On Jan. 5, Industry Canada published the long-awaited revised version of its Electronic Commerce Protection Regulations. These Regulations, together with the final Regulations previously published by the Canadian Radio-television and Telecommunications Commission (CRTC), will provide the requirements for complying with Canada's Anti-Spam Legislation (CASL) when it comes into force.

The revised Regulations provide important new exceptions that will be essential for businesses in complying with CASL. Industry Canada notes that these have been introduced in areas where "broad application of the Act would otherwise impede business activities that are not within the intended scope of the legislation."

However, the regulatory impact analysis for the Regulations also directly states that some regulatory concerns raised by interested parties in the consultation process were considered but expressly rejected. In particular, Industry Canada has stated that the existing consent that is valid under the Personal Information Protection and Electronic Documents Act (PIPEDA) will not survive CASL in some cases.

Notable aspects of the new Regulations include:

  • New exceptions for the requirements for consent and prescribed disclosure in messages:
    • Sent between employees, representatives, contractors or franchisees of a business and in relation to its affairs;
    • Sent between employees, representatives, contractors or franchisees of separate businesses with an existing business relationship and in relation to their affairs; or
    • Sent in response to a request, inquiry, complaint or solicitation;
  • A new definition of "personal relationship" that removes the requirement to have met in person and to have had a two-way communication in the previous two years;
  • A new — and limited — exception for referral messages sent by an "individual" following a referral from a second individual who has an existing relationship with both the sender of the message and the individual referred.

PIPEDA consent

The regulatory impact statement for the new draft Regulations confirms that Industry Canada takes the position that organizations will not be able to rely on consent (which presumably includes express consent) that was valid under PIPEDA to continue to send messages under CASL when it comes into force.

CASL creates a higher threshold for consent to use information for the sending of commercial electronic messages by requiring specific disclosure set out in the Act itself and the CRTC regulations. Previously obtained consent that did not meet these requirements may not be valid when CASL comes into force and following the transition period.

Instead of relying on existing consent, organizations will have the option to seek additional consent that is valid under CASL or, in more narrow circumstances, to rely on one of the exceptions under the Act. CASL provides a three-year transition period in cases where an organization has an "existing business relationship" as defined in CASL (but without regard to the time limitations typically applicable to the definition) that includes the sending of commercial electronic messages when the Act comes into force.

Prior to CASL coming into force and during the three-year transition period in cases where there is an "existing business relationship," organizations will have an opportunity to confirm that their consent lists are in compliance with the CASL consent requirements. Unfortunately, non-responses to such attempts can be expected to lead to a loss of the ability to use a significant portion of existing consent lists obtained in compliance with the existing law following the transition period when CASL comes into force.

New exceptions

The new draft Regulations create a series of message categories that will be excluded from both the consent and disclosure requirements under CASL. In particular, internal business communications sent between employees, representatives, contractors or franchisees of an organization where the message relates to the affairs of the organization will not be caught. External communications between employees, representatives, contractors or franchisees of separate businesses that are already in a business relationship will also be excluded, provided the message relates to the affairs of the organization or the recipient's role or duties within it.

The draft Regulations also create a broad exception for messages that are sent in response to a "request, inquiry, complaint" or another "solicitation" from the recipient of the message. Previously, businesses would have had to rely on such inquires or solicitations creating an "existing business relationship" stemming from an "inquiry or application" from the message recipient in order to have "implied consent" to respond. However, that approach was problematic in a number of respects, particularly due to the narrow wording "inquiry or application," as well as the requirement that the inquiry or application be specifically related to the purchase, bartering, or lease of products, goods, services, or land, or the acceptance of a business investment or gaming opportunity.

Implied consent in cases of an "existing business relationship" remains in the legislation itself; however, the broader exception now provided for in the draft Regulations will be helpful for manufacturers and other organizations that would typically distribute their products through third parties such as retailers rather than directly to consumers.

For example, a food manufacturer would typically distribute its products through retail grocery stores, which would in turn sell them to consumers. This exception should ensure that responding to questions or comments on a brand's Facebook wall, for example, will not be caught by CASL. That said, it should be noted that Industry Canada expressly declined to create an exception that would bring manufacturers within CASL's definition of "implied consent" based on an "existing business relationship" more generally — unless the manufacturer is able to establish a direct relationship with the message recipient or an exception to the need for consent in the first place.

An organization outside of Canada that sends electronic messages relating to goods, services or organizations outside of Canada will be exempt from the consent and disclosure requirements if the organization "did not know and could not reasonably be expected to know" that the message would be accessed using a computer system in Canada. This provision will provide an exception to general, broad application of CASL, which captures commercial electronic messages that are sent or accessed using a computer system in Canada.

For example, organizations operating solely in the United States are now clearly excluded from the application of the Act in the case of an American customer who receives a commercial electronic message while travelling in Canada. However, if such an entity knew or could be reasonably expected to know that its messages would be received in Canada, the CASL requirements would apply regardless of the fact that the message is sent from a computer in the United States.

However, Canadian businesses sending commercial electronic messages to recipients known to be outside of Canada will still be required to comply with the CASL requirements, regardless of (or in addition to) any local requirements. While Industry Canada indicates that this is a deliberate choice in drafting the Regulations, it appears to impose a significant burden on legitimate businesses — which may now be required to comply with two or more differing standards when sending messages from Canada to other jurisdictions — while failing to deter illegal spammers who would be likely to ignore the law in any event.

Finally, more narrow exceptions to the consent and disclosure requirements will exist in cases where a commercial electronic message is sent to satisfy a legal obligation, or to enforce or provide notice of a legal right.

Family, friends and a very limited referral exception

The revised Regulations also include definitions for "family relationship" and "personal relationship." Commercial messages sent "by or on behalf of" a person with a family or personal relationship will be exempt from both the consent and disclosure requirements of CASL. The definition of "family" relationship tracks that of the 2011 draft of these Regulations, and will include people who have a "blood relationship" descending from a common grandparent, as well as family relationships arising though marriage, common-law partnership and adoption.

The definition of "personal relationship" has been significantly revised and no longer includes a strict requirement for a face-to-face meeting or a two-way communication within the previous two years. Instead, the new proposed definition will apply only to persons who have had "direct voluntary two-way communications," with the number of "communications" required not specified.

If that criterion is met, the individuals will have a "personal relationship" if it is reasonable to conclude their relationship is personal, considering all relevant factors such as shared interests, experiences, opinions, the frequency of their communications and the length of time since they have communicated.

Notably, this definition in now broad enough to capture people who are "friends" through social media, which was a frequent criticism of the previous proposal, which would have excluded pen pals, social media friends, or other friends who had not met in person. However, businesses should note that this definition also relies wholly on factors outside of their direct knowledge and that the Regulations expressly provide that a person may indicate they no longer wish to receive commercial messages from a person even if they remain "friends" through a personal relationship within the definition in the Regulations.

The draft Regulations rely on these definitions to create a new exception to the requirement for consent to send commercial electronic messages following a referral. However, this exception is worded in a narrow manner that would appear to seriously limit its applicability to many "refer a friend"-type promotions if retained in its current form.

As drafted, this exception would apply only to the first message sent by an "individual" to a recipient who was referred to the individual that sends the message by a referrer that has a relationship — either a business or non-business relationship as defined in CASL, or a personal or family relationship as defined in the Regulations — with both the recipient of the message and its sender. Messages sent under this exception would be required to disclose the full name of the person who made the referral.

This exception appears to be severely limited in its application due to the use of the word "individual," which may be read as referring only to natural persons rather than the broader "person," which is defined in CASL to include both "individuals" and legal persons such as corporations and other organizations.

The regulatory impact analysis does not discuss this limitation nor explain the policy basis for excluding corporate entities from an exception that applies only to the first message sent to a recipient following a referral from a person who has an existing relationship with both the sender of the message and its recipient. It is not clear why the Regulations would not recognize that a consumer could as easily and legitimately refer a friend or family member to a trusted corporation as to an individual business person.

Consent sought on behalf of unknown parties

The draft Regulations also detail the permissible uses of a consent obtained on behalf of unknown third parties, such as a commercial email-list broker. The person who obtains such a consent may authorize another to use it on the condition that any commercial electronic messages sent identify the person who obtained the consent and include an unsubscribe mechanism that allows the recipient to withdraw their consent from: a) the person who sent the message, b) the person who obtained the consent, or c) any other person who is authorized to use it.

This provision would place additional compliance requirements on purchasers of commercial email lists, as it would require them to create an unsubscribe mechanism that not only applies to the sender's messages, but also allows the recipient to inform the third-party list provider who initially obtained the consent that it has been withdrawn. Industry Canada states that it has considered this issue but has decided to favour clear disclosure of how consent obtained in this manner is used, as well as a clear consent-withdrawal mechanism.

Comment period

Industry Canada has provided that interested individuals have a 30-day window during which to comment on the draft Regulations, running from Jan. 5 to Feb. 4, 2013.

Following this period of public consultation, final amendments may be made to the Regulations before they are finalized. No coming-into-force date has been published for CASL; however, it is expected to come into force sometime in 2013.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.