The proliferation of consumer data collected by businesses has led to significant concerns over personal privacy. Canadian legislation including the Personal Information Protection and Electronic Documents Act (PIPEDA) and Canada’s Anti-Spam Legislation (CASL), regulates how businesses collect, use and manage that information.
In November of 2020, the government of Canada tabled additional legislation, the Digital Charter Implementation Act (Bill C-11) to keep pace with the surge of digital data collection. The act, which will establish some of the toughest privacy legislation in the world, will establish new privacy laws for the private sector known as the Consumer Privacy Protection Act (CPPA). Once enacted, this new legislation will replace PIPEDA. This proposed legislation includes increasing control and transparency of personal information handled by companies and it provides the strongest fines among G7 nation privacy laws with fines up to 5% of an organization’s global revenue or $25 million, whichever is greater. This new legislation also gives the Office of the Privacy Commissioner (OPC) the right to audit any organization’s privacy practices and refer matters to a newly created Personal Information and Data Protection Tribunal, and the OPC will have the ability to impose administrative penalties up to 3% of global revenue with a maximum of $10 million, whichever is greater. Businesses will have to manage increased consumer rights and follow additional rules on how personal information is processed.
“With the plethora of consumer data available today, consumers are demanding personalized communication”, says John Leonard, V.P. Sales and Marketing, Cover-All Business Communication Management. They want offers that are unique to them, and they are willing to provide businesses with that information to receive these personalized offers. However, consumers are clear that they have an expectation that their information is used to their benefit and that their information is managed appropriately and protected.
Companies who disregard these laws are facing more severe penalties as the government sets out to make examples of them to ensure there are some teeth behind this legislation.
Personal Information Protection and Electronic Documents Act (PIPEDA) – Federal Law
The Personal Information Protection and Electronic Documents Act (PIPEDA) requires companies to obtain consumers’ expressed, or implied ‘meaningful’ consent for collecting, using, or disclosing their personal details. In order to make consent ‘meaningful’, consumers must understand what they are consenting to. In addition, the information collected can only be used for the purposes for which it was collected.
Businesses must follow the 10 fair information principles to protect personal information including:
- Accountability
- Identifying Purposes
- Consent
- Limiting Collection
- Limiting Use, Disclosure, and Retention
- Accuracy
- Safeguards
- Openness
- Individual Access
- Challenging Compliance
Of significant note to marketers who want to use direct mail channels is they need to ensure the protection of all personal information that is transferred to a third-party such as a direct mail fulfillment company. Consumers need to know what information they have, where it is, and what they are doing with it. You need to ensure that when transferring that information, it is protected against loss, theft, or any unauthorized access, disclosure, copying, use, or modification. Selecting a company whose information security management system is ISO 27001 certified will help to protect your data.
Canadian Anti-Spam Legislation – Federal Law
Canada’s Anti-Spam Legislation (CASL) was created in 1994 and is one of the most stringent anti-spam laws in the world. CASL was designed to regulate Consumer Electronic Messages (CEM’s) including emails, text messages, and instant messages. Over 144,560 complaints were made to the Spam Reporting Centre between October 1, 2020, and March 31, 2021. Email sent without consent was the top reason for these complaints, but spam in the form of text messages is also on the rise.
CASL doesn’t just regulate bulk, unsolicited spam emails, it also creates an obligation for consent that applies to almost all electronic communication sent for business purposes.
If you are sending a commercial electronic message, you need to comply with three main requirements:
(1) obtain consent,
(2) provide identification information, and
(3) provide an unsubscribe mechanism.
The fines under CASL can pose a serious threat to your bottom line. CASL Administrative Monetary Penalties (AMP) have a maximum amount of $1 million for individuals and $10 million for a business, per violation. The largest penalty imposed on an individual under the CASL was $75,000 to Scott William Brewer for sending commercial electronic messages without recipient consent. The largest penalty imposed on a business was $1,100,000 to Compu-Finder for sending out Commercial Electronic Messages (CEM’s) without the consent of the recipients and without a proper functioning unsubscribe mechanism.
Navigating digital communication has become a minefield for businesses. If you are going to collect consumer data and engage in online marketing, ensuring that your communications are in compliance with increasingly protective privacy laws is critical to your profitability. Marketers utilizing direct mail channels also need to be aware of CASL requirements when offline marketing links to online activities. Most direct mail drives consumers towards online websites to take advantage of offers. These businesses need to ensure they are following all privacy laws as it relates to digital marketing, including receiving consent before you begin communicating with consumers. Marketers also have an obligation to ensure their suppliers have an internal information security management system such as ISO 27001 Certification to protect their data. “As the digital marketing environment sees tighter and tighter regulations, everyone has a part to play in ensuring consumer data is managed in accordance with privacy laws”, says Leonard.
For more information on data privacy laws visit the following government websites: Personal Information Protection and Electronic, Documents Act, Canada’s Anti-Spam Legislation (CASL), and Digital Charter Implementation Act.
John Leonard is V.P., Sales & Marketing for Cover-All Business Communication Management. He works with his team and clients to develop relevant and effective communications by using data and technology. Contact Cover-All Business Communication Management to find out more at (416) 752-8100.