The most widely read magazine for Canadian lawyers
Issue link: https://digital.canadianlawyermag.com/i/117042
LEGAL REPORT/Privacy ���A lot of people mistake or confuse the requirements. They think they���re already complying with privacy legislation so they should be fine with the new anti-spam legislation, but they���re not considering them together.��� Alexandra Nicol, Borden Ladner Gervais LLP potential for online fraud. ���Because we call it anti-spam [legislation], it really gives the wrong impression,��� says Nicol. CASL prohibits the sending of commercial electronic messages unless the recipient has given express consent to receive those messages (and the message itself complies with the regulations CASL has set out, such as identification of the sender). But the legislation goes beyond that to address the collection of personal information through unauthorized access to computer systems, including compiling lists of e-mail addresses. The legislation requires consent in order to install software on devices across an entire network for update and upgrade purposes (with a proposed exemption for telecommunications service providers, for the purpose of preventing illegal activities that present a risk to the security of their networks). So what exactly does that mean for businesses? When CASL comes into force, it will require businesses to obtain opt-in express consent for sending commercial electronic messages and limit the ability to install new software without permission. Practices developed under PIPEDA are no longer adequate in terms of sending commercial electronic messages, says Michael Fekete, a partner at Osler Hoskin & Harcourt LLP and co-chairman of the firm���s technology group. ���There���s a lot of recognition that the anti-spam legislation changes the rules.��� PIPEDA sets out general privacy principles, while the rules in CASL are prescriptive, he says. And where PIPEDA allows for an assessment of the appropriate form of consent, CASL imposes express consensual requirements, including an optin standard of consent. Bulletins from 48 April 2013 www.CANADIAN the Canadian Radio-television and Telecommunications Commission go one step further and limit the types of express consent that are acceptable. Under PIPEDA there is an understanding you can rely on opt-out consent for marketing materials, as long as you meet certain conditions set out by the privacy commissioner such as providing an opt-out mechanism that is easy to use and immediate for the consumer, says Wendy Mee, an associate with Blake Cassels & Graydon LLP who practises advertising and marketing law. Consent standards under PIPEDA are much more lax than CASL; as a result, most organizations don���t have the information they need in each individual case to show a particular e-mail can be tied back to an existing customer relationship. So businesses have to re-qualify those relationships or get fresh consent from individuals. ���Businesses need to do an audit of how they���re collecting information and tracking consent and how they���re using the information subsequently,��� says Mee. ���Can they link a person���s e-mail address to whether or not they���re a customer? Do they have that sophistication? If they don���t, they need to go out and get express opt-in consent.��� But once CASL comes into force, businesses can���t use electronic means to request consent, making it even more difficult to get that express opt-in consent. Adding to the complexity is the fact the regulations for the law have not yet been finalized. ���There are a number of interpretation issues, fundamental questions that remain outstanding, that make complete compliance planning impossible at this stage,��� says Fekete. ���Most [companies] are undertaking a gap analysis so when the regulations become final they���ll be able to more L a w ye r m a g . c o m fully implement compliance efforts.��� The definition of a commercial electronic message also remains outstanding, and the definition is currently so broad as to be unhelpful, he adds. Companies have received conflicting definitions from the CRTC and Industry Canada; if an e-mail includes a link to a web page, for example, it���s not clear whether that constitutes a commercial electronic message. Because of the scope of the new legislation, it will involve the CRTC, the Competition Bureau, and the Office of the Privacy Commissioner �����which adds complexity, but also offers some advantages. ���It���s designed in such a way that a number of agencies or regulatory enforcement authorities will be involved in the administration and will ultimately be working together,��� says Nicol. ���If there is an investigation, the privacy commissioner can properly refer complainants to the enforcement mechanisms set out in CASL.��� In the event of a conflict between CASL and PIPEDA, CASL would prevail. If there was a complaint about receiving an e-mail that was not consented to, for example, it would fall under CASL ��� and the penalties under CASL are much more significant than under PIPEDA. The anti-spam law provides for fines that could reach up to $10 million per violation and statutory damages up to $1 million a day. ���Under PIPEDA, the commissioner would look at the situation and tell you what to do to come into compliance and perhaps publish the findings,��� says Mee. This could potentially result in reputational damage, but otherwise the penalties are not considered harsh. With CASL, a business could be fined by the regulator and sued by an individual; there���s also the potential for class actions. However,