Understanding the New Canadian Anti-Spam Legislation ("CASL") Lisa Abe-Oldenburg, B.Comm., JD. CIPS Ontario AGM March 20, 2014

CIPS ON CASL presentation Mar 20 2014

Data and Software Provisions of CASL

Agenda

Why should you care about CASL?

Introduction to Canada's Anti-Spam Legislation: What is it?

Anti-Spam Provisions

Transmission Data Alteration Provisions

Installation of Computer Program Provisions

Compliance strategies

Q & A

This presentation was prepared by Bennett Jones LLP to provide general information about the anti-spam legislation in Canada. Due to the general nature of this presentation, nothing herein should be relied upon as legal advice.

CASL consists of a lengthy Act and Regulations, which must be read together. They are complicated, legally very technical, contain ambiguities and will be evolving as more regulations and interpretations are created.

The fine print

Why should you care about CASL?

INCREASED LIABILITY

INCREASED COST OF DOING BUSINESS

Actual costs:

Developing and implementing compliance and policies

Updating or purchasing new customer relationship management software

Investigating targets in due diligence associated with M&A activity

Indirect costs:

Finding alternative ways to advertise or do business

Revising software update and upgrade distribution and installation processes and support services.

Why should you care about CASL?

23 May 2014

Administrative Monetary Penalties:

Maximum penalty for corporations and organizations = $10,000,000.00 per violation

Maximum penalty for an individual = $1,000,000.00 per violation

Vicarious liability:

An employer may be liable for a violation committed by an employee acting within the scope of the employment.

Personal liability:

Officer, director, agent who directed, authorized, assented to, acquiesced in or participated in the commission of the violation, whether or not the corporation is proceeded against.

Liabilities

Private Right of Action

For violations of CASL, as well as specified violations under PIPEDA and the Competition Act.

Liability includes:

Compensation in an amount equal to the actual loss or damage suffered or expenses incurred; and

A maximum of $200.00 for each contravention of CEM provisions, not exceeding $1,000,000.00 for each day the contravention occurred; and

A maximum of $1,000,000.00 for each day a contravention of the data or computer software provisions occurred.

A maximum of $1,000,000 per s.9 contravention (aiding, inducing, procuring)

That's enough to make anyone scream!

Liabilities (cont.)

Now that we have your attention.

Intro to CASL

Key Dates

July 1, 2014

Anti-spam requirements

Altering transmission data requirements

January 15, 2015

Installation of computer program requirements

July 1, 2017

Private right of action

Scope

The Act and Regulations:

prohibit sending "commercial electronic messages" to an electronic address without consent (though exceptions may apply);

prohibit the alteration of transmission data in an electronic message so that the message is delivered to a destination other than or in addition to that specified by the sender without consent;

prohibit installing a computer program on any other person's computer system without consent and certain requisite notice;

prohibit causing a program on any person's computer system to send an electronic message without consent; and

capture activities that aid, induce, procure or cause to be procured any of the foregoing.

Key Definitions

What is a CEM?

An electronic message means a message sent by any means of telecommunication, including a text, sound, voice or image message.

A commercial electronic message is defined as an electronic message that, having regard to the content of the message, the hyperlinks in the message to content on a website or other database, or the contact information contained in the message, it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity, including an electronic message that:

(a) offers to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land;

(b) offers to provide a business, investment or gaming opportunity;

(c) advertises or promotes anything referred to in paragraph (a) or (b); or

(d) promotes a person, including the public image of a person, as being a person who does anything referred to in any of paragraphs (a) to (c), or who intends to do so.

NOTE: a CEM includes an electronic message that asks for consent to be given

Key Definitions

Commercial activity means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, whether or not the person who carries it out does so in the expectation of profit, other than any transaction, act or conduct that is carried out for the purposes of law enforcement, public safety, the protection of Canada, the conduct of international affairs or the defence of Canada.

An electronic address is an address used in connection with the transmission of an electronic message to:

(a) an electronic mail account;

(b) an instant messaging account;

(c) a telephone account; or

(d) any similar account (e.g. social media?)

Key Definitions

It is prohibited to send (or cause or permit to be sent) to an electronic address a commercial electronic message unless:

An exemption to the prohibition applies;

OR

(a) the person to whom the message is sent has consented to receiving it or the CEM is exempt from consent; and

(b) the message meets the formality requirements.

Core Anti-Spam Provisions

The anti-spam prohibition under the Act does not apply to:

messages that are not CEMs

commercial electronic messages where the recipient:

has a family or personal relationship (as defined in the regulations) with the sender; or

is engaged in commercial activity and the message from the sender consists solely of an inquiry or application related to that activity.

Telecommunications Service Providers enabling the transmission of a message as part of a telecommunications service (safe harbour for intermediaries);

General Exemptions

Family relationship definition: 2 people related through marriage, common law, or legal parent-child, and who have had direct, voluntary two-way communications.

Personal relationship definition: 2 people who have had direct, voluntary two-way communication where it would be reasonable to conclude that the relationship is personal.

Reasonable test based on a non-exhaustive list of factors provided in the Regulations

Must be close relationship

No provision in the Act or regs for individuals to "opt-out" of the exemptions

Existing Family and Personal Relationships

CEMs that are:

whole or partial interactive two-way voice communication between individuals;

sent by fax to a telephone account;

voice recordings sent to a telephone account;

sent by personnel within an organization, and it concerns the activities of the organization (intra-business);

General Exemptions

CEMs that are:

sent by personnel of one organization to the personnel of another organization if the organizations have a relationship at the time, and it concerns the activities of the recipient organization (inter-business);

solicited by the recipient (i.e. response to a request, inquiry or complaint);

sent to a person in a foreign jurisdiction (that is listed in the Regs), and the CEM conforms to the laws of that foreign state which must be substantially similar;

General Exemptions

CEMs that are:

sent to satisfy, provide notice of or enforce a legal or juridical obligation or right;

messages sent and received on an electronic messaging service as long as certain requirements are met;

sent within a limited-access, secure and confidential account (one-way only);

sent on behalf of a registered charity for the primary purpose of raising funds as defined in the Income Tax Act; or

sent on behalf of a political party for the primary purpose of soliciting contributions, as defined in the Elections Act.

General Exemptions

Exemptions from Consent Requirements

NOTE: You must still comply with formality requirements!

CEM that solely:

provides a requested quote or estimate for the supply of a product, or service;

facilitates, completes or confirms a commercial transaction that recipient previously agreed to enter into;

provides warranty information, product recall information or safety or security information about a product or a service that the recipient uses, has used or has purchased;

provides notification of factual information about the ongoing use or ongoing purchase by the recipient of products or services offered under a subscription, membership, etc.

Exemptions from Consent Requirements

NOTE: You must still comply with formality requirements!

CEM that solely:

provides information directly related to the recipient's current employment relationship or related benefit plan;

delivers a product or service, including upgrades or updates, that the recipient is entitled to receive under the terms of a previous transaction;

communicates (first time only!) for the purpose of a third party referral by an individual with an existing business or non-business relationship, family or personal relationship and the message contains certain prescribed information.

Consent for CEMs

Unless otherwise exempt from the prohibition or from consent, one of the following must be relied upon to send a commercial electronic message:

express consent; or

implied consent.

Note: Onus is on person who alleges they have consent to prove it.

Note: There are different forms of consent, and each must be sought separately for each of: sending CEMs, alteration of transmission data and installation of a computer program.

Consent Requirements for CEMs

When seeking express consent, the following information must be set out clearly:

the purpose(s) for which consent is being sought;

information identifying who is requesting consent;

a statement that the person can withdraw their consent; and

other prescribed information.

requires active opt-in (pre-checked boxes not permitted)

may be obtained orally or in writing

Note: Once the law is in force you cannot send a CEM to request express consent, unless one of the exemptions applies or you already have implied consent.

Express Consent requirements for CEMs

Consent may be implied and allow for the sending of a commercial electronic message in the following situations:

1. The recipient:

has conspicuously published (e.g. on a website) the electronic address to which the message is sent;

has not included in their publication a statement that they do not wish to receive unsolicited commercial electronic messages at that electronic address; and

the electronic message is relevant to the recipient's official business, role, functions or duties; OR

Implied Consent for CEMs

2. The recipient:

has disclosed to the sender (e.g. provided a business card) the electronic address to which the message is sent;

has not indicated that they do not wish to receive unsolicited commercial electronic messages at that electronic address; and

the electronic message is relevant to the recipient's official business, role, functions or duties; OR

3. The sender has an existing business relationship or an existing non-business relationship with the recipient.

Implied Consent for CEMs (cont.)

"Existing business relationship" means a business relationship between the recipient and sender of a message, arising from:

the purchase, lease or barter of a product or a service, land or an interest or right in land, within 2 years immediately prior to the day on which the message was sent;

the acceptance by the recipient, within 2 years immediately prior to the day on which the message was sent, of a business, investment or gaming opportunity;

a written contract between the parties if the contract is currently in existence or expired within 2 years immediately prior to the day on which the message was sent; or

an inquiry or application by the recipient, within the six-month period immediately before the day on which the message was sent.

Existing business relationships

"Existing non-business relationship" means a non-business relationship between the recipient and the sender arising from:

a donation or gift made by the recipient to the sender within 2 years immediately prior to the day on which the message was sent, where the sender is a registered charity, a political party or organization;

volunteer work performed by the recipient, or attendance at a meeting organized by the sender, within the 2 years immediately prior to the day on which the message was sent, where the sender is a registered charity, a political party; or

membership of the recipient in the sender's club, association or voluntary organization, as defined in the regulations, within the 2 years immediately prior to the day on which the message was sent.

Existing non-business relationships

Formalities of CEMs

A commercial electronic message must contain:

the name of the sender or the name under which the sender carries on business;

If sent on behalf of another person, CEM must contain that name or the name under which that person carries on business;

If sent on behalf of another person, must contain a statement indicating which person is sending the message and which person on whose behalf the message is sent;

the mailing address, and either:

A telephone number;

An email address; or

A web address; AND

A functional unsubscribe mechanism that meets the prescribed requirements.

Contact info must be valid for 60 days

Alteration of Transmission Data and Installation of Computer Program Provisions

ALTERING TRANSMISSION DATA

In force July 1, 2014

INSTALLATION OF COMPUTER PROGRAMS

In force January 15, 2015

ALTERING TRANSMISSION DATA

CASL prohibits the alteration of transmission data in an electronic message in the course of a commercial activity, without express consent

Where message is delivered to a destination other than, or in addition to, that specified by the sender

To aid, induce, procure or cause to be procured is also prohibited

Applies to any computer system located in Canada that is used to send, route or access the electronic message

ALTERING TRANSMISSION DATA

data means signs, signals, symbols or concepts that are being prepared or have been prepared in a form suitable for use in a computer system

transmission data means data that:

(a) relates to the telecommunications functions of dialling, routing, addressing or signalling;

(b) either is transmitted to identify, activate or configure an apparatus or device, including a computer program, in order to establish or maintain a communication, or is generated during the creation, transmission or reception of a communication and identifies or purports to identify the type, direction, date, time, duration, size, origin, destination or termination of the communication; and

(c) does not reveal the substance, meaning or purpose of the communication.

ALTERING TRANSMISSION DATA

Express consent is required from the sender or the person to whom the message is sent, i.e. the authorized email account holder

Burden of proof is on the person who alleges that they have consent

Note: no implied consent possible, like with CEMs

Consent must meet the formalities set out in the Act and the Regulations, including describing the purpose for the consent, the persons seeking it, the period of consent, and such other information as set out in the regulations

Consent must also include a withdrawal mechanism in the form prescribed by the Act and the regulations

Any request for withdrawal must be implemented within 10 business days of receipt

ALTERING TRANSMISSION DATA

General Exemption: if the alteration is made pursuant to a court order, or by a telecommunications service provider (TSP) for the purposes of network management

TSPs are broadly defined under the Act to include any providers of services or features by telecom facilities

Examples were provided in the RIAS of GM's OnStar or Ford's Sync systems

INSTALLATION OF COMPUTER PROGRAMS

CASL prohibits the installation of a computer program on any other person's computer system, in the course of commercial activity

CASL also prohibits causing an installed computer program to send an electronic message from a computer system

Without express consent, unless pursuant to court order

To aid, induce, procure or cause to be procured is also prohibited

Applies to any computer system or person (whether contravening or directing) located in Canada at the relevant time

Computer program and computer system are Criminal Code definitions

Note: CASL does not apply to user's own installation. Query who is doing the installation in a web download or with pre-installed software?

Note: CASL does not apply to computer programs installed for public safety purposes. Query whether auto braking systems are public safety, as per RIAS?

INSTALLATION OF COMPUTER PROGRAMS

Express consent is required from the owner or authorized user of the computer system

Burden of proof is on the person who alleges that they have consent

Note: no implied consent, like with CEMs, except in very narrow circumstances prior to January 15, 2015

Problematic where there is no user interface to receive messages or provide disclosure notices

Consent must meet the formalities set out in the Act and the Regulations, including describing the purpose for consent, the persons seeking it, the functions and purposes of the computer program, and such other information as set out in the regulations

For certain "invasive" software (with special functions listed in ss.10(5)), it gets more complicated. You must include additional information and actions set out in the Act and the regulations.

INSTALLATION OF COMPUTER PROGRAMS

Invasive software - Subsection 10(5) Functions:

Knowledge and intent that the software will cause the computer system to operate in a manner that is contrary to the reasonable expectations of the owner or an authorized user and:

Collects stored personal information

Interferes with control of the computer system

Changes or interferes with settings, preferences or commands

Changes or interferes with stored data

Communicates with another computer system or device

Installs a computer program that may be activated by a third party; or

Performs any other function specified in the regulations.

INSTALLATION OF COMPUTER PROGRAMS

Consent must be clear and simple

For software with ss. 10(5) functions, one must add additional information:

set out clearly and prominently, and separately and apart from the license agreement and the consent:

(i) description of the computer program's material elements that perform the function(s), including the nature and purpose of those elements and their reasonably foreseeable impact on the operation of the computer system;

(ii) bring those elements to the attention of the person from whom consent is being sought in the prescribed manner; and

INSTALLATION OF COMPUTER PROGRAMS

(iii) obtain an acknowledgement in writing from the person from whom consent is being sought that they understand and agree that the program performs the specified functions.

Such additional information not required if the function only collects, uses or communicates transmission data or performs an operation specified in the regulations

CASL contains complicated rules for requesting and ensuring the removal or disabling of certain software with ss. 10(5) functions, including providing assistance at no cost, within a one year period

INSTALLATION OF COMPUTER PROGRAMS

Deemed express consent (no separate consent required) for:

Cookies, HTML code, Java Scripts, operating systems, any other program that is executable only through the use of another computer program whose installation or use the person has previously expressly consented to, or any other programs specified in the regulations

IC Regulations have added several additional classes of programs, mainly for telecom network security and upgrades, as well as correction of failures of computer systems and programs

Provided it meets the reasonability test: the person's conduct is such that it is reasonable to believe that they consent to the program's installation

Many issues with what constitutes an operating system, a cookie, a telecom network, an upgrade/update or a failure

INSTALLATION OF COMPUTER PROGRAMS

Special rules for installation of software updates and upgrades

May be deemed consent if TSP is installing an update to their network or if required for safety/failure correction purposes

Consent to install updates or upgrades can be requested in advance, e.g. at the same time as the original installation, or when the user is downloading, as long as consent is requested in accordance with the specific formalities of CASL and the upgrades or updates are installed in accordance with those terms.

Implied consent until January 15, 2018 to installation of update or upgrade if the software being updated was installed prior to January 15, 2015 and no notice of withdrawal of consent is given.

TRANSITIONAL PROVISIONS

The majority of CASL is coming into force on July 1, 2014; however:

A person's consent to receiving CEMs is implied until (i) notified otherwise or (ii) July 1, 2017, whichever is earlier, if:

the sender and recipient have had an existing business relationship or an existing non-business relationship at any time prior to July 1, 2014 (i.e. no 2 year limit); and

the relationship includes the communication of CEMs.

Also, implied consent to install software updates or upgrades until (i) notified otherwise or (ii) January 15, 2018, whichever is earlier, if the software was installed prior to January 15, 2015.

Transitional Provisions

COMPLIANCE STRATEGIES

Be proactive!

Review existing communication and software practices internally as well as with applicable external service providers.

Develop a database that identifies which commercial electronic messages (and data alterations or software installations, if any):

(i) have implied consent and track duration;

(ii) require express consent and must comply with formalities;

(iii) must comply with formalities or information requirements; and

(iv) neither require consent nor compliance with formalities.

Draft, review, collect and update necessary consents, notices and acknowledgements

How to comply

Ensure records of consent, written acknowledgements and notices are retained and retrievable

Create and maintain an easy-to-use and effective unsubscribe mechanism

Create templates for your business' electronic commercial messages which satisfy the prescribed requirements

Develop a CASL-compliance policy to address applicable provisions in the law and provide copies of this policy to all relevant employees and service providers; provide training

Amend contracts with service providers to allocate obligations and liability risk

Additional considerations

Maintain records of all procedures and policies implemented in order to ensure compliance with CASL.

Such documentation may later support a due diligence defense.

Contracts for sale of a business should include provisions transferring express consents as a business asset. *

* Note: We are awaiting the CRTC/IC's position on this.

Monitor development in jurisprudence and any new regulations and guidelines with respect to CASL and adapt practices as necessary.

Additional considerations

416-777-7475. Visit our Anti-Spam Learning Centre at: www.bennettjones.com

This presentation contains statements of general principles and not legal opinions and should not be acted upon without first consulting a lawyer who will provide analysis and advice on a specific matter.
