing transaction material and factual information about

loans, memberships and accounts are exempt

Disclosure Requirements

• Electronic Messages being sent from or to Canada must: – Clearly identify the sender of the message– Have a clear, applicable, and relevant subject line and 'From'

name that reflect the purposes of the email– A notice that the message is for commercial purposes (if

applicable)– Contain a physical address as well as a URL, email address, or

phone number where the sender can be reached and that is valid for up to 60 days after the message has been sent

– Contain a valid and working mechanism that will unsubscribe the recipient within 10 days (just like Can-Spam) and is available for at least 60 days after the messages have been sent 

Consent Requirements

• Implied and Express consent • Must clearly and simply set out purpose(s) for consent: • Must obtain express consent to send CEMs unless there is

– Existing business relationship OR – Existing non-business relationship – An email user must express consent by opting-in to receive

communications from the sender.

• You can rely on implied consent to send CEMs to recipients with an existing business or non-business relationship – EBR lasts for 2 years from the last transaction

Violations and Enforcement

• CRTC: primary enforcement agency, including administrative monetary penalties (AMPs) – Maximum penalty is $10m, for an organization per violation – Relevant factors include purpose of penalty, nature & scope of

violation, history, financial benefit ability to pay – May enter into compliance undertaking with the CRTC

• Directors and officers liability | Employers liability • Importance of “due diligence” taken to prevent the

violation

CASL vs. CAN-SPAM – Key Differences

Address a broad range of internet issues Applies to all form of electronic messaging (email,

SMS, IM etc.) Prior permission based Private right of action available to anyone (individuals,

businesses etc.)

Addresses spam only Apples only to email, contains SMS domain opt-out You can technically email any person at least once No private right of action, available to ISPs and

Government to bring lawsuits

CASL: Summary

Prior consent required Prohibits unsolicited commercial electronic messages

Prohibits program installations without consent No false information allowed Sender or subject lines No harvesting or dictionary attacks More than email | IM, SMS, Social Media, Voice

CASL Summary

Other Requirements: – Unsubscribe no longer than 10 business days– Postal address required – Private right of action included – Officers of organizations can be held accountable for their

organizations messages

Exemptions– Family or personnel relationship | business or inquiry relationship

Enforcement – Cross boarder can’t hide under HQ location – Protection for “honest” mistakes

Next Steps for CASL

• CASL expected to become law in 2013 • Implementation of a Spam Reporting Center:

– Once operational will accept messages, analyze trends in spam and other threats to electronic commerce

• New roles & responsibilities for three government agencies: – CRTC | Competition Bureau | Privacy Commissioner

– International agency cross boarder cooperation | Including the FTC

• Interpretive guidelines– Many definitions and requirements under CASL remain broad and

unclear

Next Steps For You

• Update your website and privacy policy• Update form and procedures that document consent • Address unsubscribe requirements and timeframes• Update existing customer service processes• Develop and included information and training for

employees, management and respective associates • Review and amend any third party contract requirements

– Limitation of liability, representations and warranties, including address rental

• If operating in North America meet BOTH CASL & CAN-SPAM requirements

Notable Client Quotes

Notable Quotes

"Should you be worried about CASL? I don't know if worried is the right term, but if you are sending or receiving email to or from Canada you need to read up on CASL. Unlike CAN-SPAM the new CASL law is opt-in based, not just about giving the client the ability to unsubscribe. It also deals with social media and SMS so it has a lot wider scope than CAN-SPAM."

Kent M, 1ShoppingCart 

Notable Quotes

There is an opt-in law, but don't be alarmed. It does not establish some arduous new standard for permission. The law states that "it is prohibited to send or cause or permit to be sent to an electronic address a commercial electronic message unless the person to whom the message is sent has consented to receiving it, whether the consent is express or implied." Implied consent seems to basically be defined as "existing business relationship," and there is a defined two year period after which you cannot assume an existing business relationship. We recommend that all clients adhere to opt-in permission to avoid having to cease mail to customers after the two year period expires.

• Al Iverson, ExactTarget

Notable Quotes

C-28 does not change a thing where deliverability is concerned. C-28 is all about permission, but there's nothing in the SMTP protocol that allows the sender to meaningfully, verifiably assert that they had permission to send. The real impact of C-28 is on e-mail marketing itself. And the impact will be enormous.

• Andrew Barrett, iContact (Vocus)

More Info & Resources

• Government of Canada: – http://fightspam.gc.ca/eic/site/030.nsf/eng/home

• Industry Canada: – http://www.ic.gc.ca/eic/site/ecic-ceac.nsf/eng/gv00521.html

• FMC Law Group | Margot Patterson:– www.slideshare.net/fmclaw/casl-vs-canspam-canadas-antispam-law

• Email Karma | Matt Vernhout: – http://emailkarma.net

• Port 25: – www.port25.com

Thank Youdavid.fowler@act-on.net