Monday, April 7, 2014

Canadian Anti-Spam legislation (Including software installation) (Part II)

This blog is a continuation of a previous post concerning the new Canadian Anti-Spam Legislation (CASL). Part I can be found here.

This part will deal with how to prepare for this new legislation.

First of all, the question that comes to mind is what we should do to prepare for this law. One must first understand that this law deals with ALL commercial electronic communication from companies, organizations, non-profits, individuals, etc., that send out email and install software programs.

Let's take an example or three.

Your company has a booth at a trade show. You have a fish bowl at your booth for a prize draw. After the show, you take all the names of the people who entered the draw and add them to a mailing list. Then, as you prospect these potential clients, you send out an email soliciting their business. Unless they have specifically 'signed' permission allowing you to do this (OPT-IN), your company can be found in contravention of the law and be fined up to $5 million.

Another example:

You have a web site where potential customers can download marketing material on the goods or services you provide. However, you require these web surfers to register before that material is made available for download. At the bottom of the webpage you have a check box (already pre-checked for the user) allowing the company in question to email further updates. This case could be interpreted as an OPT-OUT option because the check box is already pre-filled. This would satisfy the CAN-SPAM Act (US) but would not be deemed compliant with the new Canadian law, which requires an explicit OPT-IN option. And once again the company could be liable for millions of dollars in fines.

And one final example:

You bought a software application to be installed on your smart phone (or PC, iPad, Mac or tablet). When you start installing the package, there is no explicit consent to allow for the installation; therefore the software company would be liable. Also note that an End User License (EUL) acceptance may not be enough to satisfy the requirements.

Find below a few suggestions that, I believe, would help to start planning for compliance.

1) Take an inventory of all commercial messages that your organization is currently sending out, or planning to send out. This includes text messaging, Facebook campaigns, emails, etc.

2) Discuss and create policies and guidelines that define what a Commercial Electronic Message (CEM) (as per CASL) is within your organization. If there are any exceptions that are applicable these should also be noted within the new policy.

3) Create an all-encompassing list of computer programs that your company directly, or indirectly installs on any electronic device.

4) If applicable, create a list of all computer products (and services) that your organization is involved with. This includes not only the initial software installation but any updates/upgrades that are part of your business process.

5) Discuss and create policies and guidelines that determine when your organization needs to obtain consent before installing software. Also note that, while there are some exceptions (which should also be documented), all the information will need to be retained for review at a later date.

6) Review the consent that has been collected so far and see if it complies with the new legislation. If not, a process may need to be created to obtain consent under the new policies. This is further complicated by the three year transition period mentioned within the law.

7) Document and create a process where the end user can agree to enter into a commercial arrangement, yet withhold consent to CEM.

8) Retain documentation/proof that a written consent was obtained. This includes date, time and manner of consent. Further consideration may also be needed if your organization allows for verbal consent rather than written. Given the strong penalties that can be doled out, every type of consent must be tracked.

9) Update the avenues of interaction between the organization and the end user to reflect the new policies (see above). This includes templates used to send out CEM, websites, social media, etc. Also be aware that mandatory identity and contact information must be included in any future CEM.

10) Create a process so that the end user can rescind any previous consent. Remember that the withdrawal of consent must then also be forwarded to any third parties and associated companies, if applicable.

Consider the above as only a guideline on how to proceed. Again, I emphasize that this is not legal advice, nor is it intended to be all-encompassing. Every situation is different.

If you have any questions or concerns, feel free to contact me.

Monday, March 31, 2014

Canadian Anti-Spam legislation (Including software installation): a worldwide concern (Part I)


On July 1 2014 the new Canadian Anti-Spam legislation (CASL) will begin to be enforced (the first of three phases). Why should I care if I live outside Canada? What does it mean if I am a Canadian business? Should I care if I am an SMB, as this is only for spammers/the 'bad' guys?

Well, you will be very surprised at the answers to these questions. So let's get started.

One thing most experts agree on is that the 'new' Canadian legislation and regulations are among the strongest in the world concerning commercial messaging.

But I am getting ahead of myself. First, what exactly is CASL? In the best non-legal verbiage, CASL establishes the rules concerning commercial electronic messages (CEM). ALL CEM, with exceptions (see below for some examples), must have explicit consent (OPT-IN) before the CEM is sent. Just to make things more interesting, it also deals with the installation of software programs. (This last part is something that should worry software development companies. In fact, I would hazard a guess that most software developers are not aware of this implication (more on this later).)

Now let's try to address some of the not-so-obvious parts of this quagmire.

1) 'Well, this legislation deals with spamming, which we don't do!'

Very wrong. It covers everyone: individuals, corporations, unincorporated businesses, not-for-profit organizations, and everyone else who sends messages for commercial purposes. And a CEM is not only email, but also instant messages, Facebook, Instagram, Twitter and SMS, to name just a few. Oh, and by the way, it could also apply to telephone calls.

2) I am not located in Canada, so why should I care?

The answer may surprise you. As long as either the sender or the RECEIVER of a CEM is on a computer located in Canada, that CEM is covered under the act. In the atmosphere of globalization, extraterritorial laws are becoming more and more prevalent. Examples abound in today's society. Just look at the EU Data Protection Directive. It has been argued that as long as the information (PII) concerns a citizen of an EU country, the EU privacy legislation will apply, even though the company in question has no presence within the European Union. In fact the new regulation, the EU's General Data Protection Regulation, which has been proposed and is awaiting passage, explicitly mentions this. But I digress. So being located outside Canada does not exempt you from the regulations.

3) Let's dispel another issue.

The US anti-spam legislation (CAN-SPAM Act) relies on OPT-OUT consent (it is assumed you want commercial email unless you say otherwise); CASL requires OPT-IN consent. In fact, not only that, but sender information, consent requirements and contact info must also be listed as part of the notice/consent request. So even though your commercial email is designed to comply with the US rules, it will not be compliant with the Canadian regulations.

4) Provisions concerning installation of software programs in Canada.

The legislation also covers consent concerning software programs that are installed in Canada, whether the person installing the program is located in Canada or not (remote administration of sites, for example). More about this later.

5) There are exceptions to the OPT-IN consent requirements.

There are some exceptions, for example if the CEM concerns a requested quote or estimate for a service or product, helps to confirm or complete a commercial transaction, or provides warranty information. But be forewarned: the law does not have a very extensive exception list. There are some rules concerning implied consent as well. They include: if there is a business relationship within a period of time; if there is a written contract (implied consent is then only valid for a couple of years following termination of the contract); or if an inquiry has been made by the recipient in the prior six months.

6) So can a check box fulfill the requirements of the legislation?

This actually gets a little sticky. There is no mention within either the legislation or the regulations published in Dec 2013 that a check box OPT-IN would suffice. HOWEVER, in a non-binding enforcement guideline issued by the CRTC (Canadian Radio-television and Telecommunications Commission), it was suggested that a check box is not enough to comply with the requirement.

7) Additional Computer 'stuff'.

Previously I mentioned needing consent to install software on a computer. The definition of a computer is more all-encompassing than you may think. It includes smart phones, tablets, or in fact any computer-based device. Now there are some exceptions to this. Certain classes of programs are exempt. The list includes cookies, operating systems, JavaScript, sub-routines, HTML code, etc. I would also be remiss if I did not mention that installation of programs like anti-virus software can also be an exception to the regulation requirements, but only if it was done by, or for, a telecommunication service provider[1]. Also, a one-shot program to fix an issue may be an exemption.

8) EUL (End user License).

There is nothing about an EUL within either the legislation or the regulations concerning CASL. However, the CRTC issued a non-binding guideline stating that accepting an EUL cannot in itself be considered explicit consent. Rather, a separate agreement dealing with consent needs to be created for review and acceptance by the end user. That way the consumer can refuse consent or give informed consent.

In my next blog, I will be dealing with additional items to consider and what companies should do to prepare for CASL.

In the meantime, if there are issues (not legal advice) you would like me to address, or questions you may have, feel free to contact me.

I also invite you to review my other blog posts concerning Data, Security and Privacy.

Please note: do not consider this legal advice, nor does it address individual circumstances. These blog entries are solely for the purpose of addressing general questions concerning the subject. I STRONGLY suggest that you do your due diligence concerning this matter.

[1] A service, or a feature of a service, that is provided by means of telecommunications facilities, whether the telecommunications service provider owns, leases or has any other interest or right respecting the telecommunications facilities and any related equipment used to provide the service.