Preparing for Canada’s New Anti-Spam Legislation
Date: January 10, 2013
Canada’s new anti-spam legislation is coming soon. Commonly referred to as “CASL”, the new legislation will impose strict obligations that apply to a range of business emails and other electronic communications that you might not consider to be “spam”. All businesses, even those without formal email marketing programs, should assess their potential exposure to CASL and, if exposed, turn their minds to compliance now.
WHAT IS CASL?
CASL is a broad piece of legislation that is designed to promote economic activity and the use of electronic commerce by targeting “spam” – unwanted electronic messages and communications that far too regularly target consumers and businesses. CASL also targets other threats to the internet, including the installation of spyware and other malicious code and “pharming” (which involves directing individuals to fraudulent websites).
CASL TO APPLY BROADLY
The anti-spam regulation in CASL will apply broadly. All “persons” must comply, including for-profit and not-for-profit organizations and Crown agents.
CASL regulates the sending of “commercial electronic messages” (“CEMs”). A CEM is any message that is sent by any means of telecommunication that it “would be reasonable to conclude has as its purpose, or one or more of its purposes, to encourage participation in a commercial activity.” “Commercial activity” is defined broadly to mean any conduct that is of a commercial character whether or not carried out for profit.
Examples of CEMs that would be regulated by CASL include: offers to sell, purchase or barter goods, services or land; offers to provide business or investment opportunities; and advertisements or promotions of commercial activities.
HOW CASL OPERATES
CASL will impose three primary prohibitions:
- a prohibition on sending, or causing or permitting to be sent, CEMs without the express or implied consent of the recipient and in compliance with prescribed form and content;
- a prohibition on altering transmission data in an electronic message so that it is delivered to an alternate address without express consent, unless the alteration is in accordance with a court order; and
- a prohibition on installing a computer program on another’s computer, or causing an electronic message to be sent from such a computer, again without express consent, unless this is done in compliance with a court order.
These three broad prohibitions are subject to a number of exceptions and limitations, which are detailed in the statute and in proposed regulations (discussed further below).
The remaining discussion in this FTR Now will focus on the CEM prohibition, as that prohibition stands to have the greatest impact on widespread, quite ordinary electronic business and marketing communications.
REGULATION OF COMMERCIAL ELECTRONIC MESSAGES
As noted above, CASL will prohibit the sending of commercial electronic messages unless two requirements are satisfied:
- the message conforms to certain specified criteria related to content and form; and
- the organization sending the CEM first obtains the express or implied consent of the recipient.
EXEMPTIONS FROM CEM REGULATION
Before turning to a more detailed review of CASL’s regulation of CEMs, it is important to note that CASL completely exempts certain types of messages from any form of regulation: (1) messages sent to persons with whom the sender has a personal or family relationship; (2) messages sent in the actual conduct of commercial activities (recall that a CEM is sent to “encourage participation in commercial activity”); or (3) activities specified by regulation.
In early January 2013, the federal Department of Industry released draft Electronic Commerce Protection Regulations, its second attempt to put in place regulations under CASL. Among other things, the draft regulations would clarify the general exemptions to the prohibition on sending CEMs by:
- defining family relationships in terms of being connected by blood, marriage, common-law partnership or adoption;
- defining a personal relationship as based on direct, voluntary, two-way communications and other factors from which one could reasonably conclude that the relationship was personal; and
- creating a series of new exemptions to CASL regulation of CEMs, including:
  - CEMs sent by employees, representatives, contractors or franchisees of an organization to others within the organization, provided that the CEM concerns the affairs of the organization;
  - CEMs sent by employees, representatives, contractors or franchisees of an organization to another organization if there is a current business relationship between the organizations and the CEM relates to the business of the organization or the person’s role or functions within the organization;
  - CEMs sent in response to requests, inquiries or complaints; and
  - CEMs sent to satisfy legal obligations, to provide notice of existing rights and obligations, or to enforce rights and obligations.
PRESCRIBED INFORMATION TO BE INCLUDED IN CEMS
For CEMs that are not exempt from CASL-regulation, CASL imposes the two requirements noted above – prescribed content and form, and consent.
The required information prescribed by CASL can be found both within the text of CASL itself and in the Electronic Commerce Protection Regulations (CRTC), regulations issued by the Canadian Radio-Television and Telecommunications Commission (“CRTC”) under CASL and which will come into force at the same time that CASL takes effect (“CRTC Regulations”).
The required information includes the name and address of the company (or person) sending the message as well as information enabling the person to whom the message is sent to readily contact the sender. All CEMs must also clearly and prominently set out an unsubscribe mechanism that allows recipients to “readily perform” the unsubscribing function.
In addition to the CRTC Regulations, the CRTC has published detailed guidelines on a number of topics relating to CASL, including guidelines on what constitutes an appropriate unsubscribe mechanism. For example, the CRTC has approved the use of a link in an email that directs the recipient to a web page where he or she can easily unsubscribe. The CRTC has also approved the use of a mechanism by which individuals are able to unsubscribe by virtue of a reply message indicating an intention to do so. A message which allows a user to unsubscribe by replying “STOP” or “Unsubscribe” will also satisfy the requirement of CASL.
For CEMs that are subject to CASL-regulation, CASL will generally require either an express or implied consent to the sending of the CEM, unless one of several limited exceptions applies.
CASL establishes a default rule that senders of CEMs obtain express consent from the recipient of the CEMs. Where express consent is required, CASL also specifies certain information that must be clearly set out in the mechanism by which consent is sought. For instance, a company seeking consent must clearly set out the specific purposes for which the consent is sought as well as the name and address of the company (or person) seeking consent.
The CRTC Regulations contain further details on the information to be included in a request for consent. For example, the consent mechanism must clearly state that the person whose consent is sought can withdraw their consent at any time.
An express consent may be obtained either orally or in writing. Clearly, it will be easier to demonstrate express consent where the consent is in written form. With respect to oral consents, organizations will need to establish mechanisms to effectively record oral consents. The CRTC guidelines suggest that an oral consent could be demonstrated by verifying the consent through an independent third party or by producing a complete and unedited recording of the consent. However, the CRTC guidelines do not preclude other means of demonstrating valid oral consents.
Of particular importance for organizations is the CRTC guideline on the use of “toggling” as a means of obtaining express consent. In this context, “toggling” is a form of an “opt-out” mechanism by which a recipient is treated as having consented to receiving the CEM unless he or she takes active steps to signal non-consent. Under the CRTC guidelines, consent must be actively given, which means that “opt-out” consent systems will not be valid under CASL. If this approach is ultimately upheld, it would be a marked departure from the Personal Information Protection and Electronic Documents Act, which allows for opt-out consents to be used in some circumstances.
CASL also permits consent to be implied in a number of limited circumstances. This would have the significant benefit of avoiding the need to fulfil the more onerous express consent rules outlined in the previous section. Those circumstances include:
- where the sender and the recipient are in an existing business or non-business relationship, but only where there is commercial activity within the previous two years;
- where a person has conspicuously published an electronic address, has not expressed a wish not to receive unsolicited CEMs, and the CEM is relevant to his or her business; or
- where a person has disclosed his or her electronic address to the sender of the CEM without expressing a wish not to receive unsolicited CEMs, and the CEM is relevant to his or her business.
The limitation for “business relationships” to those with commercial activity within the previous two years is likely to significantly impact the marketing activities of many organizations that may send CEMs to a wide range of existing clients, former clients, prospective clients and other persons. Unless the stringent restrictions in the implied consent rules can be met, express consent must be sought.
EXCEPTIONS TO THE CONSENT REQUIREMENT
In addition to those situations where consent can be implied, CASL provides a number of exceptions to the consent rule altogether. In these situations, organizations will not be required to obtain consent to send CEMs, although the requirements on form and content (including, for example, the need for an unsubscribe mechanism), as outlined above, will continue to apply. The CASL consent requirement for the sending of CEMs will not apply where the CEM is sent solely for one of the following purposes:
- to provide a quote or estimate where requested by the recipient;
- to facilitate or confirm a commercial transaction that has been completed;
- to provide warranty information, product recall information or safety or security information about a product that the recipient has used or purchased;
- to provide notification of factual information about the ongoing use, purchase or subscription of a product, subscription, membership or similar relationship;
- to provide information directly related to an employment relationship or related benefit plan; or
- to deliver a product, goods or service, including updates and upgrades, that the recipient is entitled to receive pursuant to a completed transaction.
In addition, the recently released draft Department of Industry regulations would establish another exception to the consent requirement for certain third party referral arrangements.
ENFORCEMENT AND PENALTIES
The anti-spam provisions of CASL will be enforced by the CRTC, which is given broad powers under the statute, including the ability to designate enforcement officers to ensure compliance and investigate allegations or suspicions of misconduct. CASL also provides for severe penalties for non-compliance. The maximum penalty per violation is $1 million for an individual and $10 million for a corporation.
A unique aspect of CASL is the creation of a private cause of action for individuals alleging a violation of the Act. This means that an individual can rely on an unsolicited CEM as the foundation for a civil action. Given the quantity of CEMs that may be sent by a single sender, there is a very real possibility of class actions being commenced under CASL.
PREPARING FOR CASL
Considering the broad application and strict penalties imposed by CASL, all organizations will need to assess the extent to which they engage in the sending of commercial electronic messages as part of their marketing and business strategies, and thus the extent to which they may be exposed to CASL regulation.
At this time, it appears that CASL will come into force at some point later in 2013. Importantly, CASL will provide for a three-year transitional period from the date CASL is proclaimed in force during which time organizations will have deemed implied consent to send CEMs to any persons with whom they have an existing business or non-business relationship that includes the communication of CEMs. This deemed implied consent will exist and can be relied upon unless it is withdrawn. It will be important for organizations to obtain any necessary express consents during this time period.
Even with this transition period, there is much work to do to ensure compliance with CASL, and organizations and businesses should be taking the following steps now:
- Review your organization’s marketing, advertising and external communication practices to determine to what extent you are sending CEMs that fall within CASL regulation.
- Consider whether consent can be implied based on an existing business or non-business relationship as defined in CASL.
- Develop a means for obtaining and appropriately recording express consents.
- Develop a system to reliably record express consents and to track any changes to consents that have been obtained.
- Similarly, develop a system to track the existence and continued validity of any implied consents being relied upon.
- Develop policy to ensure CEMs contain the prescribed information, including a valid unsubscribe mechanism.
- Ensure processes are in place to process requests made through the unsubscribe mechanism in a timely manner.
The articles in this Client Update provide general information and should not be relied on as legal advice or opinion. This publication is copyrighted by Hicks Morley Hamilton Stewart Storie LLP and may not be photocopied or reproduced in any form, in whole or in part, without the express permission of Hicks Morley Hamilton Stewart Storie LLP. ©