Information Power Point Session on Canada’s Anti-Spam Legislation

The Canadian Radio-television and Telecommunications Commission (CRTC) has released a video presentation of the CASL information sessions which have been hosted across the country in the past six months. The goal of the presentation is to aid Canadian businesses in understanding the new Anti-Spam Law that will be in place on July 1st, 2014. The presentation provides detailed information on enforcement, regulations & guidance related to CASL.

Not only is this new law important for Canadians, but it’s important for businesses who are not operating out of Canada. It’s important to stay up-to-date with new internet/anti-spam laws and having the CASL come in effect is a huge break through for Canada.

Canada has been routinely on the top 10 list of countries that produce the most spam. With this new legislation in effect businesses can be confident in running smooth and clean campaigns and being rewarding with more customer engagement. Below is the transcript from the Information Power Point Session on Canada’s Anti-Spam Legislation as well as the video.


Person 1:

Well, thank you today for participating in this information session with regards to Canada’s anti-spam legislation, but before we get into the presentation, I must provide a disclaimer that this presentation has in fact been prepared by the staff and therefore it is staff level guidance and does not bind the Commission in any way, nor does it provide interpretational guidance on behalf of the Competition Bureau, the Office of the Privacy Commissioner nor Industry Canada. Our purpose though today is of course to provide you with as much transparency and predictability when being compliant with CASL. Of course this is within the limits our confidentiality obligations. This will also enable us to be effective in the discharge of our enforcement mandate under this new piece of legislation. So some highlights today of the presentation will include of course enforcement of CASL. We will touch on undertakings a little bit, and then I will turn it over to Kelly Ann Smith of our Legal Services to talk to you about CASL regulations that were made under the legislation, the information bulletins that were issued as a result of these regulations. We’ll also provide some additional guidance material around the GIC regulations that were recently made in December 2013. Again, just a reminder that this is staff level guidance. And finally, we’ll wrap up with communication products that we have in fact issued to date and that we plan on issuing in the near future to assist you with your compliance efforts under the legislation.

So let’s start with an overview of CASL and the legislative roles for the three agencies that are mandated under CASL. Of course the Office of the Privacy Commissioner has seen its law modified to now encompass a role with regards to address harvesting, spyware dissemination, dictionary attacks, basically anything that touches on the personal information aspect of the collection of personal information under the legislation. The Competition Bureau also has a role. Under the Competition Act, it was already looking at misleading and deceptive marketing practices, representations and so forth online, etcetera. Its mandate is now expanded to include misleading header information. And so those modifications to their various Acts can be seen in the second half of CASL legislation. Brand new for the CRTC, however, is a compliance and enforcement role under CASL. And in May 2011, a Compliance and Enforcement sector was created at the CRTC. We will now be responsible for enforcing CASL as it pertains to the sending of commercial electronic messaging without consent, the altering of transmission data in the course of commercial activity, again unauthorized, and of course the installation of computer programs in the course of commercial activity without consent, all of this, again, in a commercial activity setting. So Section 6 will deal with spam, if you will. We’ll be looking at botnets and malware, the dissemination of malware and network rerouting or man-in-the-middle type of tacks. There’s also a Section 9 that deals with an aiding and abetting section, and so we will look at that as well for third parties who assist in any of these activities. The legislation will come into first on July 1st of this year, 2014 with the exception of Section 8 that will come into force on January 15th, 2015. It is also worth noting that the Private Right of Action section of the clause – of the legislation, rather, will not come into force until three years after the initial coming into force, so therefore July 1st, 2017. Now as you can well imagine, the role of each of the agencies may very well overlap, so the dissemination of spyware, for instance, which is the mandate of the Office of the Privacy Commissioner, is generally disseminated via spam, which is under the mandate of CRTC. So to deal with these types of issues, an agreement was reached between the three agencies to deal with cooperation and collaboration on enforcement activities, so it sets out a framework just for this particular situation. It also deals with the treatment of information, so when it’s shared amongst the participants, how that’s facilitated, etcetera. All of these MOU – this MOU, rather, is up on each of the agencies’ sites, so if you’re interested in information with regards to the content of that MOU, feel free to download it at either – any of the agency sites.

So let’s talk a little bit about the main elements of the legislation. In approximately 2004, a task force was convened that was comprised of industry sector, academia, government agencies, law enforcement, subject matter experts, etcetera, to look at the problem of spam and malware at the time. This task force also looked at a number of legislation in other jurisdictions, international jurisdiction to do some benchmarking. As a result, they put forward a report in 2005, which I believe is available at the fightspam.gc site, and it provided 25 recommendations, among them that this be a civil regime, so that it be flexible and responsive to the current situation in a timely fashion. It also laid out a number of new items such as new violations, administrative monetary penalties, otherwise known as AMPs, and that the level of these administrative monetary penalties be such that they were not just the cost of doing business, that they be of such a level that there would be some significant compliance should they be levied. It also allows for domestic and international cooperation. And I think this is one of the most forward-thinking sections of this new piece of legislation. Given that spam and malware and botnets are of an international global nature, these particular clauses in the legislation allow us to cooperate and assist and information share with our foreign counterparts, our national counterparts as long as the activities of the particular violation or potential violation be similar to those under CASL, there are certain conditions that must be met. As a for-instance, there has to be an agreement in writing. It has to deal with how the information will be treated in a confidential nature, etcetera, etcetera. It’s all laid out in the legislation. But this will allow us to really tackle this problem on an international front. Another section that I find very important is that of extended liability. Not only does it allow us to follow the money, as it might be, but it allows us to pierce that corporate veil and hold directors and officers accountable for their actions. It also alleviates some of the previous problems we’ve had in enforcement where a violation is laid against a particular corporation, numbered corporation, to have it just be a shell corporation and the director opens up a new company starting the next day, and we’re unable to levy the AMPs against them or collect the AMPS. As a support mechanism, we have the Spam Reporting Centre, which will allow consumers, Canadians to file a complaint and to submit their spam and SMS spam and email spam samples for use in our enforcement activities by the three agencies. This particular Spam Reporting Centre is being operationalized out of the CRTC and will support all three agencies in their enforcement mandate and indirectly our national and international counterparts. So the enforcement process is such that, as I just indicated, the three agencies, be it the Competition Bureau, the Office of the Privacy Commissioner and ourselves will be able to access the Spam Reporting Centre that will not only house these complaints and reports, but other data sources such as those provided to us by our international counterparts, by industry groups providing us data feeds and giving us insight into their network and malicious activity that is occurring there.

We will also set up honey pots so that we can derive data from those to substantiate our spam complaints or spam violations. So a number of sources may be available to us, and they may vary over time as the Spam Reporting Centre grows in terms of its database content. Once the agencies pull their data, they can perform their own triage of this particular data, either individually or collaboratively, depending on what’s decided in terms of that particular enforcement activity and then use their tool of choice, which we’ll speak to in just a moment, and eventually provide results such as could be anything from a negotiated settlement to an injunction. Perhaps the company wants to enter into an undertaking with the CRTC and of course we have our Notice of Violation that may or may not include administrative monetary penalties. So as I said, the administrative monetary penalties needed to be such that they were not just a cost of doing business. So we can see a maximum penalty per violation for an individual up to $1 million and a maximum penalty for an organization of up to $10 million. These are very significant. And of course there’s the vicarious liability and the director officer liability allowing us some extra leverage.

Now in terms of the application of the compliance continuum, it is depicted here in a circular fashion for a reason. It’s not meant to be linear in nature. In other words, we will not look at first issuing a compliance letter because it’s the first time we see a particular target or violator, potential violator. We will look at it on a case by case scenario, so if it is a very egregious activity that has a fairly serious impact, we may go straight to a Notice of Violation. If we see, however, that there seems to be a compliance issue in a sector-specific area, perhaps it’s a matter of education, and we will do an outreach session of this nature, as a for-instance, to help that industry understand what their compliance role must be under the legislation. So it’s depicted in a circular fashion. Each case will be looked at on a case by case basis, and as I said, I mean we can look at things such education, conferences, outreach activities, the promotion of self-regulation as well, so best practices, best common practices, etcetera, right into some of the involuntary compliance such as warnings, Notice of Violations, the AMPSE injunctions, etcetera. Now in this space, we recognized that we cannot act alone. We cannot – we have a finite amount of resources. Each of the agencies are in the same predicament. We look – you know, the centre spoke could very well be the Office of the Privacy Commissioner or the Competition Bureau or all three of us together. We are all working at developing partnerships to assist us in this space. So subject matter experts might be able to assist us during our enforcement activities. Service providers, telecom service providers, internet service providers and so forth, financial institutions may have an insight on their networks at to the most current vectors of attack or IP ranges that are of issue, of concern in that moment. So we will be working closely with these various groups to help us prioritize our enforcement activities and of course to move the investigation along. Now what do we see as success?

Of course, first and foremost, an increased compliance with the legislation. And then there’d be some other metrics against which we will measure, one of which of course is to hopefully change Canada’s reputation as a spam haven. There’s a very population Top 10 list that demonstrates which countries host the largest number of spammers. Canada is routinely on that Top 10 list, so we would like to see Canada removed on a very permanent, regular basis from that Top 10 list. We’d also like to work with the service providers out there in terms of a reduction in infected electronic devices. If we can reduce the number of electronic devices, we reduce the number of botnets that exist, which removes the number of malware that gets disseminated throughout the – you know, the various computers and PDAs and cell phones, etcetera, etcetera. Indirectly, as I said, we want to work with industry in terms of adopting best common practices. We want to enable them to assist us. And of course we want to create a level playing field. We want cost savings for businesses and consumers and reduced consumer losses. So some of – these are some of the things that we’ll be looking at and measuring against as we go along. We’re creating our – measuring our baseline metrics now, so that we can measure the impact that CASL will have after coming into force. So now I’m going to turn the floor over to Kelly Ann Smith, lawyer with our Legal Services, who will speak to us about CASL regulations, some extra guidance material on the GIC regs that were recently published, and our communication products. I would invite you, if you have any questions as a result of this presentation to submit them through client services. We are in fact taking these questions that are posed to us, providing them in a thematic response FAQ, if you will. We have many of the same questions that are repeated to us, and so we want to provide that guidance to everybody and address what we can address by way of staff guidance products such as FAQs.

Person 2:

Thank you very much, Lynn. I’m going to first talk about the CRTC CASL regulations. CASL contemplates two categories of regulations. There’s the governor-in-council regulations, which are the responsibility of Industry Canada, and there are the CRTC regulations, which are the responsibility of the Commission. Both sets of regulations were published for a 60-day comment period. The public was able to comment on the regulations, and then the final regulations were made. The CRTC’s regulations were made in March of 2012, and the governor-in-council regulations made by Industry Canada were made just this past December. So now I’m going to talk specifically about the five substantive provisions in the CRTC regulations.

The CRTC regulations relate solely to the CRTC’s mandate under CASL, and it relates to Sections 6 through 8, which are the violations of CASL. Regulation 2 is information to be included in a commercial electronic message. And this regulation states that if you’re sending a commercial electronic message, there’s certain information that you have to include in the message and that would be the name of the person sending the message. If the message is being sent on someone else’s behalf, you need to have the name of that individual. You also need a statement of who’s sending the message and whose behalf it’s being sent. You need a mailing address and one other piece of contact information. And if it is not practical to include all this information within the text of the message, you can include it in a link. Regulation 2 is the form of the commercial electronic message, and this is the unsubscribe mechanism. The unsubscribe mechanism must be clearly and prominent set out, and it must be able to be readily performed. And in a few slides, I’ll get into a little more detail as to what these terms means and how Commission staff interprets these terms.

Regulation 4 is the information to be included in a request for consent. Request for consent may be obtained orally or in writing. However, they must be sought separately for each of Sections 6 through 8, and you must include, similarly to the information in a commercial electronic message, the name of the person seeking consent, if consent is being sought on someone else’s behalf, the name of that individual. You also need contact details, including mailing address and one other piece of contact details. And you also need a statement that the person may withdraw their consent at any time.

Regulation 5 is specified functions of computer programs. A computer program’s material elements, if they perform a function in Section 10-5 of CASL, for example, collecting personal information, must be brought to the attention of the user separate from the information in a request for consent. In addition, you need an acknowledgement in writing that the user understands and agrees to those functions. So those are the substantive provisions in the CASL CRTC regulations. Okay. So now I’m going to talk about the information bulletins. The Commission has issued two information bulletins on CASL. The first is certain provisions of the electronic commerce protection regulations, which I just talked about. The Commission gives additional guidance on how certain provisions should be interpreted. And the second is the requirement to obtain express consent under CASL when you’re using toggling. I want to premise the information I’m going to provide with the fact that these are merely guidelines and best practices. They do not bind the Commission itself, and they’re not exhaustive. There may be other ways to comply with CASL. So the industry is free to implement other measures that it may become aware of to be compliant with the Act. As well, the Commission will assess compliance on a case by case basis in light of the specific circumstances that we face. So what follows is not an exhaustive list of the information in the information bulletins, but some highlights of some of the provisions.  And I would encourage you to go to the CRTC website and read the information bulletins thoroughly.

Okay. So Regulation 2, information to be included in a commercial electronic message. Section 2 of the regulations does not require that persons situated between the person sending the message and the person on whose behalf the message is sent to necessarily be identified. So for example, if a person so situated may facilitate the distribution of the CEM, but have no role in its content or choice of recipients, in that event, the Commission is of the view that those individuals do not need to be identified. The other point coming from the information bulletin is affiliates. If a commercial electronic message is being sent on behalf of multiple person, i.e., affiliates, all of those affiliates may be listed – must be listed, pardon me. However, they do not have to be listed in the actual body of the message if it’s not possible to fit all names. You can include a link to a website where the list of those affiliates could be found by the user. The second point, commercial electronic messages must include the sender’s mailing address. In the information bulletin, the Commission provides further information on what constitutes a mailing address, and that would be the sender’s valid current civic or street address, postal box address, rural route address or general delivery address. And of course, pursuant to CASL, that address must be valid for 60 days from the sending of the commercial electronic message. Okay, so this particular slide provides more information and some examples of the form of the commercial electronic message, the unsubscribe mechanism. As I stated, the regulations require that the unsubscribe mechanism must be set out clearly and prominently and must be able to be readily performed. In the information bulletins, the Commission provides further definition and further explanation of what readily performed means. And the Commission is of the view that readily performed means quick, easy to use, easy for the consumer to use and access without difficulty or delay. And on this particular slide, you can see two examples of what the Commission determines is an acceptable unsubscribe mechanism. So in the first example, that would be on a regular computer, the Commission here has given the opportunity to unsubscribe from receiving all promotional messages or all messages from the company. That’s not necessary as per the regulations, but the second portion of it, from receiving all promotional messages would be required. And the second example is on a mobile device. You would be able to text Stop, and that would be acceptable to meet the requirements for the unsubscribe mechanism.

Okay. Information to be included in a request for consent.  Section 4 of the regulations requires that express consent be sought separately for each of Sections 6 through 8. And the Commission was of the view that in order to meet the requirements of seeking consent separately, the person seeking consent must identify and obtain specific and separate consent for each act contemplated in 6 through 8. So in the examples before you on a regular computer and on a mobile device, the person is able to grant their express consent for the installation of a computer program, which is the second bullet, while at the same time refusing to grant their consent for receiving commercial electronic messages. And the second example is identical. It’s just smaller because it’s for a mobile device.

Specified functions of computer programs. As I’ve stated, if it performed the function in Section 10-5 of CASL, for example, collecting personal information, this must be brought to the attention of the user separate from other information in a request for consent. You also need an acknowledgement in writing that the person understands and agrees that the per – that the program performs those specific functions. Okay. So now I’m going to give a little bit more information on the toggling bulletin. What is toggling? Toggling, if you’re not aware, is the means of switching from one state to the other. The Commission, however, has determined that toggling cannot be used as an opt-out consent mechanism, for example, a pre-checked box. In the first example, where the X is, in this example, the user would have to uncheck the box. And in this case, this would be assuming consent. You would have to – you would have to actively or proactively do something to uncheck the box to remove your consent. And this, in the view of the Commission, is not express consent. However, in the second and third example, in the second example where you would have to actively or proactively tick the box or the third example where you would have to insert your email address and then press submit, that these would be examples of express consent, where you would have to take a proactive decision to agree to something.

Okay. So now I’m going to go through some additional guidance material that, as Lynn stated at the beginning, is – is at a staff level. So this is – this is not directed from the Commission itself, but it is Commission staff’s views.

Personal and family relationships. This refers to Section 2 of the governor-in-council regulations. Section 6 of CASL does not apply to a commercial electronic message sent to an individual with whom the sender has a personal or family relationship as defined in Paragraph 2 (b) of the GIC regulations. A personal relationship involves direct, voluntary two-way communications. In each case, the non-exhaustive list of factors set out in Paragraph 2 (b), for example, sharing of interests, frequency of communications will be taken into consideration. As explained in the REAS, and if you’re not familiar what the RIAS is, it’s a document that is attached to the GIC regulations which provides additional information on how Industry Canada is of the view that those provisions should be interpreted. The RIAS of course is not binding on the Commission and is not binding on the courts, but on this particular issue, Commission staff is in agreement with what’s in the RIAS. So as explained in the RIAS, the definition of personal relationship should remain limited to close relationships. And the purpose here is to establish limits and to prevent potential spammers from exploiting this concept in order to send CEMs without consent.

A personal relationship in Commission staff’s view is one that exists between individuals, so legal entities such as corporations cannot have a personal relationship. Someone who sends a CEM on behalf of a corporation may not claim to have a personal relationship with the recipient. Okay. Express consent obtained prior to CASL. This is a question that Commission staff has received quite a bit, and we wanted to provide some clarification on this issue. If you obtained valid express consent, for example, express consent that would be valid under PIPEDA, prior to CASL coming into force, you will be able to continue to rely on that express consent even if your request did not contain the requisite information and contact information as is required by the CASL CRTC regulations. So all CEMs sent after CASL comes into force, however, must contain the requisite information, meet all form requirements and contain an unsubscribe. CASL requires a sender to prove having obtained valid express consent, and the onus is on the sender, as I said, to prove they have consent to send the CEM. And you should also keep in mind that a request for consent cannot be obtained by sending a CEM. The transitional period for implied consent, and this is Section 66 of CASL, and this is another item which Commission staff has received quite a few questions on. And basically what I’m going to do on this slide is I’m going to explain to you how this section works.

Section 66 deems implied consent for a period of 36 months unless the recipient withdraws their consent earlier. However, in order to rely on this provision, there must be an existing business relationship or existing non-business relationship as per the definitions in CASL and the relationship must include the communication via commercial electronic messages. So what Section 66 does is during that transition period of three years, the definitions of existing business relationship and existing non-business relationship are not subject to the limitation period, which are six months and two years that would otherwise be applicable. So in theory, if you meet the definition of existing business relationship or existing non-business relationship and there’s the communication of CEMs between the individuals, you could go back 25 years in theory.

Okay. So now I’m going to talk a little bit more about some of the other exemptions. The GIC regulations contain an exemption for business to business. And the way this exemption works is commercial electronic messages sent by either an employee, representative, consultant or franchisees of an organization to another employee, representative, consultant or franchisee of the organization are exempt, but it must concern the activities of the organization or if it’s sent to an employee, representative, consultant or franchisees of another organization and those organizations have a relationship and the message concerns the activities of the organization to which the message is sent, then those commercial electronic messages are exempt. So the consent is not required to send the CEM, and there is no requirement to add the information requirements and an unsubscribe mechanism to the CEM. Okay. So in this particular slide, I’m going to distinguish between Section 3-B of the GIC regulations, which is requests, inquiries or complaints and Section 6-6 of CASL itself which is quotes or estimates. These are two provisions that are somewhat similar, and so Commission staff here is providing guidance on how to distinguish between the two. If you are sending a CEM that is a response to a request, inquiry or complaint requested by the person to whom the message is sent, you do not need to comply with Section 6 of CASL. Therefore, you do not need consent or to meet the information requirement and add an unsubscribe mechanism to the CEM. And that’s from Section 3-B of the GIC regs. However, if you are sending a CEM that provides a quote or estimate for the supply of a product, good, service, land or an interest or right in land and if the quote or estimate was requested by the person to whom the message is sent, you do not need consent, express or implied. However, you still need to – are required to meet the information requirement and to add an unsubscribe mechanism. So how do you distinguish between the two because the two sound very similar? In Commission staff’s view, the distinction lies with quote or estimate. A quote or estimate in Commission staff’s view has some financial component to it. So somebody is requesting a quote to have their antique sofa refinished, that would be an example of a quote or estimate. And it’s important to distinguish between the two because the requirements that you have to fulfill are somewhat different. Okay, moving on. Messages sent and received on an electronic messaging service, and this from Section 3-D of the GIC regulations. I guess the first question is what is an electronic messaging service? In Commission staff’s view, an example would be BlackBerry Messenger. If a messaging service by its very nature makes information required under Section 6 of the Act readily available to the recipient, then of course it would be redundant to require such information in each individual message. Such information must be readily available as part of the messaging service and not as part of the device used to access the message. However, you will need – you still require consent, express or implied. What does the term readily available mean? In Commission staff’s view, it means immediately accessible. So as an example, clicking on an icon in a messaging service platform would be readily accessible. However, requiring the user to navigate through a series of websites and links would be something that would not be considered readily available.

Okay, so this is limited access, secure and confidential accounts. And that’s from Section 3-E of the GIC regulations. An example of something that’s a limited access, secure and confidential account would be a closed network operated by a bank. So sent to a limited access, secure and confidential account to which messages can only be sent by the person who provides the account to the person who receives the message, this is a full exemption. So there’s no requirement for consent information requirements or the unsubscribe mechanism. The only persons who may access such accounts consists of the person who owns or provides the account and the account holder. And the other requirement to use this exemption is that within those accounts communications in only one way, so the messages can only be sent by the person who provides the account or owns the account such as the bank to the person who is the account holder, you as the bank account holder. So the account holder would be unable to send messages to the account owner. So if you meet those two requirements, you may be able to rely on this exemption. Commercial electronic messages sent to foreign countries. This is Section 3-F of the GIC regulations. So this particular provision excludes some CEMs sent from Canada to a foreign country from the application of Section 6. So this would mean consent is not required, and you don’t have to have the information requirements or an unsubscribe mechanism, but there are three conditions you have to fulfill. The foreign country must be listed in Schedule 1 to the regulations, and these are countries that have their own anti-spam legislation. This is countries such as the UK, Australia, New Zealand. The CEM must be sent in compliance with the provisions of the foreign law that addresses conduct that is substantially similar to the conduct prohibited in CASL.

The Commission staff is of the view that substantially similar means a strong resemblance, bearing a resemblance to. It doesn’t mean that it has to be identical to the provisions of CASL. And the third requirement is that the sender or the person who permits the CEM to be sent must reasonably believe that the CEM will be accessed in the foreign state listed in Schedule 1. And reasonably believe is the reasonable person test. Given the facts, would a reasonable person come to the same conclusion? And if you’re able to fulfill these three requirements, then you can rely on this exemption, Section 3-F of CASL – of the GIC regs. Registered charities, and this is Section 3-G of the GIC regs. Commercial electronic messages sent by or on behalf of a registered charity, as defined in Section 248-1 of the Income Tax Act, are excluded from Section 6 of CASL. However, the primary purpose of the CEM must be to raise funds for the charity. If you are able to meet these conditions, that you are a registered charity in 248-1 of the Income Tax Act and the primary purpose of the CEM is to raise funds, then you’ll be able to rely on this exemption, meaning you do not need consent and you do not the information requirements or an unsubscribe. However, I want to point out – to give some direction on how Commission staff interpret the primary purpose. This is the main reason for or consequence if the chief, principal or main purpose, so there could be a secondary or a third purpose, but the main purpose of the message, the primary purpose has to be raising funds for a charity. This is Section 3-H of the GIC regs. It’s very similar to registered charities, and this is political parties and candidates. Commercial electronic messages sent by or on behalf of a political party or a person who is a candidate for publicly-elected office are excluded from Section 6 of CASL, so this means no consent, express, implied. You do not have to meet the information requirements, and you do not have to include an unsubscribe mechanism. Similarly to registered charities, the primary purpose of the CEM must be soliciting a contribution as defined in Subsection 2-1 of the Canada Elections Act. Please note that contribution means monetary or non-monetary contribution. I’d also like to point out that certain terms such as political party and candidate, further definition can be found in the Canada Elections Act.

Commission staff takes the same interpretation of primary purpose, so it’s the main reason, it’s the chief or principal reason for sending the commercial electronic message.

Okay, so now I’m going to provide a breakdown of the third party referral exemption. And this is in Section 4 of the GIC regs. Consent is not required to send the first commercial electronic message if it’s sent following a referral by an individual who has either an existing business relationship, existing non-business relationship, family or personal relationship. Any of the above relationships must exist with the person who sends the message and with the individual to whom the message is sent. You must include the full name of the individual who made the referral and a statement that the message is the result – is sent as a result of the referral and that must be in the message. And the message must still contain the requisite contact information and unsubscribe mechanism. This is basically an exemption from consent only. Important to note you can only – this is only for the first message that is sent. Personal relationships and social media. A personal relationship as defined in Section 2-B of the GIC regulations requires that the real identity of the individual who alleges a personal relationship is known by the other individual involved in such a relationship as opposed to instances of virtual identity or where an alias is used. Using social media or sharing a same network does not necessarily reveal a personal relationship between individuals. In Commission staff’s view, the mere use of buttons available on social media websites, such as clicking Like on Facebook, voting for or against a post on Reddit, accepting someone as a friend on Facebook or clicking Follow on Twitter will generally be insufficient to constitute a personal relationship. Social media can be used to meet a range of different needs. Depending on the features used and the circumstances of the case, however, use of social media may or may not reveal a personal relationship. And that will be looked at on a case by case basis. Okay, specified – specified computer programs, network security. Section 6 of the GIC regulations talks about specified computer programs, and these are programs that are specified for the purpose of Section 10-8 of the Act. And this is where a person is considered to expressly consent to the installation of a computer program. There are – there are certain terms that are used in Section 6 of the GIC regulations which Commission staff is going to provide you with some additional direction. Section 6-A of the GIC regulations is by or on behalf a telecommunications service provider solely to protect the security of its network from a current and identifiable threat. In

Commission staff’s view, the term solely is that if a computer program is installed for a purpose set out in the paragraphs of Section 6 of the regs and also for another purpose, then Section 6 of the regulations does not apply. It must be installed solely for that purpose. Section 6-B of the GIC regulations is upgrades or updates to the network by or on behalf a telecommunications service provider who owns or operates the network. Commission staff here is providing additional guidance on the term network. This term refers to the telecommunications service as defined in Subsection 1-1 of the Act. That is provided by a telecommunications service provider to its current clients. These services include a feature of a service delivered by means of telecommunications facilities, including network routers and servers regardless of whether the TSP owns, leases or has any interests in or right to the equipment and software used to provide the telecommunications service. And it’s important to note the definition here as the definition of TSP is different than that provided in the Telecommunications Act. The definition in the Telecommunications Act is a much more narrow definition and would be a TSP – an example of a TSP would be Bell Canada, whereas in the definition provided in CASL, an example could be – it could be OnStar provided by General Motors in your vehicle. Section 6-C is necessary to correct a failure in the operation of a computer program – pardon me, of a computer system or program installed on – and installed solely for that purpose. In Commission staff’s view, the term failure means that the computer program does not function properly and is not consistent with consumer expectations. Existing business relationship membership. This is Section 7 of the GIC regulations.

So I’m going to now break down how this particular exemption works. You may rely on the existing non-business relationship to imply consent to members of an association, club or voluntary organization. However, you must still meet the information requirements and add an unsubscribe mechanism to your commercial electronic messages. You should ensure, however, that you are only sending to members. What is members? Membership means the status of having accepted as a member of a club, association or voluntary organization in accordance with its membership requirements. And so in order to determine if someone is a member, you would look to the membership requirements of that particular organization. So you should also ensure that your association falls within the following. It’s a club, association or voluntary organization that’s not-for-profit. It’s organized and operated exclusively for social welfare, civic improvement, pleasure or recreation or for any purpose other than personal profit. Or no part of its income is payable for the personal benefit of a member unless the member is an organization whose primary purpose is the promotion of amateur athletics in Canada. And I should clarify that it’s not or, it’s and. You must meet those particular points.

And lastly, I’m just going to conclude by talking about some of the communications products that we have forthcoming. If you’re watching this today, then this information session has been recorded and is being – you’re watching it on the CRTC YouTube channel. So that’s one of the products that we have available. We have cross – we have done across country information sessions and speaking tours where we’ve been speaking at different organizations and we’ve had Commission-hosted events. We will be doing webinars. There will be as well or in addition to the information bulletins we’ve already published, there will be other information bulletins forthcoming in a few – in a couple of months. As well, you’ll see additional staff guidance materials such as FAQs posted on the CRTC website, and there will be info-graphics and informative videos which you’ll be able to watch. So I thank you for joining us for this information session. I hope that you found it helpful. And as Lynn said, if you do have any questions, please feel free to forward your questions to the CRTC client services and we will be posting FAQs on the website after that. Thank you very much.

The Canadian Radio-television and Telecommunications Commission (CRTC) has released a video presentation of the CASL information sessions which have been hosted across the country in the past six months. The presentation provides detailed information on enforcement, regulations and guidance related to CASL