Provisions related to sending commercial electronic messages under Canada's Anti-Spam Legislation (CASL) come into force on July 1, 2014. As we stand on the eve of this new regime, many Canadian companies are still scrambling to prepare and, outside of Canada, many companies are just starting to realize how the legislation may impact their communications with Canadians. If you send emails or text messages, use chat/messaging windows, or even interact on social media with consumers or businesses in Canada from abroad, here are five important facts to consider in deciding whether you need to worry about CASL:
1. Rethink "spam"
CASL applies to more messages than you might think. The legislation addresses the sending of "commercial electronic messages" (CEMs), whether sent to consumers or business-to-business, and whether sent through mass emails or one-to-one. Amendments to our Competition Act provide additional tools for our regulators in respect to false or misleading conduct, but even without misleading consumers – and even where you have consent under private sector privacy legislation – your CEM could run afoul of CASL.
Beginning July 1, 2014 it is offside CASL to send a CEM without express consent to do so, unless either an exception is available, or implied consent is permitted through specifically prescribed circumstances. Obtaining express consent also includes the obligation to disclosure certain contact information, and that the person can opt out at any time. Further, prescribed disclosures and an opt-out mechanism need to be included in the CEM. Otherwise, the message will not satisfy CASL requirements. (Try doing all that in a text message.)
And, there is no automatic grandfathering of existing email lists under the legislation, although administrative positions give some help to salvage prior contacts. Companies need to consider carefully the grounds under CASL that allow them to communicate electronically with their existing contacts.
2. CASL's extra-territorial reach
CASL applies to CEMs sent from, or accessed in, Canada. So, if you are sending CEMs to Canadians from another jurisdiction, CASL will apply. Notably, there is an exception where the person sending the message "reasonably believes" that the message will be accessed in one of a list of prescribed jurisdictions with anti-spam laws thought to be 'substantially similar' to CASL and the message complies with the laws of that jurisdiction. So, for example, if your database is built from those who have entered contests open only to residents of the United States, or through a website only advertised in the UK, it may be reasonable to believe that your CEMs will be opened in jurisdictions other than Canada. But, in many cases, it may be unclear whether to is reasonable to assume that Canadians are not on your lists.
The extraterritorial reach of enforcement has yet to be tested, of course, but if you have a physical presence in Canada, you should be prepared to comply with CASL even if the CEMs are originating from outside of the country. CASL also contemplates reciprocal enforcement agreements or arrangements with governments of other jurisdictions, but we are still too early in the game to know what these might capture and to what extent they will be taken up in cooperation with other regulators.
3. Social media can be murky
Don't forget that CASL reaches farther than just emails and, in the context of Facebook, Twitter or other social media platforms, it may not be "reasonable" to assume that the audience does not include Canadians. Given the broad scope of CASL, certain social medial activity is clearly captured, but in some circumstances it's not clear how or whether CASL will apply. We start with the good news – public posts, broadcast Tweets, and the like, would not be captured by CASL. Direct or private messages sent through social media platforms, however, would be captured and therefore need to meet the consent and disclosure requirements. Uncertainty lies in "hybrid" activity, including tagging an individual or calling out another user's handle in a Tweet. To the extent that these are messages sent to an individual user's social media address, in addition to being public posts, they could be captured by CASL requirements. The regulator has yet to comment on how it interprets these kinds of hybrid messages, and so some companies may choose to proceed cautiously for now.
4. Exceptions and Implied Consent
There are exceptions to the CASL requirements, in whole or in part, when sending CEMS to those with whom you have a "personal relationship" or "family relationship" (also defined), responding to a customer inquiry, or completing a transaction, as examples. Note, however that some exceptions only allow you to proceed without obtaining express consent; mandatory information disclosures and opt-out requirements for the message may still apply.
A lot of companies will see to rely on an "existing business relationship" (EBR) with a person or company to be able to imply consent to receive CEMs, instead of needing express consent. Note, however, that there is a very specific definition of an EBR that general requires a past purchase or related inquiry, or some other written contact. Note, however, that this implied consent expires after a prescribed period of time, and so you have to keep track of the dates of the activity unless or until you can convert the communications to be based on express, rather than implied consent.
Some more good news: if you can meet the definition of an "existing business relationship" with existing contacts (i.e. prior to July 1, 2014), and you have sent or exchanged more than one commercial electronic message with the contact as part of that relationship before that date, then you can rely upon implied consent for three years (i.e. until July 1, 2017) unless the contact unsubscribes first.
5. Significant penalties
Non-compliance with CASL is no laughing matter and could cost even well-meaning businesses dearly. Contraventions of CASL carry an administrative monetary penalty of up to $10 million per violation for corporations. CASL also provides for injunctive relief, vicarious liability, and authorizes the enforcing regulators to share information with the government of a foreign state if the information is relevant to an investigation or proceeding in respect of a contravention of the laws of a foreign state (and where the laws of that foreign state are substantially similar to the conduct prohibited by CASL).
And, as if this wasn't bad enough, beginning in July 2017 provisions will come into force extending a private right of action, which would include class proceedings. Hold on to your hats! We can see the potential for some significant challenges ahead on this basis alone.
The above discussion only scratches the surfaces of what is a rather complicated and nuanced new legislation, with further administrative guidance still to come from the regulator. Given its broad reach and strict penalties, it is important for businesses reaching into Canada to evaluate their compliance efforts. In some cases, this may require re-evaluating existing business and consumer marketing models, since CASL is now largely thought to be the most onerous anti-spam regime worldwide. Who would have thought that of Canada, eh?
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.