New Canadian Anti-Spamming Legislation Affects How Canadians do Business
The new Canadian Anti-Spamming Legislation (CASL) expected to come into force in 2013 establishes a regulatory regime over commercial electronic conduct to protect the online environment from the installation of unwanted software programs and unsolicited commercial electronic messages. As a result, CASL creates new obligations for Canadian business organizations that make use of online marketing and business practices.
CASL prohibits the sending, causing or permitting to be sent of a commercial electronic message (CEM) to an electronic address unless the recipient has given consent to receive the CEM and the message complies with the prescribed requirements.
If the purpose, or one of the message’s purposes, is to encourage participation in a commercial activity, it will be considered a CEM. (e.g. offers or advertisements to purchase a product, offers to provide a business investment opportunity, promotion of a person as a buyer of goods, etc.)
An electronic address is any address used in connection with the transmission of an electronic message (e.g. email, instant messaging, or any similar service).
A message communicated by telecommunication, text, email, sound, voice or image is an electronic message. This includes Facebook, Twitter and the like.
CASL, however, only restricts electronic messages that are connected to commercial activities.
A commercial activity includes any transaction, act or conduct, or any regular course of conduct that is of a commercial character, whether or not the person who carries it out does so with the expectation of profit. Exceptions include any transaction, act or conduct that is carried out for the purposes of law enforcement, public safety, the protection of Canada, the conduct of international affairs or the defence of Canada.
Given commercial activity is defined broadly and not coupled with the unnecessary expectation of profit, CASL’s jurisdiction applies widely. Individuals, small to large businesses, charities and not for profit organizations are all captured.
Obtaining Consent from the Intended Recipient
Under CASL, consent can be express or implied. CASL dictates that the request for an express CEM consent must:
describe the purpose of the CEM;
identify the sender or the person on whose behalf the message is sent and an explanation of how they are related;
provide detailed contact information which may include, but is not limited to, a mailing address, telephone number, email and/or website and which the contact information provided must be valid for a minimum of 60 days after the message is sent; and
provide the recipient with a simple free electronic means to withdraw his or her consent to the CEM through either the contact information provided or another express unsubscribe mechanism.
This type of consent is known as “opt-in” because the recipient must consent before a CEM is sent. The onus is on the sender to demonstrate that the express opt-in consent was obtained and that the legislative requirements were met. Once CASL is in full force, it will be a violation to obtain consent by sending the request through an electronic message, as it will be considered a CEM.
Obtaining consent from every business relation can translate into a large undertaking, especially from the point of view of smaller businesses and not-for profit organizations. CASL, however, provides exclusions and exemptions to the prior express consent requirement that alleviate some of this burden.
Exclusions from Express Prior Consent
Consent is not required for CEMs that are solely for the purposes of:
providing a quote or estimate for the supply of a product, goods or a service, land or an interest or right in land, if the quote or estimate was requested by the recipient;
facilitating, completing or confirming an existing commercial transaction between the parties;
providing warranty, product recall or safety or security information about a product, good or a service that the recipient uses, has used or has purchased;
providing notification of factual information about the ongoing use or ongoing purchase of a product, good or a service offered under a subscription, membership, an account or a loan;
providing information directly related to an employment relationship or related benefit plan; or
delivering a product, good or a service, including updates or upgrades that the recipient was entitled to receive because of an existing business relationship with the sender.
Exemptions from Express Prior Consent
Consent is implied when:
a CEM is sent in the context of an existing business or non-business relationship between the sender and the recipient;
the recipient has either conspicuously published an electronic address to which a message is sent or disclosed an electronic address to which a message is sent, without a statement or indication that the recipient does not want to receive CEMs and the message is relevant to the person’s business, role, function or duties in a business or official capacity; or
the sender has a personal or a family relationship with the recipient.
Existing Business or Non-Business Relationship (EBR & ENBR)
In the context of implied consent, an EBR exemption will apply if the sender and recipient have engaged in any of the following business transactions in the two years preceding the date the message is sent:
purchased or leased a product, good, a service, land or an interest or right in land;
accepted a business, investment or gaming opportunity;
bartered for any matter mentioned above;
entered into a written contract for matters not mentioned above; or
where the recipient of the message has made an inquiry in the previous six months with respect to the above.
The ENBR exemption will apply if, in the two years preceding the date the message is sent, the recipient has:
made a donation or a gift, performed volunteer work for, or attended a meeting organized by the sender, who is a registered charity, a political party or an organization, or a candidate for a publicly elected office; or
a membership with the sender who is a club, an association or a voluntary organization.
Consent in these categories is implied until the recipient indicates he/she no longer want to receive CEMs or until three years after CASL comes into force, whichever is earlier. This transitional period affords the opportunity to contact individuals electronically and request consent to become compliant under CASL.
A CASL compliant CEM includes:
The Identity and Contact Information of the Sender and any person on whose behalf the message is sent
same as that provided when obtaining consent; and
must be valid for at least 60 days after the message has been sent.
An Unsubscribe Mechanism
must enable the recipients to indicate, at no cost, that they no longer wish to receive CEMs through either the same electronic means by which the CEM was sent, or any other electronic means that will enable the same objective;
specify an electronic address or link to a web page where the recipients can send their indication;
such indications should be effective no later than 10 business days from it being sent; and
the electronic address or web page for the unsubscribe mechanism must be valid for a minimum 60 days.
Enforcement & Penalties
While administrative penalties for individuals are up to $1 million and as much as $10 million for businesses, CASL’s approach to enforcement is based on a compliance continuum. Minor infractions will receive warnings and be subject to an undertaking or light penalties while the more flagrant infractions or repeated abuses will be handed high penalties to send a strong message.
How to Prepare for CASL
Determine how CASL applies to your operations and marketing activities by reviewing your electronic communications:
identify electronic messages that fall under the definition of “commercial”;
Vet for CEMs that can be excluded from the consent requirements;
Vet for CEMs that fall under an exemption category (implied consent);
Identify recipients of CEMs for which express opt-in consent might have already been obtained; and
Identify recipients of CEMs which express consent can be easily secured.
Educate personnel about CASL and implement policies and guidelines for compliance.
Develop procedures for obtaining and maintaining express consents
Keep accurate and up to date lists of consenting recipients for each kind of CEM.
Develop procedures for obtaining and maintaining implied consents
secure express permission from implied consent CEM recipients;
manage time limits for this category; and
edit recipient lists to remove customers who have not been active for two years.
Establish procedures to ensure CEMs comply with the proscribed formalities for:
sender and contact information;
unsubscribe mechanism; and
implementing unsubscribe requests
Establish procedures to ensure express consent proscribed formalities are satisfied.
Set up procedures to ensure CEMs are not misleading as CASL creates new offences under the Competition Act for false or misleading subject lines or sender particulars.
Revise contracts with third parties who may send a CEM on your behalf (agents, distributors and marketing agencies) to require compliance with CASL.
Establish due diligence procedures for the organization’s directors and officers to manage personal liability risk.
Acquire insurance for liability arising from violations of CASL may be called for as penalties are severe.
The foregoing commentary is of a general nature, and is not intended nor should it be used as a substitute for legal advice or legal opinions which can be rendered only when related to specific fact situations.
By Lucie Krumova
Lucie Krumova practices in the areas of corporate/commercial law, securities and mining law with McLean & Kerr LLP, Toronto.
Edited by Lucie Krumova with thanks to Teresa Mateus, former articling student, for her substantial contribution to drafting this article.