As readers of The Cassels Brock Report will recall, we have previously written on the progress of Canada’s anti-spam legislation (“CASL”). The articles can be found here: Article #1, Article #2 and Article #3. CASL has not yet been proclaimed in force, and through the public consultations held by both Industry Canada and the CRTC on the draft CASL, it has become apparent that the business community is concerned about the far-reaching and severe consequences of this legislation.
In March of this year, to the surprise of some observers, the CRTC registered the final version of the Electronic Commerce Protection Regulations (CRTC) (the “Regulation”) without conducting a second round of industry consultation. Perhaps as a response to the unease within the business community over the interpretation of the draft version of the Regulation, the CRTC has now issued two interpretive guidelines (the “Guidelines”)1. These Guidelines clarify several provisions of the Regulation and provide examples of compliant behaviour. The salient points of the Guidelines are as follows:
Information to be Included in Commercial Electronic Messages (“CEMs”)
- Whom to Identify
The Regulation contains detailed requirements about the entities that must be identified in a CEM and the information that has to be provided about them. Given the number of entities involved in the sending and transmission of a CEM, this has understandably posed a difficult issue for some industry players, particularly ISPs. The CRTC now advises:
- Identification and contact information of intermediaries between the sender and the person on whose behalf the message is sent isn’t required if the intermediary doesn’t have a role in the content of the CEM or the choice of recipients but simply facilitates its distribution.
- If a CEM is sent on behalf of a number of different entities such as a company and its affiliates, then the prescribed information is required for the company and all of the affiliates. This will prove to be particularly onerous for large entities that may send omnibus email messages on behalf of all of their brands.
- Mailing Addresses
Part of the required CEM information is the sender’s mailing address (and if different, the mailing address of the person on whose behalf the message is sent). The CRTC has clarified that a “mailing address” means a valid, current street (or civic) address, postal box address, rural route address, or general delivery address. It must be valid for at least 60 days after the CEM is sent.
Form of CEMs – The Unsubscribe Mechanism
CASL requires that each CEM contain an unsubscribe mechanism. As originally drafted, the Regulation required that the unsubscribe mechanism be performed in no more than two clicks. In the final version of the regulation, the language was softened to state that the unsubscribe mechanism must be capable of being “readily performed”. The Guidelines now interpret “readily performed” in the following manner:
- A “readily performed” unsubscribe mechanism is one that can be “accessed without difficulty or delay, and should be simple, quick and easy for the consumer to use.”
- The following are examples of acceptable unsubscribe mechanisms:
- A link in an email to a website where users can unsubscribe from some or all of the sender’s CEMs;
- An SMS providing users the option of either replying with the word “Stop” or “Unsubscribe” or clicking on a link to a website where users can unsubscribe from some or all of the sender’s CEMs.
Information to be Included in a Request for Consent
Section 4 of the Regulation mandates that consent be “sought separately” for each act described in sections 6 to 8 of CASL. This language caused some confusion – did it mean that consent must be obtained for each type of activity or each instance of each type of activity? Thankfully, the CRTC has now advised that it views the requirement as applicable to each type of activity only. The Guidelines provide:
- Meaning of “Sought Separately”
- The person seeking consent must identify and obtain specific and separate consent for each of the following acts:
- The sending of CEMs;
- The alteration of transmission data in electronic messages in the course of a commercial activity;
- The installation of a computer program on another person’s computer in the course of a commercial activity.
- As an example, a person must be able to grant their consent for the installation of a computer program while refusing to grant their consent for receiving CEMs.
- It isn’t necessary to obtain separate consents for each instance of the acts listed above as long as the consent request requirements of the Act are met.
- Requests for Consent
- Consent must be clearly identified and separate from consent to any general terms and conditions of use or sale.
- If the proper use of a product or service requires the installation of a computer program then this must be explained in the consent request and consent must be obtained before the product or service is used or sold.
- The following are examples of acceptable consent requests:
- A separate tick-box for each type of act that must be proactively checked to indicate consent; or
- A separate icon for each type of act that must be proactively clicked to indicate consent; or
- Any combination of the above.
- Oral or Written Consent
The original form of consent prescribed by the Regulation stipulated that it had to be “in writing”. That was subsequently amended to include oral consent. However, questions remained as to whether electronic consents would qualify as meeting the “in writing” requirement, and what type of oral consent would suffice. The Guidelines now provide:
- The following forms of oral consent are sufficient:
- Where an independent third party can verify the consent; or
- Where the person seeking consent, or their client, retains a complete, unedited audio recording of the consent.
- Electronic written consent is sufficient if it can be subsequently verified - for example, checking a box on a website where a record of the date, time, purpose, and manner of consent is stored in a database, or completing a consent form at a point of purchase would be considered “in writing”.
Specified Functions of Computer Programs
The Regulation requires that certain types of computer programs (i.e., those that collect personal information, interfere with the owner’s/user’s control of the computer system or that change, interfere with existing settings, preferences or commands without the owner’s/user’s knowledge) must be brought to the attention to the person from whom consent is sought, separate and apart from any other information in the request for consent. The Regulation also requires that an acknowledgement be obtained in writing that the person understands and agrees that the program performs the specified functions.
The Guidelines now explain the proper method of obtaining this acknowledgement and consent.
Means of obtaining consent:
- “In writing” includes paper and electronic forms.
- The following is an example of an acceptable means of obtaining consent: an icon or empty toggle box, separate from the license agreement and other requests for consent, that must be actively clicked to indicate consent to one, some or all of the computer program’s functions, provided that the date, time, purpose, and manner of that consent is stored in a database.
Often consumers encounter online forms that have consents (usually to receive marketing materials) pre-checked, forcing the user to click another button indicating that he/she does not want to receive marketing materials. The CRTC has also weighed in on this type of consent and whether it qualifies as an “express consent” for the purposes of CASL. The CRTC has clearly stated that it does not consider these type of opt-out mechanisms sufficient to comply with the express consent provisions under CASL.
The Guidelines state that:
- Express consent requires a positive or explicit indication of consent – opt-in mechanisms are required.
- Two examples given are checking a box (but not “toggling”) or typing in an email address to indicate consent.
- A subscription email, text message, or other equivalent form of CEM cannot be used to elicit consent.
- Confirmation that express consent has been received should be sent to the person granting consent.
These Guidelines should go a long way to guide businesses through the complex compliance regime of CASL. However, as noted above, Industry Canada has also issued a draft CASL regulation and the business community is still anxiously waiting for the promised release of a revised draft of that regulation from Industry Canada. With administrative monetary penalties under CASL of up to CDN$10 million and the creation of a private right of action for breach of CASL, this statute will have a profound and possibly chilling effect on how responsible organizations communicate electronically with their customers and others. We will continue to monitor and report on key CASL developments as they occur.
Alexis Bowie, Student-at-Law, assisted in the preparation of this article.