CASL - What does it mean for your business?

Canada’s Anti-Spam Legislation (“CASL”) was passed by Parliament on December 15, 2010,. Viewed as one of the world’s toughest anti-spam laws, it was originally planned to come into force in 2011 and 2012. However, it was not until December 4, 2013 that the final Industry Canada regulations (the “Regulations”) that are to govern the enforcement of the CASL were released following a lengthy process of stakeholder consultation.

As a result of the Regulations, CASL will come into force on July 1, 2014. The Canadian Radio-television and Telecommunications Commission (“CRTC”) will then have the power to enforce a maximum available penalty of $10M for an offence committed by an organization. The provisions relating to unpermitted installation of computer programs and the private cause of action set out in CASL will not come into force until January 15, 2015 and July 1, 2017 respectively.

The objective of CASL is to discourage commercial activities that impair a secure online environment and undermine consumer trust in the online marketplace. This new legislation will have a significant impact on the communication efforts of businesses and nonprofit organizations (though, the new regulations do make an exception for registered charities). CASL prohibits unsolicited commercial electronic messages (“spam”), unauthorized installation of computer programs on another person’s computer (“spyware”), and the altering of the transmission of a sender’s data that causes the message to be delivered to a destination other than the destination specified by the sender. CASL’s definition of “commercial activity” is sufficiently broad that potentially any transaction or conduct, whether or not carried on for profit, could be considered commercial.  As such, CASL may be applicable to both commercial enterprises and nonprofit organizations.

CASL will apply to “commercial electronic messages” (“CEM”) sent by any means of telecommunication, including text, sound, voice or image messages that promote a commercial activity. And it will not matter if the recipient is an individual or a business; the test is whether the sender of the message encourages participation in a commercial activity. If a communication is deemed to be a CEM, then it is prohibited unless: i) consent to send a message has been obtained from a recipient; ii) certain formalities as to the content of the message are met; and iii) the message falls within one of the enumerated exceptions, including but not limited to, CEMs sent to persons to whom the sender has personal or family relationship, and business inquiries about products or services offered by the recipient. The new regulations define “family relationships” to exclude siblings and cousins, however these relationships would still likely be covered in the definition for “personal relationships”.

THE RULES OF CONSENT

It is important to remember that an electronic message requesting consent to send a CEM is itself a CEM and, thus, after July 1, 2014 cannot be sent without the prior consent of the recipient. In reviewing their email lists, companies must identify which recipients have given express consent, implied consent or no consent at all. Where there has never been consent from the recipient, businesses must obtain express consent prior to July 1, 2014. However, where this is implied consent, businesses will have a three-year grace period in which to obtain express consent.

The express consent is in a prescribed form and consists of the recipient’s positive confirmation of consent. The sender’s request must disclose the purposes for which consent is sought, the identity of the actual or benefi cial sender of the message, the sender’s contact information, and an effective unsubscribe mechanism. Recipients must be given an option to withdraw consent at any time. Once consent is withdrawn, the sender can no longer send CEMs to the recipient.

There are limited exceptions to the opt-in consent to receive CEMs. For instance, consent may be implied where a sender of the message has an “existing business relationship” with the person it is sent to.  Although businesses may rely on implied consent, the exception will be limited to customers who have had a continuous business relationship with the sender within the two years or six months prior to the sending of the message.

For charities and other not-for-profit organizations consent may be implied where there is an “existing non-business relationship” between a recipient and a sender that is a registered charity, political party, political candidate, club, association or voluntary organization. A non-business relationship would be deemed to exist if within the last two years before the day on which the message was sent, the recipient had made a donation to or had performed volunteer work for a charity, or had been a member of a club, association or voluntary organization, and had not annulled or revoked consent.

The Regulations clarify that messages sent by a registered charity to seek donations fall within the permitted exceptions, provided they are not engaging in any other kind of commercial activity, that is, not engaging in selling or promoting a product. CASL also exempts charities where there is implied consent, i.e. where a previous donation has been made to the charity within the last two years.

The aforementioned 3-year grace period relating to implied consent has a similar counterpart in the provisions relating to the installation of computer programs where they were installed on a person’s computer prior CASL coming into effect. Valid express consent obtained before CASL comes into force will be recognized as being compliant. However, where organizations are currently relying on implied consent, organizations will have to seek and receive express consent from recipients within the permitted timeframe. 

In response to stakeholder concerns, the Regulations have provided an exception for contact by referral by exempting a single message that is sent as the result of a referral from someone with a family, personal, business or non-business relationship both with the sender and with the recipient provided that the message discloses the full name of the individual or individuals who made the referral.

CASL requires consent for the installation of computer programs unless it is reasonable to believe that the person has consented to such installation and the program is a cookie, HTML code, Java Scripts, an operating system, or any other program that is executable only through the use of another computer program which was installed with express consent. As mentioned above, provisions relating to the installation of computer programs will come into force on January 15, 2015.

ENFORCEMENT

CASL has introduced a robust enforcement regime which gives the CRTC sweeping powers to investigate and impose harsh monetary penalties. Failure to comply with the new rules could cost individuals up to $1 million and businesses up to $10 million per violation. Individuals and businesses will also be able to apply to a court for a private remedy against any person that contravenes the legislation, and the court may award statutory damages as high as $1 million. Directors, offi cers, or agents of corporations can be held personally liable. However, this private right of action will come into force July 1, 2017.

Under the Regulations, a person who obtains consent on behalf of a third party may authorize any person to use consent, but such consent is valid if a recipient of CEMs is provided with an effective unsubscribe mechanism by the authorized person, so that the recipient may withdraw consent at any time. When consent to receive CEMs from a third party is withdrawn by the recipient, the party who obtained consent must notify every other party to whom the consent was provided that it is withdrawn. This can cause additional problems for small businesses that do not run their advertising campaigns, but hire a third party contractor to perform marketing services. The Regulations would make both the business and the third party potentially liable and, thus, could force advertising agents to charge higher fees for their services to ensure compliance.

WHAT YOU NEED TO CONSIDER

The following is a list of measures businesses should consider undertaking prior to CASL coming into force on July 1, 2014:

• Review electronic communications to identify those that fall within the definition of CEMs;
• Go through your contact lists and determine whether or not express consent has been obtained or is required, or whether implied consent may be applicable;
• Update your contact lists with express consent prior to July 1, 2014 if needed;
• Implement or modify a policy setting out the contents of a request for consent to send CEMs, including but not limited to an identity of a sender, the sender’s contact information which must be valid for a minimum of 60 days, an effective unsubscribe mechanism (by providing an electronic address or a link to a web page), and directions on how to withdraw consent, etc.;
• Implement or modify a policy setting out prescribed disclosure with respect to computer programs; and
• Adopt a practice of monitoring mailing lists in order to track consents and/or refresh consents in a timely fashion (as transitional period may eventually “expire” or consent may be withdrawn).

Although the implementation of CASL-compliant practices is likely to entail cost, it is important to act proactively and implement consent-based online marketing practices before CASL comes into force and before sending a request for consent in itself becomes a violation of the law.