Many businesses are taking steps to comply with Canada's new anti-spam legislation ("CASL"), which is coming into force on July 1, 2014. However, CASL compliance should not be the end of the story for businesses or their lawyers. Once in force, CASL will introduce new issues to consider and address in commercial transactions – and it is prudent to start thinking about those issues now.
What's Up with CASL?
CASL deals largely, though not exclusively, with "commercial electronic messages" or "CEMs": electronic messages (including e-mail and text messages) that are sent for commercial reasons. Generally, CASL prohibits sending CEMs without express or implied consent and requires that all CEMs have certain content.
CASL also prohibits anyone from installing a computer program on any other person's computer system in the course of a commercial activity without express consent. There is no implied consent mechanism as there is for CEMs, although there are some limited exceptions where express consent is deemed to have occurred. The computer program provisions are meant to address malware and spyware, but are broadly worded and have much broader application.
Finally, CASL violations can trigger significant penalties. The maximum administrative penalty for a violation by a business is $10 million, and directors and officers may be personally liable for their company's violations. There is also a private right of action that allows individuals to sue for CASL breaches, though it does not come into force until 2017.
CASL and Commercial Transactions – What Do We Know?
CASL itself has little to say about commercial transactions. In fact, CASL only says that if a person has an "existing business relationship" with another person (this is one of CASL's key "implied consent" mechanisms), a buyer of the first person's business is considered to have the same "existing business relationship". That is, the buyer in an asset transaction essentially assumes the seller's "existing business relationships" under CASL (the provision appears to have no relevance to a share purchase, since the first "person" would not change). The buyer can therefore continue sending CEMs to those individuals while the "existing business relationship" continues (or until they opt out). There does not appear to be any need to document this "assumption" of existing business relationships in the purchase agreement.
A large part of CASL compliance involves obtaining and maintaining express consents for CEMs, but CASL does not address how those express consents are handled in commercial transactions. However, a non-binding Industry Canada guidance document states that express consents will transfer upon the sale of a business if the purchase contract includes a provision transferring these consents as a business asset. This provides some comfort that a buyer (again, in an asset transaction) can rely on the express consents that the seller obtained so long as the purchase agreement transfers those consents.
However, this raises further issues and questions around the transfer of express consents, including:
- It's not clear what wording is needed. It seems prudent to list express consents as a specific asset rather than relying on catch-all "all other assets relating to the business" wording. The agreement should also address exactly what is being delivered, and how, to implement the transfer of the consents. For example, CASL says that any person alleging that they have consent to send a CEM has the onus proving it – so it behooves the buyer to obtain usable copies of whatever documentation the seller has of the express consents.
- Requests for express consent must state the purpose or purposes for which the consent is sought. A buyer who acquires the seller's express consents must still only rely on those consents for those specific purposes, and must seek and obtain new consent for new purposes.
- Requests for express consent must clearly identify the person seeking consent. Clearly that person will have changed if express consents are transferred in an asset transaction – but does the buyer have any obligation to notify customers that it is now carrying out the consented-to activity in order to rely on the existing consents? Or will the fact that the buyer must identify itself and provide its contact information in its CEMs be sufficient notice?
- CEMs must set out an unsubscribe mechanism, and CASL specifies that (1) the opt-out contact information must be valid for at least 60 days after the CEM is sent, and (2) opt-out requests must be acted on "without delay", and in any event no later than 10 business days after the request is sent. Sellers and buyers should make sure there is a transition mechanism for handling opt-outs – for example, if the seller sends a CEM 30 days before closing, the seller's opt-out contact information will have to remain valid for at least 30 days post-closing, and the seller will have to be able to process opt-out requests (or relay them to the buyer for processing) within the specified timelines.
These points are only somewhat helpful with respect to computer programs. First, the "existing business relationship" situation specifically addressed by CASL does not apply to computer programs, because they require express consent. Second, while Industry Canada's guidance document addresses the transfer of express consents, the comments seem directed at CEMs and do not clearly apply to computer programs – though it seems reasonable to presume that express consents to the installation of computer programs can be transferred in the same way as express consents to CEMs. If so, the same issues described above will apply (and certain computer programs have a one-year opt-out period, which would have to be addressed in the transition provisions).
Finally, it is interesting to consider CASL's limited wording around commercial transactions in light of private-sector privacy legislation in BC and Alberta, which address in detail how personal information must be treated in business transactions. There are proposed amendments to add similar provisions to the federal legislation. Having more detailed "business transaction" wording in CASL would have created some initial certainty for practitioners and their clients.
CASL and Commercial Transactions – What Needs to Be Done?
So, what should lawyers and their clients do to make sure CASL issues are addressed in commercial transactions? Here's a preliminary list:
- Include CASL in due diligence. The scope of CASL due diligence will depend on the nature of the transaction and the seller's activities. If the seller has extensive e-mail marketing systems or if installing computer programs is an important part of its business, the buyer should consider both the seller's actual CASL compliance and its CASL compliance infrastructure (e.g., does it have a CEM inventory that tracks what consents apply and when they expire? Does it clearly document express consents? Does it have a working unsubscribe framework and mechanism? Are its staff properly trained in CASL compliance? Does it have CASL-related policies? Does it have third-party contracts that relate to CEMs, etc., and if so, do they contain appropriate CASL-compliance provisions?).
- Address CASL in reps and warranties. Again, the extent of these reps and warranties will depend on the transaction and the parties. A general statement that the seller has complied with applicable laws would clearly cover CASL, but buyers may desire a stand-alone, more detailed provision in some situations. Sellers, on the other hand, may be reluctant to give CASL-specific reps and warranties (and in fact may want to expressly carve out CASL compliance from any general "compliance with applicable laws" provision), at least in CASL's early days. CASL is novel and complex, creates uncertainty, and brings serious consequences for non-compliance. In these circumstances, sellers may prefer only to offer their business on an "as-is" basis with respect to CASL compliance – perhaps by giving the buyer sufficient time and access to the seller's records during due diligence to satisfy itself (or not) about the CASL compliance risks.
- Consider CASL-specific indemnities. CASL creates significant monetary penalties for non-compliance and potential personal liability for officers and directors. It also creates a private right of action. Both parties to a potential transaction should think carefully about these potential liabilities and how the CASL risks should be allocated.
- Consider a middle ground. Especially in CASL's early days, parties to a potential transaction will be uncertain about how CASL will be interpreted and enforced. This uncertainty may affect negotiations or perhaps the entire deal. If both parties are concerned about the seller's CASL compliance, consider what a reasonable middle ground might entail. Perhaps the seller might give only limited reps and warranties that it has made commercially reasonable efforts to comply with CASL, and the buyer might acknowledge that the seller cannot give "clean" reps and warranties about CASL given its novelty and complexity. Similarly, perhaps the purchase agreement could include carve-outs or caps on indemnities relating to CASL compliance.
- Identify CASL assets. In asset purchases, any express CASL consents should be specifically identified as purchased assets to reflect Industry Canada's guidance document, as discussed above. Also make sure that any relevant documentation and records are delivered to the buyer, including contact lists, consent records, etc. If the seller has automated its CEM management (e.g., by tracking when implied consents expire and automatically removing recipients from contact lists when those consents expire), consider whether, and how, the buyer is acquiring that system.
- Address any CASL-related transition issues. Make sure there is a clear mechanism for handling any opt-out requests directed to the seller immediately before or after closing.
- Don't forget privacy laws. CASL runs in parallel with Canada's private-sector privacy laws. It is important to make sure that both legislative regimes are considered and addressed. You are by no means guaranteed of being privacy-compliant if you are CASL-compliant, and vice versa.
Start a CASL Plan Now for Smoother Business Transactions in Future
CASL has broad implications for any business that advertises or promotes its products or services through e-mail or other electronic communications, or that installs computer programs on other people's computer systems. Many businesses are (or should be) figuring out how to comply with CASL, including by determining what CEMs they send, what CASL-compliant express consents they already have (or, if they don't have any, how to get them), what implied consents they can rely on, what other CASL exceptions might apply, etc.
However, commercial lawyers and their clients should not just be thinking about CASL in terms of compliance. They should also be thinking about how CASL will affect commercial transactions and how CASL issues should be addressed in those transactions. This is not unfamiliar territory – Canada's private-sector privacy laws came into force about a decade ago, and there was an adjustment period as everyone came to grips with how personal information should be handled in commercial transactions. Now privacy issues in commercial transactions are well understood, and lawyers and businesses are generally used to addressing them. The same process will have to happen with CASL, but it's better to start it sooner rather than later.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.