OTTAWA · VANKLEEK HILL · ALEXANDRIA · KINGSTON
CASL Update: Not-for-profits and Charities
NOVEMBER 27, 2014
KIMBERLEY CUNNINGTON-TAYLOR
613-231-8299
nelligan.ca
Agenda
Anti-Spam
• What is a CEM
• Prohibitions, Exemptions and Consents
• Directors and Officers Liability
• Compliance Checklist
Software Installation Rules
Introduction
Dates:
• July 1, 2014 – Commercial Electronic Messages
• January 15, 2015 – Software Installation Rules
• July 1, 2017 – Civil Actions
Purpose
• Help protect Canadians from spam while ensuring businesses can continue to adapt and compete efficiently in the global marketplace
• Regulate conduct that discourages use of electronic commercial activities by compromising privacy and undermining confidence
Introduction, cont’d.
CASL (attempts to) prohibit:
• Sending unsolicited commercial electronic messages (CEMs)
• Installation of computer programs without express consent
• Altering transmission data or rerouting messages without express consent
What is a CEM?
• Electronic messages sent for the purpose of encouraging participation in commercial activity
• Commercial activity is defined in the Act as follows
  • any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, whether or not the person who carries it out does so in the expectation of profit, other than any transaction, act or conduct that is carried out for the purposes of law enforcement, public safety, the protection of Canada, the conduct of international affairs or the defence of Canada
What is a CEM? cont’d.
• Electronic message is defined in the Act as follows
  • a message sent by any means of telecommunication, including a text, sound, voice or image message
If a particular message does not meet the definition of a CEM, then CASL does not apply to that message
• Example
  • electronic communications sent to members of a not-for-profit corporation for the purpose of compliance with various legal obligations likely will not constitute a CEM as those electronic messages will not include a commercial purpose
What is a CEM? cont’d.
Question:
• Is the content of the electronic message I am about to send a CEM?
  • Is there a commercial character to the message? In other words, is there an encouragement to purchase a good or service?
  • If no, then CASL does not apply at all
Analysis not easy
Prohibitions
General Prohibition (s. 6)
• S. 6 contains two components:
  • the consent requirement, and
  • the content requirement
• Section 6 says, in essence, that a CEM cannot be sent unless:
  • the consent requirement: the person to whom the electronic message is sent has consented to receiving it, whether the consent is express or implied:
    – recipient has expressly consented to receiving electronic messages from you;
    – you have implied consent from the recipient based on the type of relationship you have with the recipient, or based on a deeming provision in CASL; or
    – CASL or the regulations to CASL provide an exemption from the consent requirements which applies to the corporation
Prohibitions, cont’d.
General Prohibition (s. 6), cont’d.
• the content requirement: the electronic message contains specific information set out in the Act, which states that each CEM must include the following:
  • the sender’s information (name, address, telephone number, website address, e-mail, etc.)
  • easy unsubscribe mechanism, such as the following:
    If you do not want to receive further e-mails from us, please click here / reply by typing UNSUBSCRIBE into the subject line of the message
Consents and Exemptions
Exemptions from all of Section 6 of CASL (both the content and consent requirements) include CEMs sent:
• to friends or to family
• within or between organizations that have a relationship
• by registered charities and political organizations for fundraising purposes
  • exemption does not extend to non-profit organizations, Registered Amateur Athletic Associations, or Registered National Arts Organizations
  • these organizations must be careful and find other exemptions (either full or partial) that may apply to them, or be prepared to fully comply with CASL
• …
Consents – Express and Implied
Express Consent
• Written or oral
• Allows organization to send electronic messages to the recipient unless/until the recipient withdraws consent (in other words, express consent does not expire)
• Even with express consent, organizations still must include the content in each electronic message required by section 6
Consents – Express and Implied, cont’d.
Implied Consent
• A type of consent that is given based on the type of relationship one has with others (a type of conduct, etc.)
• CASL and the regulations to CASL provide a number of different scenarios in which implied consent can be given, or is deemed to have been given
• It has included implied consent to take into consideration relationships that organizations have and has provided a transition period to allow organizations time to turn implied consent into express consent
Consents and Exemptions, cont’d.
Exemption from consent requirement of CASL available if organization has implied consent from recipient of CEM
Implied consent must be turned into express consent within 3 years of CASL coming into effect (July 1, 2017).
Types of implied consent:
• Existing business relationship
• Existing non-business relationship
• Person provides his/her e-mail address and does not say he/she does not want to receive CEMs
Consents and Exemptions, cont’d.
Existing non-business relationship
• the receiver of the CEM
  • made a donation or gift to
  • volunteered for
  • attended a meeting organized by
• the registered charity sending the CEM
  • Within 2 years prior to the day the CEM was sent
Note:
• exemption available only to registered charities; not available for non-profit organizations, RCAAAs, Registered National Arts Organizations or other types of organizations that have similar characteristics to a registered charity but are not registered charities pursuant to the definition in the Income Tax Act
Implied Consent – Types of Relationships
Charities are necessarily non-profit organizations
Non-profit organizations are not necessarily charities
Must be a registered charity under the Income Tax Act (meaning, not a charity at common law)
Registered Canadian Amateur Athletic Associations, Registered National Arts Associations and other organizations with charity-like attributes and privileges, but not registered as charities under the Income Tax Act, are excluded from any specific exemption
• These organizations must find partial or full exemptions in other ways (i.e. is it reasonable to conclude that an RCAAA would not be a non-profit organization?)
Implied Consents, cont’d.
Existing non-business relationship
• the receiver of the CEM was a member of the organization sending the CEM, within the immediate 2-year period prior to the day the CEM was sent
  • membership is defined in the regulations to CASL as
    – the status of having been accepted as a member of a club, association or voluntary organization in accordance with its membership requirements (Reg. s. 7(1))
  • organization is also defined in the regulations to CASL as
    – a club, association or voluntary organization … (Reg. ss. 7(2))
Implied Consents, cont’d.
Note:
• definition of organization not identical to definition of non-profit organization in the Income Tax Act
• Definition in CASL broader
  • Allows for application to charities, RCAAAs, Registered National Arts Organizations and other types of organizations with similar characteristics of a non-profit organization and who may have members
Fundraising Exemption
• Applies only to registered charities
• Messages sent by or on behalf of a registered charity as defined in the Income Tax Act and the message has as its primary purpose raising funds for the charity
• Examples:
  – The charity sends messages soliciting funds
  – Directors / officers / staff / volunteers fundraise on behalf of charity
• Non-profit organizations, RCAAAs and other like organizations do not have fundraising exemption available
Fundraising Exemption, cont’d.
Wording from regulation:
• Section 6 does not apply to a commercial electronic message that
  …
  • is sent by or on behalf of a registered charity as defined in subsection 248(1) of the Income Tax Act and the message has as its primary purpose raising funds for the charity
Fundraising Exemption, cont’d.
Section 248(1) of the ITA defines registered charity as
• a charitable organization, private foundation or public foundation, within the meanings assigned by subsection 149.1(1), that is resident in Canada and was either created or established in Canada, or
• a branch, section, parish, congregation or other division of an organization or foundation, described in paragraph 248(1) “registered charity” (a), that is resident in Canada and was either created or established in Canada and that receives donations on its own behalf,
that has applied to the Minister in prescribed form for registration and that is at that time registered as a charitable organization, private foundation or public foundation
Fundraising Exemption, cont’d.
Non-profit organizations, RCAAAs, Registered National Arts Organizations, and other types of organizations that may be exempt from the payment of income tax are described in other clauses in the ITA
The fundraising exemption is not available to these organizations because they are not registered charities
Because these other organizations do not have available to them the exemptions that a registered charity has, care must be taken in working with CASL
Directors and Officers Liability
Directors and officers can be held liable if penalties assessed because of non-compliance and directors and officers authorized, instructed or acquiesced in delivery of message
Directors and officers can also be held vicariously liable for the actions of their employees
Due diligence defence available
Directors and Officers Liability
CRTC says they are going to work on a ‘compliance continuum’ and are not interested in groups that make mistakes in compliance; will work on education and guidance before punishing with penalties
Important that board be involved in CASL compliance projects
Should have
• Decision tree (documented reasoning behind decisions taken in respect of CEMs)
• CASL Compliance Policy
Directors and Officers Liability
As of July 1, 2017 private right of action commences
• Class action lawsuits (likely)
• Questions:
  • how many claims will be certified
  • is there an identifiable group that suffered damage or loss
  • what types of charities and non-profit organizations may be affected by private right of action?
Check with D&O insurer to determine whether or not non-compliance with CASL covered, if special coverage will be required, or if insurance not covering CASL related claims
Decision Tree and Compliance Checklist
Is the message I am about to send a CEM?
• Yes - next question
• Not Sure - next question
• No - CASL does not apply to message
Is there an exemption available to the whole of Section 6?
• Yes - no need to comply with either content or consent requirements
• No - next question
Decision Tree and Compliance Checklist, cont’d.
Is there an exemption available to part of Section 6?
• Yes - no need to comply with consent requirements
• No - next question
Do I already have express consent?
• Yes - can send CEMs unless or until recipient withdraws consent
• No - next question
Decision Tree and Compliance Checklist, cont’d.
Do I already have implied consent?
• Yes
  • When will implied consent expire?
  • Can I turn implied consent into express consent by July 1, 2017?
• No
  • Delete e-mail address from mailing list
Compliance Checklist
Conduct inventory of all contacts (mailing list, Outlook contacts, etc.)
Categorize by
• Main purpose of electronic communication
• Type of contact (donor, volunteer, member, client, sponsor, business or other type of relationship)
• Type of consent you already have (express or implied)
Implement compliance strategy
• Are you relying on implied consent
• Are you going to try to get express consent from everyone
• Are you going to include content requirements on all electronic communications even if an exemption applies?
Compliance Checklist, cont’d.
Update your mailing / contact lists based on compliance strategy
Develop a consent request template
Develop a CEM template
Compliance Checklist, cont’d.
Develop CASL compliance policies (don’t forget third party service providers)
Include board in decisions
Keep written record of decision tree (due diligence)
Train staff, board, volunteers, etc.
Tips
• Review CRTC’s FAQ (last updated August 8, 2014)
• Understand difference between regular e-mail messages and CEMs
  • How many of your day-to-day e-mails are going to contain commercial content?
• The fact that you may provide a service is not enough, on its own, to make something a CEM
Software Installation Rules
Comes into force January 15, 2015
Section 8 of CASL
Guidance published by CRTC as of November 18, 2014
Applies to computer programs installed on another person’s computer system (definitions of ‘computer program’ and ‘computer system’ come from the Criminal Code (s. 342.1))
Software Installation Rules, cont’d.
Must be in the course of a commercial activity
The person installing or directing the installation of the computer program must be in Canada, or the computer system must be in Canada
May install or cause to be installed a computer program if
• You have express consent
• You have a court order
Software Installation Rules, cont’d.
Commercial activity is defined in the Act as follows
• any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, whether or not the person who carries it out does so in the expectation of profit, other than any transaction, act or conduct that is carried out for the purposes of law enforcement, public safety, the protection of Canada, the conduct of international affairs or the defence of Canada
Software Installation Rules, cont’d.
CASL does not apply to programs or apps owners or authorized users download themselves to install on their own computer or device, or updates they install for those programs (self-installed software)
• CASL only applies when you install or cause the installation of a computer program on another person's device in the course of commercial activity
Software Installation Rules, cont’d.
Examples from Guidance
• an app is purchased and downloaded to a mobile device from an app store
• software on a CD is purchased from a store and installed on a computer
• software from a website is downloaded and installed on a device
• software is installed by a small business on its devices used by its employees
• a previously-installed app offers an update, and the user installs the update
  • Note that, in this case, the Guidelines state that if the app installs the update in the background, without prompting or informing the user, then CASL applies
Software Installation Rules, cont’d.
“Deemed Consent” – s. 10(8) of CASL
• You are considered to already have express consent if your program is included in the following list:
  • Cookies, HTML, JavaScript, an operating system
  • Any other program that is executable through another program that was already consented to
  • If you are a telecommunications service provider (as defined in CASL) and you are installing software to:
    – protect the security of all or part of your network from a current and identifiable threat; or
    – update or upgrade all or part of your network
  • Software installed solely to correct a failure in a computer system (e.g., bug fixes)
Software Installation Rules, cont’d.
The person’s conduct must indicate that they consent. Examples:
• No consent for a person who disables JavaScript in their browser
• No consent for a person who disables cookies in their browser
Software Installation Rules, cont’d.
Consent
• If you do not have “deemed consent”, you must request consent before installing the software
• When seeking consent for the installation you must clearly and simply set out:
  • the reason you are seeking consent;
  • who is seeking consent (i.e., the name of the organization; or if consent is sought on behalf of another person, that person's name);
  • if consent is sought on behalf of another person, a statement indicating which person is seeking consent and which person on whose behalf consent is being sought;
  • the mailing address and one other piece of contact information (i.e., telephone number, email address, or web address);
  • a statement indicating that the person whose consent is sought can withdraw their consent; and
  • a description in general terms of the functions and purpose of the software to be installed.
The person who has obtained consent has the responsibility to prove it
• Tip: The person who seeks consent should keep a record of it
Software Installation Rules, cont’d.
Owner and Authorized User
• the Guidance offers the following non-exhaustive list of examples:
  • in the context of an employment relationship, the employer would be the owner and the employee would be the authorized user
  • if an individual owns a computer but provides it to their child, spouse, or other relative for their sole use, the child, spouse or other relative is the authorized user of the computer
    – the Guidance does not indicate whether and how a minor child can give valid consent
  • if someone leases a device, the lessor will retain ownership of the device for the purposes of CASL and the lessee is the authorized user
  • if a device is sent out for repair, the person conducting the repair is an authorized user under CASL, but only to the extent that they perform the agreed-upon repairs to the device
Software Installation Rules, cont’d.
What about software that was installed before January 15, 2015?
• Under CASL, if a computer program was installed on a person's computer system before January 15, 2015, the person's consent to the installation of an upgrade or update is implied until January 15, 2018, unless the person notifies you that they no longer consent to the installation of future updates or upgrades
• If you obtained valid express consent prior to January 15, 2015, you will be able to rely on that express consent for the purpose of section 8 of the Act
Important: the onus of proving consent rests with the person installing the computer program
First Investigation Complete
CRTC completed first investigation in early fall:
See notice from CRTC
Numerous complaints received of unsolicited and malicious e-mail messages from small company in Saskatchewan
CRTC determined the messages were spam and CASL had been breached
First Investigation Complete, cont’d.
CRTC discovered server of company in question had been hacked
Outcome
• Penalties / fines not warranted
• Instead, CRTC helped company and its ISP clean up server, get rid of malware, and upgrade security
Question
• If the server had been hacked and malware installed, how could the company itself have breached CASL if it did not know about it / did not do it itself?
Questions Answers
Kimberley Cunnington-Taylor is a member of the Business Law and Not-for-profit and Charity Law Practice Groups