Counting Down to Canada’s Anti-Spam Legislation (CASL) – What You Need to Know Now
February 28, 2014
By David Fraser, at McInnes Cooper
On July 1, 2014, the anti-spam sections of Canada’s Anti-Spam Legislation (aka “CASL”) take effect. CASL will apply to just about every business – from sole proprietors and independent contractors, to multinational corporations – and every person sending just about every form of commercial electronic message to, from or within Canada:
- CASL Primer. CASL and its Regulations will be phased into effect from July 2014 to January 2017 – ultimately moving Canada from an “opt-out” to an “opt-in” regime for all electronic-based commercial communications.
- “Commercial Electronic Message”. CASL only covers “commercial electronic messages” (called “CEMs”), so understanding what is and what is not a CEM is crucial to CASL compliance – and it’s not as clear as you might hope.
- Consent. The regime imposes a tricky consent management process on organizations, requiring complex coordination for all the users of any one e-mail list – and “pre-CASL” consent will need to be up to the new CASL standards.
- Content. Even if you have “consent”, every CEM must still contain both specific information about the sender and specific unsubscribe functions.
- Penalties. Those who don’t comply with CASL risk significant penalties.
If you’re not ready for CASL, the countdown is on. It’s time to act now.
Key Dates. CASL (and its Regulations) will be phased into effect on these dates:
- July 1, 2014. Most of CASL – including the “anti-spam” sections and the Regulations.
- January 15, 2015. The CASL sections dealing with the unsolicited installation of computer programs or software.
- July 1, 2017. The “private right of action” – the ability to sue – for people or corporations affected by a CASL contravention.
Opt-In Regime. CASL moves Canada from an “opt-out” to an “opt-in” regime for all electronic-based marketing: with few exceptions, if a person or business wants to send a CEM within or into Canada, it needs the recipient’s prior consent.
The Law. In 2010, the Federal Government proclaimed CASL but it didn’t take effect until the Government finalized the related Regulations – which only happened on December 4, 2013. Generally, CASL sets out the broad strokes of the new “anti-spam” and unsolicited software regime; the Regulations set out the detailed rules for CEM’s. The Canadian Radio-telecommunications Commission (CRTC) will administer most of CASL and its Regulations.
Guidance. The Federal Government published a “Regulatory Impact Analysis Statement” (RIAS) with the Regulations. It provides some explanatory notes, but it’s not law – making its value limited.
COMMERCIAL ELECTRONIC MESSAGES (“CEMs”)
CASL and its Regulations only apply to “CEMs”, so what is – and isn’t – a “CEM” is crucial to CASL compliance.
Definition. There are some inclusions and exclusions, but essentially a CEM is any electronic message that it’s reasonable to conclude has encouragement of participation in a “commercial activity” as one of its purposes, considering the:
- message content;
- hyperlinks in the message to content on a website or other database; or
- contact information in the message.
“Commercial activity”. Broadly, “commercial activity” is any transaction, act or conduct (or regular course of conduct) of a commercial character – whether or not carried out for profit.
Inclusions and Exclusions. A CEM explicitly includes an electronic message that:
- offers to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land;
- offers to provide a business, investment or gaming opportunity; or
- advertises or promotes any of the first two, or promotes a person (including the public image).
A message involving a pre-existing commercial relationship or activity and providing additional information, clarification or completes the transaction involving a commercial activity already underway, is not a CEM because it carries out – rather than promotes – commercial activity.
The Grey Area. However, the final Regulations add that certain categories of messages could imply that a solely transactional message may be a CEM. The RIAS doesn’t help: it says a message is not a CEM merely because it involves commercial activity, hyperlinks to a person’s website, or contains business-related electronic addressing information, if none of its purposes is to encourage the recipient in additional commercial activity – but it may be if it would be reasonable to conclude one of the purposes is to encourage the recipient to engage in additional commercial activities based on, for example, the prevalence and amount of commercial content, hyperlinks or contact information.
Social Media. The Federal Government hasn’t yet clarified the impact of CASL on CEMs sent via social media sites (e.g. Facebook and LinkedIn) – but if it promotes a commercial activity assume it is a CEM that must comply with CASL.
CASL is a permission-based regime. The final Regulations provide extreme protection of consumers against organizations in the business of compiling and selling email lists to third parties – and catches all CEM senders in the process. With few exceptions (see “Exceptions” below), if an electronic message falls into the definition of a CEM, the sender must obtain the recipient’s consent – either express or implied – before she can deliver it.
Express Consent. Basically, a recipient gives express consent if she has actively agreed to receive CEMs from the sender orally or in writing:
- Oral Consent. A person can ask for and obtain oral consent:
- where information is collected over the phone (e.g. call centres); or
- when an individual uses a product or service (e.g. point of sale purchases).
- Written Consent. Written consent includes both paper and electronic forms of writing. Acceptable ways to obtain written consent include:
- checking a box on a web page to indicate consent where a record of the date, time, purpose, and manner of that consent is stored in a database; and
- filling out a consent form at a point of purchase.
Implied Consent. There are two broad relationships in which the recipient’s consent to receive a CEM from the sender is “implied” – meaning the sender doesn’t need the recipient’s express consent to send it:
- “Existing Business Relationships”. CASL is not intended to catch regular business communications in furtherance of an “existing business relationship” – relationships that involve or arose out of one of the following:
- the purchase, lease or bartering of product, goods, or services within the immediately preceding two (2) years;
- a written contract that is either in force, or that expired within the immediately preceding two (2) years; or
- a recipient’s inquiry within the immediately preceding six (6) months.
- “Existing Non-Business Relationships”. There is an “existing non-business relationship” between:
- Charities. Registered charities and people who have either donated and/or volunteered within the prior two (2) year period.
- Politics. Registered political parties and/or political candidates who have either donated and/or volunteered within the prior two (2) year period – but if the purpose of the CEM is primarily fundraising then the CEM falls within the “Exceptions” below.
- Clubs and Associations. A non-profit club, association or voluntary organization that has a purpose other than personal profit, and a person who is or was a member within the prior two (2) year period – but there are some finicky rules, and amateur athletic associations have special rules.
Fresh Consent. If a sender already obtained a recipient’s express consent under the Personal Information Protection and Electronic Documents Act (PIPEDA for short), that consent will satisfy CASL – but other forms of PIPEDA consent (such as implied consent) will not.
Again with a few exceptions (see “Exceptions” below”), all CEMs must also include certain content – even if the sender has the recipient’s consent to send it:
Disclosure. All CEMs must disclose the following information:
- the sender’s business name (if different from the sender’s name);
- if the sender sends the CEM on another person’s behalf, the name of the person on whose behalf the message is sent or by which that person carries on business (if different);
- if the CEM is sent on another person’s behalf, a statement indicating who is sending the CEM and the person on whose behalf the message is sent; a CEM sent on behalf of multiple people (i.e. affiliates), the CEM must identify all such people; and
- the sender’s mailing address and one of: the sender’s phone number (that provides access to an agent or voice messaging system), email address or web address – and the detailed contact information of the person on whose behalf the CEM was sent (if different).
Unsubscribe Mechanism. All CEMs must include a working “unsubscribe mechanism” allowing recipients to indicate they no longer want to receive CEMs from the sender. The CRTC says the unsubscribe mechanism must be consumer‐friendly, accessible without difficulty or delay, and quick and simple for consumers to use. The Regulations say it must:
- use the same electronic means by which the CEM was originally sent;
- be capable of being “readily performed”;
- function at no cost to the recipients;
- include an the electronic address or website that remains valid for at least 60 days after each CEM is sent;
- allow the recipient to unsubscribe from receiving messages from any person who has been provided with the recipient’s electronic address; and
- be implemented without delay – by 10 business days at most.
Now for the exceptions to the general rules. There are two main categories of “exemptions”:
- Consent and Content Exemptions. CASL expressly says it doesn’t apply to these CEMs , so they don’t have to comply with either the consent requirement or the content requirements:
- “Family” Relationships. CEMs sent to someone with whom the sender has a “family relationship” don’t require any kind of consent, and don’t have to comply with the content requirements – but the final Regulations have a narrow definition of a “family relationship”: it includes people connected by marriage, common-law partnership or any legal parent/child relationship, but not extended family members like siblings, aunts and uncles. Thus a person who sends her extended family a CEM must comply with both the consent and content requirements.
- “Personal” Relationships. CEMs sent to someone with whom the sender has a “personal relationship” also don’t need to comply with either of the consent or content requirements. These include relationships where the sender and the recipient have direct, voluntary, two-way communications, while taking into consideration factors such as the sharing of interests, experiences, opinions, the frequency of communication, the length of time since the parties communicated, and whether the parties have met in person.
- Response to Complaints and Inquiries. CEMs sent in response to a request, inquiry or complaint or are otherwise solicited by the person to whom the message is sent don’t need to comply with the consent or content requirements.
- Business-to-Business Messages. The “messages between organizations” exception includes CEMs between organizations that “have a relationship”, as long as the message concerns the recipient organization’s activities.
- Charitable Fundraising Purposes. CEMs that a registered charity sends (or that are sent on behalf of one) primarily for fundraising purposes.
- Closed Platform CEMs. CEMs sent on a closed platform – like instant messaging through an on-line customer service website – where the content requirements and unsubscribe mechanism are conspicuously published and readily available on the user interface through which the message is accessed, and the recipient either expressly or implicitly consents to receive the message.
- Limited Access Accounts. CEMs sent within an online portal and to a limited access account – like an online banking account – where messages can only be sent by the person who provides the account to the recipient.
- Some Foreign Bound CEMs. CEMs sent from Canada to a recipient who resides in a foreign state with its own anti-spam legislation and regulatory requirements that prohibit conduct substantially similar to the conduct that CASL prohibits, where the message conforms to the law of the foreign state.
- Consent Exemption. These CEMs are exempted from the consent requirements – but they must still comply with the content requirements:
- Business-to-Consumer Messages. CEMs sent from a business to a consumer for the purpose of:
- providing a requested quotation;
- facilitating, completing or confirming a commercial transaction that the recipient previously agreed to enter;
- providing warranty, recall or safety info about a purchase; or
- providing info about existing employment relationship or related benefits.
- Referrals. A single CEM sent to a referral by someone who has one of these relationships with both the sender and the recipient: an “Existing Business Relationship”, an “Existing Non-Business Relationship”, a “Family Relationship”, or a “Personal Relationship”. The CEM must also disclose the full name of the person who gave the sender the referral.
THE PRICE FOR NON-COMPLIANCE
Individuals and organizations that don’t comply with CASL risk significant penalties:
Monetary Penalties. The CRTC can impose penalties of up to $1M on individuals and $10M on other entities for a CASL contravention. The CRTC must take into account certain factors – including prior violations and financial benefit to the sender – when setting the amount.
Vicarious and Personal Liability. Employers could be liable for violations by employees acting in the scope of employment. Corporate directors and officers could be personally liable for a corporation’s violation if they directed or participated in the violation – though there is a due diligence defence available.
Obstruction of CASL Investigation. It is a criminal offence to fail to comply with a demand to preserve transmission data or produce documents when required.
Private Right of Action. Effective July1, 2017, a person or corporation affected by a CASL contravention can sue for it. Available remedies include monetary compensation and expenses, with maximum penalties of $200 for each CEM contravention (not to exceed $1M/day), and $1M for each day on which a software contravention occurs.
ACT NOW – OR PAY THE PRICE
The countdown to CASL is now on: individuals and organizations only have six months to create, implement or update their CASL compliance program. There is no grandfathering: every CEM sent after July 1, 2014 must comply. It’s time to act now:
- Determine whether CASL and its Regulations cover your electronic communications (and which ones).
- Determine whether your current processes comply.
- If they don’t, determine what changes you must make – and get them made.
- An electronic message asking for consent to a CEM is a CEM – so ask early.
Please contact your McInnes Cooper lawyer or any member of our McInnes Cooper CASL Team to discuss this topic or any other legal issue.
McInnes Cooper has prepared this document for information only; it is not intended to be legal advice. You should consult McInnes Cooper about your unique circumstances before acting on this information. McInnes Cooper excludes all liability for anything contained in this document and any use you make of it.
© McInnes Cooper, 2014. All rights reserved. McInnes Cooper owns the copyright in this document. You may reproduce and distribute this document in its entirety as long as you do not alter the form or the content and you give McInnes Cooper credit for it. You must obtain McInnes Cooper’s consent for any other form of reproduction or distribution. Email us at firstname.lastname@example.org to request our consent.
- Share with others
- Stay informed with our legal updates by subscribing.