The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee


Start preparing for Canada’s anti-spam legislation

Canada’s Anti-Spam Law (CASL) is expected to enter into force in 2013, together with two sets of regulations that will address certain detailed requirements under the Act. Industry Canada Regulations are still underway. The Canadian Radio-television and Telecommunications Commission (CRTC) is further ahead: it enacted its Electronic Commerce Protection Regulations in March 2012.

The CRTC has moreover issued two Information Bulletins on its Regulations. The new guidelines address practical aspects of obtaining consent to send commercial electronic messages (CEMs), and providing an effective unsubscribe mechanism.


Specific requests for consent must be clearly identifiable to the user and indicate that the user’s consent can be withdrawn at any time. Consent can be obtained orally or in writing, and must be positive and explicit. In other words, it must be “opt-in”.

Acceptable: an icon or an empty toggle box that must be actively clicked or checked.

Not Acceptable: an opt-out mechanism (i.e. unchecking a pre-checked box); a CEM in the form of a subscription email, text message, or other equivalent form sent to request express consent.


The unsubscribe mechanism must be consumer-friendly, simple, easy to use, and must be set out clearly and prominently. Under the Regulations it must be capable of being “readily performed”.

Email Example: a link takes the user to a web page where he or she can unsubscribe from receiving all or some types of CEMs from the sender.

SMS Example: the user should have the choice between clicking a link, or replying to the SMS with the word “STOP” or “Unsubscribe”.

For more information, please see:

Guidelines on the interpretation of the Electronic Commerce Protection Regulations (CRTC)

Guidelines on the use of toggling as a means of obtaining express consent under Canada’s anti-spam legislation

Wondering how Canada’s Anti-Spam Law compares to the U.S. CAN-SPAM requirements? Check out


FTC Aggressively Enforcing COPPA Compliance

The FTC meant what it said about aggressively targeting COPPA violators. It announced on Thursday that celebrity fan website operator, Artist Arena, will pay a $1 million penalty for alleged violations of the Children’s Online Privacy Protection Act (“COPPA”). This penalty is significantly more than the $250,000 fine in last March’s settlement against RockYou, and demonstrates the FTC’s increasing commitment toward COPPA compliance.

COPPA regulates operators of commercial websites or online services directed to children under the age of 13 that collect, use, and/or disclose children’s personal information. Among other things, the rule requires that these operators post a privacy policy outlining their data collection and use practices, provide notice of these practices directly to parents, and obtain verifiable parental consent prior to collecting data from children under 13.

Artist Arena operates fan websites for teen and “tween” pop-star celebrities such as,,, and http://www.SelenaGomez. Members can create profiles, “friend” other members, and post comments on members’ walls. To register, users must provide their personal information, including their names, addresses, email addresses, birthdates, and gender. According to the FTC’s complaint, Artist Arena represented in its privacy policy that it would not collect children’s personal information or activate their registration without verifiable parental consent. Despite these representations, Artist Arena allegedly registered over 25,000 children under 13 without parental notice and consent, and collected and maintained the personal information from almost 75,000 additional children who began, but did not complete the registration process.

This is the first of likely many high-stakes enforcement actions for alleged COPPA violators. In fact, the FTC is pushing to expand the liability of operators for third-party violations. Back in August, the FTC issued a Notice of Proposed Rulemaking seeking comments on proposed changes to COPPA. In pertinent part, the FTC wants to expand the definition of “operator” under the rule to include personal information “collected or maintained on behalf of an operator where it is collected in the interest of, as a representative of, or for the benefit of, the operator.” The FTC believes that a website operator that uses a third-party service to collect personal information from children under 13 – without itself engaging in such collection – should be considered a covered operator under the Rule. In this instance, although the operator does not own, control, or have access to the information collected, the data is collected on its behalf and for its benefit.

Given the FTC’s demonstrated commitment to prosecute alleged COPPA violators and its push for expanded liability under the rule, operators of websites directed to children under 13 that collect children’s personal information, either themselves or through a third-party service, should align their collection and use practices with COPPA to avoid being the next FTC enforcement target.


Rep. Markey Introduces Mobile Device Privacy Act

On September 12, Reps. Markey (D-MA) and DeGette (D-CO) introduced the Mobile Device Privacy Act, H.R. 6377.  If enacted, the bill would place obligations on the mobile phone industry to disclose the use of tracking software, and to obtain consumer consent before the software is downloaded onto a device.

In a press statement introducing the legislation, Rep. Markey – who is co-Chair of the Bipartisan Congressional Privacy Caucus – stated that "Consumers should know and have the choice to say no to software on their mobile devices that is transmitting their personal and sensitive information.  This is especially true for parents of children and teens, the fastest growing group of smartphone users. This legislation will provide greater transparency into the transmission of consumers’ personal information and empower consumers to say no to transmission."  Opponents of the legislation, such as the Software & Information Industry Association, have argued that it "would impose rigid privacy rules on the mobile industry that can only lead to stagnation and a loss of innovative dynamism."

The Markey bill would create new regulatory authority for the Federal Trade Commission to oversee aspects of the mobile industry.  The bill would require the FTC, in consultation with the FCC, to issue rules requiring mobile device manufacturers, service providers, mobile operating system developers, and app developers to make disclosures to users about "monitoring software" installed on a mobile device.  Monitoring software is broadly defined to include all software that "has the capability to monitor the usage" of the device, the user’s geolocation, and to transmit this information elsewhere.  In the same vein, the bill also envisages FTC rules requiring device sellers and app developers to obtain a user’s "express consent" before monitoring or transmitting any information collected.  The bill also envisages that all entities in receipt of monitoring data (i.e. first and third parties) implement information security policies and practices spanning data collection, retention, and disposal.

Enforcement authority under the bill goes primarily to the FTC, with secondary authority being given to the FCC and the states.  The bill does not exclude private enforcement actions by individuals.  Statutory damages for these breaches would vary between $1,000 per unintentional violation, and $3,000 per intentional violation.

The bill will not likely receive further attention from this Congress, which went into recess over the weekend pending the November elections.



Senate Hearing Addresses Privacy Implications of Facial Recognition Technology

On July 19, 2012, the U.S. Senate Judiciary Committee, Subcommittee on Privacy, Technology and the Law, held a hearing entitled “What Facial Recognition Technology Means for Privacy and Civil Liberties”.  Individuals from academia, industry, and federal agencies examined the use of facial recognition technology and its potential impact on privacy and civil liberties. 

Social media giant Facebook has been the impetus behind the facial recognition movement.  In 2010, Facebook acquired the licensing to create unique “face prints” for its nearly 800 million users – without their knowledge or consent – in a program called “tag suggestions.”  Outside of social media, companies are increasingly relying on facial recognition technology to gauge viewer response to video content, confirm user identities at ATMs, and identify consumer trends for brand loyalty and rewards programs.

In line with the privacy principles articulated in the Federal Trade Commission’s (FTC) March 2012 Privacy Report, panelists discussed the need for transparency in facial recognition technology use and opt-in requirements for these services.  In particular, panelists disagreed on the extent to which conventional opt-in requirements should be applied in the facial recognition context.  In his staunch opposition, FTC Commissioner J. Thomas Rosch testified that a rigorous cost-benefit analysis should be conducted before the FTC embraces an opt-in requirement and imposes “best practices” for facial recognition services on the grounds of potential misuse. 

Despite Commissioner Rosch’s dissent, the FTC is expected to release a report later this year setting forth recommended best practices and the extent to which “affirmative express consent” will be required for the collection and use of data made available through facial recognition technology.

Written with assistance by Jalyce Mangum. 


Google to Pay Record $22.5 Million to Settle FTC Privacy Charges

Just ten months after it entered into a consent decree with the FTC in a case charging that it violated its privacy promises when it launched Google Buzz, Google has agreed to pay $22.5 million to settle charges that it violated that agreement by making misrepresentations to Apple Safari users. In addition to the $22.5 million civil fine – the largest ever obtained by the FTC for a violation of one of its orders – the settlement agreement requires that Google disable all the tracking cookies it said it would not place on users’ computers.

According to the FTC complaint, Google told Apple Safari users that the browser’s default privacy options would protect them from being tracked by Google’s DoubleClick advertising network – stating that Safari’s default settings were effectively the same thing as opting out of DoubleClick tracking. Google then went ahead and placed advertising tracking cookies on Safari users’ computers anyway – in many cases by utilizing an exploit to circumvent the privacy protections built into Safari. These misrepresentations, the FTC charged, violated the earlier consent decree that barred Google from misrepresenting the extent to which consumers can control collection of their information.

This case is just the latest in which the FTC brings its enforcement power to bear in ensuring companies respect their own privacy policies and representations. As FTC Chairman Jon Leibowitz states in the FTC press release, “all companies must . . . keep their privacy promises to consumers, or they will end up paying many times what it would have cost to comply in the first place.”

In an interesting twist, though, Google was allowed a fairly strongly worded denial of liability in the consent decree. Paragraph 2 of the decree states that Google "denies any violation of the FTC Order, any and all liability for the claims set forth in the Complaint, and all material allegations of the Complaint save for those regarding jurisdiction and venue." This language, rather than the more common "neither admit nor deny" formula, caused Commissioner J. Thomas Rosch to issue a fairly strongly worded dissent. Pointing out that the FTC had essentially charged Google with contempt and that it was Google’s "second bite at the [deceptive conduct] apple", Commissioner Rosch found the Commission’s acceptance of Google’s denial of liability "inexplicable."


7th Circuit: Parking Ticket Practice Violates Privacy Law

Many drivers know the futility of trying to fight a parking ticket, but one Illinois driver came up with an attack against his that has ended up with the Seventh Circuit Court of Appeals, sitting en banc, backing him up in an opinion released this past Monday. At 1:35 a.m. on August 20, 2010, a Palatine, Illinois, police officer ticketed Jason Senne’s illegally parked car and placed the ticket on the car windshield. Mr. Senne retrieved the ticket about five hours later and, not willing to pay the $20 fine and move on, fought back by filing suit against Palatine for violation of the Driver’s Privacy Protection Act, 18 U.S.C. §§2721-25 (“DPPA”).

DPPA, which was enacted after a stalker obtained the home address of actress Rebecca Schaeffer from the California DMV and then used the information to find and kill her, places strict limits on how and why personal information contained in state DMV records can be released. It restricts not only disclosure by DMV employees, but also disclosure by those who lawfully obtain information from the DMV (in the Schaeffer matter, the stalker had hired a private investigator to obtain the information).

It turns out that in Palatine, when a police officer writes a parking ticket, information about the car’s owner is downloaded from the DMV and then printed on the parking ticket itself. This information includes the owner’s full name, address, driver’s license number, date of birth, sex, height, and weight. The parking ticket is then placed on the windshield of the car. Mr. Senne contended that placing the ticket on the windshield, in public view, constituted a disclosure of that private information in violation of DPPA and filed suit in Federal District Court. Palatine moved to dismiss the suit for failure to state a claim. It contended that the parking ticket was not a disclosure and that, even if it was, it was permitted under a specific exception in DPPA. The District Court agreed with Palatine and dismissed the case, a decision that was affirmed on appeal. The Seventh Circuit Court then agreed to rehear the case en banc and, in a decision issued this past Monday, reversed the District Court.

Palatine argued that placing the ticket on the windshield did not constitute a disclosure because Mr. Senne had failed to allege that anyone other than himself had actually seen it. The Court, in rejecting Palatine’s argument, stated that the effect of placing the ticket on the windshield made the information available to any passer-by. The Court ruled that whether or not anyone else saw it is irrelevant, the act of placing it on the windshield is itself a publication that is prohibited by DPPA. The Court’s opinion is available here.


Toward a Federal Breach Notification Law? Data Security and Breach Notification Act of 2012 Introduced in U.S. Senate

Senator Pat Toomey [R-Pa] introduced on June 21 a bill, the Data Security and Breach Notification Act of 2012 (the Data Breach Act), which could become the Federal data breach notification law. If enacted, entities collecting and maintaining personal information would have to secure this information, and would also have to provide notice to individuals affected by a breach of security involving personal information.

The Data Breach Act would preempt State laws (Section 6), and would take effect one year after its enactment.

Senator Toomey published a statement explaining why he believes such a law is needed:

"A number of recent high-profile data breaches combined with the messy patchwork of 46 different state laws highlight how difficult it is for consumers to know their personal information is secure. Congress needs to provide businesses and consumers with certainty and establish a single reasonable standard for information security and breach notification practices. Our bill would eliminate the burden of complying with varying standards and laws, ensuring that all consumers and their personal information are afforded the same level of protection."  

Scope of the Data Breach Act

The bill would cover entities over which the Federal Trade Commission (FTC) has authority pursuant to section 5(a)(2) of the FTC Act, and also common carriers subject to the Communications Act of 1934.

However, financial institutions subject to Title V of the Gramm-Leach-Bliley Act would be exempt from the Data Breach Act, as would entities covered by the regulations issued under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), to the extent that such entities are subject to the requirements of those regulations with respect to protected health information.

Information Security

The covered entities would have to “take reasonable measures to protect and secure data in electronic form containing personal information” (Section 2).  The bill does not, however, define what these ‘reasonable measures’ should be, which could lead to uncertainty for businesses.

Personal information would not include information “encrypted, redacted, or secured by any other method or technology that renders the data elements unusable” (Section 5(5)(B)(ii)). Therefore, it seems that encrypting personal information would serve as a safe harbor for covered entities.

Notification of Information Security Breach

The Data Breach Act would define a “breach of security” as an “unauthorized access and acquisition of data in electronic form containing personal information” (Section 5(1)).

Each covered entity owning or licensing personal data would have to notify individuals of a security breach if their personal data was or may have been affected by the breach. Entities would only have to notify American citizens or residents, Section 3(a)(1). Therefore, if a breach of a U.S. system affects the data of, say, international clients of a company, a covered entity could argue that it does not have to notify them of the breach. In practice, though, international clients could not be ignored without some public relations damage. The entity would also have to inform the FBI of any breach of security which may affect more than 10,000 persons, Section 3(a)(2).

If the system where the breach occurred is maintained by a third party, the third party would have to notify the covered entity of the breach, which in turn would notify individuals, Section 3(b)(1)(A). ISPs would not be considered a third party under the Act, Section 3(b)(1)(C). However, an ISP becoming aware of a breach involving data owned by one of its entity-customers would have to notify the entity of the breach, if the covered entity can be ‘reasonably identified.’

Timeliness of Notification

Covered entities would have to notify individuals affected by the security breach “as expeditiously as practicable and without unreasonable delay,” Section 3(c)(1). However, the notification may be delayed if a Federal law enforcement agency requests it in writing because the notification would impede a civil or criminal investigation, or if a Federal national security agency requests it in writing because the notification would threaten national or homeland security. In both cases, the notification may be held for a “reasonably necessary period,” which would be determined by the Federal agency requesting the delay, Section 3(c)(2)(A) and Section 3(c)(2)(B).

Method and Content of Notification

The notification could be accomplished by mail, telephone, or email. It would have to contain the date or the estimated date of the breach, as well as the range of the breach. It would also have to contain a description of the personal information that was accessed and the contact information an individual affected by the breach may use to learn more about the breach and to find out which personal data the covered entity held, Section 3(d).

A substitute notification would be authorized instead of a direct notification to the affected individual if a direct notification is not feasible because of excessive cost relative to the entity’s resources, or if the entity does not have sufficient contact information for the individual affected by the breach. Such substitute notification could be a “conspicuous notice” on the entity’s web site, or a notification published or broadcast by major media in the areas where the affected individuals may live, Section 3(d)(2).

In practice, this may lead to some disparities. If a deep-pocket company suffers a breach, but is unable to contact the affected individuals directly because it does not have their contact information, it could then choose to publish or broadcast the notification. It would have to do so at least all around the U.S. territory, and one could even argue that it would have to be done around the world, as U.S. citizens living abroad may be affected by the breach as well.  

An entity with lesser means may not be able to do so, as such publication would be quite expensive.  A direct notification might not be feasible because of the high cost for the company, yet a substitute notification would be even more expensive if the entity does not have enough information about the affected individuals to contact them. Some small companies process a huge volume of personal data, yet may not have the financial capacity to notify all the individuals concerned by the breach.


Violating section 2 and section 3 of the Data Breach Act would be considered unfair or deceptive acts or practices under the FTC Act, and the FTC would have the power to enforce the Data Breach Act.

The maximum civil penalty for a covered entity having violated the Data Breach Act would be $500,000 for all violations of section 2 and $500,000 for all violations of section 3 resulting from a single breach of security, Section 4(c)(3)(A) and (B). There would be no private cause of action against a person for violation of the Data Breach Act, Section 4(d).

It is not the first time that such a bill has been introduced in Congress. Last year, S. 1207, the Data Security and Breach Notification Act of 2011, was introduced by Senator Mark Pryor [D-AR], which itself was a re-introduction of S. 3742 during the 111th Congress. S. 1207 was not enacted. It remains to be seen if Senator Toomey’s bill is to have the same fate.

However, the bill has already received the support of AT&T, in a statement by Tim McKone, Executive Vice President of Federal Relations, which read:

“The security of our customers’ personal information is of utmost importance to us and is a priority in how we conduct our business. That is why we are pleased by Senator Toomey’s thoughtful and comprehensive bill, the ‘Data Security and Breach Notification Act of 2012.’ It is a common sense bill that will eliminate uncertainties and ultimately consumer confusion by establishing uniform requirements.”

The CTIA, the Wireless Association, also supports the bill. Jot Carpenter, its Vice President of Government Affairs, issued this statement:

“CTIA welcomes the introduction of Senator Toomey’s bill. By advancing a proposal that offers a comprehensive, uniform approach to data security and breach notification, Senator Toomey demonstrates that it is possible to protect consumers while providing clear, consistent guidelines to businesses.”

Another data breach notification bill, H.R. 3730, sponsored by Rep. Joe Donnelly [D-IN], the Veterans Data Breach Timely Notification Act, has recently passed the House Veterans’ Affairs Subcommittee.  The bill is not as inclusive as the Data Security and Breach Notification Act, as it would only require the Secretary of Veterans Affairs to provide notice to veterans whose sensitive personal information is involved in a data breach.


Class Action Suit Filed Against Google, Alleges Email Interception and Eavesdropping under California’s CIPA

A class action suit was filed last month against Google in the Superior Court of California. The class is all California residents who are not Gmail subscribers and who have sent an email to Gmail subscribers using a non-Gmail email account.

The complaint alleges that Google intentionally intercepted emails sent by individuals who are not Gmail subscribers to Gmail subscribers. Google then reviewed the words, the content and thought processes of these emails.

According to the complaint, while Gmail subscribers consented to their emails being reviewed by Google, including their incoming email, senders of these non-Gmail emails have not given Google their consent to intercept emails sent from their non-Gmail accounts. As this interception is done before the email is delivered to the Gmail subscriber, the complaint alleges that it constitutes wiretapping and eavesdropping in violation of the California Invasion of Privacy Act (CIPA), Cal. Penal Code § 630 et seq.

Cal. Penal Code § 630 states the intent for CIPA:

“The Legislature hereby declares that advances in science and technology have led to the development of new devices and techniques for the purpose of eavesdropping upon private communications and that the invasion of privacy resulting from the continual and increasing use of such devices and techniques has created a serious threat to the free exercise of personal liberties and cannot be tolerated in a free and civilized society. The Legislature by this chapter intends to protect the right of privacy of the people of this state.”

Wiretapping: Cal. Pen. Code § 631 provides for the liability of "[a]ny person who … willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state." The complaint claims that Google violated § 631.

Eavesdropping: If Google’s conduct is not wiretapping, the complaint states that Google has violated § 632 of the Cal. Penal Code, which makes it illegal to eavesdrop on e-mail conversations.

The complaint seeks an order requiring Google to cease violating CIPA, and also seeks an award of statutory damages for each member of the class.

The case will be interesting to follow, as a federal district court in California held last April that the Federal Wiretap Act does not completely preempt California’s Invasion of Privacy Act, Cindy Leong v. Carrier IQ Inc et al, Carey Eckert v. Carrier IQ Inc et al, CV 12-01564, United States District Court, C.D. California. In that case, defendant had filed a notice of removal, arguing that "[c]ourts in both the Central and Northern Districts of California have held that the Federal Wiretap Act, as amended by the ECPA in 1986, comprehensively regulates privacy claims concerning electronic communications." The Court was not convinced by the arguments, stating that the California law is more restrictive than the Federal law, and that the Federal law supersedes state law only to the extent that state law offers less protection.


FTC Brings Action against Wyndham Hotels for Failure to Protect Consumers’ Personal Information

The Federal Trade Commission (FTC) filed a complaint on June 26 against Wyndham Worldwide Corporation and three of its subsidiaries, alleging failure to maintain reasonable and appropriate data security for consumers’ sensitive personal information. The FTC claims that because of this failure, intruders were able to obtain unauthorized access to the Defendants’ computer networks. This led to fraudulent charges on consumers’ accounts, incurring more than $10.6 million in losses, and the exporting of credit card account information to a domain registered in Russia.

Defendants Controlled the Hotels’ Computer Systems

Independent hotels operating under a franchise agreement with Wyndham Hotels had to use a property management system designed by Defendants, which stored consumers’ personal information, including payment information. This system was linked to the Wyndham Hotel corporate network, much of it located at a Phoenix, Arizona data center, operated by Wyndham Hotels. Only Defendants had administrator access to control the property management systems of the independent hotels. Defendants also had direct control over the computer networks of the Wyndham-branded hotels managed by one of the Defendants, Hotel Management.

Privacy Policies

Wyndham Worldwide was responsible for creating information security policies for itself and for its subsidiaries, and for overseeing subsidiaries’ information security programs.

Defendants have published privacy policies on their websites since at least 2008, claiming that they will safeguard customers’ personally identifiable information “by using standard industry practices,” and that they will “take commercially reasonable efforts to create and maintain ‘fire walls’ and other appropriate safeguards” to protect customers’ information.

Inadequate Data Security Practices

However, the FTC claims that Defendants’ data security practices were inadequate, and thus unnecessarily exposed consumers’ personal data to unauthorized access and theft. Defendants’ security failures led to fraudulent charges on consumers’ accounts.

The FTC alleges such shortcomings as storing credit card information in clear, readable text, failure to limit access between the different property management systems, and failure to secure the Defendants’ servers. Also, Defendants did not require the use of complex passwords to access the property management systems, and allowed the use of easily guessed passwords.

The FTC claims that these shortcomings allowed intruders to gain unauthorized access into Wyndham Hotels’ computer networks on three separate occasions, using similar techniques in each of the three occurrences.  After discovering each of the first two breaches, Defendants failed to take appropriate measures to prevent another breach.

Violations of the FTC Act

According to the complaint, the representations made in Defendants’ privacy policies were thus not borne out by their practices. The FTC alleges that even though Defendants represented to their customers that they had implemented reasonable and appropriate measures to protect their personal information against unauthorized access, they had not in fact implemented these measures, and thus the representations made to the customers were unfair and deceptive and violated the FTC Act. The FTC also claims that this failure to safeguard consumers’ personal information caused or was likely to cause substantial injury to consumers.


Canada’s Anti-Spam Law is coming – and will affect US businesses

Canada’s Anti-Spam Law (CASL) is now expected to enter into force in 2013.  Don’t expect things to sit idle until then, however. 

3 Next Steps for CASL in 2012

Following are three next steps for 2012, ranked in order of importance to industry stakeholders:

1.  Industry Canada to issue new set of regulations for comment

While businesses had hoped that regulations would clarify key terms and obligations under the Act, and lessen the Act’s impact on certain types of communications, many stakeholders were disappointed.  Many businesses considered that neither the draft Industry Canada regulations, nor the Canadian Radio-Television and Telecommunications Commission (CRTC) regulations as finalized, went far enough to clarify obligations.  Moreover, neither set of regulations provided the exemptions many businesses have called for, to exclude certain categories or types of messages from the application of CASL consent requirements. 

A glimmer of hope is in sight:  Industry Canada is expected to publish a new set of regulations for comment in the coming weeks.  These regulations are expected to contain some exemptions from the application of CASL requirements.  In the comment period, businesses will have the opportunity to comment on the regulations, and seek further changes to make CASL more workable. 

2.  CRTC to issue a series of information bulletins for industry

Anyone who has tried to read through CASL’s provisions and the accompanying CRTC regulations knows that they tend to raise at least as many questions as they answer. 

The CRTC is expected to issue information bulletins in the coming weeks and months to help clarify what is meant, and required, by some key elements of the regulations.  These bulletins may include matters relating to what it means to get consent “in writing” online, and how far businesses must go to make information accessible in “commercial electronic messages”. 

3.  Spam Reporting Centre

The government is currently reviewing bids by third-party service providers to operate the Spam Reporting Centre. The Centre will act as a liaison between the public and the government agencies (CRTC, Office of the Privacy Commissioner, Competition Bureau) on spam complaints and monitoring. The government states that:

“When operational, the Spam Reporting Centre will accept various types of electronic messages from individuals and organizations in Canada. Reporting spam and related electronic threats will not stop such threats completely; however, the data sent to the Spam Reporting Centre will help it identify trends, and try to find out who is sending the spam and other threats and from where. This will aid in the future prosecution and civil proceedings against those responsible for electronic threats in Canada and internationally.”

The final line of the above quote – “future prosecution and civil proceedings”, and “threats in Canada and internationally” – is a stark reminder of two important points. 

First, the government means business.  Its objective is to “drive spammers out of Canada” (then Minister of Industry Tony Clement, 2010).  Second, CASL is designed to reach beyond Canada.  It is designed to capture commercial electronic messages that may be sent from other countries, and also to provide the framework for international monitoring and enforcement. 

3 Things to do while you “wait” for CASL in 2013:

  1. Participate in the comment process on the coming draft Industry Canada regulations
  2. Remind yourself of the differences between the U.S. CAN-SPAM requirements, and CASL
  3. It’s strongly recommended that businesses use the lead time before CASL’s entry into force to get their operations in order. Prepare your organization’s CASL audit, checklist, and Compliance Policy. The CAN-SPAM vs. CASL presentation can help explain the basics.