The lay person's definition of "spam" likely contemplates advertisements for questionable drug enhancement products and solicitation from individuals set to receive a substantial inheritance; however, Canada's anti-spam legislation tackles more than just these quintessential stereotypes. The law takes the approach of forbidding almost all commercial electronic messages ("CEM"s) and then setting out only selected exemptions. This article will survey the current state of the various prohibitions and exemptions, and potential effects on organizations which use CEMs.
What is commonly referred to as Canada's Anti-Spam Law (the "CASL") was passed in 2010, but it is not expected to come into force until sometime in 2013. The new legislation, fully entitled "An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act", is designed to deter the most dangerous forms of spam in Canada, such as identity theft, phishing, and spyware. The full text of the CASL can be found here.
The CASL adopts recommendations from the government-initiated Task Force on Spam, which combined consumer commentary with academic and industry analysis on how to prevent and fight threats to the digital economy. At the same time, the CASL by its own terms is not intended to negatively impact legitimate business practices. To achieve this balance, numerous stakeholders commented on the 2011 first draft of the proposed CASL regulations. The draft regulations are now being revised in light of those comments, which has delayed the in-force date of the CASL.
The scope of the CASL is far-reaching with significant implications for entities carrying on business in Canada and foreign entities that send CEMs into Canada. Spam, malware, spyware, false and misleading representations associated with electronic messages, and the harvesting of electronic addresses and personal information will all be regulated under the CASL. The Government of Canada has indicated that it drafted the CASL to be technology neutral. However, commentators have expressed concerns that despite the "technology neutral" intent of the drafters, the CASL framework is modelled on regulating electronic messages that are sent via email and that this may create uncertainty about other forms of electronic communication, such as social media networks like Twitter or Facebook. For instance, the "unsubscribe" mechanisms required by the CASL may not translate easily to electronic formats other than email.
GENERAL PROHIBITION – DON'T SEND UNSOLICITED CEMS
Unauthorized "spam" is effectively defined in section 6(1) of the CASL as any unsolicited CEM, subject to certain enumerated exceptions.
6. (1) It is prohibited to send or cause or permit to be sent to an electronic address a commercial electronic message unless (a) the person to whom the message is sent has consented to receiving it, whether the consent is express or implied; and (b) the message complies with subsection (2) [form and content requirements].
GENERAL REQUIREMENT – CONTENT OF MESSAGES
Section 6(2) of the CASL requires a CEM to be in a form that must:
(a) set out prescribed information that identifies the person who sent the message and the person — if different — on whose behalf it is sent;
(b) set out information enabling the recipient to readily contact one of the persons referred to in paragraph (a); and
(c) set out an unsubscribe mechanism complying with subsection 11(1) of the CASL.
Organizations will want to undertake a review of the content of their CEMs to ensure they comply with these provisions. Existing unsubscribe mechanisms may not meet the new standards set out in the CASL. In addition, there is a duty to ensure that the contact information about the sender remains valid for at least 60 days.
Having cast a broad net of prohibition, the CASL provides some relief by designating certain exceptions. Firstly, the general prohibition on sending CEMs does not apply to a CEM sent in a personal or family relationship or sent as an inquiry relating to the recipient's commercial activity. In addition, the general prohibition does not apply to CEMs that solely:
a) provide requested product/service quotes;
b) further or complete an ongoing commercial transaction previously agreed to;
c) provide product warranty, recall, upgrade or similar information;
d) deal with ongoing subscriptions, memberships or similar relationships; or
e) concern an employment relationship.
Certain interactive voice communications are also exempted, and there is scope for further exemptions to be prescribed by regulation. Also, a telecommunications service provider is not caught merely because it enables CEM transmissions.
The CASL also prohibits the alteration of certain transmission data relating to a CEM, and prohibits the installation of computer programs on recipient computers. Again, certain exceptions are prescribed.
As noted above, with consent, CEMs can be sent. The CASL sets out guidelines for obtaining consent, either express or implied. A person seeking consent must provide to the recipient certain information regarding the purpose for which consent is sought. Further, prescribed information identifying the person seeking consent must be disseminated to recipients. Therefore, consents previously obtained and relied on to populate existing email databases might not continue to be valid.
Organizations will have to ensure on an ongoing basis that the purposes for which consent was originally obtained continue to apply to the substance of all the CEMs subsequently sent. This may limit the ability to use database lists in the future for a secondary use, and when CEMs are subsequently modified, a check-back against the scope of the initial consent obtained may be required.
Consent will be implied in certain circumstances (s. 10(9)), creating further de facto exemptions for:
a) "existing business relationships", as defined;
b) "existing non-business relationships", as defined;
c) circumstances where the email address of the recipient was made publicly available or voluntarily provided; and
d) as may be prescribed by regulation.
Commercial organizations will need to focus on the definition of "existing business relationship" set out in section 10(10) of the CASL. That definition relies on relationships which are "current", defined as being within the past two years (or an inquiry or application made in the last six months). As a result, "stale" entries on customer mailing lists (i.e. inactive for over two years) may need to be purged unless another exemption or consent provision can be relied on.
The definition of "existing non-business relationship" is found in section 10(13) of the CASL and deals with memberships, volunteers, and donations. It establishes a similar two-year purge rule.
PHASING IN THE CASL
For existing relationships involving CEMs, the CASL will provide for a three-year transition period under which consent can continue to be implied (unless expressly revoked).
WHY SHOULD I CARE? – PENALTIES
Violators of the CASL can be liable to onerous administrative monetary penalties of up to $10 million per organization and up to $1 million per individual. Directors and officers of organizations will want to inform themselves of the potential risks for vicarious liability (section 45). Certain conduct also constitutes a statutory offence (section 46) and section 47 authorizes private rights of action.
Enforcement of the CASL and its administrative monetary penalties has been delegated to the Canadian Radio-Telecommunication Commission ("CRTC"), the Competition Bureau, and the federal Privacy Commissioner.
The CRTC is generally responsible for regulating the operation of telecommunication networks in Canada. The CASL amends the Telecommunications Act (Canada) giving the CRTC responsibility to administer, among other things, sending of unsolicited commercial text messages. This includes not only nuisance spam but also spam containing malware and viruses. In light of its expanded authority and mandate, the CRTC has published its policy and requirements relating to the CASL here, outlining the form and content to be included in messages and setting out other requirements on the alteration of transmission data in electronic messages, and the installation of computer programs on recipient computers. These regulations will come into force together with the CASL.
WHAT'S NEXT – REDRAFTED REGULATIONS
In 2011 the government issued draft regulations for the CASL proposing detailed definitions of various terms such as "family relationship", "personal relationship" and "membership". That draft was the subject of considerable commentary and has been retracted. The government is working on new regulations. It is not known at this time how different the final form of regulations (expected later in 2012, or perhaps in early 2013) will be, or what additional exemptions might be prescribed in them. However, there is an expectation that effort will be made to reduce unintended or unduly onerous consequences of the CASL provisions, and to respond to the significant feedback generated by the 2011 draft regulations.
START PLANNING NOW
The CASL allows for a transition period to give organizations time to adapt. However, best practices dictate that all existing mass electronic mailing lists will need to be updated sooner rather than later and purged of all contacts for which consent cannot be implied or proved, or for which no legislative exception exists. Organizations should not wait for the CASL to come into force before beginning to consider such compliance procedures.
Organizations that purchase email lists may not be able to ensure that the vendor has been in compliance. This will be a new area of risk analysis to be considered on a case-by-case basis. It may be necessary to start including CASL compliance as a representation and warranty of the vendor in such transactions.
FOREIGN ORGANIZATIONS – YOU TOO...
Once in force, the CASL will regulate anyone sending CEMs to Canadian recipients. Entities outside of Canada, such as U.S. businesses, could be susceptible to penalties under this legislation. There is nothing in the CASL which limits its effect to domestic senders of CEMs. Many American companies may be unaware that compliance with "Do Not Call" legislation does not necessarily make them automatically compliant with the new CASL rules.
The author would like to acknowledge the assistance of articled student Natalie Climenhaga in the preparation of this article.