The Office of the Federal Privacy Commissioner has issued a Guidance Document with helpful tips on compliance with Canada’s anti-spam legislation, or CASL, for businesses in their marketing activities. The Commissioner’s Guidance addresses “e-marketing” which encompasses electronic marketing, including by way of emails and text messages. The Guidance document is focussed specifically on email marketing and on the issue of electronic address harvesting. The Commissioner defines electronic address harvesting as, “the use of a computer program to indiscriminately collect electronic addresses, such as email addresses”.

The Guidance document provides comment on the due diligence that is necessary to avoid inadvertently harvesting email address or using harvested email addresses in an e-marketing campaign. Due diligence includes taking appropriate steps to ensure compliance with CASL obligations by a third party who has been contracted to do e-marketing for you or by third party list vendors who provide email lists for you to use in our in-house e-marketing campaigns.

The Guidance document outlines some practical steps that businesses can take to ensure that they do not run afoul of CASL consent requirements, including asking questions about where a third-party has obtained the email addresses it is selling, how consent was obtained to use the email address, whether lists are kept up-to-date and how changes are communicated.

The Commissioner also cautions that contracts should be clear on what steps the list vendor or e-mail marketing firm is to take to ensure compliance with CASL requirements and that contracts should ensure that it is an up-front obligation for an email marketing firm to ensure that commercial messages are not sent to people who have not provided their email addresses or have not consented to receiving commercial messages.

The Office of the Privacy Commissioner shares the responsibility for enforcing CASL with the Canadian Radio-television and Telecommunications Commission (CRTC) and the Competition Bureau.

The Office of the Privacy Commissioner is responsible for violations related to electronic addresses harvesting and the collection of personal information through illicit access to other people’s computer systems, primarily through means such as spyware.

The CRTC is responsible for investigating the sending of unsolicited commercial electronic messages, the alteration of transmission data and the installation of software without consent.

The Competition Bureau is responsible for investigating claims of false or misleading representations and deceptive marketing practices in the electronic marketplace.