Edited by Brian Fraser , Susan Vogt and Melissa Tehrani

In this issue:

  • The First CRTC Guidelines on CASL Released
  • Are You Compliant? Online Behavioural Advertising in Canada, the U.S., and Europe
  • Creating an App? There are Privacy Laws for That
  • Prepaid Payment Products Regulations
  • Amended Copyright Act — Updated Advertisers and Marketers
  • PMA Summary

THE FIRST CRTC GUIDELINES ON CASL RELEASED

While Canada's "anti-spam" legislation (CASL) has not yet been proclaimed in force, the CRTC has been busy fulfilling its mandate pursuant to that legislation. In March of this year, the CRTC issued the Electronic Commerce Protection Regulations (CRTC) (Regulations), which prescribe the form and certain information to be included in commercial electronic messages, and requests for consent to send CEMs, the alteration of transmission data in electronic messages, and the installation of computer programs.

The CRTC has now issued two guidelines to provide detail on the content requirements for commercial electronic messages, and what practices and format it would consider acceptable to obtain consent to send a commercial electronic message.

Most interesting are the sections regarding request for consent — how to get it, and what needs to be included.

The CRTC makes it clear that each of the prohibited acts (sending a CEM, altering transmission data in electronic messages in the course of a commercial activity, and installation of a computer program on another person's computer in the course of a commercial activity) require separate and distinct consent to be obtained.

The CRTC further clarifies that consent cannot be subsumed in website terms and conditions — it must be clearly identified and separate from the consent to general terms and conditions of use or sale. Similarly, if the proper use of a product or service requires the installation of a computer program, then it should be explained in the consent request, and consent must be obtained before the product is used or sold.

The CRTC provides useful details on means and methods to obtain consent. It is clear that express consent must be an opt-in mechanism, not an opt-out mechanism. Therefore, organizations are going to have to be explicit in this regard, and a toggling mechanism that pre-checks a consent box will not be sufficient. A CEM cannot be used to elicit express consent, either. It would, however, be sufficient to require the individual to actively check a blank consent box, or type in an email address to indicate consent, with a confirmation of receipt provided to the individual.

Since most organizations currently use their general online terms and conditions or terms of use agreements to elicit deemed consent to receive commercial electronic messages from their customers (hopefully with an opt-out mechanism), the guidelines will require significant changes by these organizations in order to ensure compliance with the Regulations going forward.

The CRTC has also provided some detail on the unsubscribe mechanism to be included in a CEM. This mechanism must be "readily performed"; for emails, a link that takes the user to a webpage where the user can unsubscribe from receiving all or some types of CEM's from the sender works, as does a reply to an SMS message with the word "STOP" or "Unsubscribe", then clicking on a link to unsubscribe. Again, this will be an interesting shift from the current practice of embedding the unsubscribe mechanisms in user terms or privacy policies.


ARE YOU COMPLIANT? ONLINE BEHAVIOURAL ADVERTISING IN CANADA, THE U.S., AND EUROPE

By: Brenda Pritchard and Matthew Marinett

Online behavioural advertising (OBA) has become a hot topic for social media and Internet advertisers over the last few years, and compliance with both legal and self-regulatory regimes has never been more important. Simply put, OBA is the practice of tracking the activity of an Internet user across multiple websites in order to serve them ads that correspond with their inferred interests or preferences. The practice raises complex questions about privacy, the protection of personal information, and the transparency of Internet operators and advertisers.

While there appears to be a consensus in the Western world that consumers should be informed when their personal information is being collected and be offered the option not to be tracked, the implementation of these principles differs between nations. The practice of OBA often does not respect political boundaries, but each region addresses the issue from a unique framework of laws and a different understanding of the right to privacy. A summary of the regulation of OBA in Canada, the U.S., and the EU follows.

Canada

The Office of the Privacy Commissioner of Canada (OPC) released a new policy position on OBA in June 2012. The OPC's policy guidelines serve to inform and clarify the application of Canada's federal privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), to OBA.

The guidelines state that the OPC will view all information collected for OBA as "personal information" for the purposes of PIPEDA, regardless of whether that information can be reasonably used to identify an individual. However, the guidelines do allow the collection of personal information for OBA so long as certain requirements are met. Key among these requirements are the criteria that the user be informed that their information is being collected and how it is being used, and that the user be given an option to immediately and persistently opt out of being tracked for OBA. Depending on the sensitivity of the information, opt-in consent may be required instead.

Canada is also currently in the process of implementing a self-regulatory framework similar to the existing self-regulatory system in the U.S., which is described below. The framework is being established jointly by the Interactive Advertising Bureau of Canada, the Council of Better Business Bureaus and Advertising Standards Canada. The Privacy Commissioner of Canada has publicly supported the implementation of this program.

U.S.

The U.S. does not currently have any federal legislation addressing OBA. However, both the Federal Trade Commission and the White House have published privacy guidelines that are applicable to OBA. While these documents do not have legal force, they are intended to help guide future legislation and industry self-regulation.

As mentioned above, a self-regulatory program is currently in place in the U.S. The program requires participants to adhere to a number of principles, and divides up responsibilities between website operators, ad networks, and Internet service providers. The principles primarily call for participants to ensure transparency and the consent of users, and, like Canada, require an opt-out mechanism for users. To facilitate this, a single opt-out webpage has been established, where users can opt out of being tracked by any or all participating ad services. Additionally, a universal icon has been created which is to be displayed near all OBA advertisements. This icon links to a full disclosure about OBA and the collection and use of personal information, and provides access to the central opt-out page.

More information about the U.S. self-regulatory regime, and the central opt-out page, can be found at AboutAds.info.

EU

Similar to policies in both the U.S. and Canada, Europe's e-Privacy Directive requires companies collecting personal information to provide "clear and comprehensive information" about the collection and storage, including the identity of the data controller, the purposes of the data storage, and whether there is a right to access or amend the individual's stored data.

Diverging from the North American approach, however, Europe's e-Privacy Directive also requires opt-in consent for the storage of personal information, except in very limited circumstances. This requirement is often known as the "cookie law," as its implementation would prevent the placing and tracking of Internet cookies on users' computers. Twenty European nations have adopted the Directive. Some nations, like France and Cyprus, now require opt-in consent for the storage of personal information or the tracking of cookies online. Other nations, such as the U.K., Germany, Denmark, Finland and Hungary will allow implied consent. This implied consent is to be determined from a user's browser or application settings. The exact legal requirements will vary from nation to nation.


CREATING AN APP? THERE ARE PRIVACY LAWS FOR THAT

By: Nika Pidskalny

Office of the Privacy Commissioner of Canada Releases Guidance Document for Developing Mobile Apps

On October 24, 2012, the Office of the Privacy Commissioner of Canada released the guidance document "Seizing Opportunity: Good Privacy Practices for Developing Mobile Apps," which was developed in conjunction with the Offices of the Information and Privacy Commissioner of Alberta and British Columbia. This OPC guidance document is aimed at assisting app developers in Canada address the unique characteristics of the mobile space and the special challenges related to protecting privacy in this environment, such as the potential for comprehensive surveillance of individuals and the difficulty of conveying meaningful information about privacy on the small screen with intermittent user attention.

The OPC guidance document highlights the fact that privacy protection is not only the law, it makes good business sense. For instance, some surveys suggest that good privacy practices can be a competitive advantage, helping gain user trust and loyalty. In fact, it may even be a necessity — one survey showed that 57 per cent of app users in the United States either uninstalled an app or declined to install an app due to concerns with respect to sharing their personal information. In Canada, it appears that the majority of Canadians agree that protecting personal information will be one of the most important issues facing Canada in the next 10 years, with the overriding opinion being that businesses are requesting too much personal information, not keeping this information secure and selling the information to other organizations.

Key Privacy Considerations

Simply put: you are responsible for the personal information collected, used and disclosed through your app, regardless of the type of app you develop. Generally speaking, "personal information" means "information about an identifiable individual." According to the Federal Court, where there is a serious possibility that an individual could be identified through the use of the information, whether alone or in combination with other available information, the information is about an identifiable individual.

Where you will be collecting, using and/or disclosing personal information through your app, the following considerations are particularly relevant according to the OPC guidance document:

  1. Be accountable. Build a privacy management program, including a privacy policy, and identify someone within your company to be responsible for privacy protection. Ensure and insist on compliance with privacy laws not only internally, but in all of your business arrangements and contracts with third parties.
  2. Be transparent. Before users download your app, provide clear and accessible information with respect to what personal information you will be collecting, why you are collecting it, where it will be stored, whom it will be shared with and why, how long you will keep it, and any other relevant privacy issues. Should you make any updates or changes to your app's privacy policy after it has been downloaded by a user, provide advance notice about these changes and allow reasonable time for feedback before these changes take effect. Do not make updates that will lessen a user's privacy without notifying users. Ever.
  3. Be selective and secure. Limit the collection of personal information to what is needed to carry out legitimate purposes — you may not need to collect personal information at all. If you are having difficulty explaining how a piece of information relates to the functioning of your app, rethink collecting it. Data should not be collected simply because it may be useful in the future and data should be deleted when it is no longer necessary for the original purpose identified. After deciding what information will be collected, have controls in place, appropriate to the sensitivity of the information, to ensure its security. Provide users with a clear and easy way to refuse an update, deactivate the app and delete all the data collected about them. Delete data automatically on deactivation or deletion of the app by a user.
  4. Obtain meaningful consent. In addition to the difficulty of conveying information on a small screen, users can often suffer from "notice fatigue" and ignore notices or warnings they see too often. To reach users with the necessary information, put important details up front and embed links to the details. Also use visual cues such as graphics, colour and sound to draw a user's attention to important information.
  5. Timing is critical. Again, user attention in the smart phone world is intermittent and limited. Moreover, with so many apps available, users cannot be expected to remember information they were provided upon downloading an app. Therefore, it is important to be thoughtful and creative with respect to the timing of your privacy messages, not only telling users in advance what will happen with their information, but also informing users when they first use the app and throughout their app experience.

According to the Office of the Privacy Commissioner of Canada, with the increasing popularity of apps will likely come the increased scrutiny of the privacy practices of businesses operating in the mobile space, not only by regulators but also by consumers who are becoming increasingly informed, perceptive and influential. Therefore, implementing the recommendations set out in the OPC guidance document not only makes sense from a legal and business perspective, it may soon become a necessity.

The full OPC guidance document can be viewed at: http://www.priv.gc.ca/information/pub/gd_app_201210_e.asp


PREPAID PAYMENT PRODUCTS REGULATIONS

By: René Bissonnette

On October 27, 2012, the Department of Finance published proposed Prepaid Payment Products Regulations (Regulations) that will apply to prepaid payment products (PPPs) that are issued by a federally-regulated financial institution. PPPs are defined as physical or electronic payment cards that are – or can be – loaded with funds to make withdrawals or purchase goods or services.

The Regulations outline various disclosure requirements that financial institutions must comply with in the course of issuing PPPs and also set out prohibited practices applicable to PPPs. What follows is an analysis of the requirements in the draft Regulations, which may change before they are brought into force.

Disclosure Requirements

Under the PPP regime envisioned by the Regulations, the financial institution issuing the card must make prescribed disclosure when a consumer first applies for a PPP before it is issued. As a general consideration, in order to facilitate consumers' understanding of PPPs, the Regulations require all of the following disclosure requirements must be made using language, and presented in a manner, that is clear, simple and not misleading.

Prior to Issuance

Before a PPP is issued, the following information must be provided in writing to a person applying for a PPP in any document prepared for the issuance of the product, including on the PPP's exterior packaging (if any):

  1. The name of the issuing financial institution
  2. A toll-free number that can be used to find out about the PPPs terms and conditions
  3. Any restrictions on the use of the PPP
  4. All applicable fees, which must be prominently displayed in an information box
  5. That the PPP will not expire, with the exception of promotional PPPs which are permitted to have a stated expiry date (NB: pursuant to the Regulations, a promotional PPP is purchased by an entity and distributed by that same entity as part of a promotional, loyalty or award program)

As indicated above, a PPP obtained following an application would likely have to satisfy these disclosure requirements in both the documents provided to the potential consumer in response to the application and on the PPP's exterior packaging, if any, whereas a PPP purchased at retail that has not had any documents prepared for the issuance of the PPP, aside from exterior packaging, would likely only have to ensure these disclosure requirements have been met on the exterior packaging of the PPP, if any.

Upon Issuance

Upon issuance of a PPP, the following information must be disclosed to the consumer:

  1. All of the information outlined above
  2. Any charges that accompany the acceptance or use of the PPP
  3. The terms and conditions applicable to the PPP
  4. A description of how to verify the PPP's balance
  5. A description of, and the permitted, split payments (NB: the Regulations do not define the term "split payments," but it arguably refers to a payment for goods or services made partially using the PPP and another method of payment)

On the Product

The following information must be provided directly on the PPP or, if the product is electronic, electronically on the product holder's request:

  1. The name of the issuing financial Institution
  2. The date the PPP expires, if any
  3. For a promotional PPP, the date on which the right to use the loaded funds expire, if any
  4. A toll-free number that can be used to make inquiries about the PPP, including the balance and complaints
  5. A website address where all of the foregoing information can be obtained (including the information outlined under the headings "Upon Issuance" and "On the Product" provided above)

Prohibited Practices

In addition to disclosure requirements, the Regulations also specify certain prohibited practices in relation to PPPs.

Restrictions on Maintenance Fees

After activation, a financial institution is prohibited from imposing a fee in relation to a PPP, other than a fee associated with the holder's use of the PPP or of any service related to it, for a period of 12 months after activation, unless it is a promotional PPP.

No Expiry of Funds

It is prohibited to impose an expiry date on a PPP holder's right to use loaded funds, unless it is a promotional PPP. Consequently, it appears that a physical PPP may expire, arguably requiring the holder to obtain a new card that can be loaded with the balance of funds loaded on the expired PPP, whereas the right to use funds loaded on a PPP cannot expire, unless it is a promotional PPP.

No New or Increased Fees without Notice

A financial institution cannot increase an existing fee or impose a new fee, unless, among other things, the financial institution provides the PPP holder with at least 30 days' notice and a notice is displayed on the financial institution's website at least 60 days before the effective date of the new or increased fee.

No Overdraft or Interest Charges without Consent

It is prohibited to charge an overdraft fee or interest in respect of a PPP, unless the product holder has provided his/her express consent to such fee or interest. "Express consent" is not defined in the Regulations, as such it is unclear in what manner an organization may satisfy this requirement.

It is interesting to note that maintenance fees are the only type of prohibited fees pursuant to the Regulations (for 12 months), if proper notice is provided for any new or increased fee. Consequently, it appears that, aside from these prohibited fees, financial institutions can apply a broad range of fees to PPPs, including fees disclosed prior to activation, and new fees imposed post-activation associated with the holder's use of the PPP or any service related to it, as long as such fees otherwise comply with the Regulations, including any disclosure and notice requirements. This is a notable departure from the provincial treatment of "gift cards" where the imposition of fees would not be permitted.


AMENDED COPYRIGHT ACT — UPDATED ADVERTISERS AND MARKETERS

By: René Bissonnette

Following three previous attempts to amend the Copyright Act, Bill C-11 came into force on November 7, 2012. The legislative changes to Canadian copyright law ushered in by Bill C-11 are far ranging (for a summary of the changes, see: http://bit.ly/SqR97L). What follows is a summary of the most important changes in terms of their potential impact on the advertising and marketing industry.

Ownership of Copyright in Commissioned Photographs

Previously, if a photographer was commissioned to take photographs, the person or entity that commissioned the photographs was the owner of copyright in the photographs. Bill C-11 has changed this arrangement so that now the photographer will own the copyright in the photographs, absent any contractual provision that specifies otherwise. Consequently, contracts for a photographer's services should be reviewed to ensure they contain provisions indicating both that the photographer assigns copyright ownership in the photographs that will be created and undertakes to execute further agreements to give effect, confirm and evidence such assignment.

New Categories of Fair Dealing: Parody and Satire

Previously, the categories of fair dealing were limited to private study, research, criticism and news reporting. Bill C-11 has expanded the categories of fair dealing to include parody, satire and education. Although education will be of limited application in the advertising and marketing industry, parody and satire can be used in innumerable ways in the course of an advertising campaign. However, dealing with works for the purpose of parody or satire must still be "fair" in all the circumstance. Further, it is important to keep in mind that the categories of fair dealing permit a person to use a work without infringing copyright. Therefore, despite falling within the ambit of a fair dealing category, a person may still infringe the moral rights in a work where the work is distorted, mutilated or otherwise modified to the prejudice of the honour or reputation of the creator (note: this is not an exhaustive list of the ways moral rights may be infringed).  

The "Mash-up" Exception

Bill C-11 also creates a new exception whereby individuals will be permitted to use existing copyrighted works in the creation of new user-generated content (UGC). However, one of the main conditions that must be satisfied in order to avail oneself of the exception is that the creation of the new UGC must be done solely for non-commercial purposes. As such, this exception will likely have limited application to the advertising and marketing industry.

Statutory Damages

Previously, statutory damages ranged from $500 up to a maximum of $20,000 per work infringed, regardless of the commercial versus non-commercial purpose of the infringement. Bill C-11 has modified the amount of statutory damages available to the copyright owner in that the previous range of statutory damages only applies where the infringement was for commercial purposes. Bill C-11 limits the range of statutory damages in cases of infringement for non-commercial purposes to between $100 and $5,000 for all infringements in a single proceeding regardless of the number of different works infringed.


PMA SUMMARY

By: Daniel Cole

November 2012 – Many global marketing leaders met recently in Chicago for the Promotion Marketing Association's (PMA – now "Brand Activation Association") Annual Marketing Law Conference entitled "Converging Platforms and Diverging Laws." Attendees heard from a wide variety of speakers, including representatives of the world's largest brands, the Federal Trade Commission, technology pioneers and leading law firms. The agenda was chock-full of presentations designed to address the seemingly never-ending challenges that lawmakers and practitioners face while trying to keep pace with new technology and practices. Topics ranged from traditional advertising concerns, to challenges with ever-changing social media and digital platforms, to disclosure requirements in mobile app development.

Perhaps the most commonly discussed theme, however, was that of data privacy — particularly, concerns surrounding online/mobile tracking and targeting. It is clear that data privacy issues present unique challenges to an advertising industry that now relies heavily on highly targeted ads.

In the United States, it's been reported that almost 200 class action lawsuits have been filed against publishers, ad servers and advertisers. In addition, the Federal Trade Commission is pushing for the industry to adopt a 'Do Not Track' option for consumers. Meanwhile, the European Union has imposed strict consent rules for tracking and targeting. Here in Canada, the Office of the Privacy Commissioner has released a policy position on online behavioural advertising (OBA). Despite stating that all information collected for OBA will be considered as "personal information" for the purposes of Canada's privacy legislation (regardless of whether that information can be reasonably used to identify an individual), the guidelines do purport to allow for the collection of personal information for OBA so long as certain requirements are met (e.g., that users be given notice of the option to immediately and persistently opt-out of being tracked). Speaking on a behavioural advertising panel, Brenda Pritchard (head of the Firm's Manufacturing and Industry Group) advised that Canada will be following a self-regulatory model similar to the U.S. — so, expect to see an OBA icon on Canadian websites soon.

Overall, there are many legal challenges that face a global advertising industry as changes in the law and regulatory action intersect with changes in technology and media. In addition to educating each other through conferences like PMA's Annual Marketing Law Conference, it is imperative that the industry work together to educate consumers and provide them with sufficient notice and choice.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.