Canada: Be Prepared: You Are Not Immune! How Canada's Anti-Spam Legislation Impacts The Health Industry

Canada's Anti-Spam Legislation or "CASL" is one of the toughest laws of its kind and will be in force July 1, 2014.  Health industry clients have a short period of time in which to prepare.     

Many health industry clients do not realize the broad reach of this legislation.  Despite what its unofficial name may suggest, CASL is not restricted to unsolicited mass emails or "spam". 

CASL has the potential to impact any organization that sends commercial electronic messages (or "CEMs") to an electronic address.  This includes, for example, email, text, messaging and social media messages.  CASL applies to CEMs sent between organizations, within the organization, from an organization to its clients or consumers or between individuals.

In terms of application, a threshold issue is whether the electronic message is "commercial" in nature.  CASL clearly applies to businesses that provide goods and services within the health industry, or that promote or advertise such goods and services.  It also captures CEMs sent by both for profit or not-for-profit health service providers, charities and foundations, professional and industry associations and broader public sector organizations, including hospitals.      

The penalties for non-compliance with CASL are high.  They include monetary penalties of up to $10 million per violation for corporations or $1 million per violation for individuals.  There is extended liability for corporate officers and directors, who may be held personally liable for corporate violations.  Corporations are vicariously liable for any violations committed by their employees or agents.  As of July 1, 2017, there will be a right of private action, which will include class action lawsuits.  This is in addition to the reputational risk to an organization that these high profile cases are bound to attract.

Time is short to get ready for CASL.  If you have not done so already, as a first step, you will need to:

• conduct an electronic message audit to determine what electronic messages are sent by the organization and whether they are "commercial" in nature
• determine whether you install, either directly or indirectly, any computer programs (i.e. software or apps) for a commercial purpose
• where the activities are commercial in nature, determine what types of CEMs are sent, to whom and why.  This will help you determine what forms of consent are necessary, and determine whether any exemptions under CASL are available 

What are the requirements of CASL?

CASL prohibits a number of fraudulent or malicious activities that discourage electronic commerce, such as malware, spyware, phishing and email harvesting.  It also regulates several activities such as the sending of commercial electronic messages (or "CEMs") or the installation of computer programs on someone else's computer system.  Most of the provisions come into force on July 1, 2014; with the provisions relating to computer programs taking effect on January 15, 2015.  

The anti-spam provisions of CASL affect a wide variety of "electronic messages" including text, sound, voice or image messages.  CASL prohibits the sending of a CEM to an electronic address without the recipient's consent, unless an exemption applies.  In addition, every CEM must include certain information requirements as well as a mechanism to to opt out or unsubscribe from further messages.  After July 1^st, 2014, it will be an offence to seek consent by electronic means, as that electronic message would be considered a CEM. 

Consent is also required for the installation of a computer program on someone else's computer system for commercial purposes.  This may be as simple as the installation of an app on a personal device or downloading a program to enable others to join an online webinar.  When you consider the widespread use of technology in the health industry, however, the broader implications are enormous.  Monitoring and diagnostic equipment and other medical devices are replete with software, as are information communication and security systems.

Consent under CASL may be express or implied.  For express consent, CASL requires specific "opt in" or "positive" consent.  CASL includes provisions for implied consent between parties that have an "existing business relationship" or "existing non-business relationship".  That said, the implied consent provisions are quite specific and have time frames associated with them that must be tracked.  As a result, health industry clients will need to carefully examine the types of consent they use. 

Are your electronic messages "commercial" in nature?  

In determining whether CASL will apply to an organization, a threshold issue is whether the electronic message or installation is "commercial" in nature.  In some cases, this will be relatively straight forward.  For not-for-profit health organizations, charities, volunteer organizations and broader public sector health organizations, the answer is not so simple. 

A key challenge for many health industry clients will be to determine which of their activities and associated electronic messages concern commercial activity.  The nature of the entity is not determinative of whether or not it is a CEM.  Rather, it is necessary to look at the nature of the message and the activity. 

Under CASL, a message is commercial if it encourages "participation in a commercial activity", such as the selling or purchase of goods or services or advertising or promoting such activities.  "Commercial activity" is further defined as any "transaction, act or conduct or regular course of conduct that is of a commercial character, whether or not done in expectation of profit. 

CASL is purposively broad.  There is no general "carve out" for not-for-profit organizations, charities, associations or broader public sector organizations.  There is a limited exemption for Canadian registered charities in relation to fundraising activities.   

Currently, there is no guidance from the regulators on the application of CASL to different types of entities.  It may well be that a similar approach is taken in considering "commercial activity" under CASL as that taken under the federal privacy legislation, the Personal Information Protection and Electronic Documents Act ("PIPEDA"), which has a similar definition of "commercial activity". 

With respect to PIPEDA, for example, different rules apply to the activities of health industry clients in different settings.  Both Industry Canada and the Privacy Commissioner of Canada have recognized that the "core" activities of publicly funded entities such as hospitals and non-profit long-term care homes are not commercial in nature.  In contrast, health care professionals who operate private practices or clinics, retail pharmacies and private laboratories are engaged in commercial activity.  A physician working in a hospital setting and a physician working in private practice may have different obligations under PIPEDA, even though their ultimate funding source may be the same.

Even where an organization's "core" activities are not commercial, they may be involved in activities that are commercial in nature, particularly as the health industry looks at opportunities to develop alternate sources of revenue.  For example, the operation of a parking garage, gift shop or rental service would be a commercial activity.  Health industry clients may be involved in joint venture relationships, public/private partnerships, shared service organizations or research activities that are commercial in nature.  These activities would be subject to CASL. 

Even if a health industry client does not send CEMs directly, CASL may still apply to them in unexpected ways.  Since an organization is responsible for the actions of its employees, it may be exposed to potential liability where its employees send CEMs through the employer's electronic systems.  For example, if an employee is involved in a volunteer organization and uses their work email to solicit memberships, any non-compliance with CASL could come back to the employer. 

It is important for organizations to analyze the potential risks of this legislation prior to July 1^st, 2014.  For more information on CASL and how organizations can comply, please visit Miller Thomson's CASL page with links to resources, articles, and presentations or contact a member of our CASL team.  You may also access our Coffee Talk Seminar audio podcast entitled " Canada's Anti-Spam Laws and Implications for the Health Industry." 

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.