fighting internet and wireless spam act

Electronic marketing under Bill C-28, the Fighting Internet and Wireless Spam Act Shaun Brown –Counsel, Law Office of Kris Klein Matthew Vernhout –Director, Delivery and ISP Relations, Thindata 1:1

Upload: matt-vernhout

Post on 12-Apr-2017


TRANSCRIPT

Page 1: Fighting Internet and Wireless Spam Act

Electronic marketing under Bill C-28, the Fighting Internet and Wireless Spam Act

Shaun Brown – Counsel, Law Office of Kris Klein

Matthew Vernhout – Director, Delivery and ISP Relations, Thindata 1:1

Page 2: Fighting Internet and Wireless Spam Act

Goals

• General understanding of the legislation

– Substantive requirements

– Enforcement regime

• Practical guidance

• Address potential fears

Page 3: Fighting Internet and Wireless Spam Act

How we got here

• May 2004 - IC establishes Task Force on Spam

• May 2005 – Task Force presents final report to IC

• April 24, 2009 – Bill C-27, the Electronic Commerce Protection Act (FISA) introduced in the HoC

• November 30, 2009: passed House with unanimous support;

amended as a result of consultation and committee meetings

• December 15, 2009: passed 2nd reading in Senate

• December 30, 2009: Parliament prorogued

• May 25, 2010 – reintroduced as the Fighting Internet and

Wireless Spam Act

Page 4: Fighting Internet and Wireless Spam Act

Fighting Internet and

Wireless Spam Act

FIWSA

Fy-za

Page 5: Fighting Internet and Wireless Spam Act

Why anti-spam legislation?

• Last G8 country to enact anti-spam legislation

• Spam costs time and money

– Spam is well over 90% of all email (Microsoft - Security Intelligence Report, version 8 - April 2010)

• Canada is a ‘spam haven’ – 10th in the world in terms of spam production (Spamhaus)

• Establish trust and confidence in the use of e-marketing – benefits those who play by the rules

Page 6: Fighting Internet and Wireless Spam Act

FISA: overview

• Standalone legislation (FISA), and amendments to: PIPEDA; Competition Act; Telecommunications Act; CRTC Act

• Regulatory regime that applies to commercial

activity: based on general branch of the Federal

Trade and Commerce Power (91(2))

Page 7: Fighting Internet and Wireless Spam Act

Substantive violations

• Section 7: regime for sending a commercial electronic

message (CEM)

• Section 8: prohibition against unauthorized altering of transmission data

• Section 9: prohibition against installation of computer

programs without consent

• False and misleading information (content or sender info)

• PIPEDA amendments: address harvesting; dictionary attacks; collection of personal information through unauthorized access to computer systems

Page 8: Fighting Internet and Wireless Spam Act

Section 7 - commercial electronic message regime: Overview

• Based on experiences and best practices

• CEM broadly defined to include any message with any semblance of commercial activity

• More than email: IM; SMS; social media; voice*, etc.

• General rule: Consent (opt-in) required to send CEM

• Other requirements: identification; contact information; unsubscribe mechanism

• Certain messages exempted altogether: family or personal relationship; business inquiry

• No minimum # to be classified as spam

• Message to request consent deemed to be CEM

Page 9: Fighting Internet and Wireless Spam Act

Section 7 - commercial electronic message regime: Implied (deemed) consent

• No true implied consent clause

• Consent is deemed in a number of circumstances:

1. Existing business relationship

2. Existing non-business relationship

3. Conspicuous publication of electronic address

4. Recipient has provided electronic address to the sender

• No implied consent for referrals

• In most cases implied consent lasts for 2 years – window of opportunity to obtain express consent

Page 10: Fighting Internet and Wireless Spam Act

Section 7 - commercial electronic message regime: no consent required

• Quotes or estimates, if requested

• Facilitates commercial transaction

• Warranty or safety information

• Information about ongoing subscription, membership, etc.

• Information related to employment relationship or benefit plan

• Delivers good or service

Page 11: Fighting Internet and Wireless Spam Act

Questions for compliance, re: consent

1. Does section 7 apply?

2. If so, do I need consent (other requirements still apply)?

3. If not, can I rely on implied consent?

4. If not, how do I obtain opt-in (express) consent?

Page 12: Fighting Internet and Wireless Spam Act

Jurisdiction

• Section 12: “A person contravenes section 6 only if a computer system located in Canada is used to send or access the electronic message.”

• Thus, FISA applies to US (International) senders who

send messages into Canada

Page 13: Fighting Internet and Wireless Spam Act

Defining Sent

• FISA states that an electronic message is considered to have been sent once its transmission has been initiated and that it is irrelevant if the intended recipient address exists or if message reaches its intended destination.

This makes bounce management even more important: mailers need to monitor bounces and clean bounced addresses from their lists.

Page 14: Fighting Internet and Wireless Spam Act

Identification Requirements

• All messages being sent must:

– Clearly identify the person who sent the message

• Add your physical postal address and company name to all emails

– The messages must provide a method where the recipient can readily contact the person(s) responsible for sending the message

• Set replies to go to your customer service, stop using

[email protected]

• MUST be active for 60 days after the message was sent

– Provide a working unsubscribe mechanism that removes an address within 10 days

Page 15: Fighting Internet and Wireless Spam Act

Managing Unsubs

• The unsubscribe mechanism must specify an electronic address to which the unsubscribe notice may be sent or provide a hyperlink by means of which the recipient can provide their opt-out notice.

Providing both options: an email unsubscribe and a

web enabled unsubscribe is highly recommended

Page 16: Fighting Internet and Wireless Spam Act

Oversight and enforcement: 3 Agencies

• Canadian Radio-television and Telecommunications Commission (CRTC)

– Primary enforcement agency

– Can make preservation demands on TSPs

– Administrative monetary penalties (AMPS): up to $1 million for individuals and $10 million in all other cases per violation

• Competition Bureau

– False and misleading representations online

– Deceptive marketplace practices including false headers and website content

– AMPS regime already exists in the Competition Act: $750,000 for individuals and $10 million for corporations

• Office of the Privacy Commissioner (OPC)

– Enforcement of provisions in PIPEDA (address harvesting; dictionary attacks; collection of personal information through unauthorized access to computer systems)

– No AMPS

Page 17: Fighting Internet and Wireless Spam Act

Oversight and enforcement: Private Right of Action (PRA)

• PRA can be exercised by any person affected by a violation of FISA as well as provisions in Competition Act and PIPEDA

• Remedies:

– Damages suffered and expenses incurred

– Statutory damages of $200 per violation, up to $1 million

per day

Page 18: Fighting Internet and Wireless Spam Act

Oversight and enforcement: Protection for ‘Honest Mistakes’

Three mechanisms:

1. Undertakings & Compliance (s.22)

– At any time

– Restricts all other action (notice of violation and PRA)

2. Due Diligence Defence and Common Law Principles (s.34)

– Cannot be found liable

– Justification or excuse consistent with the Act

3. Factors to be Considered re: AMPs (s.21)

– Nature and scope of violation

– Financial benefit

– Any relevant factor

Page 19: Fighting Internet and Wireless Spam Act

Oversight and enforcement: Domestic and

International Cooperation

• Coordination and consultation between 3 enforcement agencies responsible for compliance

• Information sharing and consultation between the three agencies and their international equivalents

• A broadly defined Canadian link which stipulates that FISA would apply to electronic messages sent to, through or from Canada

Page 20: Fighting Internet and Wireless Spam Act

FISA vs. CAN-SPAM: Similarities

• Requirement to accurately identify sender

• Prohibition of false and misleading transmission data/subject lines

• Requirement for unsubscribe mechanism

• Liability for brands who knowingly allow spam to be sent on their behalf

Page 21: Fighting Internet and Wireless Spam Act

FISA vs. CAN-SPAM: Key Differences

FISA | CAN-SPAM

Addresses broad range of Internet issues (spam, spyware, pharming, etc.) | Addresses spam only

Applies to all forms of electronic messaging (email, SMS, IM, etc.) | Applies only to email

Primarily opt-in; permission based | Opt-out; you can technically mail any person at least once

PRA available to anyone (individuals, businesses, etc.) | PRA available only to ISPs

Page 22: Fighting Internet and Wireless Spam Act

FISA and Social Networks

• Most social networks are self-directed opt-in/out solutions that allow individuals to manage their own preferences

– Follow/Unfollow

– Friend/Un-friend

– Like/Unlike

Page 23: Fighting Internet and Wireless Spam Act

Why prepare now?

• Most marketing programs are planned several months in advance; don’t be caught off guard

• Plan your changes now and get them into your project development plans

• Your Email Service Provider needs to plan as well

– Work with your third party vendors to get any necessary

changes on their road map for development

Page 24: Fighting Internet and Wireless Spam Act

Why Marketers Need Not Fear

• International laws are already being followed by most

– Identification (Postal address), 10 day Unsubscribe, No misleading information

• PIPEDA already requires consent to collect PI

– Email, Name, Phone numbers, etc…

• Important exemptions

– Personal communications with family, friends and replies to inbound inquiries

• Protection for honest mistakes

Page 25: Fighting Internet and Wireless Spam Act

Questions?

Shaun Brown

Law Office of Kris Klein

Matthew Vernhout, CIPP/C

Thindata 1:1

[email protected] [email protected]

Twitter: @emailkamra