First published: June 16, 2014, Canadian Lawyer Magazine, "The IT Girl" column (www.canadianlawyermag.com/author/Lisa-R.-Lifshitz.html)
On June 6, I received an e-mail from Industry Canada inviting me to become "better informed" about Canada's Anti-Spam Legislation through one of several information sessions hosted by the Canadian government "across the country" during the past six months. Having duly signed up to receive "Fighting Spam" updates, I was directed to watch a video, one month after it had been posted to YouTube, that promised to provided "detailed information on enforcement, regulations and guidance related to CASL."
Since I have a professional interest in this subject, I dutifully watched the 47-minute, 46-second video a few times and reviewed the 38-page accompanying PowerPoint presentation. So let me share with you what I have — and have not — learned.
Perhaps first and foremost, I learned I could not rely on anything I heard in the video. Within the first 20 seconds, the first speaker announced as this presentation was prepared by Canadian Radio-television and Telecommunications Commission staff, it provides "staff level guidance" only and does "not bind the commission in any way." Nor does it provide interpretational guidance on behalf of the Privacy Commissioner, the Competition Bureau, or Industry Canada. The PowerPoints made this even clearer, confirming the material "is not to be considered legal advice nor is it binding on the Commission itself."
This point was repeated several times during the video, reinforced again by the second speaker, Kelly-Anne Smith, the CRTC's lawyer who later spoke on the substantive parts of the act and frequently reiterated the "CRTC's staff's" positions on various regulations and "guidance." (She also confirmed the CRTC's previous information bulletins and the Regulatory Impact Assessment Statement first provided with the final Industry Canada Regulations last December are also not binding on the CRTC nor on the courts — but we knew that already).
Given the paucity of guidance Canadians have been receiving on this legislation, it was mildly interesting to hear the "staff views" articulated in this presentation but remain distinctly uneasy as to how I am now supposed to translate this information into meaningful advice for my clients whose livelihoods depend on clear guidance.
I also learned the CRTC is very proud of the enforcement and compliance aspects of this legislation, particularly the robust administrative monetary penalties and its ability to "follow the money," "pierce the corporate veil," and hold officers and directors accountable for their actions. About one-third of this video provided an overview of the history of the legislation, the (sometimes overlapping) roles of the three different organizations, and, in particular, the role of the CRTC in enforcing CASL.
There was even a detailed slide on the CRTC's enforcement procedure and the new "spam reporting centre," which will allow Canadians to file complaints and send in spam samples for enforcement activities. It will be "operationalized out of the CRTC."
Did you know, for example, that the CRTC plans to set up "honey pot" spam sting operations to reel in would-be spammers and substantiate spam complaints? Shades of James Bond! Ultimately, we were told the CRTC wants and needs maximum flexibility in how it actually deals with enforcement — so all decisions regarding enforcement will be made on a case-by-case scenario and may or may not involve those dreaded AMPs, depending on the seriousness of the violation. Interesting, but not particularly enlightening.
In the remaining 30 or so minutes, the CRTC's lawyer discussed CASL regulations, primarily the form requirements under the CRTC regulations, and more generally the governor in counsel/Industry Canada Regulations. Not much new under the CRTC regulations, other than to confirm a request for consent can be sent on behalf of several affiliates and these affiliates can be listed on a separate web site, not just in the message.
With regard to the Industry Canada regulations, the video offered the following "additional staff level guidance" (these are highlights only):
- As explained in the RIAS, the definition of "personal relationship" must remain limited to "close" relationships. The "personal relationship" exemption remains very narrow and has this relationship to exist between individuals. So the CRTC staff does not consider legal entities, such as a corporation, to be able to have a "personal relationship." Thus, someone who sends a commercial electronic message on behalf of a corporation may not claim to have a personal relationship with the recipient.
- Additionally, in order to use the "personal relationship" exemption, there can be no hiding under aliases — this exemption requires the real identity of the individual who alleges a personal relationship is known by the other individual involved in such a relationship (as opposed to instances where a virtual identity or an alias is used).
So according the CRTC staff, using social media or sharing a same network does not necessarily reveal a personal relationship between individuals. The "mere use of buttons available on social media — i.e. clicking 'like' on Facebook, voting for or against a link or post on Reddit, accepting someone as a friend on Facebook, or clicking to follow someone on Twitter — will generally be insufficient to constitute a personal relationship" (of course, this will be verified on a case-by-case basis).
- If you obtained valid express consent prior to CASL coming into force, ("valid under PIPEDA") you will be able to continue to rely on that express consent even if your request did not contain the requisite identification and contact information (finally, some good news!). However, all CEMs sent after CASL comes into force must contain the requisite information, meet all form requirements, and contain an unsubscribe mechanism. CASL requires the sender to prove having obtained valid express consent.
- Under the transition period of CASL, s. 66 deems implied consent for a period of 36 months and the definition of existing business relationship and non-business relationship is not subject to the limitation periods (six months and two years, respectively) that would otherwise be applicable under CASL during this period. This will definitely buy additional time for compliance purposes.
- The video also attempted to discuss the exemptions relating to quotes/estimates versus requests and confirmed if a company is sending a CEM in response to a request, inquiry, or complaint, requested by the person to whom the message is sent, it would not have to comply with s. 6 of CASL (i.e. it "does not require consent or need to meet the information requirements and add an unsubscribe mechanism to the CEM.")
However, per s. 6(6), if you are sending a CEM that provides a quote or estimate for the supply of a product, goods, a service, land or an interest or right in land, if the quote or estimate was requested by the person to whom the message is sent, you do not need consent (express or implied) but you still are required to meet information requirements and to add an unsubscribe mechanism to the CEM because, per the guidance of CRTC staff, there is a "financial requirement" to the quote or estimate. This explanation seems strained — there could presumably also be financial considerations to inquiries/complaints — and the issue is still not well explained and remains confusing.
- While CEMs sent by or on behalf of a registered charity, as defined in s. 248(1) of the Income Tax Act, are excluded from s. 6 of CASL, the main purpose of the CEM must be to raise funds for the charity to get the exclusion. But if the charity is sending CEMs for other purposes, CASL may apply for those messages. Not great guidance here.
- Curiously absent from the video was more guidance of what constitutes a CEM itself, the exact definition of which remains ambiguous (see my January column). Or whether the CRTC will attempt to expand its compliance reach extraterritorially, since CASL nominally applies to CEMs accessed from computer systems located in Canada, regardless of where they were sent from.
I invite you to all watch the video. However, don't try leaving any comments as this feature has been disabled. So much for transparency. What's the CRTC afraid of? Low viewing numbers? (Right now the video indicates that there have been 301+ viewers). Or is the fact Canadians might express their true feelings towards this absurd legislation and its cumbersome, time-consuming, and expensive compliance requirements?
My clients remain incredulous that after July 1, in the absence of other exemptions, the sending of a message asking for express consent itself will be considered spam.
In the meantime, I await further enlightenment, which the video has said will be forthcoming in the form of more "Future Informative Guidance Material" (i.e. cross-country information sessions, speaking engagements, webinars, information bulletins, staff guidance material, FAQs on the CRTC web site, infographics, and informative videos, etc.). With the enforcement of the first part of CASL less than one month away, I still think my clients, and the Canadian public at large, deserve much better — or at least more concrete guidance — than this.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.