
Spam Smart Tip: Who’s Your Family?

Sometimes legislative or regulatory definitions create ambiguity rather than clarity. The definition of “family relationship” in the draft Industry Canada regulations regarding Canada’s Anti-Spam Legislation (CASL) is a case in point.

CASL is not yet in force. When it comes into force (no date set yet as of the date of this post), CASL will provide exemptions for a commercial electronic message (CEM) sent to a recipient with whom the sender has a “family relationship”. CASL typically requires express opt-in consent to CEMs and requires CEMs to contain prescribed information, including an unsubscribe mechanism. Those requirements won’t apply to CEMs to “family relationship” recipients.

What constitutes a “family relationship” for the purposes of CASL has been left to Industry Canada. The draft regulations did not disappoint for complexity, adopting, in part, definitions from Canada’s Income Tax Act. Does the complexity deprive the exemption of utility? Possibly. Take the question of whether your sister’s boyfriend will be able to send you his monthly business newsletter (without first getting your consent). If he wants to use the family relationship exemption, its availability seems to depend on where your sister and her boyfriend live in Canada, whether they are in a conjugal relationship, and how long they have lived together in that conjugal relationship! Or, in some cases, it might be relevant whether they have a child.

The draft Industry Canada regulations released in December 2012 contained the following definition:

“family relationship” means the relationship between individuals who are connected by

(i) a blood relationship, if one individual is the child or other descendant of the other individual, the parent or grandparent of the other individual, the brother or sister of the other individual or is of collateral descent from the other individual’s grandparent,

(ii) marriage, if one individual is married to the other individual or to an individual connected by a blood relationship to that other individual,

(iii) a common-law partnership, if one individual is in a common-law partnership with the other individual or with an individual who is connected by a blood relationship to that other individual, or

(iv) adoption, if one individual has been adopted, either legally or in fact, as the child of the other individual or as the child of an individual who is connected by a blood relationship to that other individual;

So, an electronic newsletter from your sister’s boyfriend could be exempt if you and your sister’s boyfriend are in a “family relationship”. You will be in a “family relationship” with your sister’s boyfriend, according to the draft regulations, if your sister and her boyfriend are in a common law partnership, since (taking the ordinary meaning of “sister”) you would be connected by a blood relationship to your sister.

The draft regulation assumes that there is something easily identifiable as a “common law partnership” in Canada. That’s an assumption worth examining.

Typically, whether an intimate or interdependent relationship is recognized as having marriage-like qualities depends on provincial legislation. When Canada’s Parliament wishes to impose a uniform definition, it does so through a defined term. For example, subsection 248(1) of the Income Tax Act defines a “common-law partner” as two people who are cohabiting in a conjugal relationship for a continuous period of at least one year. (To make matters complicated, there is another definition involving persons who have a child.)

Provinces also define types of de facto marriage relationships for specific purposes, typically family law support obligations. However, the term “common law partnership” is not a term of legal art.

In Ontario, for example, section 29 of the Family Law Act recognizes individuals as spouses of one another for certain family support obligations if they have lived in a conjugal relationship continuously with one another for a period of not less than three years or are the natural or adoptive parents of a child and are living in a relationship of “some permanence”.

By contrast, the period of conjugal relationship in subsection 3(1) of the British Columbia Family Law Act is two years.

By further contrast, the Alberta Interdependent Relationships Act recognizes interdependent relationships of three years or more but there is no necessity for the relationship to have a conjugal element.

In yet another variation, individuals may simply register their relationship as common law under the Manitoba Vital Statistics Act.

So what definition of common law partnership will be read into CASL? Family law where the couple lives? The commonly used federal legislative definition? Something else developed by the regulators or the courts?

The sky won’t fall, of course. There is also a “personal relationship” exemption. The proposed definition for this exemption is very broad. However, it does require direct, voluntary, two-way communications and enough factors to suggest that the relationship is personal. Relevant factors include whether there are shared interests, experiences, opinions and information “evidenced in the communications, the frequency of the communication, the length of time since the parties communicated and if the parties have met in person”. So, the exemptions may not quite overlap.

Spam Smart Tip: Understand the meaning of “commercial character”

Canada’s Anti-Spam Legislation (CASL) restricts the ability of organizations to send commercial electronic messages without the consent of the recipient.

A critical step in the decision tree is, therefore, to determine what constitutes a “commercial electronic message”. Here’s the definition of a “commercial electronic message” in subsection 1(2) of CASL:

(2) For the purposes of this Act, a commercial electronic message is an electronic message that, having regard to the content of the message, the hyperlinks in the message to content on a website or other database, or the contact information contained in the message, it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity, including an electronic message that

(a) offers to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land;

(b) offers to provide a business, investment or gaming opportunity;

(c) advertises or promotes anything referred to in paragraph (a) or (b); or

(d) promotes a person, including the public image of a person, as being a person who does anything referred to in any of paragraphs (a) to (c), or who intends to do so.

When designing a compliance policy, care must be taken not to consider the items listed in (a) to (d) as being exhaustive. Instead, the critical part of the definition is the portion that is bolded – that is, “it would be reasonable to conclude [that the message] has as its purpose, or one of its purposes, to encourage participation in a commercial activity”.

“Commercial activity” is broadly, albeit ambiguously, defined in subsection 1(1). A commercial activity does not require profit-making or even a profit-making motive. It involves any transaction, act or conduct or regular course of conduct that is of a “commercial character”.

The difficulty for organizations, particularly non-profit organizations, is that determining what is of a “commercial character” is not straightforward. Indeed, this seems to be acknowledged by the need to expressly exclude such activities as law enforcement, public safety, the protection of Canada and the conduct of international affairs or the defence of Canada.

Historically, Canadian courts have interpreted “commerce” as any activity involving the exchange for money, or by barter, of products. The debate has been whether a one-off transaction would be considered commerce. CASL seems to suggest that even a one-off transaction could be commerce, given the reference to a “particular” transaction, act or conduct. In the context of CASL, any electronic message that “encourages participation” in a commercial activity will be a CEM.

If a broad scope is given to the meaning of “commercial character”, the definition may sweep in many types of messages that would not be commonly understood as such. For many organizations, branding is critical. Emails will frequently include at least some form of information that invites the reader to visit a website through a hyperlink, or that announces or promotes a product or service. Once CASL comes into force, it will be important for organizations to have strict controls over the content of electronic messages and approvals for content. Choices may need to be made between promotional “add-ons” and ensuring consent is obtained or the organization has a viable exception to consent.

Spam Smart Tip: Transition Period Balm for the Compliance Sting

Transition periods for new legislation are often critical in taking the sting out of compliance costs. But some transition periods are better than others. In the case of Canada’s Anti-Spam Legislation (CASL), organizations should consider the transition periods – not only what they cover, but also what they don’t. There are definitely winners and losers.

When CASL eventually comes into force, there will be two separate transition periods. The first is for consent to commercial electronic messages (CEMs) and the other is for the installation of computer programs. This Spam Smart Tip examines the transition period for CEMs and existing business relationships.

Section 66 provides for implied consent to CEMs for the shorter of:

  • three years after the coming into force of the legislation; or
  • the recipient’s “unsubscribe” or indication that they no longer.

An organization may rely on the transitional implied consent to CEMs if:

  • the person has an “existing business relationship”; and
  • that relationship includes CEMs

What’s an “existing business relationship”? For the purposes of the transition period, the existing business relationships that will be applicable to most enterprises are ones that arise out of:

  • the purchase or lease of a product, goods, a service, land or an interest or right in land by the person to whom the message is sent from the person who sent the message or caused the message to be sent (the “purchaser / lease exception”);
  • the acceptance by the person to whom the message is sent of a business, investment or gaming opportunity offered by the person who sent the message or caused the message to be sent (the “investment / gaming opportunity exception”);
  • a written contract entered into between the person to whom the message is sent and the person who sent the message or caused the message to be sent (and that is not already covered by the purchaser / lease exception or the investment / opportunity exception);
  • an inquiry or application made by the person to whom the message is sent to the person who sent the message or caused the message to be sent regarding the purchaser / lease exception or the investment / gaming opportunity exception.

Usually, there is a sunset provision for an existing business relationship under CASL. For example, an existing business relationship in respect of an inquiry or application ends 6 months after the inquiry or application for the purposes of implied consent for any new relationships after CASL comes into force. But that isn’t the case for those existing at the time of CASL coming into force. The sender may rely on implied consent for three years.

This is a significant transition period. Three years is a long time to refresh consents for existing business relationships and existing non-business relationships. Organizations may wish to consider this in planning priorities in their compliance strategy.

However, the story isn’t uniformly a good news one. Organizations should also carefully review the scope of the relationships captured by the transition period. The definition of an existing business relationship certainly does not cover the field of relationships that enterprises may have with individuals to whom they send CEMs. Notably, the transition period may not be of assistance to professions or enterprises with very long lead times to make sales.

UK Cookie Enforcement Report: Relevant to Canada

On December 18, 2012, the UK Information Commissioner’s Office (ICO) issued an enforcement report on compliance with the rules regarding obtaining consent to the use of cookies and similar technologies.

North Americans accessing UK-based websites that do not distinguish between the IP addresses of EU visitors and North American users may have noticed “cookie banners” when they visit the UK website. These “cookie banners” respond to the requirements of the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations of 2011, which the UK Information Commissioner’s Office began to enforce in May 2012. Typically the banner will appear at the top of the web page or float semi-transparently on the web page until closed by the visitor. The banner provides information on the use of cookies on the website and links to further information, including methods of opting out.

The ICO has helpfully provided examples of cookie banners that it considers to be compliant with the cookie rules.

The Office of the Privacy Commissioner of Canada (OPC) has made it clear in recent decisions and in its guidance on behavioural advertising that organizations must be transparent about their use of cookies and should consider methods other than privacy policies for explaining that cookies are being used, the purpose for their use and the ability of the website user to opt out of tracking cookies. Although not yet in force, Canada’s Anti-Spam Legislation (CASL) provides that an organization must have express consent to install a computer program on a person’s computer. A “computer program” has been defined broadly to include a cookie. An organization will be considered to have express consent if the person’s conduct “is such that it is reasonable to believe” that the person has consented to the installation of the cookie.

Although the UK cookie rules are not directly applicable in Canada, organizations may consider reviewing the ICO’s enforcement report when considering revising their cookie disclosure practices in light of the OPC’s guidance and the requirements in CASL.

 

Canada’s Anti-Spam Law (CASL) – Proposed New Regulations Would Soften Impact

Draft Regulations recognize CASL should not apply to “regular business communications”

Industry Canada has published long-awaited draft Regulations that would lessen the impact of Canada’s Anti-Spam Law (CASL) on businesses.  Or in the words of the Regulatory Impact Analysis Statement, to: 

provide relief to businesses through targeted exemptions where the broad application of the Act would otherwise impede business activities that are not within the intended scope of the legislation.

Under the heading “Proposed exemptions to address stakeholder concerns”, the Statement explains:

Since it applies broadly to commercial electronic messages, the Act captures some regular business communications that are not the types of threats that were intended to be captured within the scope of the Act. To ensure these business communications are not regulated under the Act, the Regulations include business to business exemptions for commercial electronic messages that are sent within a business, or sent between businesses that are already in a business relationship, where the messages are sent by an employee, representative, contractor or franchisee and are relevant to the business, role, function or duties of the recipients. These proposed exemptions address many of the most serious concerns raised in the consultations about the unintended application of CASL to ordinary, transactional business communications.

The Canadian government has not issued a formal entry into force date for the Anti-Spam law, and the date has been a moving target since CASL was passed into law in December 2010.  Informally, CASL, the CRTC Regulations, and the proposed Industry Canada Regulations are expected to enter into force late in 2013.

Industry Canada’s Proposed Approach

Comments are due on February 4 on the proposed Regulations.  Here is a summary of Industry Canada’s proposed approach to clarify the application of the Act, and more importantly, to carve out “non-threatening” commercial electronic messaging.

1.  Limited Exemptions for Certain Types of Message

Exemptions are proposed for CEMs sent:

  • within a business;
  • between businesses already in a business relationship, sent by employee, representative, contractor or franchisee, where message is relevant to business, role, function or duties of recipient;
  • by foreign businesses and accessed by a visitor to Canada;
  • as a response to an inquiry; and
  • due to a legal obligation, or to enforce a legal right.

2.  Third-Party Referrals

Existing business relationship (also non-business, personal or family relationship) would permit third-party referral. 

Example:  Client of Company and Potential Client of Company have a business, non-business, personal or family relationship.  Client refers Potential Client to Company.  Company sends a single consent request message to Potential Client, including name of Client and identification and unsubscribe requirements set out in the Act and CRTC Regulations.

3.  Clarifying What is Required where Sender is an “Unknown Third Party”

CASL permits consent to be obtained to receive messages from a third party unknown to the recipient, in certain circumstances.  The proposed Regulations specify that the recipient must have the ability to unsubscribe and alert the “original requester” that he has withdrawn his consent.  That “original requester” must notify each third party sender that the recipient’s consent has been withdrawn.

4.  Membership in a Club, Association or Voluntary Organization

The proposed Regulations clarify the definition and scope of these “non-business relationships”, and include references to the purpose and not-for-profit status of these organizations.

5.  Limited Exemptions for Protecting, Upgrading and Updating Computer Networks

The proposed Regulations include new definitions for computer programs that are to be excluded from the “installation consent” requirements: those installed (i) to prevent illegal activities that present an imminent risk to network security; and (ii) to update and upgrade an entire network.

Certain Questions Clarified

The Regulatory Impact Statement clarifies that not all messages sent “in a commercial context” are necessarily CEMs.  For example, Industry Canada notes that:

  • a CEM is a message that “encourages participation in a commercial activity”: therefore a message such as a courtesy SMS or an unsubscribe notification (without that encouragement) is not a CEM;
  • a CEM is a message sent to an electronic address:  “…[t]he publication of blog posts or other publications on microblogging and social media sites is not within the intended scope of the Act”.

What Industry Canada has Not Done

Industry Canada has rejected stakeholder requests to:

  • “grandfather” consents obtained under PIPEDA (rejected as the CASL consent requirements are much more stringent than PIPEDA’s);
  • send CEMs from Canada to recipients outside Canada on behalf of foreign companies (rejected as a potential loophole to be exploited by spammers);
  • permit manufacturers to send CEMs to end-users of their products (rejected as potentially too broad);
  • revise the “unknown third party” approach to make it less complex and burdensome (rejected as tracking and managing consents is not “unduly onerous”).

A growing number of businesses in Canada, the United States and elsewhere have weighed in on the proposed Regulations. The outcome of the current regulatory review will be worth watching for all those impacted by CASL.

 

 


“CRTC encourages businesses to start preparing for Canada’s anti-spam legislation”

Canada’s Anti-Spam Law (CASL) is expected to enter into force in 2013, together with two sets of regulations that will address certain detailed requirements under the Act. Industry Canada Regulations are still underway. The Canadian Radio-television and Telecommunications Commission (CRTC) is further ahead: it enacted its Electronic Commerce Protection Regulations in March 2012.

The CRTC has moreover issued two Information Bulletins on its Regulations. The new guidelines address practical aspects of obtaining consent to send commercial electronic messages (CEMs), and providing an effective unsubscribe mechanism.

1. OBTAINING CONSENT

Specific requests for consent must be clearly identifiable to the user and indicate that the user’s consent can be withdrawn at any time. Consent can be obtained orally or in writing, and must be positive and explicit. In other words, it must be “opt-in”.

Acceptable: an icon or an empty toggle box that must be actively clicked or checked.

Not Acceptable: an opt-out mechanism (i.e. unchecking a pre-checked box); a CEM in the form of a subscription email, text message, or other equivalent form to request express consent.

2. UNSUBSCRIBE MECHANISM

The unsubscribe mechanism must be consumer-friendly, simple, easy to use, and must be set out clearly and prominently. Under the Regulations it must be capable of being “readily performed”.

Email Example: a link takes the user to a web page where he or she can unsubscribe from receiving all or some types of CEMs from the sender.

SMS Example: the user should have the choice between clicking a link, or replying to the SMS with the word “STOP” or “Unsubscribe”.

For more information, please see:

Guidelines on the interpretation of the Electronic Commerce Protection Regulations (CRTC)

Guidelines on the use of toggling as a means of obtaining express consent under Canada’s anti-spam legislation

Wondering how Canada’s Anti-Spam Law compares to the U.S. CAN-SPAM requirements? Check out http://www.slideshare.net/fmclaw/casl-vs-canspam-canadas-antispam-law


Anti-Spam Update – Proposed New Exemptions on the Way

Today the Canadian Bar Association held an update session for members on Canada’s Anti-Spam Legislation (“CASL”).  An oral presentation was provided by Andy Kaplan-Myrth, a Policy Advisor in the Digital Policy Branch at Industry Canada and a member of the team that developed and is implementing CASL.

Here’s what we heard from the discussion.  [Please note that information and comments provided by Mr. Kaplan-Myrth and other participants are intermingled with my own below.  The following is not intended as a verbatim report on the presentation.]

  • Industry Canada is targeting the release of further draft regulations for comment by the summer; however the ultimate timing depends in part on internal government processes including Treasury Board approval;
  • The regulations will reflect some concerns heard during and since last year’s comment process on the last draft regulations.  As we noted in past posts, many industry stakeholders believed that the earlier draft regulations did not go far enough to clarify obligations and provide needed exemptions;
  • Industry Canada is focusing on exempting activities that clearly do not constitute “spam”, where a line can clearly be drawn to define permitted activities and exclude others;
  • Industry Canada welcomes comments on the regulations, and beyond that process, is also seeking input from stakeholders on what areas of CASL and definitions should be clarified in information bulletins;

More substantive questions discussed:

Q:  Does it make sense for the “form and content” (i.e. contact information and unsubscribe) requirements to apply to messages: sent within businesses, to their employees?  sent B2B, such as banking transactions?  that must be sent by law?  that are responses to an inquiry?

A: In some cases…not really.  The forthcoming draft regulations may address these.

Q:  How do you set up third-party referrals under CASL?

A: Referral marketing can be done with appropriate consent, but don’t forget that consent must meet both CASL and PIPEDA requirements.

If it’s a “refer a friend” scenario, and the person is truly a friend or family under the law, then CASL will not apply.  (As some have suggested, CASL will legally define for us who our true friends are.)  Under regulations to come, the definition of a “friend” may be broadened to include virtual friends met online.

Q:  What’s required to get express consent, and document it?

A:  Oral consent, and even a check-box is acceptable (perhaps even pre-checked, if the request for consent is clearly conveyed).  Australia has provided some practical guidance for business under its Spam Act 2003 on obtaining consent, and a range of other topics.  Although Canada’s legislation is different from Australia’s, the CRTC may provide similar forms of guidance on practices to obtain consent and related issues.  As mentioned above, both Industry Canada and the CRTC are interested to hear from stakeholders on where guidance is most needed.

As for documenting consent:  this will be up to clear internal policies and practices.  These are intentionally not spelled out anywhere, to give organizations the latitude to find what works for them…while meeting the CASL requirements.

Q:  Can organizations rely on PIPEDA consents under CASL?

Remember that CASL “overrides” PIPEDA, to the extent of any conflict (s. 2 of CASL).  And that CASL expressly requires a high standard of consent to send commercial electronic messages.  Therefore organizations can’t rely on “grandfathering” PIPEDA consents under CASL, broadly speaking.

If however, existing PIPEDA consent also meets the CASL requirements for implied consent – for example an “existing business or non-business relationship” – then that is sufficient.  Many organizations can and will rely on implied consents to send many of their CEMs during the transition years, the first three years after CASL enters into force (see s. 66 of CASL).

What’s Next?

Although CASL won’t enter into force until 2013, there is a significant amount of preparation going on this year, as noted above, and here.

We have also heard reports that many organizations outside of Canada have not even heard of CASL, so clearly more needs to be done to raise awareness.  For those organizations that are familiar with the U.S. CAN-SPAM Act requirements, our comparison of CASL to CAN-SPAM may assist.


CASL: 3 Next Steps in 2012

As many of us now know, Canada’s Anti-Spam Law is now expected to enter into force in 2013.  Don’t expect things to sit idle until then, however. 

3 Next Steps for CASL in 2012

Following are three next steps for 2012, ranked in order of importance to industry stakeholders:

1.  Industry Canada to issue new set of regulations for comment

As we noted in previous posts here and here, while businesses had hoped that regulations would clarify key terms and obligations under the Act, and lessen the Act’s impact on certain types of communications, many stakeholders were disappointed.  Many businesses considered that neither the Industry Canada regulations as originally published for comment, nor the CRTC regulations as finalized, went far enough to clarify obligations.  Moreover, neither set of regulations provided the exemptions many businesses have called for, to exclude certain categories or types of messages from the application of CASL consent requirements. 

A glimmer of hope is in sight:  Industry Canada is expected to publish a new set of regulations for comment in the coming weeks.  These regulations are expected to contain some exemptions from the application of CASL requirements.  In the comment period, businesses will have the opportunity to comment on the regulations, and seek further changes to make CASL more workable. 

2.  CRTC to issue a series of information bulletins for industry

Anyone who has tried to read through CASL’s provisions and the accompanying CRTC regulations knows that they tend to raise at least as many questions as they answer.  The CRTC is expected to issue information bulletins in the coming weeks to help clarify what is meant, and required, by some key elements of the regulations.  These bulletins may include matters relating to what it means to get consent “in writing” online, and how far businesses must go to make information accessible in “commercial electronic messages”. 

3.  Spam Reporting Centre

The government is currently reviewing bids by third-party service providers to operate the Spam Reporting Centre.  The Centre will act as a liaison between the public and the government agencies (CRTC, Office of the Privacy Commissioner, Competition Bureau) on spam complaints and monitoring.  The government states that:

“When operational, the Spam Reporting Centre will accept various types of electronic messages from individuals and organizations in Canada. Reporting spam and related electronic threats will not stop such threats completely; however, the data sent to the Spam Reporting Centre will help it identify trends, and try to find out who is sending the spam and other threats and from where. This will aid in the future prosecution and civil proceedings against those responsible for electronic threats in Canada and internationally.”

The final line of the above quote – “future prosecution and civil proceedings”, and “threats in Canada and internationally” – is a stark reminder of two important points. 

First, the government means business.  Its objective is to “drive spammers out of Canada” (then Minister of Industry Tony Clement, 2010).  Second, CASL is designed to reach beyond Canada.  It is designed to capture commercial electronic messages that may be sent from other countries, and also to provide the framework for international monitoring and enforcement. 

3 Things to do while you “wait” for CASL in 2013:

  1. Participate in the comment process on the coming draft Industry Canada regulations
  2. Remind yourself of the differences between the U.S. CAN-SPAM requirements, and CASL
  3. It’s strongly recommended that businesses use the lead time before CASL’s entry into force to get their operations in order.  Prepare your organization’s  CASL audit, checklist, and Compliance Policy.  The CAN-SPAM vs. CASL presentation and an earlier article of ours can help explain the basics. 


Privacy and Promotion: Don’t Build a Profile of the Non-User

This is the third post in a series dealing with promotional activities in which a user of a website or mobile app is requested to provide e-mail addresses of their contacts or allow access to the user’s address book for the purpose of sending an e-mail invitation to a contact of the user.  In the first post, I discussed the privacy by design principle.  In the second post, I discussed the implications of treating the contact information as the personal information of the user and the non-user. 

As I mentioned in previous posts, this whole area is fraught with difficulty and will become more so once Canada’s Anti-Spam Legislation is in force.  Legal advice should be sought for these types of promotion to ensure compliance.

So the invitation has gone out to the non-user.  Now what? 

Resist the urge to build a profile for the non-user.

The user has not yet agreed to join.  Typically, an organization will want to build privacy protections to avoid building a user profile for the non-user until the user consents to join.  If the purpose of collection was to send an e-mail invitation, it may be difficult to justify the collection of the non-user’s street address or telephone number.

There may be more subtle ways of building a profile, such as by cross-referencing the user’s e-mail address against other users’ address books or searching out other available information on the Internet.  If the website or mobile application’s design involves building a profile for the non-user as part of the promotional activity to invite the user to join, care should be taken to deploy privacy protections. In particular, the organization should avoid “using” the non-user’s personal information for purposes other than making the invitation until the organization has made privacy disclosures to the non-user.

In a recent decision of the Office of the Privacy Commissioner of Canada (“OPC”), the OPC considered Facebook’s practices with respect to generating friend suggestions for non-users in invitations.  At the time of the investigation, Facebook would bundle friend suggestions within the first invitation to the non-user.  The OPC found it significant that by doing so Facebook had already “used” the non-users’ e-mail address to generate friend suggestions without providing any information on how the non-user’s personal information was being used and any opt-out mechanism. 

During the investigation, Facebook changed its practices to something more acceptable to the OPC.  No additional friend suggestions were made in the initial invitation.  There was a more prominent opt-out notice and a notice and link to information regarding the use of the e-mail address for generating friend suggestions.  The non-user’s e-mail address was only used to make additional friend suggestions to the non-user once those disclosures had been made and the non-user given an opt-out opportunity.

Destroy the e-mail address once the purpose for the collection has been fulfilled.

Another issue is what to do with the e-mail addresses of non-users who do not respond either to join or to opt-out.  Organizations should consider whether the purpose for which the e-mail address has been collected has been fulfilled.  If so, then privacy legislation in Canada would instruct the organization to destroy (delete) the non-user’s contact information. 

There will be instances where the website or mobile app stores the contact information for another purpose as a service to the user.  However, if the sole purpose of the collection was to make the invitation, then the organization should consider what would constitute a reasonable period of time to keep the non-user’s contact information.

Privacy and Promotion: Invite Your Friend

This is the second in a series of posts on privacy and anti-spam implications of organizations engaging in promotional activities in which the user of a website or mobile app is asked to supply e-mail addresses of contacts in order to invite those contacts to the website or to download the mobile app.

In the last post, I wrote about building privacy into the design of the website or mobile app.  This post deals with a few considerations regarding consent.  Upcoming posts will deal with anti-spam and other issues.

Treat the contact information as the personal information of the user (owner of the address book).

Most organizations understand that it is necessary to obtain the consent of the owner of the address book to use contact information for the purposes of soliciting those contacts. Obtaining consent from the user is generally straightforward. In most contexts, there will be a transparent way for the organization to ask for permission to use the user’s contacts. If privacy considerations have been built into the promotional program, asking for permission to use contact information or asking the user to input the contact information for the purpose of “inviting a friend” to the site can be accompanied by disclosure of how the information is going to be used. If the user is going to be provided with the opportunity to customize the message to the recipient, the use will be transparent.

What might not be obvious is any on-going use that the organization may intend to make of the information that is supplied. Consideration should be given to providing relevant information about on-going uses, if any, at the point of request regarding the proposed use and direction to the organization’s more detailed data use policy governing the life-cycle of the requested information.

Treat the contact information as the personal information of the contact (the owner of the email address).

The personal information being collected through “Suggest to a Friend” promotions is also personal information of the non-user.  This is frequently overlooked in the design of these marketing initiatives.

The Office of the Privacy Commissioner of Canada has previously stated that organizations that actively solicit non-users’ e-mail addresses from users with the intention of using them for their own purposes must take some responsibility for obtaining consent of the non-users.

The requirement to obtain the recipient’s consent may not be obvious to an organization. The e-mail is, after all, being sent as an invitation from the user. However, in a “suggest a friend” promotion, the substance of the communication is commercial.  The organization is processing the e-mail address for a promotional purpose to invite the recipient to sign up or join the organization’s site. This use of the e-mail address is likely to be governed by Canadian privacy legislation.

How to Obtain Consent from the Recipient

An e-mail address, on its own, is generally not considered to be sensitive personal information. If the e-mail address will only be used for the purpose of sending an invitation by a user to a non-user who the user knows, the use of the e-mail address by the organization will not be considered to be sensitive. Leaving aside anti-spam legislation, which will be discussed in upcoming posts, the organization soliciting the e-mail addresses may rely on the users to obtain express or implied consent of the non-users.

However, the organization must demonstrate reasonable due diligence to ensure that the non-user’s consent has been obtained. Reasonable due diligence varies with the circumstances.  In most contexts it will consist (at a minimum) of making sure that users are aware that they must not disclose the non-users’ e-mail address unless the user knows the non-user personally and the non-user would want to receive the e-mail.

If more than one e-mail will be generated (for example, reminder e-mails), that information must be disclosed to the user so that the user can consider whether that use of their contact’s e-mail address would be appropriate.  This information should also be disclosed to the recipient.

Due diligence also requires that the organization confirm whether the recipient has in fact expressly or impliedly consented to the use of his or her e-mail address in this manner. This is not an impossible task.  For example, when the e-mail is sent to the non-user, the organization could explain why the e-mail is being sent and what use will be made of the e-mail address (reminders, permanent links to the user who sent the message, etc.).

If the recipient objects to this use of the e-mail address (in effect, withdrawing the implied consent), the recipient non-user should be given a way of opting out of further communications. In other words, consideration should be given to allowing the recipient to put himself or herself on a “do not contact” list. In addition, or in the alternative, consideration might be given to permitting the recipient to request deletion from the organization’s system.

Issues relating to non-user consent can be tricky.  The organization should consider all uses of the e-mail address and the life-cycle of that use and consult a lawyer to ensure the promotion is compliant.

Privacy and Promotion: “Suggest this Site to Your Friends”

A not uncommon Web-based marketing tool is to invite users to suggest the website to their friends and family. The user inputs e-mail addresses or allows the website or mobile app to harvest the user’s address book information to generate a list of potential contacts. Organizations planning to implement this type of marketing program should seek legal advice to ensure that they remain onside of privacy and anti-spam regulations. This is the first in a series of posts in which I will comment on a few notable issues relating to these types of promotional activities.

Employ the “privacy by design” principle.

The starting point when designing these types of promotions is to assess privacy implications of each aspect of the promotion and build privacy protections into the administrative and technological design of the promotion.

By assessing the privacy implications of the marketing program at the outset, the process of ensuring that the marketing tool will be privacy compliant will be simplified. Employees in the marketing group will know what questions to ask of vendors and IT professionals will be better positioned to implement systems to ensure privacy compliance.

To take a simple example, organizations should consider whether they have a legal obligation to provide the recipient of a promotional e-mail invitation a way of opting out from further e-mail communications. The non-user may expect to be given the opportunity to permanently opt out of further communications from not only the friend who sent the invitation but also any other friends who may use the organization’s services. The technological ability to provide that permanent opt-out mechanism would need to be built into the design of the system.

Moreover, as will be discussed in subsequent posts, the organization will not have consent to send the recipient further promotional material other than perhaps a reminder e-mail, until the recipient takes a positive step to accept the invitation. This means that the organization must have the technological capability to prevent the non-user’s e-mail address from being mixed into the database for general promotional communications.

Anti-Spam Law: See updated CASL v. CAN-SPAM summary

Are you one of those who have been monitoring the progress of Canada’s Anti-Spam Law (CASL)?  

If so, you may also have given some thought to the difference between the existing U.S. rules under the CAN-SPAM Act, and the new Canadian rules under CASL coming into force in 2012.  After all, the CAN-SPAM rules have been in place for years, and have become accepted industry practice for marketers and others in the U.S., and to a certain extent, informally, in Canada. 

CASL and CAN-SPAM are similar in some basic respects, but they are very different in important ways.  As we’ve explained in earlier posts, CASL has broader application, a higher standard for consent, greater penalties, and a clearer out-of-country reach than the U.S. CAN-SPAM Act. 

Our SlideShare overview, Comparing CASL to CAN-SPAM, has received over 1,000 views to date.  We’ve just updated the overview to reflect the recently finalized CRTC regulations which set out requirements for consent and message content.  Take a look at the updated Comparing CASL to CAN-SPAM and let us know if it answers your questions.


CRTC Finalizes Anti-Spam Regulations – A Bit More Flexibility for Businesses

The Canadian Radio-television and Telecommunications Commission (CRTC) has made and registered its Electronic Commerce Protection Regulations for the Anti-Spam Act (CASL).  The regulations set out the information to be included in, and the form of, commercial electronic messages (CEMs), and information to be included in a request for consent.  The regulations also address how to get consent for the installation of computer programs.

The CRTC has responded to a select few of the broad-ranging concerns raised by businesses on the draft regulations during last year’s consultation phase.  Businesses will find there is a bit more flexibility in the “must-have” information they set out in CEMs, and when they seek consent to send them.  This implicitly recognizes that:

  • businesses operating online are not all created equal:  they do not all have the same contact capabilities, in terms of either human or online resources; and
  • CEMs are not all created equal:  an email may be easy (relatively speaking) to load up with prescribed information, but online communications come in many forms, and some are not as adaptable to detailed information and contact requirements.

The following points compare the final regulations to the draft regulations (the latter in parentheses).  When sending a CEM or seeking consent, businesses may do the following.

  • simply include the name by which they carry on business (rather than both that and their legal name);
  • include their mailing address, and either a staffed or voicemail phone number, email address or web address (rather than the physical and mailing address, plus all of the above, plus any other electronic address);
  • include the information in the above point on a website that “is readily accessible” (rather than via a single click);
  • use an unsubscribe mechanism that can be “readily performed” (rather than “performed in no more than two clicks or other method of equivalent efficiency”);
  • simply indicate that the person whose consent is sought can withdraw their consent (no need to indicate the means to do so).

Despite the above points of flexibility, there is no denying that the Act and regulations will impose much higher requirements for CEMs than many businesses are prepared for.  This notably includes U.S. businesses operating in Canada who are familiar with, and compliant with, CAN-SPAM.  As we explained in a previous post, CAN-SPAM and CASL are different in several very important ways.  CASL has a broader application, clear reach outside Canada, higher standard for consent, and higher penalties.

In short, any business sending CEMs to Canadians needs to become informed about the CASL requirements and take steps to become compliant.

Next Steps

Further regulations are expected from Industry Canada before CASL comes into force.

Businesses and industry associations have called on the government to introduce even more flexibility to reduce the impact of CASL on their operations, while still meeting the government’s anti-spam priorities.  One of the frequent “asks” has been for some lead time prior to CASL’s entry into force to allow businesses to prepare their databases and operations.  Others have requested that the government use its regulation-making authority to exclude certain types of CEMs, and CEMs sent under certain circumstances, from the requirements of the Act.

It remains to be seen whether the government will introduce new exceptions, or more flexibility, under regulations to come either before or after CASL comes into effect – expected later this year.


Anti-Spam Legislation – Coming “soon” to an inbox near you

Canada’s Anti-Spam Legislation (CASL) was enacted in December 2010. Heard about it?  It’s quite likely that you have, given its broad application to online communications, its significant penalties, and its reach outside of Canada.    

This widely-anticipated legislation is not yet in force, and may be delayed until later this year. 

Last fall, the government issued two sets of draft regulations for public comment. Many stakeholders responded by commenting not only on the specifics of the draft regulations, but also on what the regulations didn’t say or do, for example: 

  • how do I interpret key terms?
  • why does the Act target all commercial electronic messages, making permissible activities “exceptions” to the rule?
  • will companies have any lead time before the legislation comes into force, to put measures and policies in place?

The government has since received further input from interested stakeholders, and is expected to issue new regulations in the coming weeks. We’ll provide updates to you here on new developments. 

For more background on CASL, see Canada’s New Anti-Spam Act – Raising the Bar for Online Business Communication and Online communications in Canada – Comparing Canada’s new Anti-Spam Law to the U.S. CAN-SPAM Act.

What is Data Privacy Day?

Data Privacy Day is observed annually on January 28th in a number of jurisdictions with varying formality and support by government officials.  Privacy professionals and consumers use this day annually to raise awareness regarding best privacy practices, to educate consumers and to reflect on the complexity of privacy issues in our global and electronically interconnected economy. 

To learn more about Data Privacy Day, a great starting point with a collection of resources is the Privacy Commissioner of Canada’s website.  Also, check out the U.S. National Cyber Security Alliance website.

World Data Privacy Day @ FMC Law

January 28, 2012 is World Data Privacy Day. Privacy is interconnected with anti-spam, data management and records retention issues for many industries, particularly those operating in the e-commerce environment.  

To mark this year’s World Data Privacy Day, Fraser Milner Casgrain LLP (FMC) is launching this new blog on data governance.  FMC is a national Canadian law firm with offices in the principal economic centres of Canada.  Our focus in this blog will be to provide interested followers with information on how privacy, anti-spam, records management and e-commerce interact in the Canadian legal environment.  Along the way, we will provide updates on worldwide developments that we think may be of particular interest to businesses operating in Canada with global e-commerce connectivity.

Please check back frequently.  Or better yet, subscribe!

Online communications in Canada – Comparing Canada’s new Anti-Spam Law to the U.S. CAN-SPAM Act

If you operate or have customers in the U.S. market, you are already likely familiar with the requirements of the U.S. CAN-SPAM Act, introduced in 2003. If your operations or customers extend into Canada, however, there are new Canadian Anti-Spam rules you need to know. Why? Because these new rules will impact how you engage in online communications in Canada, starting in early 2012.

The SlideShare presentation below provides an overview of the key differences between Canada’s new Anti-Spam Law, CASL, and CAN-SPAM. Here are a few:

• Broader application: CASL applies not only to e-mail, but also to IM, text and more. It also covers more activities, including the installation of computer programs.

• Clear reach outside Canada: CASL expressly applies to messages “accessed from a computer system in Canada”. This means that a message can be sent from outside Canada.

• Higher standard for consent: “Opt-in” consent for CASL versus “Opt-out” for CAN-SPAM.

• Higher penalties: $10 million maximum penalty for an organization that contravenes CASL.

The implications of this:

• More online activities will be caught by CASL.

• More activities affecting Canadians will be caught by CASL, even if initiated outside Canada.

• More steps will be needed under CASL to be permitted to communicate online.

• Overall, there is greater exposure to liability under CASL.

Learn more about CASL, including what steps to take now to avoid liability:

This presentation contains examples of the kinds of issues companies dealing with anti-spam could face. If you are faced with one of these issues, please retain professional assistance as each situation is unique.