On July 1, 2014, Canada's Anti-Spam legislation, (CASL), comes into force. The intent of CASL is to deter the circulation of "spam" in Canada. Spam, in the context of the CASL, refers to any Commercial Electronic Message (CEM) sent without the express consent of the recipient. Spam is often the vehicle for the delivery of online threats such as spyware, phishing and malware. Unsolicited CEMs can also be annoying, unwelcome, and a venue for fraud.
CASL will likely affect you because you collect personal information from prospective and existing tenants and usually transfer that information to commercial third party suppliers of tenant services. CASL regulates the form and content of CEMs that you may send to tenants, prospective tenants, and potential clients. CASL also imposes new legal obligations between you and third parties you transfer personal information to, such as credit reporting companies, telecom and internet providers, utility companies, and even contractors who provide en-suite services to tenants. CASL regulates aspects of that transfer of information to third parties.
The compliance challenge of CASL is to make changes to the documents and administrative protocols of current business operations to ensure that your operations, and those of third parties to whom you disclose personal information, restrict the use of that information. Where it is likely that CEMs will be transmitted for marketing reasons, the CEM protocols must comply with CASL spam restrictions.
A CEM is defined broadly to include any such message that has, as one of its purposes, to encourage participation in a commercial activity. This includes CEM's about rental promotions, special offers, and business opportunities. CASL applies to most forms of electronic messaging, including email, SMS text messages, and even some social media messages. If you have transferred personal information to a third party which then uses that information to send CEMs, your challenge is to ensure your business operation is protected from liability under CASL. There are exceptions from the obligations described in this article which involve existing legal and professional business relationships between the sender and recipient; however the details of these exceptions are beyond the scope of this article.
The government has stated that legitimate businesses that use email to market their products to Canadians should not be adversely affected by this law. The goal of recommendations in this article is to help you meet the CASL compliance challenge while minimizing the administrative aggravation of implementing major changes to your tenant intake processes and ongoing business operations.
If I Send CEM's What Must I Do To Comply?
CASL requires that you implement a consumer "opt-in" approach to CEMs that you propose to transmit to tenants, prospective tenants or to anyone. Before including a potential CEM recipient to your database, that person must be given the option of declining consent to receive the CEM. Even where consent is given, the recipient must always have the option of "unsubscribing". By now, many of you may already have received emails from CEM senders asking for your consent to continued receipt of their newsletters or other promotional material. Such emails are examples of how the "opt-in" and "consent" requirements can be met.
To be valid, the consent must describe:
- the purpose for which consent is sought;
- the name of the person/corporation seeking consent;
- the mailing address and, either the telephone number, email address, or the web address of the person/corporation seeking consent; and,
- a statement that the recipient can withdraw their consent at any time together with a mechanism for easily withdrawing consent at no cost ("unsubscribe mechanism").
The unsubscribe mechanism may consist of clicking on an email address or a web-based unsubscribe page. An electronic address or web page which services the unsubscribe mechanism must be valid for a minimum of 60 days after the message has been sent. An unsubscribe request should be implemented without delay, and must take effect no later than ten days after the request is made.
Once a compliant consent is obtained and a compliant "unsubscribe" mechanism is in place, you will have met your obligations with respect to CEM's which you initiate to the addresses of recipients who have given consent.
What About Transfers Of Information To Third Parties?
Things get more complicated where you transfer personal contact information obtained from prospective or existing tenants (or anyone) to third parties who, in turn, may use that information in a database for sending CEM's. The solution in such cases is similar to that already used under PIPEDA: obtain an acknowledgment and assurance from the third party that they are informed about the provisions of CASL; that they will comply with CASL in their use and retention of personal information obtained from you; and that they will not use of personal information received from you for CEM purposes. This acknowledgment can be incorporated as part of the standard PIPEDA third party documents that you are already (or should be) using at present.
Some third parties may seek to use personal information you have transferred to them for CEM purposes and you may permit such use, but then you should require that specific third party disclosure and consent requirements be met by them. It is recommended that you include in your Privacy Policy and/or general disclosure consent forms, a full list of the third parties you will likely disclose tenant or prospective tenant information to in the course of business even if you prohibit those third parties from using the information for CEMs. In the course of your rental operations over time, the transfer of personal information to third parties (contractors, change of internet or other building service providers, including management companies) will occur, in which case you should update your Privacy Policy accordingly.
You may withhold disclosure of the identity of third parties with whom you may have special arrangements and have agreed they may use the information for CEMs, but then three special obligations are imposed on both you and the third party under CASL. First, the consent you obtained initially from prospective recipients of CEMs (ie: prospective or current tenants) must have been sufficiently drafted to allow the consenter to know that their information may be transferred to undisclosed third parties. Second, if the undisclosed third party sends CEM's to a person who then exercises the "unsubscribe" mechanism, the undisclosed third party must inform you that the recipient has requested to unsubscribe. Third, upon notification of the unsubscribe request, you are required to notify any other undisclosed third party that you provided the un-subscriber's contact information to that they are now prohibited from sending CEM's to that person.
The purpose of the "undisclosed" third party provisions of CASL appears to be to limit distribution of personal information to large numbers of undisclosed third parties, all of whom may then engage in issuing CEM's to a recipient. The limitations occur because, as soon as one CEM is unsubscribed, the entire list of unsubscribed third parties must follow. Landlords who allow undisclosed third parties to use personal information for CEM's assume a major obligation to track and implement the CASL unsubscribe provisions because the landlord is usually the principal recipient and transferor of the information. By contrast, if the identity of the third party is disclosed, then only the disclosed third party must unsubscribe the person from their database.
As a practical matter, with a portfolio of hundreds of potential "un-subscribers", it is in a landlord's interest to either prohibit CEM use by third parties altogether or ensure disclosure of the identity of any business that may use the personal information received from the landlord for CEM purposes. There may be financial arrangements with a commercial third party as an incentive to allow the use of the information for CEM purposes, in which case disclosure of the third party is recommended, but if it is agreed that disclosure of the third party's identity will be withheld, then put in place administrative procedures to ensure you can meet the "unsubscribe" obligations under CASL.
What Steps Must You Take Now To Meet The CASL Challenge?
Obtain proper consent from persons who provide personal information to you before sending CEMs to their electronic addresses. If you will not be sending CEMs and have in place an absolute CEM prohibition on the use by third parties of personal information you transfer to them, then nothing more needs to be done other than making a statement to that effect in your Privacy Policy. If you have a database and you expect you will send CEM's, then first send a Consent request similar to those you have received from other CEM issuers or get advice as to how to structure a compliant Consent request which meets the four requirements set out above.
If you have arrangements for either yourself or a third party to create and use a CEM database, then one practical option is to add the requirements for CASL consent to the PIPEDA consent form that you currently have prospective tenants sign when they complete a rental application. Have the third party sign an acknowledgment of compliance with PIPEDA and CASL or, where you wish to restrict third party use of personal information, have an acknowledgment accepting the restriction. The acknowledgment should specify that the third party's use of personal information disclosed to them will be for the purposes for which consent is given and that if you permit the information to be used for CEM's, they will only be sent to the person in accordance with the CASL. We have not enclosed a template CASL Third Party form as the requirements for same will vary depending on your specific operations.
In your Privacy Policy and/or consent form, include notice to the consenter that their personal contact information may be provided to a list of specified commercial third parties so that the person may be contacted by those third parties regarding the services they provide or to assess the merits of their offer to lease. Your Privacy Policy and/or consent form should define what a tenant's contact information is and that definition should state that it includes electronic addresses. If possible, list in full the names of the organizations or persons to whom you will disclose a tenant's personal information to so that you avoid the "undisclosed third party" obligations. You can state in the consent form and Privacy Policy that personal information may be disclosed to other third parties in future. If you later make disclosures of information to new third parties, then you should either update the list of disclosed third parties in your Privacy Policy, or maintain a separate updated list of undisclosed third parties so that you can direct them to cease issuing CEM's to a person if any one of them is unsubscribed by that person.
Summary
The new CASL creates immediate and substantial compliance challenges for operators in the rental housing industry because you regularly receive and transfer personal information. You usually transfer that personal information to third parties such as credit companies, residents' service providers (utilities, internet and telephone contracts, cable, parking). A good strategy to meet the challenges of CASL is to start the compliance implementation process now and keep it as simple, generic, and cost-effective as possible. This means implementing some standard best practices now so that, by July 1, 2014, the challenges are met and you can get on with business.
For further information and advice to meet the compliance challenges of CASL for your particular operations, contact the writers or your personal legal advisor.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
