Information Session on Canada's Anti-Spam Legislation

Video

Watch a detailed presentation on Canada’s anti-spam legislation.

A detailed presentation on Canada’s anti-spam legislation.
Transcript

Presentation

Download the presentation given at the information session.

Disclaimer

This presentation has been prepared by Commission staff to provide general information with respect to Canada’s Anti-spam Legislation (CASL). This material is not to be considered legal advice nor is it binding on the Commission itself. Further, it does not reflect an interpretation of CASL and/or its accompanying regulations by the Office of the Privacy Commissioner, the Competition Bureau or Industry Canada.

Purpose

To offer as much predictability and transparency as we can, within the limit of our confidentiality obligations. This will also enable us to be effective in the discharge of our enforcement mandate.

Highlights

Enforcement of CASL

Overview of CASL - Legislative roles

Administration Violation Addressing
CRTC The legislation includes violations respecting:
  • sending of commercial electronic messages (CEMs) without consent
  • alter transmission data in the course of a commercial activity without consent
  • Installing a computer program in the course of a commercial activity without consent
  • Spam (s.6)
  • Botnets (s.8)
  • Malware (s.8)
  • Network re-routing (s.7)
Competition
Bureau (CB)
Amends the Competition Act to include violations respecting:
  • Misleading and deceptive practices / representations, including false headers, subject lines, etc…
  • False or misleading representations online (incl. websites and addresses)
Office of the Privacy Commissioner (OPC) Amends Personal Information Protection and Electronic Documents Act (PIPEDA) to include contraventions involving:
  • The collection and use of personal address information without consent
  • The collection of personal information by illegally accessing, using, or interfering with computer systems
  • Address harvesting
    (steal email contacts)
  • Dictionary attacks (Systematically guessing email addresses to spam)
  • Spyware (Personal Info)

CASL Tripartite MOU

Agreement between 3 CASL Enforcement Agencies

The purpose is to set out a framework respecting:

Main Elements of the legislation

The legislation addresses the recommendations of the Task Force on Spam with a comprehensive regulatory regime that uses economic disincentives instead of criminal sanctions to protect electronic commerce and is modelled on international best practices. The regime includes:

Support mechanism:

CRTC Enforcement Process

Information is gathered by multiple sources and stored in the Spam Reporting Centre. These sources include: Complaints, Honeypot data, Industry Filings, International Agencies Organize and Analyze. Once in the Spam Reporting Centre, the information is sorted and categorized. The three enforcement agencies, Competition Bureau, CRTC and Office of the Privacy Commissioner will then have access to the information to support investigations related to their enforcement mandate under Canada’s Anti-Spam Legisaltion. The CRTC will then triage the information and select an enforcement tool, which could include:, Investigation, Joint Action, Warnings, Education and Alerts. The results of these actions could include: Notices of violation and administrative monetary penalties, Injunction, Undertaking and Negotiated settlement.

Consequences of a violation

Administrative Monetary Penalties (AMPs)    

Extended Liability, including:

Compliance Continuum

The CRTC has a number of tools at its disposal to fulfill the mandate. Enforcing Compliance - Voluntary: Alternative case resolution, Undertakings. Involuntary: Warnings, Notices of violation, administrative monetary penalties & injunctions. Monitoring for recidivism - Promoting Compliance
Communication & outreach: Education, Publications, Conferences, Websites Promotion of self-regulation, Voluntary codes & compliance programs Advocacy, Public consultations, Policy and research partnerships. Investigating Non-Compliance - Intel gathering: Spam Reporting Centre, Honeypots Investigative techniques, Preservation demands, Requests for information, Notices to produce, Search and seizures.

Partnership Approach

The CRTC has developed or is in the process of developing partnerships with: Non-profit organizations, Mail service providers, Telecom service providers, Email service providers & marketers, Reputation and security vendors, Government organizations & alliances.

What is Success?

Direct
Indirect

CASL Regulations

CASL Contemplates two categories of regulations:

Both sets of regulations were published in the Canada Gazette for a 60 day comment period

CRTC CASL Regulations

Information Bulletins

Purpose of Information Bulletins

The CRTC has published the following two information bulletins to help Canadian businesses better understand CASL and facilitate compliance:

  1. Certain provisions of the Electronic Commerce Protection Regulations (CRTC)
    (Compliance and Enforcement Information Bulletin CRTC 2012-548)
  2. The requirement to obtain express consent under CASL when using Toggling
    (Compliance and Enforcement Information Bulletin CRTC 2012-549)

The Electronic Commerce Protection Regulations (CRTC) Information Bulletin

Information to be included in a CEM (Reg 2)

This is an example of an unsubscribe mechanism by email. The email says I would like to unsubscribe from receiving: All messages from Company Inc. or, All promotional messages from Company Inc. I will continue to receive notifications consisting of factual information about my account and purchases. At the bottom of the message you may choose to submit your consent.
Form of CEM (Unsubscribe Mechanism) – (Reg 3)

This is an example of an unsubscribe mechanism by text message. The text from Company Inc. says- Special offer! 40% discount on all widgets. Text STOP to unsubscribe. To submit your consent, reply to the text message with the word STOP.
Information to be included in a request for consent – (“sought separately”) – (Reg 4)
This is a webpage that outlines the terms and conditions before download a computer program. The webpage gives you the option of choosing your consent by toggling the boxes beside the following statements: I accept the Terms and Conditions, I agree to the installation of Company Inc.’s Product A software. The function and purpose of Product A are to… To request removal or disabling of this computer program under certain conditions, please contact us at this electronic address. The words ‘certain conditions’ are hyperlinked another webpage where the information can be found, I agree to receive Company Inc.’s newsletter containing news, updates and promotions regarding Company Inc.’s products. You can withdraw your consent at any time. Please refer to our Privacy Policy or Contact Us for more details. The words ‘Privacy Policy’ and ‘Contact us’ are hyperlinked another webpage where the information can be found.
This is a webpage access by a mobile device and gives you the option of choosing your consent by toggling the boxes beside the following statements: I consent to the Terms and Conditions of sale. The words ‘Terms and Conditions’ are hyperlinked another webpage where the information can be found, I consent to the installation of Company Inc.’s Product A application. The function and purpose of Product A are to… To request removal or disabling of this computer program under certain conditions, please contact us at this electronic address. The words ‘certain conditions’ and ‘electronic address’ are hyperlinked another webpage where the information can be found, I consent to receiving promotional message from Company Inc. about its products and services. You can withdraw your consent at any time.
Below the toggling boxes it says “See our Privacy Policy or Contact us for more information.” The words ‘Privacy Policy’ and ‘Contact us’ are hyperlinked another webpage where the information can be found. Once you have given your consent to the installation of the application by toggling the second box, you may click on the install button at the bottom of the page, or select close.
Specify functions of computer programs (Reg 5)
This is a webpage accessed on a mobile device that explains the function of a computer program and asks consent for it to be installed. By toggling the two boxes, the computer program may be installed. The webpage says:
Clicking on the INSTALL button will install Company Inc.’s Product A application. The function and purpose of Product A are to. The Product A app will cause my mobile device to communication with Company Inc.’s server automatically in order to record my consent and to record usage metrics. You can withdraw your consent in the future. To request removal or disabling of this computer program under certain conditions, please contact us at this electronic address.  The words ‘certain conditions’ and ‘electronic address’ are hyperlinked another webpage where the information can be found. See our Privacy Policy or Contact us for more information. The words ‘Privacy Policy’ and ‘Contact us’ are hyperlinked another webpage where the information can be found. You may confirm your consent by toggling the boxes beside the following statements: I have read, understand and consent to the above, I consent to the license agreement. The words ‘license agreement are hyperlinked another webpage where the information can be found. Once both the toggling boxes have been checked, you may click install or choose to close.

Use of Toggling Information Bulletin

What is Toggling?
The first message is not compliant because the toggling box is pre-checked. It says “you are about to purchase Product A for $10.00.” The toggling box is pre-checked and says “I agree to receive Company Inc.’s newsletter containing news, updates and promotions regarding Company Inc.’s products. You can withdraw your consent at any time.” “Please refer to our Privacy Policy or Contact us for more details.” The words ‘Privacy Policy’ and ‘Contact us’ are hyperlinked another webpage where the information can be found. At the bottom of the message you have the option of clicking Back or Confirm Purchase.
The second message is compliant and says “you are about to purchase Product A for $10.00.”The toggling box is not checked and says “I agree to receive Company Inc.’s newsletter containing news, updates and promotions regarding Company Inc.’s products. You can withdraw your consent at any time.” “Please refer to our Privacy Policy or Contact us for more details.” The words ‘Privacy Policy’ and ‘Contact us’ are hyperlinked another webpage where the information can be found. At the bottom of the message you have the option of clicking Back or Confirm Purchase.
The third message is compliant and says “All products 40% off for a limited time only! Enter your email below to receive Company Inc.’s newsletter containing news, updates and promotions regarding Company Inc.’s products. You can withdraw your consent at any time. Please refer to our Privacy Policy or Contact us for more details.” The words ‘Privacy Policy’ and ‘Contact us’ are hyperlinked another webpage where the information can be found. At the bottom of the message you have the option of entering your email address and clicking submit.

Additional Guidance Material

Personal and Family Relationships

Express consent obtained prior to CASL

Transitional period for implied consent

Business to Business

Quotes/estimates vs Requests, inquires and complaints

Messages sent and received on an ‘electronic messaging service’

‘Limited-access secure and confidential account’

“sent to a limited-access secure and confidential account to which messages can only be sent by the person who provides the account to the person who receives the message”

CEMs sent to foreign countries

Paragraph 3(f) of the GiC Regulations excludes some CEMs sent from Canada to a foreign country from the application of section 6 of CASL (e.g. consent & unsubscribe requirements), if certain conditions are met:

  1. The foreign country must be listed in Schedule 1 to the Regulations.
    1. These are countries that have their own anti-spam legislation.
  2. The CEM must be sent in compliance with the provisions in the foreign law that address conduct that is substantially similar to the conduct prohibited in section 6 of CASL.
  3. The sender (or person who causes or permits the CEM to be sent) must reasonably believe that the CEM will be accessed in a foreign state listed in Schedule 1.

Registered Charities

Political Parties and Candidates

Third Party Referrals

Personal Relationships and Social Media

Specified Computer Programs – Network Security

Solely:
Network:
Failure:

Existing Non-Business Relationship - Membership

Communications Products

Future Informative Guidance Material

Date modified: