Canada's new Anti-Spam Legislation, known as CASL, is one of the strictest in the world. In general, CASL requires consent before sending "commercial electronic messages" and requires that all such messages meet certain form and content requirements. This seems simple, but as always, implementation can be complicated. This article explains the legislation and walks through some real-world scenarios to demonstrate compliance.
On July 1, 2014, a majority of the provisions of one of the strictest anti-spam laws in the world came into effect: Canada's Anti-Spam Legislation (CASL)1. CASL prohibits the sending of a commercial electronic message (CEM) to an electronic address unless the person to whom the message is sent has consented to receiving it and the message itself complies with prescribed form and content requirements. A CEM is defined broadly as an electronic message (e.g., email, text message, social media message) designed, in whole or in part, to encourage participation in a commercial activity, whether or not the person who carries it out does so in the expectation of profit.
In general, consent to receive a CEM must be express. To be valid, a request for express consent must be sought separately (i.e., must not be subsumed in a request for consent to the general terms and conditions of use or sale) and must set out "clearly and simply":
- The purpose for which consent is being sought
- Specific information about the person seeking consent and, if applicable, the person on whose behalf consent is being sought
- A statement that the recipient can withdraw their consent
Although CASL generally requires express consent, consent may be implied in limited circumstances, such as where the sender and recipient have an "existing business relationship" as that term is defined by the legislation.
Note that an electronic message requesting consent to send a CEM is itself considered a CEM for which consent is required.
In addition to the consent requirement, CEMs must comply with prescribed form and content requirements. In particular, each CEM must include specific information about the person sending the message and, if applicable, the person on whose behalf the message is being sent as well as prescribed contact information.
Each CEM must also provide an "unsubscribe" mechanism, which must also meet prescribed requirements.
Certain messages may be exempt from CASL's anti-spam provisions altogether while others may be exempt from the consent requirement only.
Subject to limited exceptions, the law applies to all businesses that send CEMs to (or from) computer systems located in Canada. Companies and individuals located anywhere in the world can therefore be exposed to liability under this legislation.
The potential penalties for non-compliance with CASL are significant and include administrative monetary penalties of up to C$1-million for individuals and C$10-million for corporations per violation. It will also be an offence "to aid, induce, procure or cause to be procured the doing of any act contrary to" certain sections, including the provisions relating to sending CEMs. Directors, officers and agents who have directed, assented to, acquiesced in or participated in the violation(s) may be held personally liable.
CASL also creates a private right of action for persons who have been affected by a contravention of CASL 's anti-spam provisions. Although these provisions will not come into force until July 1, 2017, industry should be aware that risks of claims nonetheless exist and should strive to achieve compliance with the law prior to it coming into force.
CASL also contains provisions regarding the unsolicited installation of computer programs. These provisions will not come into force until January 15, 2015, and are not discussed in this paper.
To demonstrate how CASL affects your business, consider the following six scenarios.
SCENARIO 1: A customer purchases a product from your online store. During the checkout process, the customer provides his or her email address for the purposes of obtaining an e-receipt. Can you add this customer to your marketing list?
Yes, but only for the two-year period immediately following such purchase.
Consent to receive CEMs is implied where the sender and recipient have an "existing business relationship" as defined by the legislation. An existing business relationship exists where the sender and recipient have engaged in certain specified types of business together in the two years preceding the date on which the CEM is sent (for example, the purchase or lease of a product, or existence of a written contract) or where the recipient of the CEM has made an inquiry to the sender in the previous six months.
In Scenario 1, consent is implied, but only for the two-year period immediately following the purchase (i.e., the period of time during which an existing business relationship can be held to exist).
Express consent under CASL is not limited in time and will remain valid until the customer withdraws his or her consent (for example, by unsubscribing). Accordingly, consider seeking express consent (in the manner prescribed by the legislation) from the customer at the time of check-out.
SCENARIO 2: You are attending a trade show and meet a prospective customer who gives you her business card. Can you add this customer to your marketing list?
Here, the answer is again most likely yes. Consent is implied under CASL where the recipient has disclosed his or her electronic address to the sender without indicating that he or she does not wish to receive CEMs and the CEM is relevant to the person's business, role, functions or duties in a business or official capacity. Accordingly, if the business card includes the customer's email address and she did not ask not to receive CEMs, you can send her CEMs as long as they relate to her business or her role.
SCENARIO 3: You buy a marketing list from a vendor who assures you that all individuals whose emails are on the list consented to the sharing of their email address with select third-party partners for marketing purposes. Can you use this list?
It depends. CASL provides that a person may, on behalf of an unknown third party, obtain the express consent of a person to receive CEMs from the unknown third party, as long as certain (somewhat burdensome) conditions set out in CASL and its accompanying regulations are met.
As noted above, a request for express consent under CASL must include specific information about the person seeking consent and, if applicable, the person on whose behalf consent is being sought. When express consent is sought on behalf of an unknown third party, CASL allows for the provision of information about the person seeking consent only. However, in this instance, the person seeking consent and the unknown third party must comply with additional conditions imposed by the regulations in order to be able to rely on this consent. Namely, the person who obtained the consent must ensure that the unknown third party (the "authorized user") includes in any CEM sent relying on such consent:
- The identity of the person who obtained the consent
- An unsubscribe mechanism that, in addition to meeting the prescribed requirements for all unsubscribe mechanisms allows the recipient to withdraw his/her consent from the person who obtained consent or any other person who is authorized to use it
SCENARIO 4: Historically, your organization has used an opt-out form of consent for receipt of marketing communications from customers who purchased goods and services from you online. Will these consents that were obtained prior to the coming into force of the law continue to be valid under CASL?
The answer is generally yes. The Canadian Radio-television and Telecommunications Commission (the regulatory body responsible for enforcing the law) has confirmed that existing valid express consents (including opt-out consent) obtained prior to July 1, 2014, continue to be valid after the coming into force of the law. However, for all express consents obtained on or after July 1, 2014, an opt-in form must be used and the request for consent must meet the prescribed form and content requirements set out in CASL.
SCENARIO 5: Your organization offers court-reporting services to law firms in Toronto, and you would like to send an email to litigators at Toronto law firms to inform them of your services. Can you?
Yes, provided the litigators have "conspicuously published" their email addresses on their website, and there is no notice that they do not want to receive unsolicited CEMs.
While CASL is quite broad, it is not all encompassing. The following are exempt from CASL' s anti-spam provisions:
The following messages are exempt from CASL' s consent requirement but not its form and content requirements. In each case, in order to benefit from the exemption, the activity described below must be the message's sole purpose:
Consent to receive CEMs is implied under CASL where a recipient has "conspicuously published" his or her electronic address, the publication is not accompanied by a statement that the recipient does not wish to receive unsolicited CEMs, and the CEM is relevant to the person's business, role, functions or duties in a business or official capacity. Be aware that automatic harvesting of email addresses is prohibited by CASL and other statutes, so you must collect this information manually.
SCENARIO 6: You are a strictly online business and communicate with customers by email and text message only. After a customer purchases a product, you send the transaction receipt by email or text message. Will this have to change because of CASL?
You can still send the transaction receipt by email or text message, but you may need to make changes to the message itself to comply with CASL's form and content requirements (discussed above).
CEMs that are sent to satisfy a legal or juridical obligation are exempt from CASL altogether. Accordingly, if you have a legal obligation to send the transaction receipt, the message may be exempt.
If you are not legally obligated to send the transaction receipt, the message may still be exempt from CASL's consent requirement, since CEMs that solely facilitate, complete or confirm a commercial transaction where the recipient previously agreed to enter into the transaction are exempt from CASL's consent requirement but are still subject to CASL's form and content requirements.
CONCLUSION: Understanding the law and ensuring compliance
The stringent provisions of CASL will affect businesses and individuals around the world, and compliance with the U.S. CAN-SPAM Act 2003 does not equal compliance with CASL. It is therefore important that U.S. organizations doing business in Canada take steps to bring themselves into compliance with CASL.
Here are six steps U.S. organizations should consider taking immediately:
- Review the types of electronic messages that your organization sends out and determine which ones are subject to CASL.
- Seek express consent in accordance with CASL's requirements.
- Track and document implied consents and ensure there are systems in place to identify when an implied consent expires. Consider requesting express consent, which is not time limited and remains valid until consent is withdrawn.
- Render fully operational unsubscribe mechanisms that meet the requirements of the legislation.
- Develop and implement policies and procedures for compliance with CASL and train employees.
- Review contracts with vendors and referral sources to ensure they are contractually obligated to comply with CASL.
Companies that can demonstrate that they exercised due diligence to prevent a violation of CASL may be able to mitigate their potential liability.
1 The full text of the law is available at http://laws-lois.justice.gc.ca/eng/acts/E-1.6/index.html.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.