
Private Right of Action under CASL coming July 2017

Canada’s Anti-Spam Law came into force on July 1, 2014.  Since then, all eyes have been on the Canadian Radio-television and Telecommunications Commission (CRTC) for decisions concerning CASL violations.  In the cases made public to date, monetary penalties or settlement payments have ranged from $48,000 to $1.1 million.  Canadian and foreign companies have learned some things in the past two years about how CASL applies to their business, and many have taken steps to put in place policies and procedures to avoid violations.

Whatever steps you have taken to date, 2017 will be the time to revisit CASL compliance

On July 1, 2017, the private right of action (PRA) comes into force under CASL.  An individual or organization that is affected by a contravention may litigate to enforce the new private rights directly.  While CASL does not expressly provide for class actions, it is broadly expected that such actions will be launched to permit large numbers of applicants (for example, the recipients of alleged spam) to pursue compensation as a group.

Where the court finds a violation, it may order not only compensation for the applicant’s damages, but also monetary payments up to the following amounts:

  • for sending commercial electronic messages contrary to CASL – $200 per contravention, to a maximum of $1 million for each day that the conduct occurred
  • for altering the transmission data of a commercial electronic message – a maximum of $1 million for each day that the conduct occurred
  • for installing apps or other computer programs contrary to CASL – a maximum of $1 million for each day that the conduct occurred
  • for scraping, generating or otherwise accessing electronic addresses contrary to PIPEDA – a maximum of $1 million for each day that the conduct occurred
  • for sending commercial electronic messages with false or misleading information, including sender, locator or subject matter information, contrary to the Competition Act – $200 per contravention, to a maximum of $1 million for each day that the conduct occurred

When the court sets the amount to be paid, it must consider the purpose of the payment order – which “is to promote compliance…and not to punish”, the nature and scope of the violation, the history of compliance, any financial benefit or compensation from the conduct, ability to pay, and “any other relevant factor”.

CASL also provides for extended liability.  Directors, officers, agents or mandataries of a corporation may be liable if they directed, authorized, assented to or participated in the contravention.  Where an employee’s conduct in the course of his or her employment breaches CASL, the employer may be vicariously liable.

Revisiting CASL

CASL provides that where a person establishes that they exercised due diligence to prevent a violation, they cannot be found to have contravened CASL.  Despite this provision, a number of well-meaning businesses have been found offside CASL’s provisions, have made significant penalty or settlement payments, and in some cases have received negative media coverage for their failure to meet CASL requirements.

In July 2017, the risk exposure will increase.  Now is the time to revisit your CASL compliance.

  1. Discuss with your Board and Senior Management team why you need to revisit CASL in 2017.
  2. Make sure that you have a CASL Compliance Policy and Procedure that covers your operations, and that is easy for employees to understand and use.
  3. Ensure that existing and new employees have access to – and receive appropriate training in – the Policy and Procedure.
  4. Conduct an audit under the Compliance Policy and Procedure, including how consent is obtained and documented; whether unsubscribe requests are fulfilled quickly; whether CASL-compliant message templates are consistently used; how complaints are addressed (etc.).
  5. Consider whether you need to check in with service providers (to send messages or install apps or other computer programs) about their CASL compliance.
  6. Consider whether service provider contracts include the appropriate clauses to address CASL compliance, liability, and indemnification.

See also:

Lessons Learned: E-Learning Company Faces $50K Spam Fine

CRTC Enforcement Advisory – Records to Show Consent

Privacy Law and Anti-Spam – Guidance from the Office of the Privacy Commissioner

Canada’s Anti-Spam Law: Not just for Canadians

CASL Applies to Software January 15 2015

New CASL Compliance and Enforcement Guidelines


New York Proposes First-in-the-Nation Cybersecurity Regulation for Financial Institutions

On September 13, 2016, the New York Department of Financial Services proposed a new rule that would require banks, insurance companies and other financial institutions regulated by the Department to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety of New York’s financial services industry.  The proposed regulation is subject to a 45-day notice and public comment period following its September 28, 2016 publication in the New York State Register, before final issuance.

Under the proposed rule, regulated financial institutions would be required to:

  • Establish a cybersecurity program;
  • Adopt a written cybersecurity policy;
  • Designate a Chief Information Security Officer responsible for implementing and overseeing the new cybersecurity program and policy; and
  • Have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to third-parties.

Establishment of a Cybersecurity Program

According to the proposed rule, regulated financial institutions will need to establish a “cybersecurity program designed to ensure the confidentiality, integrity and availability of information systems that performs five core cybersecurity functions:”

  • Identification of cyber risks.
  • Implementation of policies and procedures to protect against unauthorized access, use or other malicious acts.
  • Detection of cybersecurity events.
  • Responsiveness to identified cybersecurity events to mitigate any negative effects.
  • Recovery from cybersecurity events and restoration of normal operations and services.

Additional requirements for each “cybersecurity program” include:

  • Annual penetration testing and vulnerability assessments.
  • Implementation and maintenance of an audit trail system to reconstruct transactions and log access privileges.
  • Limitations and periodic reviews of access privileges.
  • Written application security procedures, guidelines and standards that are reviewed and updated by the CISO at least annually.
  • Annual risk assessment of the confidentiality, integrity, and availability of information systems; adequacy of controls; and how identified risks will be mitigated or accepted.
  • Employment and training of cybersecurity personnel to stay abreast of changing threats and countermeasures.
  • Multi-factor authentication for individuals with privileged access to internal systems, and to support functions including remote access.
  • Timely destruction of nonpublic information that is no longer necessary except where required to be retained by law or regulation.
  • Monitoring of authorized users and cybersecurity awareness training for all personnel.
  • Encryption of all nonpublic information held or transmitted.
  • Written incident response plan to respond to, and recover from, any cybersecurity event.

Adoption of a Cybersecurity Policy

The new rule would require regulated financial institutions to adopt a written cybersecurity policy, setting forth “policies and procedures for the protection of their information systems and nonpublic information that addresses, at a minimum, the following:”

  • Information security.
  • Data governance and classification.
  • Access controls and identity management.
  • Business continuity and disaster recovery planning and resources.
  • Capacity and performance planning.
  • Systems operations and availability concerns.
  • Systems and network security.
  • Systems and network monitoring.
  • Systems and application development and quality assurance.
  • Physical security and environmental controls.
  • Customer data privacy.
  • Vendor and third-party service provider management.
  • Risk assessment.
  • Incident response.

Creation of Chief Information Security Officer

The new rule would require regulated financial institutions to designate a qualified individual to serve as a CISO, responsible for “overseeing and implementing the institution’s cybersecurity program and enforcing its cybersecurity policy.”  The new rule also would require the CISO to “report to the board, at least bi-annually to:”

  • Assess the confidentiality, integrity and availability of information systems.
  • Detail exceptions to cybersecurity policies and procedures.
  • Identify cyber risks.
  • Assess the effectiveness of the cybersecurity program.
  • Propose steps to remediate any inadequacies identified.
  • Include a summary of all material cybersecurity events that affected the regulated institution during the time period addressed by the report.

Third Party Protections

The new rule also would require regulated financial institutions to have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third-parties, including the following:

  • Identification and risk assessment of third-parties with access to such information systems or such nonpublic information.
  • Minimum cybersecurity practices required to be met by such third-parties.
  • Due diligence processes used to evaluate the adequacy of cybersecurity practices of such third-parties.
  • Periodic assessment, at least annually, of third-parties and the continued adequacy of their cybersecurity practices.

A draft of the proposed rule is here.


The Connected Retail Store

In the battle for consumer engagement, brick-and-mortar retailers and shopping centres are investing in new technologies to gather data on their customers and offer new shopping centre experiences. According to the Toronto Star, retailers are finding that millennials have a different approach to luxury than previous generations. No surprise: it is a more social and experiential understanding of luxury. Retailers are not stopping with social listening. Recent articles in the National Post and on the CBC describe technologies, such as those offered by Eyeris, that retailers can use to analyze and track emotions and engagement levels using in-store cameras. Another technology, offered by Stefanka, allows for 3D body scans to assist salespersons in finding apparel that will fit the customer’s body.

Dentons, with special guests from Deloitte, will be tackling the legal issues pertinent to a successful Connected Retail Store in a half-day program to be held in Toronto on April 14, 2016. Dentons and Deloitte will address:

  • Omnichannel marketing issues and trends
  • Bringing eyeballs to the screens and feet to the stores
  • Privacy issues in tracking shoppers in stores
  • Negotiating percentage rent when dealing with online sales
  • Supply chain challenges and cross-border fulfillment

Learn more at http://www.dentons.com/en/whats-different-about-dentons/connecting-you-to-talented-lawyers-around-the-globe/events/2016/april/14/the-connected-retail-store


The TPP Agreement and Privacy

The Trans-Pacific Partnership Agreement (the “TPP Agreement”) is a regional trade and investment agreement negotiated by 12 Pacific Rim countries representing 40 percent of the global economy. Canada, the United States, Mexico, Japan, Malaysia, Vietnam and Australia are among the signatories. The TPP Agreement, which has 30 Chapters, ushers in a comprehensive program of tariff reduction for goods and services and establishes binding rules in a wide range of subject areas, including financial services, cross-border trade in services, investment, competition policy, intellectual property, telecommunications and electronic commerce. The TPP Agreement also touches on a number of privacy-related issues, including the cross-border flow of information, spam and encryption technology.

Cross-Border Flow of Information

The free flow of information across borders is important for international commerce and the trade in services, particularly information technology services. However, a number of countries regulate the export of data to other jurisdictions and/or require that service providers use local data servers, equipment and infrastructure as a condition of doing business. This has raised concerns that restrictions on cross-border information flows and data localization requirements may be misused as disguised trade barriers to favour domestic service providers.

Under the TPP Agreement, each Party must allow the cross-border transfer of information by electronic means, including personal information, in the course of business activities. In addition, no Party can require a service provider to use or locate computing facilities in its territory as a condition for conducting business in the territory. Exceptions are permitted in order to achieve a legitimate public policy objective, provided that the measure adopted is proportional to the objective and the measure is not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade.

Unsolicited Commercial Electronic Messages

Unsolicited commercial electronic messages (CEMs) – also known as spam – can be exploited to deliver malware, spyware and other related network threats, which can undermine network security and privacy. The TPP Agreement requires each Party to adopt or maintain measures to minimize unsolicited CEMs, but provides each Party with flexibility on how to address the problem. A Party may either require organizations that send CEMs to obtain prior consent from recipients or provide recipients with the ability to prevent ongoing reception of those messages (unsubscribe mechanism).

Canada’s current anti-spam legislation (“CASL”) meets (and far exceeds) the obligations under the Agreement. CASL generally requires both opt-in consent and an unsubscribe mechanism for CEMs and sets out a myriad of disclosure and form requirements. It also implemented a strict enforcement regime.

Encryption

Encryption protects the security, confidentiality and privacy of data by converting readable data (plaintext) into unreadable data (ciphertext) through the use of a cryptographic algorithm. The use of encryption technology is a major policy issue, with technology companies adopting strong encryption for devices (full-disk encryption) and for communications on the internet (end-to-end encryption) to ensure data security and protect user privacy. National security agencies and law enforcement allege, though, that the use of encryption undermines their ability to investigate criminals and terrorists, and are consequently pressuring technology companies (and lawmakers) to provide access to decrypted data (“backdoors”).

The TPP Agreement wades into this debate to ensure that encryption policies are not obstacles to trade, particularly with respect to Information and Communication Technology (ICT) products. Under the Agreement, a Party is not permitted to require a manufacturer or supplier of a commercial product that uses encryption to transfer a decryption key to the Party or integrate a particular encryption in the product as a condition for conducting business in the territory.

However, there are a number of important exceptions to this rule. First, the section does not apply to products used by a government entity. Second, the section does not preclude law enforcement authorities from requesting unencrypted communications pursuant to lawful authority (e.g., a court order).  Third, the section does not apply to investigations by financial market regulators. Finally, the section is subject to the Security Exception in Chapter 29 of the TPP Agreement, which permits a Party to apply any measure that it considers necessary to maintain or restore international peace and security, including the protection of its own essential security interests.

The TPP Agreement demonstrates that with the growth in digital trade and electronic commerce, international trade and investment agreements will increasingly address privacy-related issues.

For more information on the TPP Agreement or any of the subjects covered in this note, please contact a member of our team.


Online Advertisers Take Notice – Recent Canadian Decisions

The Office of the Privacy Commissioner (OPC) has released two important decisions on online behavioural advertising (OBA or interest-based advertising) so far this year.

On March 25, 2015, the OPC released its Report of Findings regarding an investigation into Ganz’s interactive website for children. On April 7, 2015, the OPC released its Report of Findings regarding Bell Canada’s relevant advertising program. Some might argue that this is a misplaced priority given that the OPC has yet to make a convincing case of harm, but it is clearly one that has captured the attention of the OPC. At least in the case of Bell Canada’s relevant advertising program, the OPC may not have the last word. A class action has been commenced, and other aspects of the issue are before the Canadian Radio-television and Telecommunications Commission (CRTC).

Background on the Cases

In the Ganz Report of Findings, one of the issues was whether Ganz’s website for its Webkinz toy pets was allowing third-party advertisers to track and profile children using the website for the purposes of serving targeted advertising to children. Ultimately, it appears that the OPC was satisfied that children were not tracked for the purpose of conducting interest-based advertising. However, the OPC concluded that Ganz had not conducted sufficient due diligence with respect to the third parties that were permitted on its site as a result of its advertising program.

In the Bell Canada Report of Findings, the most contentious issues were whether Bell’s use of network usage information and account/demographic information to support sales of advertising to its customers was an appropriate use of personal information and whether express opt-in consent was required for that use. Ultimately, the OPC concluded that the use of the information for advertising programs was an appropriate purpose but concluded that express opt-in consent was required because of the potential sensitivity of the browsing behaviour being used by Bell and the OPC’s view that the reasonable expectations of consumers would be that their telecommunications service provider would seek such consent before making use of that information.

Key Points for Online Advertisers

1. Organizations must monitor and conduct due diligence regarding tracking technology on their sites.

To demonstrate accountability, organizations must ensure that they monitor tracking technology on their site. They must conduct due diligence on the third parties and ensure that third parties do not use personal information collected through cookies and other technologies contrary to the purposes identified to the users of those sites. The OPC expects to see contractual provisions or other means to prevent misuse by third-parties involved in interest-based advertising.

2. Interest-based advertising can be an appropriate use of personal information.

The OPC has now stated clearly in the Bell Report of Findings that it accepts that the objective of maximizing advertising revenue and improving a customer’s online experience through targeted advertising can be a legitimate business objective. In general the use of personal information for that purpose is not inappropriate.

3. But use of credit information for interest-based advertising is likely not appropriate.

The use of credit scores whether on an individual basis or an aggregate basis is not appropriate for targeted advertising. The use of this information may not be permitted by consumer reporting legislation for this purpose. The OPC recommended, and Bell agreed, to discontinue the use of that information.

4. Children remain a concern.

In the Ganz Report of Findings, the OPC continues to take the position that websites that are targeted at children should not permit tracking technologies for online behavioural advertising purposes. The OPC’s position is that young children are incapable of consenting.

5. Opt-Out consent must be meaningful – no rainy day retention.

If a customer opts out of Bell’s interest-based advertising program, the information must be deleted and not further collected. Bell had proposed to continue to collect the information but not use it unless the customer opted-back in. The OPC recommended against this since opt-out must mean opt-out.

6. Opt-Out consent is not a universal rule.

Previously, the OPC said in its online behavioural advertising guidance that opt-out consent would be appropriate for online behavioural advertising if the information used was not sensitive and there was an effective opt-out mechanism. However, in the Bell Report of Findings, the OPC confirmed that opt-in consent may be required if the scope of the information being collected is very broad and the reasonable expectations of the consumer would be to expect opt-in consent.

7. Broad collection creates sensitivity.

In the OPC’s view, the scope of collection could result in the information being collected being sensitive. The OPC believed that Bell could track virtually all of its customers’ online activities and, therefore, this information was, in the aggregate, sensitive.

8. The reasonable expectations of consumers are relevant to whether opt-in consent is required.

The OPC has reintroduced its primary/secondary purposes analysis through the guise of a reasonable expectations analysis. In the Bell Report of Findings, the OPC just couldn’t get past the fact that Bell is paid for Internet services. Unlike a free service, such as Facebook, Bell charged for its services.  As a result, the OPC viewed Bell as making a secondary use of personal information and commodifying customer information for purposes other than the delivery of telecommunications services.

9. Time-limited retention won’t eliminate sensitivity.

Even though Bell only kept 90 days’ worth of behavioural information, the information was, in the OPC’s view, still sensitive in the aggregate.

Conclusion

The OPC’s decision on Bell’s program is unlikely to be the final word. There are deeply problematic aspects of the decision. For reasons that go beyond the scope of this blog post but will be published separately, it is arguable that the requirement for opt-in consent is seriously flawed.

In the meantime, however, organizations in the interest-based advertising ecosystem should sit up and take notice.
