The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

Leave a comment

New Developments on Canadian Anti-Spam Law

The Canadian Radio-television and Telecommunications Commission (CRTC) has made and registered its Electronic Commerce Protection Regulations for the Anti-Spam Act (CASL), which is expected to come into force in 2012.  The newly released regulations set out the information to be included in, and the form of, commercial electronic messages (CEMs), and information to be included in a request for consent.  The regulations also address how to get consent for the installation of computer programs.

The CRTC has responded to a select few of the broad-ranging concerns raised by businesses on the draft regulations during last year’s consultation phase.  Businesses will find there is a bit more flexibility in the “must-have” information they set out in CEMs, and when they seek consent to send them.  This implicitly recognizes that:

  • businesses operating online are not all created equal:  they do not all have the same contact capabilities, in terms of either human or online resources; and
  • CEMs are are not all created equal:  an email may be easy (relatively speaking) to load up with prescribed information, but online communications come in many forms, and some are not as adaptable to detailed information and contact requirements.

The following points compare the final regulations to the draft regulations (the latter in parentheses).  When sending a CEM or seeking consent, businesses may do the following.

  • simply include the name by which they carry on business (rather than both that and their legal name);
  • include their mailing address, and either a staffed or voicemail phone number, email address or web address (rather than the physical and mailing address, plus all of the above, plus any other electronic address);
  • include the information in the above point on a website that “is readily accessible” (rather than via a single click);
  • use an unsubscribe mechanism that can be “readily performed” (rather than “performed in no more than two clicks or other method of equivalent efficiency”);
  • simply indicate that the person whose consent is sought can withdraw their consent (no need to indicate the means to do so).

Despite the above points of flexibility, there is no denying that the Act and regulations will impose much higher requirements for CEMs than many businesses are prepared for.  This notably includes U.S. businesses operating in Canada who are familiar with, and compliant with, CAN-SPAM.  As we explained in a previous post, CAN-SPAM and CASL are different in several very important ways.  CASL has a broader application, clear reach outside Canada, higher standard for consent, and higher penalties.

In short, any business sending CEMs to Canadians needs to become informed about the CASL requirements and take steps to become compliant.

Next Steps

Further regulations are expected from Industry Canada before CASL comes into force.

Businesses and industry associations have called on the government to introduce even more flexibility to reduce the impact of CASL on their operations, while still meeting the government’s anti-spam priorities.  One of the frequent “asks” has been for some lead time prior to entry into force CASL to allow businesses to prepare their databases and operations.  Others have requested that the government use its regulation-making authority to exclude certain types of CEMs, and CEMs sent under certain circumstances, from the requirements of the Act.

It remains to be seen whether the government will introduce new exceptions, or more flexibility, under regulations to come either before or after CASL comes into effect – expected later this year.

Leave a comment

Comparing CAN-SPAM to Canada’s new Anti-Spam Law

Those who operate or have customers in the U.S. market, are already familiar with the requirements of the 2003 CAN-SPAM Act. If your operations or customers extend into Canada, however, there are new Canadian Anti-Spam rules you need to know. Why? Because these new rules will impact how you engage in online communications in Canada, starting in early 2012.

The SlideShare presentation linked below provides an overview of the key differences between Canada’s new Anti-Spam Law, CASL, and CAN-SPAM. Here are a few:

• Broader application: CASL also applies not only to e-mail, but also to IM, text and more. It also covers more activities, including the installation of computer programs.

• Clear reach outside Canada: CASL expressly applies to messages “accessed from a computer system in Canada”. This means that a message can be sent from outside Canada.

• Higher standard for consent: “Opt-in” consent for CASL versus “Opt-out” for CAN-SPAM.

• Higher penalties: $10 million maximum penalty for an organization that contravenes CASL.

The implications of this:

More online activities will be caught by CASL.

• More activities affecting Canadians will be caught by CASL, even if initiated outside Canada.

More steps will be needed under CASL to be permitted to communicate online.

Overall, there is greater exposure to liability under CASL.

Learn more about CASL, including what steps to take now to avoid liability:

Leave a comment

FTC Requests Court Shut Down Text Message Spammer

Yesterday, the FTC filed a complaint in the U.S. District Court for the Central District of California requesting a permanent injunction against Philip Flora, alleging violations of §5 of the FTC Act and CAN SPAM.

According to the complaint, the defendant sent millions of text messages, selling loan modification assistance, debt relief, and other services.  In a single 40-day period, the defendant sent more than 5.5 million spam text messages.  The text messages instructed consumers to reply to the message or to visit one of the defendant’s websites.  The defendant collected information from consumers who responded, then sold their contact information to marketers as debt settlement leads.  The FTC alleged that consumers were harmed as a result of the defendant’s spam text messages because many must pay fees to their mobile carriers to receive the unwanted messages.

The Commission charged that the defendant violated the FTC Act by sending unsolicited text messages to consumers and misrepresenting that he was affiliated with a government agency.  The Commission also charged the defendant with violating CAN SPAM by sending emails that advertised his text message blast service that failed to include an opt-out mechanism and the physical mailing address of the sender.

The FTC also acknowledged the "invaluable assistance" it received from Verizon Wireless, AT&T, and CTIA – The Wireless Association in its press release.

Leave a comment

Cell phone marketing and privacy

Another good privacy article in the papers today, this one addressing the huge potential market for cell phone ads, and the privacy and consumer issues that will make it more difficult to tap.

Carriers currently allow only limited targeting based on subscriber zip codes, age or other demographic information. But some consider it only a matter of time before they begin targeting ads based on geolocation data (which the FCC required carriers to collect in its 1996 E911 proceedings, or which can be obtained when subscribers manually input it to use location-based services). Of course, the personal nature of this data raises privacy red flags and could be more annoying than usual to consumers.

CTIA and the Mobile Marketing Association are working on guidelines for notice, consent and periodic tracking reminders, and some carriers are exploring ways to take advantage of profiles without sharing identifiable data. In the meantime, industry participants are moving cautiously to avoid the backlash greeting so many new advertising programs recently.

The article mentions that US subscribers may be becoming more open to this kind of advertising because they’re more frequently embracing data services like their European counterparts (and it notes that Yahoo is working with UK-based Vodaphone to demographically target). But it doesn’t mention the EU ePrivacy directive, which puts strict data protection standards around the use of traffic and location data derived from public communications services and networks.

Leave a comment

Facebook settles case for texting “recycled” cell phone numbers

A novel case settled yesterday involving Facebook’s “Facebook Mobile” service.  Facebook Mobile is a feature of Facebook’s social networking service that enables Facebook users to send text messages to each other via Facebook’s web interface. The trouble is, apparently, when a Facebook user who has subscribed to the service later changes his or her mobile phone number, and the old phone number is “recycled” (i.e., issued to another wireless subscriber) by the carrier, the new subscriber will begin to receive the Facebook text messages that were subscribed to by the previous holder of the phone number.
In October 2007, one woman in Indiana brought suit against Facebook in connection with this activity. In fact, she brought suit in the form of a class action on behalf of other wireless subscribers who are in the same predicament.  Here is a copy of her complaint
According to the complaint, in order to provide Facebook Mobile, Facebook struck a deal with the various wireless carriers, and allegedly derives revenue from the text messages that are sent. The complaint alleges causes of action under the California Computer Crime Law, California’s Unfair Competition Law, Unjust Enrichment, and Trespass to Chattels. 
Interestingly, the plaintiff did not make a claim under the Telephone Consumer Protection Act (TCPA). Perhaps the plaintiff’s lawyers were deterred by another recent holding under the TCPA which found that the TCPA does not apply to Internet-to-phone text messages. (See my previous blog post on this case.) Or maybe they thought it would be difficult to successfully allege that it was Facebook, as opposed to their users, who sent the messages. 

As part of the settlement, Facebook agreed to make it easier for recipients of text messages to block future messages originating from Facebook’s social network, and to work with carriers to monitor recycled numbers. Additionally, Facebook agreed to pay the plaintiff’s attorneys fees. Facebook did not admit any wrongdoing.