Adam Kardash of Osler, Hoskin & Harcourt LLP spoke about emerging privacy themes that companies should be paying attention to at our MIXX conference held on March 20, 2014.
Emerging Privacy Themes That Will Impact Your Company
1. Emerging Privacy Themes That Will Impact Your Company
IAB Canada Spring MIXX Conference
Thursday, March 20, 2014
Adam Kardash
Partner, Privacy & Information Management
2. Three Key Privacy Challenges Impacting Companies in the “Digital” Sector
Canada’s Anti-Spam Legislation
Online Behavioural Advertising
Security Incidents
3. Canada’s Anti-Spam Legislation
Federal legislation imposing strict consent, notice and content requirements for “commercial electronic messages”.
Will impact organizations in all sectors, particularly digital marketing practices.
Potentially severe penalties for contravention of the statute.
4. Canada’s Anti-Spam Legislation
Enacted in December 2010 but not yet in force.
Commercial Electronic Message provisions in force July 1, 2014
Computer programming provisions in force January 15, 2015
Private right of action in force July 1, 2017
Details of CASL set out in 2 regulations:
CRTC Regulations finalized in March 2012.
Industry Canada Regulations finalized in December 2013.
CRTC Guidelines released in October 2012
Guidelines on the Interpretation of the Electronic Commerce Protection Regulations (CRTC)
Guidelines on the use of Toggling as a means of Obtaining Express Consent under CASL
CRTC FAQs released in December 2013
More FAQs, compliance guidelines expected
5. Canada’s Anti-Spam Legislation
Administrative Monetary Penalties
Up to $1 million per violation for individuals and $10 million for businesses.
Private Right of Action
Statutory damages up to $200 for each violation of the prohibition against unsolicited commercial electronic messages, up to $1 million for each day on which the violation occurred.
A single email or text message in contravention of CASL = violation.
6. Canada’s Anti-Spam Legislation
Applies to any “Commercial Electronic Message”
Any means of telecommunication, including text, sound, voice or image messages.
Reasonable to conclude that, among its purposes, the message is aimed at encouraging participation in a commercial activity.
Examples of commercial electronic messages:
emails
text messages
refer-a-friend
emerging forms of messaging
an email or text message that hyperlinks to content “aimed at encouraging participation in a commercial activity”
7. Canada’s Anti-Spam Legislation
Prohibited to send, or cause or permit to be sent, a commercial electronic message (CEM) to an electronic address unless the recipient has provided express or implied consent.
Most CEMs must also meet certain specified content requirements, including an unsubscribe mechanism.
8. Canada’s Anti-Spam Legislation
Compliance Requirements - Tackling the CASL Hassle
Engaged multi-stakeholder teams required
Inventory critical
Complicated, technical exceptions and requirements
Operational impact potentially severe
Due diligence requirement to mitigate enforcement and class action risk
Policies, practices, protocols
Training
Contractual requirements
9. Online Behavioural Advertising
Office of the Privacy Commissioner of Canada is focused on the potential privacy issues associated with OBA.
Privacy and Online Behavioural Advertising Guidelines
Policy Position on Online Behavioural Advertising
Multiple Investigations
Report of Findings #2012-001: Social networking site for youth, Nexopia, breached Canadian privacy law
Report of Findings #2013-003: Profiles on PositiveSingles.com dating website turn up on other affiliated dating websites
Report of Findings #2014-001: Use of sensitive health information for targeting of Google ads raises privacy concerns
Ongoing Bell Canada Investigation
10. Online Behavioural Advertising
Digital Advertising Alliance of Canada’s “Ad Choices” Self-Regulatory Program for Online Behavioural Advertising
Program framework based on six key principles:
1. Education
2. Transparency
3. Consumer Control
4. Data Security
5. Sensitive Personal Information
6. Accountability
11. Online Behavioural Advertising
Principles set out obligations for three different parties involved in OBA:
First Parties
Web site Publishers or Operators
Third Parties
Ad Networks, Data Companies
Service Providers
Internet Service Providers, Browser Operators, Web Toolbars
12. Online Behavioural Advertising
The DAAC has created a website (available at YourAdChoices.ca) that is the hub of the Program.
Participating companies listed on the website.
To date, over 40 companies registered/registering.
13. Security Incidents
Security incident matters have now become a business critical issue for companies across all sectors
Key Drivers
Data explosion
Technological developments
Cybersecurity threats
Government/law enforcement/national security authority access to personal information via private sector companies
14. Implied Breach Notification Requirement
Implied Breach Notification Obligation
While there are currently no express data breach notification requirements under PIPEDA, OPC Letters of Finding and guidance documents suggest that a duty to notify affected individuals is implicit within the general safeguarding requirements under the Act:
In circumstances where material harm is reasonably foreseeable; and
Where such notification would serve to protect personal information from further unauthorized access, use or disclosure
15. Express Breach Notification Requirement
PIPA Alberta
Organizations must report to the Commissioner any incident involving the loss of or unauthorized access to or disclosure of personal information where a reasonable person would consider that there exists a real risk of significant harm to an individual.
PIPITPA Manitoba [Not yet in force]
An organization must, as soon as reasonably practicable and in the prescribed manner, notify an individual if personal information about the individual that is in its custody or under its control is stolen, lost or accessed in an unauthorized manner.
Exceptions:
Instructions from law enforcement that is investigating the theft, loss or unauthorized accessing of the personal information; or
Organization satisfied that it is not reasonably possible for the personal information to be used unlawfully
16. Impact of Breach Notification Requirements
Enhanced transparency/reporting about security incidents within organizations.
More notifications to affected individuals about security incidents.
More media reports and general awareness about information security (or lack thereof).
More investigations by privacy regulatory authorities.
Increased litigation risk.
More proactive efforts by organizations to address personal information security concerns.
Increased out-of-pocket, reputation and other costs to organizations due to all of the above.