Apr 28, 2011

Global spam compliance considerations

Error in deserializing body of reply message for operation 'Translate'. The maximum string content length quota (8192) has been exceeded while reading XML data. This quota may be increased by changing the MaxStringContentLength property on the XmlDictionaryReaderQuotas object used when creating the XML reader. Line 1, position 8591.
Error in deserializing body of reply message for operation 'Translate'. The maximum string content length quota (8192) has been exceeded while reading XML data. This quota may be increased by changing the MaxStringContentLength property on the XmlDictionaryReaderQuotas object used when creating the XML reader. Line 1, position 9016.

This is a guest post by Richard B. NewmanAffiliate Marketing Lawyer

Late last year, Canada passed federal anti-spam legislation known as “Canada’s Online Protection Legislation (“COPL”).  In doing so, Canada has become the last of the G8 countries (Canada, France, Germany, Italy, Japan, the United Kingdom, and the United States) to implement specific legislation to combat unsolicited commercial e-mail (“UCE”).

UCE and SMS text messages have rapidly become a global sensation.  However, it is oftentimes difficult to hold senders of these electronic messages accountable – thus, spammers are ubiquitous.  The consequences are typically borne by e-mail account holders and ISPs.

Global legislation has taken differing approaches with respect to dealing with UCE.  As a general rule, national legislation protects all resident e-mail account holders, and thus also applies to e-mail senders that may reside abroad.  The challenge that this creates is one with respect to global direct marketing programs because as anti-spam laws of various jurisdictions differ (e.g., acquisition of e-mail addresses and other personal data, when/whether prior opt-in consent from an e-mail account holder is required,  how UCE must be labeled and accompanied by opt-out mechanisms, and how compliance enforcement).

For example, European Union law restricts the collection of personal data, including e-mail addresses. The legality of building databases for marketing purposes without express individual consent, or at least prior notice, is questionable at best.  It may be permissible to collect e-mail addresses from public sources if the interest of the e-mail account holder in keeping his or her address out of the data base does not outweigh the interest of the data collector to commercialize the data base.  However, prior notice is generally required for data collection, and some European Union Member States require prior affirmative opt-in consent before personal data is used for any marketing purposes.

By contrast, in the United States, companies are generally free to collect and process e-mail addresses and personal information for marketing purposes, with the exception of specific flagrant forms of harvesting and unauthorized access to websites and servers – prohibited by the CAN-SPAM Act and the Computer Fraud and Abuse Act.  At least for now, prior notice to e-mail account owners regarding the collection of their addresses is generally not required and cookie placement practices should be disclosed in website privacy statements, but companies are not required to obtain affirmative prior consent – again, for now…stay tuned.

The CAN-SPAM Act also generally permits companies to send unsolicited e-mails, so long as recipients are not deceived and receive certain disclosures and an opportunity to opt-out of receiving further e-mails. 

 The Canadian legislation contemplates a prior opt-in requirement, more similar to the European than the U.S. approach, although exceptions to be further developed in the implementing regulations could effectively create more of a middle ground between the restrictive European system and the more permissive (currently) U.S. approach.  It is anticipated that COPL will come into force when implementing regulations are adopted toward the end of this year.

While COPL will create a comprehensive regulatory regime primarily enforced by the federal communications regulator, it will almost certainly establish a range of new offenses and penalties.  While its primary objective is almost certainly to reduce “the most damaging and deceptive” spam and related online threats that discourage the use of electronic commerce and undermine privacy, the broad scope of COPL may have unintended consequences upon legitimate online business activities and subsequently require careful assessment of the requirements and revised procedures to ensure compliance.

Specifically, COPL generally prohibits individuals and organizations from sending, causing or permitting to be sent unsolicited “commercial electronic messages” to any recipient (including both personal and business e-mail addresses) who has not provided prior consent.  Businesses must generally obtain express opt-in consent from recipients before sending any electronic commercial messages, including a message containing a request to obtain consent.  Reliance on implied consent will be permitted in certain situations, including pre-existing business relationships and where an electronic address was conspicuously disclosed in a business context.   The definition of a “commercial” electronic message is very broad, encompassing any message one of whose purposes could reasonably be construed to encourage participation in a commercial activity.

In all non-exempt commercial electronic messages, COPL will mandate detailed disclosure requirements in order to obtain consent, as well as a mandatory unsubscribe mechanism.  Generally, unsolicited commercial messages will be required to identify the party sending the message and, if different, the identity of the party on whose behalf the message is sent, as well as their respective contact information.  The unsubscribe mechanism will be required to include either a specified electronic address or a hyperlink valid for at least 60 days.  Unsubscribe requests will need to be given effect no later than 10 business days after being sent.

The prohibitions placed on unsolicited commercial electronic messages will apply regardless of the medium used for transmission.  E-mail, instant messaging, and text messaging will be captured, regardless of whether the message is in the form of text, sounds, image, or video.  COPL will not apply to commercial electronic messages delivered via a broadcast undertaking, two-way voice communications between individuals, or “broadcast” faxes or voice recordings sent to a telephone account. However, the legislation does include provisions that would allow COPL requirements to be extended to telemarketing calls in the future.

COPL does not limit how an e-mail address itself can be collected, other than by amending existing privacy legislation to prohibit e-mail address harvesting, discussed below.  However, existing private sector privacy legislation generally requires prior consent to the collection of personal information, including e-mail addresses.  Since such consent can be implied, there may be situations where businesses have consent to collect e-mail addresses under privacy legislation but lack the consent necessary under COPL to use them for marketing communications.

COPL will be enforced jointly by the Canadian Radio-television and Telecommunications Commission, the Canadian Competition Bureau and the Office of the Privacy Commissioner of Canada. Significant civil administrative monetary penalties will be available to address non-compliance, which can reach up to C$1 million ($1 million) in the case of individuals and C$10 million ($10.2 million) in the case of businesses for the most egregious offences.  Officers and directors of a corporation may be liable in certain circumstances, including if they authorized or acquiesced in the commission of an offence. As well, employers may be held liable for violations committed by their employees or agents acting within the scope of their employment or authority.  A “due diligence” defense will be available to demonstrate that steps were taken to prevent alleged violations.  COPL will also provide a private right of action for parties to claim actual losses, damages or expenses and authorize Canadian courts to order compensation, as well as statutory damages.

……………………………………………………………………………………
Richard B. Newman is an Internet Law Attorney and
Business Litigation Lawyer at Hinch Newman LLP
……………………………………………………………………………………

*Advertising Disclosure Policy*

View the original article here

No comments: