Privacy law and anti-spam: Guidance from the Office of the Privacy Commissioner of Canada

Recent enforcement under Canada’s anti-spam legislation (CASL) by the Canadian Radio-Television and Telecommunications Commission (CRTC) is keeping the spotlight on this new legislation, which came into force just last year. While the CRTC is responsible for the bulk of enforcement under CASL, organizations should remember that CASL also brought in changes to Canada’s federal privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to the collection, use and disclosure of personal information (including individuals’ email addresses).

The federal Office of the Privacy Commissioner of Canada (OPC) is responsible for investigating violations related to the new provisions under PIPEDA that target the practice of address harvesting. Address harvesting generally involves collecting electronic addresses through the use of a computer program, such as through web scraping, spyware, or automatic generation.

The OPC recently issued a guide and tip sheet for organizations on practical steps to take to avoid contravening the PIPEDA requirements, including:

1. Obtain consent: Organizations must ensure that individuals are informed clearly and accurately at the point of collection about how their email addresses will be used. Just because an email address is posted online, it cannot be assumed that the individuals at the addresses posted have provided consent to receive email marketing. It is also useful to remember that there is no exception for address harvesting of business email addresses; PIPEDA’s definition of personal information includes business addresses.

2. Due Diligence with Service Providers: If an organization buys a list of email addresses from a vendor or employs service providers to conduct email marketing on their behalf, they should take due diligence steps by asking key questions, such as:

  • How was consent obtained? Appropriate consent at the time of collection must be obtained to use email addresses. Ensure that email marketing service providers utilize a clear consent process. If buying or using a list from a list vendor, were the email addresses collected through web scraping or automatic generation?
  • How is the email address list kept up to date? Unless otherwise permitted under the law, individuals should be permitted to withdraw consent to the use of their personal information at any time, such as by unsubscribing from an email list, and this functionality should be made available. Organizations that use a purchased list of email addresses should ensure that any unsubscribe requests will be communicated to them so that the email can be removed from the list that they use.

3. Maintain written records: An organization should document all email marketing compliance measures, including due diligence steps taken when contracting with a list vendor or email marketing company. Ensure that the service agreements with these organizations expressly require compliance with CASL and applicable privacy laws.

Conclusion

Organizations are responsible for ensuring that all individuals who receive email marketing from them have provided appropriate consent for the collection and use of their address for marketing. The OPC will review reports to the Spam Reporting Centre to identify email harvesters and spyware collecting personal information without consent. Organizations should take steps to comply with PIPEDA to avoid being caught by an OPC investigation, which could lead to being named in the OPC’s reports of its findings and recommendations.

Copyright v. Privacy: Voltage Pictures LLC v. John Doe and Jane Doe

The recent Federal Court of Canada decision in Voltage Pictures LLC v. John Doe and Jane Doe (2014 FC 161) has already received considerable attention for its approach to deterring so-called “copyright trolls”: plaintiffs with “improper motives” who file multitudes of infringement lawsuits to extort quick settlements.  While less headline-worthy, the decision is also important for its practical approach to weighing copyright against privacy rights.  The central question was: are individuals who are suspected of engaging in illegal P2P downloading entitled to expect that their ISP will shield their identity from the copyright owner?

In the result, the Court ordered Ontario-based ISP TekSavvy to disclose the names and addresses of some 2,000 subscribers suspected of unauthorized copying and sharing of Voltage’s movies, including The Hurt Locker.  To arrive at this result, the Court had to balance two competing rights that are sometimes considered to be “proprietary” by those who assert them:  copyright and privacy.

The Court’s legal balancing act engaged provisions of the Copyright Act and the Personal Information Protection and Electronic Documents Act (PIPEDA).  On the copyright side, the provisions at issue were sections 35 and 38, which the Court characterized as “a complete code for the recovery of damages for copyright infringement”.  Under the 2012 amendments to the Copyright Act, statutory damages for infringement range from $100 to $5000.  On the privacy side, the Court considered subsection 7(3) of PIPEDA, which (among other things) permits an organization to disclose personal information without knowledge or consent where the disclosure is required to comply with a court order or otherwise required by law.

The Court addressed the issues in two parts.  First, it determined that the plaintiff Voltage had established a bona fide claim, and that enforcement of its rights as a copyright holder outweighed the privacy interests of the subscribers.  Second, the Court considered how to ensure that privacy rights would be “invaded” as little as possible in the circumstances.  To do this, the Court considered case law in the United Kingdom and the United States.  One of the Court’s observations was that

[w]ith respect to privacy concerns, the cases in both jurisdictions suggest that such issues are of secondary importance as the law generally does not shield wrongdoing for reasons of privacy.

The Court concluded that it should give consideration to principles gleaned from Canadian cases, notably, the P2P file-sharing case BMG Canada Inc. v. Doe (2005 FCA 193), as well as cases from the U.S. and UK:

to weigh and balance the privacy rights of potentially innocent users of the internet versus the right of copyright holders to enforce their rights.  The Court ought to balance these rights in assessing the remedy to be granted.

Having determined that an order would be made to obtain subscriber contact information, the Court “built in” important qualifications “to protect or minimize the invasion of the privacy interests of internet users”.  Therefore, the order provides that:

  • disclosure is limited to the names and addresses associated with IP numbers (and not telephone numbers or email addresses);
  • the released information will remain confidential and may be used only in connection with the claims in the present action; and
  • the plaintiff may not disclose any of the information obtained to the general public by making or issuing a media statement.

For an interesting counterpoint on the balance between disclosure and privacy for ISP subscribers, see also our earlier post, The Fake Facebook Profile and the Veiled Victim.

Canadian Advertisers Self-Regulate Online Behavioural Advertising

Call to Action on OBA

The Office of the Privacy Commissioner (OPC) is aware of the challenges associated with balancing privacy in the online advertising environment, and wants the ad industry to step up.  On the day Privacy Commissioner of Canada Jennifer Stoddart announced the publication of a new set of guidelines on Privacy and Online Behavioural Advertising in late 2011, she said that:

[t]o best address these complexities, all stakeholders in the advertising community, including website operators and browser developers, have a role to play to ensure that the issues of transparency and meaningful consent are addressed.

The following year, the OPC followed up with more specific expectations in its Policy Position on Online Behavioural Advertising.

Industry Response: Self-Regulation

Led by the Digital Advertising Alliance of Canada (DAAC), the advertising industry has responded with the Canadian Self-Regulatory Program for Online Behavioural Advertising, with a website geared to consumers and companies alike at http://youradchoices.ca/.  The Program is not quite “made-in-Canada”, nor should it be, considering the need to integrate data governance solutions across borders.  It is based on the U.S. Digital Advertising Alliance (DAA) OBA Ad Choices program and principles.  It also shares some common principles and approaches with the European Advertising Standards Alliance (EASA) OBA Framework.  For consistency and broad consumer recognition, the “Ad Choices” programs in participating countries use the identifying icon consisting of a lower case letter “i” within a blue triangle.

The DAAC Program has been tailored to meet the requirements of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), as well as the OPC guidelines.  The non-profit industry body Advertising Standards Canada (ASC) will be responsible for monitoring compliance, dealing with complaints, initiating investigations, and publishing reports.  The OPC will no doubt be watching closely – particularly as the program takes its first steps in Canada – to come to its own conclusions on whether industry self-regulation is meeting its expectations under PIPEDA and its OBA guidelines.  However, once the Program has matured and proved itself, there is precedent for a regulator to stand down and consider the self-regulatory body to be at least the “first resort” for complaints in the area.  The Canadian Radio-television and Telecommunications Commission (CRTC) generally takes this position with the ASC’s review of advertising standards.

The Canadian Self-Regulatory Program for Online Behavioural Advertising incorporates the following principles:

  1. Education [both individuals and businesses]
  2. Transparency [clear, meaningful, prominent notice to consumers]
  3. Consumer Control [the ability to exercise choice with respect to the collection, use and disclosure of data for OBA purposes]
  4. Data Security [safeguards, data retention, and treatment of OBA data]
  5. Sensitive Data  [children and sensitive personal information]
  6. Accountability [accountability program is managed and operated by the ASC in accordance with its Online Behavioural Advertising Compliance Procedure]

Self-regulation does not, however, cover the whole OBA territory.  Certain types of activities are expressly excluded from the Program, such as “online advertising of entities within a web site they own or control” and “contextual advertising”, including ads based on the content of a web page being visited, a consumer’s current visit to a web page, and a search query.

While legal compliance may have been the main driver for the implementation of the new Program, the DAAC also points to the benefits for consumers:

As an online consumer, you can find out more about online behavioural advertising and how it helps provide you with more relevant ads on the websites that you visit. You’ll learn how online behavioural advertising supports the content, products and services that you use on the web, what online ad choices you have, and how to use browser controls to enhance your privacy.

In short, while the Office of the Privacy Commissioner has noted that some consumers find OBA “creepy”, the DAAC and its member associations know that many consumers don’t mind OBA as long as it’s transparent:  they don’t want to see irrelevant ads, and they’re OK with the idea of the right ads “finding them”.

It’s early days for the DAAC Program.  As it rolls out and expands, Canadians will become increasingly familiar with the Ad Choices icon appearing on web pages.  Advertisers – and the OPC – have a lot at stake in that little blue icon.

Anti-Spam Update – Proposed New Exemptions on the Way

Today the Canadian Bar Association held an update session for members on Canada’s Anti-Spam Legislation (“CASL”).  An oral presentation was provided by Andy Kaplan-Myrth, a Policy Advisor in the Digital Policy Branch at Industry Canada and a member of the team that developed and is implementing CASL.

Here’s what we heard from the discussion.  [Please note that information and comments provided by Mr. Kaplan-Myrth and other participants are intermingled with my own below.  The following is not intended as a verbatim report on the presentation.]

  • Industry Canada is targeting the release of further draft regulations for comment by the summer; however the ultimate timing depends in part on internal government processes including Treasury Board approval;
  • The regulations will reflect some concerns heard during and since last year’s comment process on the last draft regulations.  As we noted in past posts, many industry stakeholders believed that the earlier draft regulations did not go far enough to clarify obligations and provide needed exemptions;
  • Industry Canada is focusing on exempting activities that clearly do not constitute “spam”, where a line can clearly be drawn to define permitted activities and exclude others;
  • Industry Canada welcomes comments on the regulations, and beyond that process, is also seeking input from stakeholders on what areas of CASL and definitions should be clarified in information bulletins;

More substantive questions discussed:

Q:  Does it make sense for the “form and content” (i.e. contact information and unsubscribe) requirements to apply to messages: sent within businesses, to their employees?  sent B2B, such as banking transactions?  that must be sent by law?  that are responses to an inquiry?

A: In some cases…not really.  The forthcoming draft regulations may address these.

Q:  How do you set up third-party referrals under CASL?

A: Referral marketing can be done with appropriate consent, but don’t forget that consent must meet both CASL and PIPEDA requirements.

If it’s a “refer a friend” scenario, and the person is truly a friend or family under the law, then CASL will not apply.  (As some have suggested, CASL will legally define for us who our true friends are.)  Under regulations to come, the definition of a “friend” may be broadened to include virtual friends met online.

Q:  What’s required to get express consent, and document it?

A:  Oral consent, and even a check-box is acceptable (perhaps even pre-checked, if the request for consent is clearly conveyed).  Australia has provided some practical guidance for business under its Spam Act 2003 on obtaining consent, and a range of other topics.  Although Canada’s legislation is different from Australia’s, the CRTC may provide similar forms of guidance on practices to obtain consent and related issues.  As mentioned above, both Industry Canada and the CRTC are interested to hear from stakeholders on where guidance is most needed.

As for documenting consent:  this will be up to clear internal policies and practices.  These are intentionally not spelled out anywhere, to give organizations the latitude to find what works for them…while meeting the CASL requirements.

Q:  Can organizations rely on PIPEDA consents under CASL?

Remember that CASL “overrides” PIPEDA, to the extent of any conflict (s. 2 of CASL).  And that CASL expressly requires a high standard of consent to send commercial electronic messages.  Therefore organizations can’t rely on “grandfathering” PIPEDA consents under CASL, broadly speaking.

If however, existing PIPEDA consent also meets the CASL requirements for implied consent – for example an “existing business or non-business relationship” – then that is sufficient.  Many organizations can and will rely on implied consents to send many of their CEMs during the transition years, the first three years after CASL enters into force (see s. 66 of CASL).

What’s Next?

Although CASL won’t enter into force until 2013, there is a significant amount of preparation going on this year, as noted above, and here.

We have also heard reports that many organizations outside of Canada have not even heard of CASL, so clearly more needs to be done to raise awareness.  For those organizations that are familiar with the U.S. CAN-SPAM Act requirements, our comparison of CASL to CAN-SPAM may assist.
