Commencing July 1, 2014, Canada's anti-spam and online fraud act (commonly known as "CASL") will create a comprehensive regime of offences, enforcement mechanisms and potentially severe penalties, all designed to prohibit unsolicited or misleading commercial electronic messages and deter other forms of online fraud.
For most organizations, the key parts of CASL are the rules for commercial electronic messages (commonly known as "CEMs"). Subject to limited exceptions, CASL prohibits the sending of a CEM unless the recipient has consented to receive the CEM and the CEM complies with prescribed formalities (specified information disclosure and unsubscribe mechanisms) and is not misleading. Following are some frequently asked questions.
What is a CEM? Subject to important exceptions, a CEM is any kind of electronic message (e.g. text, sound or voice) sent to an electronic address (e.g. email address or texting address) if one of the message's purposes is to encourage participation in a commercial activity (e.g. a transaction, act or conduct of a commercial character), regardless of expectation of profit. Commencing July 1, 2014, a message requesting consent to receive CEMs is deemed a CEM.
Do the CEM rules apply to our CEMs? Subject to important exceptions, the CEM rules apply to a CEM if a computer system in Canada is used to send or access the CEM, regardless of the location of the sender or recipient. The CEM rules apply even if a CEM is sent to a single recipient.
Is this an issue for our marketing department? CASL compliance is an important issue for consideration by an organization's senior management and directors. The CEM rules apply to CEMs sent by any employee or representative of an organization, not just promotional messages sent by marketing departments.
Can we rely on existing mailing lists? Pre-CASL mailing lists likely do not establish express consent to receive CEMs, because CASL requires that express consent be opt-in consent based on a clear disclosure of prescribed information and a statement that the person can withdraw consent. Certain pre-CASL mailing lists (e.g. lists of current customers) might be used to establish implied consent to send CEMs.
Can we rely on implied consent? CASL recognizes implied consent to receive a CEM in limited circumstances (e.g. if the CEM sender and CEM recipient have an existing "business relationship" or "non-business relationship", each as defined in CASL) but only until the implied consent is revoked (using an unsubscribe mechanism or otherwise). Some kinds of implied consent expire after a specified period.
Is consent always required? Some kinds of CEMs can be sent without consent (e.g. a CEM that provides a requested quote or estimate), but those CEMs must still comply with prescribed formalities (e.g. specified information disclosure and unsubscribe mechanisms). Other kinds of CEMs (e.g. a CEM between individuals who have "family" or "personal" relationship, each as defined in CASL) can be sent without consent or formalities.
What kinds of unsubscribe mechanisms are required? CASL imposes detailed requirements for unsubscribe mechanisms that must be included or referenced in each CEM. The required unsubscribe mechanisms will depend on the electronic means used to send the CEM, but in all cases must be "able to be readily performed". An unsubscribe request must be implemented within 10 business days.
How does CASL affect truth in advertising laws? CASL imposes new standards for assessing whether a CEM complies with Canadian truth in advertising laws. Each element of a CEM (e.g. the subject matter information), independently assessed, must not be materially misleading.
Can we rely on our marketing agency? An organization is liable for a CEM sent by the organization's marketing agency. An organization should not assume that its marketing agency understands or will comply with CASL.
What happens if we don't comply? Contravention of the CEM rules can result in severe administrative penalties (up to $1 million per violation for individuals and up to $10 million per violation for organizations), civil liability through a private right of action (commencing July 1, 2017) and vicarious liability on employers, directors and officers.
How can employers, directors and officers avoid liability? Employers and corporate directors and officers can avoid vicarious liability for a CASL violation if they exercise due diligence to prevent the violation.
CASL has potentially serious implications for almost every Canadian organization that sends electronic messages to customers and potential customers, and every foreign organization that sends electronic messages to Canadian customers and potential customers. Organizations should establish and implement a reasonable CASL compliance plan (which may include converting existing mailing lists to lists of CASL-compliant express consent to receive CEMs) before CASL comes into force on July 1, 2014.
More information regarding CASL is available at blg.com/antispam.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.