1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

Privacy law and anti-spam: Guidance from the Office of the Privacy Commissioner of Canada

Recent enforcement under Canada’s anti-spam legislation (CASL) by the Canadian Radio-Television and Telecommunications Commission (CRTC) is keeping the spotlight on this new legislation, which came into force just last year. While the CRTC is responsible for the bulk of enforcement under CASL, organizations should remember that CASL also brought in changes to Canada’s federal privacy law,  the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to the collection, use and disclosure of personal information (including individuals’ email addresses).

The federal Office of the Privacy Commissioner of Canada (OPC) is responsible for investigating violations related to the new provisions under PIPEDA that target the practice of address harvesting. Address harvesting generally involves collecting electronic addresses through the use of a computer program, such as through web scraping, spyware, or automatic generation.

The OPC recently issued a guide and tip sheet for organizations on pratical steps to take to avoid contravening the PIPEDA requirements, including:

1. Obtain consent: Organizations must ensure that individuals are informed clearly and accurately at the point of collection about how their email addresses will be used. Just because an email address is posted online, it cannot be assumed that the individuals at the addresses posted have provided consent to receive email marketing. It is also useful to remember that there is no exception for address harvesting of business email addresses; PIPEDA’s definition of personal information includes business addresses.

2. Due Diligence with Service Providers: If an organization buys a list of email addresses from a vendor or employs service providers to conduct email marketing on their behalf, they should take due diligence steps by asking key questions, such as:

  • How was consent obtained? Appropriate consent at the time of collection must be obtained to use email addresses. Ensure that email marketing service providers utilize a clear consent process. If buying or using a list from a list vendor, were the email addresses collected through web scraping or automatic generation?
  • How is the email address list kept up to date? Unless otherwise permitted under the law, individuals should be permitted to withdraw consent to the use of their personal information at any time, such as by unsubscribing from an email list, and this functionality should be made available. Organizations that use a purchased list of email addresses should ensure that any unsubscribe requests will be communicated to them so that the email can be removed from the list that they use.

3. Maintain written records: An organization should document all email marketing compliance measures, including due diligence steps taken when contracting with a list vendor or email marketing company. Ensure that the service agreements with these organizations expressly require compliance with CASL and applicable privacy laws.

Conclusion

Organizations are responsible for ensuring that all individuals that receive email marketing from them have provided appropriate consent for the collection and use of their address for marketing . The OPC will review reports to the Spam Reporting Centre to identify email harvesters and spyware collecting personal information without consent. Organizations should take steps to comply with PIPEDA to avoid being caught by an OPC investigation, which could lead to being named in the OPC’s reports of its findings and recommendations.

, , ,

Privacy law and anti-spam: Guidance from the Office of the Privacy Commissioner of Canada

Canada’s Anti-Spam Law (CASL) applies to Software January 15

Earlier this year we told you that Canada’s Anti-Spam Law (CASL) is not just for Canadians.

CASL is also not just about spam.  Effective January 15, 2015, CASL applies to the installation of “computer programs” – software, apps and other programs – on the computer or device of another person.  This affects software vendors, app developers, gaming and entertainment companies, and others that are in the business of providing software to businesses and individuals in Canada.

Like CASL’s spam provisions:

  • the software provisions apply where a Canadian is the recipient – in this case, the recipient of the software, app, or other program;
  • the regime is based on “express consent”, as defined by the legislation; and
  • significant administrative monetary penalties (maximum $10 million) can be levied for non-compliance.

Our overview presentation walks through CASL’s application to computer programs.

Other resources published by the Canadian Radio-television and Telecommunications Commission (CRTC):

, , , , , , ,

Canada’s Anti-Spam Law (CASL) applies to Software January 15

Canada’s Anti-Spam Law – not just for Canadians

Canada’s Anti-Spam Law (CASL) enters into force on Canada Day, July 1. It was passed in 2010 as a “made-in-Canada” solution to “drive spammers out of Canada“.

Are you outside Canada? It’s important to know that this law reaches beyond Canada’s borders. CASL is already affecting businesses in the United States, Europe and elsewhere as they change their communications practices to send emails and other “commercial electronic messages” into Canada.

As we described in our presentation Comparing CASL to CAN-SPAM, the new law applies to messages that are accessed by a computer system in Canada. That means that messages sent by a person, business or organization outside of Canada, to a person in Canada, are subject to the law.

CASL expressly provides for sharing information among the Government of Canada, the Canadian CASL enforcement agencies, and “the government of a foreign state” or international organization, for the purposes of administering CASL’s anti-spam (and other) provisions. The MOU among the Canadian CASL enforcement agencies (see also our earlier post) similarly references processes to share and disseminate information received from and provided to their foreign counterpart agencies.

In a speech yesterday, the Chair of the Canadian Radio-television and Telecommunications Commission, Jean-Pierre Blais, emphasized the CRTC’s cooperation with its international counterparts to combat unlawful telemarketers, hackers and spammers that “often operate outside our borders“. The Chairman specifically named “the Federal Trade Commission in the U.S., the Office of Communication (OFCOM) in the U.K., the Authority for Consumers and Markets in the Netherlands, the Australian Communications and Media Authority and others”, and noted that the CRTC has led or participated in many international networks on unlawful telecommunications.

Companies should also take note that a violation of CASL might also result in the CRTC exercising its so-called “name and shame” power, by posting the name of the offender and the violation on its online compliance and enforcement list. The CRTC has for years published notices of violation with respect to its “Do Not Call List”, and is expected to take a similar approach for CASL notices of violation as well.

Companies that are working on their CASL compliance programs should take note of the CRTC’s recently published Anti-Spam Compliance and Enforcement Guidelines. A very helpful summary by Tim Banks, with a link to the Guidelines, is available here.

,

Canada’s Anti-Spam Law – not just for Canadians

How Canada’s Anti-Spam Enforcers will Cooperate, Coordinate, Share Information

Canada’s Anti-Spam Legislation (CASL) brings with it new legal violations and penalties, some of which become effective as of July 1, 2014.   The Canadian Radio-television and Telecommunications Commission (CRTC), the Competition Bureau and the Office of the Privacy Commissioner of Canada will have new enforcement roles with respect to these violations and penalties, in the following areas:

CRTC: spamming, traffic rerouting (altering transmission data without authorization);  malware (installation of “computer programs” without consent)

Competition Bureau: fraud (false and misleading representations online, e.g. websites and addresses)

Office of the Privacy Commissioner: harvesting (using computer system to collect addresses without consent); invasion of privacy (unauthorized access to computer system to collect personal information without consent).

On January 23, 2014, the Competition Bureau announced that it had entered into a memorandum of understanding (MOU) with the Office of the Privacy Commissioner of Canada and the CRTC the regarding the implementation of their mandates under CASL.  The MOU is dated October 22, 2013.

Nature of the MOU

The MOU fleshes out the already detailed CASL provisions on “consultation and disclosure of information” among the agencies, and with foreign states.  The provisions of CASL itself, and the requirements of the MOU, suggest that all concerned are aware that coordination will not be an easy task.  For example, CASL requires the agencies to provide the Minister of Industry with “any reports that he or she requests” on how they are co-ordinating efforts on their mandated areas.  The MOU requires agency officials to meet “at least quarterly” to discuss enforcement activities and any other matters “of mutual interest” relating to CASL.

While the MOU is not intended to be legally binding or enforceable by the courts, it does represent these three agencies’ agreement on how they intend to co-ordinate their responsibilities.  Among other things, that will affect how each agency’s staff will approach their enforcement activities on the ground.

Notification

Each agency will notify the others with respect to enforcement activities – including the conduct under investigation and CASL provisions at issue – that “may potentially affect” the others’ interests under CASL.

Enforcement Cooperation, Coordination and Information Sharing

The agencies will consult with each other, and may share information related to their enforcement activities.  Where those activities potentially overlap, they will “seek to coordinate their efforts”, whether jointly or alongside one another.  The agencies will also coordinate involvement in information requests and arrangements with foreign agencies.  Once the Private Right of Action (PRA) becomes effective as of July 1, 2017, when an agency is informed of a PRA initiated by a third party, that agency will notify the others.

Criminal Law Enforcement by the Commissioner of Competition

The Commissioner of Competition has authority under CASL to pursue enforcement activities under CASL’s criminal provisions.  Under the MOU, the Commissioner is to notify the other agencies where a decision has been made on that front.  That will in turn halt any cooperation and information sharing among the agencies on that enforcement activity.

Competing interests and Confidentiality

The MOU is not intended to override an agency’s obligations under existing laws, including the Access to Information Act.  This extends to sharing information.  Agencies will make “best efforts to share what information they can, consistent with their interests and legal obligations”.  The agencies commit to maintaining confidentiality of information received from another agency “to the fullest extent allowed by law”, and will use that information only for enforcement activities under the MOU – unless the agency that provided the information agrees to the use of the information for other purposes.

Conclusion

The MOU is another indication, in a long line of communications, guidelines, and statements, that the implementation process for CASL will be very new territory, not only for stakeholders, but for the enforcement agencies themselves.

, ,

How Canada’s Anti-Spam Enforcers will Cooperate, Coordinate, Share Information

A road-map to sending “commercial electronic messages” under CASL

Let’s take stock of the information currently available on Canada’s Anti-Spam Legislation (CASL).  First, there is the Act itself.  Next, there are:

If you still have questions about the circumstances in which you can send a CEM (commercial electronic message) under CASL, you are not alone. 

The following one-page overview is intended as a guide to the various scenarios contemplated under CASL.  As an “at a glance” reference, it is not intended as legal advice, and is not a substitute for consulting CASL and the various regulations and bulletins noted above.  It should, however, serve as a high level road-map through the maze.

CASL Overview Image

, , , ,

A road-map to sending “commercial electronic messages” under CASL