On October 10, 2012, the Canadian Radio-television and Telecommunications Commission (CRTC) published two Compliance and Enforcement Information Bulletins regarding Canada's Anti-Spam Legislation (CASL). The Guidelines on the interpretation of the Electronic Commerce Protection Regulations (CRTC)and the Guidelines on the use of toggling as a means of obtaining express consent under Canada's anti-spam legislation (collectively, the Guidelines) provide some much needed guidance on several issues that have been raised by industry and commentators with respect to CASL as well as the Electronic Commerce Protection Regulations (CRTC) that were finalized in March 2012 (the CRTC Regulations). In particular, the Guidelines provide significant further interpretation of the requirements regarding express consent.
The anti-spam provisions of CASL prohibit, subject to limited exceptions, the sending of a commercial electronic message (CEM) unless the recipient has consented to receiving the message and the message meets certain form and content requirements. Except where CASL explicitly allows consent to be implied, companies must obtain express consent in order to send CEMs. Please refer to our concurrently published Blakes Bulletin which sets out an overview of CASL and the CRTC Regulations. CASL is expected to come into force in 2013, possibly four to six months after Industry Canada regulations have been finalized.
REQUESTS FOR EXPRESS CONSENT
Separate Opt-In Consent Required
The CRTC has made clear in the Guidelines that "a positive or
explicit indication of consent is required" to comply with the
express consent requirements of CASL and therefore "express
consent cannot be obtained through opt-out consent
mechanisms". This impacts the common industry practice of
using a "pre-checked" box on a computer or device screen
that assumes the user's consent unless the user takes the
active step to "un-check" the box. The Guidelines state
that such practice is not an acceptable form of express consent
under CASL. Instead, if a check box is used, the user must actively
check it to indicate his or her consent. Another consent mechanism
deemed acceptable under the Guidelines would be where the
individual actively enters his or her email address into an
electronic field to indicate consent where it is explicit that the
individual is entering his or her address for this purpose.
While the Guidelines do not explicitly comment on this issue, in the illustrated figures that are provided as examples, the mandatory contact information of the person requesting consent appears to be included in a "Contact Us" link rather than on the same screen or page with the check box/address field and "Submit" button. This implicitly suggests that the requirements in the CRTC Regulations about providing the contact information of the person requesting consent can be satisfied by means of a link to that information.
The Guidelines also state that requests for consent may not be "subsumed in, or bundled with requests for consent to the general terms and conditions of use or sale". Rather, the request for consent to do one of the acts contemplated by sections 6 to 8 of CASL must be clearly and separately identified. The Guidelines provide that people must, for example, be able to grant consent to terms and conditions of use but may refuse to grant consent for receiving CEMs.
Clarification of "Sought
Separately"
The CRTC Regulations require that express consent must be sought
separately for each act described in sections 6 (sending CEMs), 7
(altering transmission data in electronic messages) and 8
(installing a computer program on another person's computer) of
CASL. The Guidelines clarify that this means consent must be sought
separately for each act in sections 6 to 8 and that a person must
be able, for example, to grant consent for the installation of a
computer program separately from consent to receive CEMs. However,
consent does not need to be sought separately for each
instance of an act.
Oral or Written Consent
The CRTC Regulations provide that a request for express consent
may be obtained orally or in writing. The Guidelines set out two
ways that oral consent can be established, namely where (1)
verification may be made by an independent third party or (2) a
complete and unedited audio recording of the consent is retained by
the person seeking consent. These are not necessarily the only ways
a sender of a CEM can establish that oral consent has been
provided, but these are the only methods set out in the Guidelines.
Given the difficulty in many situations of satisfying the
requirements in the Guidelines for establishing oral consent (for
example, at point of sale in a retail context), reliance on oral
consent may not be practical for many organizations.
The Guidelines state that written consent may be electronic, provided that the date, time, purpose and manner of the consent is stored in a database.
Following receipt of express consent, the Guidelines state that confirmation should be sent to the person whose consent was sought, although this requirement does not appear in either CASL or the CRTC Regulations.
FORM AND CONTENT REQUIREMENTS
Identifying Information
The CRTC Regulations provide that every CEM must set out
information that identifies the sender of the message and, if
applicable, the person on whose behalf the message is sent.
Prescribed contact information for such persons must be set out in
the CEM. The Guidelines state that this "does not require that
persons situated between the person sending the message and the
person on whose behalf the message is sent need necessarily be
identified. For example, persons so situated who may facilitate the
distribution of a CEM but have no role in its content or choice of
recipients." Accordingly, service providers such as those who
merely provide an email or other software platform but are not
ultimately in control of the sending do not generally need to be
identified.
The Guidelines are clear that when a CEM is sent on behalf of multiple persons, including on behalf of multiple affiliates, all such persons must be identified.
Unsubscribe Mechanism
The CRTC Regulations require that an unsubscribe mechanism must be
set out clearly and prominently in each CEM and must be able to be
"readily performed". The Guidelines state that an example
of an unsubscribe mechanism that can be readily performed is a link
in an email that takes the user to a web page where he or she can
unsubscribe from receiving all or some types of CEMs from the
sender. With SMS texts, the Guidelines state that the user should
have the choice between replying "Unsubscribe" or
"STOP" to the text message or clicking a link that will
take the user to a web page where he or she can unsubscribe from
receiving some or all types of CEMs.
This is the first set of bulletins issued by any of the regulators to provide guidance on CASL. We expect more guidance will be released by the regulators in the future to facilitate compliance with CASL.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.