At the end of June, Industry Canada and the CRTC released their proposed regulations for Canada's Anti-Spam Law (CASL), with a 60-day period for comments. While the final regulations have not yet been published, the draft regulations provide useful guidance for organizations preparing for the law, which is expected to come into force in early 2012. Some changes in the proposed regulations may be made; however it is unlikely that any changes will make the compliance requirements more onerous. Therefore, there are strong reasons for businesses to be adjusting their procedures and email formats now in anticipation of the new law, with the draft regulations serving as guidance.
CASL regulates "commercial electronic messages" (CEMs), a term that is broadly defined to include all forms of electronic communication if used for commercial purposes (including email, text and twitter).1 It also regulates downloading of software and interception or alteration of electronic messages. In the immediate time-frame however, the law's main impact will be on CEMs used by businesses to communicate with their customers and others.
Key compliance rules
Subject to limited exceptions,2 the law imposes the following key requirements for all CEMs:
- disclosure of the identity and readily-accessible contact information of the sender;
- a readily-accessible unsubscribe mechanism; and
- the recipient's prior consent to receive the CEM.
The draft regulations provide useful guidance for organizations seeking to adopt CASL-compliant procedures that respond to these requirements.
Identity and contact information
All CEMs must include sender identity and contact information, as follows:
(i) the identity of the sender and any person on whose behalf the message is sent;
(ii) a statement of the relationship between the sender and any person on whose behalf the message is sent;
(iii) disclosure of any other names by which such persons carry on business; and
(iv) contact address information for such persons, specifically:
- a physical and mailing address,
- a telephone number with access to a person or voicemail,
- an email address,
- a website address,
- any other electronic address used by them;3
all of which must be valid for at least 60 days following sending the CEM.
If it is not practicable to include the above information together with the unsubscribe mechanism (see below) within the CEM, the information may be provided via a prominently disclosed link to a web page, accessible by a "single click" or "another method of equivalent efficiency", at no cost.
Unsubscribe mechanism
All CEMs must include clearly and prominently a no-cost unsubscribe mechanism using the same media as the CEM or, if using that media is not practicable, any other electronic means enabling the unsubscribe request, and must specify an electronic address or link to a web page to which the request may be sent. Any unsubscribe request must be able to be performed in no more than two "clicks" or other method of equivalent efficiency.
Consent to receive CEMs
Subject to specified exceptions,4 sending of CEMs is prohibited unless the intended recipient has consented, in advance, to receiving them from the sender or a person on whose behalf they are sent. Consent must be express – i.e. "opt-in", unless implied consent has been given. CASL does not define express consent. However implied consent is defined.5
Requests for consent
If a sender does not have implied consent, it must obtain prior, opt-in, express consent from the intended recipient. CASL, in subs. 6(b), sets out certain requirements for information to be included in any request for consent.6 These requirements are supplemented by the draft regulations, which include certain form requirements.
All requests for consent must:
(i) be in writing (which would include electronic communications);
(ii) state the purposes for which consent is sought (i.e. what is or are the reason(s) for which CEMs are intended to be sent);
(iii) identify the requestor and any person on whose behalf the requestor is seeking consent and describe the nature of their relationship (e.g. requestor is an email marketing service provider);
(iv) identify any other names under which the requestor and its client (as applicable) carry on business;
(v) provide the following contact information for the requestor and its client (as applicable):
- physical and mailing addresses,
- a telephone number having either an active person response or voicemail capacity,
- an email address,
- a website address,
- any other electronic address used by them; and
(vi) state that the recipient may withdraw their consent by using any of the required contact information.
Action items for compliance
The government's release of the CASL draft regulations enables organizations to focus their compliance strategies. The following are key action items for organizations to consider.
1. Conduct a comprehensive inventory of email contact lists, categorizing each addressee by CASL exceptions and consent qualifications, such as:
(i) existing customer or donor relationship and timeline of most recent transaction;
(ii) inquiry or application and date made;
(iii) express consent obtained.
2. Email contact lists that include both Canadian and non-Canadian addressees may require scrubbing either to exclude Canadian addressees or to identify them for CASL compliance – may require due diligence to go behind the email address.
3. Databases that do not qualify according to CASL categories will require upgrading (technology, software) and protocols for evergreen scrubbing (i.e. deletions as qualifications expire).
4. Develop strategies for capturing express consents (e.g. email response, website sign up, application forms, agreements, email policies).
5. For email contacts within existing databases that cannot be CASL-qualified, initiate email opt-in consent programs immediately (i.e. prior to CASL in-force date).
6. Develop internal compliance procedures, forms, policies and controls.
As we have noted previously,7 CASL will require organizations to adjust substantially their email communications procedures and practices. While it is anticipated that a period of flexible compliance expectations may characterize the government's early enforcement approach, ultimately the potentially severe penalties for non-compliance will have an impact. As well, the law's private right of action poses the threat of substantial financial costs to non-compliers.
Footnotes
1 The term includes telephone communications but this application is excepted from the Act, currently.
2 The requirements do not apply to CEMs sent within personal or family relationships (defined terms), to inquiries or applications sent to a business, or to other categories of CEMs that may be prescribed by regulation (none to date). The definition of a "personal relationship" as set out in the draft regulations would require both an in-person meeting and, within the previous two years, a two-way communication. This potentially limiting definition has significance for "refer-a-friend" or viral marketing campaigns which might be able to rely on the exemption to avoid consent requirements. However, in this age of Skype and other electronic communications, it has been argued that requiring an in-person meeting to establish a personal relationship is out of step with current realities.
3 This requirement, set out in the draft regulations, to disclose all other electronic addresses used by the sender appears to be excessive and unnecessary. The CRTC has received comments on the draft regulations to this effect. Likewise, the requirement to provide a website address may create an onerous and unnecessary burden for many small businesses that currently do not maintain websites.
4 Consent is not required for CEMs that:
(i) solely respond to a request for a quote or estimate;
(ii) confirm a commercial transaction;
(iii) provide warranty, recall or safety information;
(iv) provide factual information relating to the ongoing use of a product or service;
(v) provide information relating to an employment relationship;
(vi) deliver a product, service or upgrades; or
(vii) are sent for purposes set out in the regulations (none, to date).
5 Consent is implied only in the following specific circumstances: (i) where there is an existing business or non-business relationship (also defined terms), (ii) where the recipient has conspicuously posted or sent a message disclosing an email address to which the CEM may be sent without indicating a desire not to receive unsolicited CEMs, or (iii) as set out in regulations (none, to date).
6 Several considerations should be noted respecting requests for consent. Most importantly, once CASL comes into force, requests for express consent cannot be made by email unless the sender already has another (e.g. implied) consent to send CEMs. This means that organizations having substantial portions of email contact lists that do not qualify for implied consent should consider email strategies to obtain consent in advance of the Act coming into force. Secondly, organizations should review any express consents that they have currently; CASL does not define what constitutes express consent and currently existing consents may qualify. Note that CASL, s. 14 imposes an onus on the person claiming to have consent to prove that they have it. While, therefore, consents obtained via requests made prior to CASL's in-force date likely do not need to comply with the CASL-specified requirements, it is recommended that procedures to obtain consent be followed, if possible.
7 "Canada's anti-spam legislation ("CASL") – advance preparation is needed now", McMillan Bulletin, May 2011.
The foregoing provides only an overview. Readers are cautioned against making any decisions based on this material alone. Rather, a qualified lawyer should be consulted.
© Copyright 2011 McMillan LLP