The three regulators seated at the speakers’ table didn’t have to say a word about the fever-pitch level of concerns they’re hearing from businesses on Canada’s new anti-spam legislation (CASL): The stuffed-to-the-gills, guess-I’ll-sit-on-the-floor conference room at the IAPP Canada Privacy Symposium spoke for itself. Even so, the regulators opened their session with the words, “It’s been a very aggressive few months.”
Emilia de Somma and Dana-Lynn Wood, legal counsel and senior enforcement officer, respectively, of the Canadian Radio-television and Telecommunications Commission (CRTC), said they see six requests a day for speaking engagements, and when they announced they were to launch a coast-to-coast tour aimed at educating the public on their expectations once the law comes into force, they had 425 e-mails within 45 minutes.
So it’s no surprise de Somma and Wood’s “CASL: Final Word from the Regulators,” also with André Leduc of Industry Canada—the government department that developed the legislation—and moderator Shaun Brown of nNovation, was in demand. They used it to describe what companies can expect from the enforcers once the law comes into force on July 1 and how to stay out of trouble.
CASL requires senders to obtain express consent in order to send commercial electronic messages (CEMs), that is, any messaging that promotes commercial activity. It’s a bit tricky, because while the law defines CEMs, each organization’s circumstance will be different, and it’s up to them to determine whether the message is looking to sell something. But no factors are determinative, de Somma said.
The CRTC, which has released a list of frequently asked questions in response to the panic, has been fielding questions from worried folks looking for a hard-and-fast answer about their particular message. Is it a CEM?
As far as enforcement goes, the CRTC will look at the message as a whole to determine that. If a business is sending a holiday greeting card to customers—and the company logo and a link to the company’s site is on the electronic greeting card—does it look like the company is trying to disguise promoting commerce?
No, de Somma said. Those aren’t the bad apples they’re after, and they’re not looking to pick the low-hanging fruit.
“With something like a greeting card, the purpose isn’t to try and get someone to buy a certain product; it’s customer-relations and outreach,” she said. “Those are the distinctions we’ll be looking for.”
But don’t get any ideas, Wood said. Sending out a benign newsletter and then tacking on a promotion within it for 20 percent off your product could land you in hot water, for example.
Leduc said when it comes to gray areas on the details, use the sniff-test approach.
“If it smells a little bit fishy, you may be crossing the line,” he said. “Better safe than sorry. Do that sniff test, and as soon as it starts to smell a little bit like fish, it likely is.”
Wood said senders of CEM will have to do their own risk analysis, and “everything will be determined on a case-by-case basis.”
It’d be wise to do such an analysis, as the law carries a maximum penalty of $1 million AMP per violation. However, the regulators have a lot of other tools in the toolbox, too, and won’t be issuing fines July 2.
“Our approach is not linear,” Wood said, adding that enforcement action will depend on what is uncovered during the subsequent investigation. “There may or may not be a monetary component.”
While it is within the CRTC’s power to go straight to notice of a violation, it won’t notify organizations that it is investigating them. Investigations will be prompted via a SPAM reporting center, housed at the CRTC. All three enforcement agencies, the Competition Bureau, the Office of the Privacy Commissioner and the CRTC, which have entered into a memorandum of understanding, will have access to the center’s evidentiary database, allowing them to see all complaints and the size and scope of the investigation.
But if a business realizes, for example, that it sent e-mails to a group of people who had indicated they wanted to unsubscribe from messages, it could enter into an undertaking with the CRTC and potentially avoid harsher punishment, Leduc said.
“You’d go to CRTC and say, ‘Look, we just committed a huge violation; we didn’t mean to; it won’t happen again; what can we do to remedy this?’” he said.
It’s not the organizations that are trying to do the right thing that seem to be the target of impending enforcement. While Wood wouldn’t comment on specifics, she said when well-meaning businesses become compliant, it frees up the regulators to go after the most egregious offenders.
So what can we expect moving forward? Well, no one seems to know. It’s anyone’s guess. But de Somma said while it’s not unlikely that more specific guidance may come out for each industry involved, that will be determined as time marches on once the law is implemented. After all, part of the CRTC’s enforcement and compliance mandate is education.
“We’ll have to strike that balance between outreach and enforcement,” de Somma said. “We can’t keep up at the rate we have been but will continue to reach out.”
While organizations are right to be concerned with whether they’ve got express consent to send to users, Leduc said those who’ve already been complying with PIPEDA shouldn’t have much to worry about. That being said, now is the time for businesses to go through their lists and be sure that, should a regulator come knocking, they can prove every recipient on that list at some point gave express consent to be there. The obligation is on the sender, and while pre-checked boxes are an okay method, some kind of additional positive action on behalf of the recipient is required, such as entering in an e-mail address to confirm it’s clear the recipient understands they are indicating consent.
“What we’ve been hearing is a lot of ‘I don’t know how this person got on this list,’” Leduc said. “At the end of the day, you were already responsible for this under PIPEDA. So we were somewhat insensitive to businesses because they should already have an understanding of how people got on their lists.”
If you don’t, now’s the time to find out, he said, and that’s where recordkeeping becomes important.
“Our position at this point is valid express consent pre-CASL will continue to be valid, even if it doesn’t meet all requirements under CASL,” de Somma said.
The legislation also requires senders to include an unsubscribe option with CEMs—even if the message being sent relates to a product the user has already purchased, for example, which one attendee said she fears will confuse the recipient.
The regulators weren’t very sympathetic, saying they’ve heard that concern a number of times before and while they “might not have an answer that’s pleasing to everyone,” the fact is that now it’s law, so there isn’t much room to argue.
“One way you may want to try to mitigate having recipients unsubscribing from those types of messages is to build a granular unsubscribe mechanism,” de Somma said. “But, yes, it should be provided in order to facilitate unsubscribing from CEMs.”
She noted that Section 66 of the law provides exemptions in some specific cases, and businesses would be wise to see if they fall under any of those categories.
Finally, the regulators said, a review of CASL will take place three years from now to evaluate how things are going, and the CRTC will continue to publish information on its YouTube channel and via its Twitter handle.