Canadian Anti-Spam Law (CASL) Employee Training
Canada’s Anti-Spam Legislation (CASL)
This mandatory employee training is being provided so that Equifax Canada can meet its obligations under the new law. In this training, you will learn:
• What is spam?
• What is CASL?
• What are our obligations as employees of Equifax?

What is spam?
Spam is not just the world’s largest selling canned meat (having sold more than 7 billion cans over the past 75 years). When we talk about the law, and in particular Canada’s new Anti-Spam Law (CASL), “spam” means any unsolicited commercial electronic message.
What’s the problem?
• Spam has been used as a vehicle for the delivery of other online threats such as viruses, spyware, phishing and malware
• Industry Canada reports that spam makes up nearly 90% of worldwide e-mail traffic
• Network threats and oversaturation of spam threaten the stability of the Internet and the confidence of consumers to conduct business online

Purpose of the Canadian Anti-Spam Legislation (CASL)
Much like the Monty Python skit, where 2 customers in a greasy spoon are overwhelmed by the amount of spam included in every menu option, Canadians have been overwhelmed by the amount of unwanted solicitations in their electronic accounts (e.g. e-mail). In response, the Canadian government has introduced CASL to discourage the sending of spam from and to Canada. The legislation is drafted in a broad manner to create a prohibition against unsolicited commercial electronic messages (“CEMs”). CASL also prohibits undesired installations of computer programs (such as malware or spyware).

What is a Commercial Electronic Message (CEM)?
• A CEM is essentially an electronic message whose purpose, or one of whose purposes, is to encourage participation in a commercial activity.
• Electronic Messages include:
  • E-mails
  • Text/voice/sound messages
  • Instant messages
  • Direct social media messages

What is a CEM? (cont.)
CASL defines commercial activity broadly. It may include:
• Broad definition
• Offers to purchase or sell a product, good, or service or to advertise or promote them
• Any publication that is sent to members of the public could be caught if it contains an advertisement, endorsement, or promotion of a product or service, or does so indirectly such as providing links that give contact information about where to find a product or service
• Even linking to a home page of a business can be enough to be considered “encouraging a commercial activity”!
In effect, all organizations carrying on business in Canada have had to review all messaging and marketing practices to determine whether any of the obligations or requirements of CASL apply to a particular type of message.

How is CASL enforced?
• Three government agencies are tasked with enforcing CASL:
  • Competition Bureau of Canada
  • Office of the Privacy Commissioner of Canada
  • Canadian Radio-Television and Telecommunications Commission (CRTC)
• The penalties for failing to comply with CASL are steep. Administrative fines can be up to $1 Million for individual offenders and $10 Million for companies for each breach.
• Officers and directors can be held liable for a violation if they directed, authorized or participated in the violation.

Important Dates
• The prohibition against sending unsolicited CEMs comes into effect on July 1, 2014.
• However, there is a transition period for the first three years, which allows a sender to presume that it has consent to send a CEM to a recipient with whom it has a business relationship, as long as the sender and recipient had communication within those three years.
• Additional prohibitions against the installation of unwanted computer programs come into effect on January 15, 2015.
• Consumers and businesses will be able to take civil action (i.e. start a lawsuit) against anyone who violates CASL as of July 1, 2017.

What requirements will Equifax Canada need to comply with?
There are 2 key requirements to ensure Equifax Canada complies with the CEM regulations: (1) Obtain express consent when needed, and (2) Ensure the CEM meets the Form and Content requirements of CASL.
Consent:
• The sender of a CEM must ensure that the recipient has consented to the receipt of the CEM prior to sending the CEM.
• The general rule requires that recipients expressly opt-in to receive the message. However, for certain types of CEMs and scenarios, the sender can rely on “deemed” consent under CASL. This means that the legislation has listed specific instances in which express consent is not required.
Form and Content:
• All CEMs must set out certain identifying information about the sender(s) of the message (e.g. the name, mailing address, web address, etc.)
• All CEMs must contain a functional unsubscribe mechanism, which enables the recipient to indicate that they no longer wish to receive that type of CEM.

Obtaining Opt-In Express Consent
Express consent can be obtained orally or in writing. However, oral consents are more difficult to keep track of. When obtaining express consent, the recipient must take an affirmative action indicating that they wish to receive the CEMs. In addition, the request for express consent must contain:
• The purpose or purposes for which the consent is being sought;
• The name by which the person seeking consent carries on business, if different from their name, if not, the name of the person seeking consent;
• If the consent is sought on behalf of another person, the name by which the person on whose behalf consent is sought carries on business, if different from their name, if not, the name of the person on whose behalf consent is sought;
• If consent is sought on behalf of another person, a statement indicating which person is seeking consent and which person on whose behalf consent is sought;
• The mailing address, and either a telephone number providing access to an agent or a voice messaging system, an email address or a web address of the person seeking consent or, if different, the person on whose behalf consent is sought; and
• A statement indicating that the person whose consent is sought can withdraw their consent.

Exemptions from CASL
CASL does not apply to certain types of messages, including:
• Where the message does not encourage commercial activity
• Where the message is not sent by means of telecommunications
• Employee-to-employee messages, where the employees work for the same organization and the message is about the organization
• Messages responding to inquiries, complaints or that are otherwise solicited by the recipient
• Messages to provide notice or enforce a legal right, court order, judgment or tariff
• Messages sent to a limited access secure and confidential account where only the person providing the account can send messages to the person who receives the message
This means that neither express consent nor the form and content requirements apply!

Deemed Consent
A recipient’s consent is deemed where:
• There is an existing business relationship (as defined in CASL).
• The recipient conspicuously posted their electronic address (without a statement explicitly indicating that they do not want to receive unsolicited CEMs) and the message relates to the recipient’s business, role or function in their business.
• The recipient handed out their business card.
• The message is to provide a quote or estimate for the supply of goods or services, if the quote was requested.
• The message facilitates, completes or confirms a commercial transaction.
• The message provides warranty information, product recall information or safety or security information about a product, good or service.
• The message provides factual information about the ongoing use of a product, goods, or a service offered under a subscription, membership, account, etc. or the subscription, membership or account itself.
• Messages that provide information directly related to an employment relationship or benefit plan.
• Messages that deliver a product, goods or a service, including product updates or upgrades.

“Existing Business Relationship” is an important definition, as most of Equifax Canada’s business activities involve existing customers or prospective customers who have reached out to Equifax for services.
Under CASL, an “existing business relationship” arises from:
• The purchase or lease of a product, goods or service by the recipient within the two-year period immediately before the day on which the message was sent (“two year period”).
• The acceptance by the recipient within the two year period of a business opportunity offered by the sender.
• An inquiry or application, within the six-month period immediately before the day on which the message was sent, made by the recipient to the sender.
• An ongoing contract (and you can continue to send CEMs for 2 years after the contract is terminated)!
In these instances, consent is deemed (which means you do not need to seek express consent).

So, what are my obligations as an Equifax employee?
Equifax Canada has published the Equifax Canada-CASL Policy. This Policy (“Policy”) provides an overview of CASL and outlines the company’s policies and procedures that have been implemented to ensure compliance with CASL and applicable legislation. Review this Policy and use the tools to ensure you are compliant.
Policy Tools:
• Express Consent Guidelines: outlines when express consent is needed and how to obtain it (includes templates)
• Form and Content Guidelines: outlines the requirements for all CEMs, including a signature template.
• CEM Inventory Guide: provides an overview of all CEMs currently sent by Equifax Canada and the compliance requirements.
• CEM Inventory Template: Sending a message not on the CEM Inventory Guide? Use this template to assess the requirements.

Equifax Canada CASL Policy HIGHLIGHTS
• Each employee is responsible for complying with the Policy when sending CEMs. At a very high level, this means:
  • Obtaining express consent when needed prior to sending any CEM;
  • Reviewing Equifax’s “unsubscribe” list to ensure you do not send any unwanted CEMs to recipients who have unsubscribed;
  • Ensuring your CEM complies with the Form and Content requirements;
  • Refraining from sending any CEMs from your Equifax issued mobile device; and
  • Not using any Equifax technology or devices for non-Equifax commercial activity!
• The Policy is a living document that will be updated by Legal as appropriate. You may refer to the Policy and its tools to help guide your individual compliance. However, the Policy and tools do not replace legal advice. If you are unsure, book an appointment with Legal to review prior to sending any CEM.
• Compliance with the Policy will be monitored on a continuous basis.
• The company will train all new hires on the Policy and will conduct training annually and/or as needed.

THANK YOU! THANK YOU FOR YOUR PARTICIPATION! PLEASE COMPLETE THE QUIZ!