The Canadian anti-spam legislation, or CASL for short (pronounced “Castle”) was approved by the federal House of Commons in 2010 to regulate the use of electronic means to carry out commercial activities. In broad terms, CASL discourages electronic conduct that undermines computers and electronic communications. CASL regulates: (1) commercial electronic messages (i.e. emails, texts, etc.); and (2) the installation of computer programs. The objective is to give Canadian computer users the right to choose what messages to receive and what programs are being installed on their computers.

CASL applies to all forms of electronic messages sent via telecommunication means, including emails, texts, sound messages, voice messages, image messages and any new forms of messages created in the future.

This edition of The Battlefront will look at the legal requirements of CASL relating to emails from a mid-market business perspective. This will be a brief overview only as CASL has many more complex details!

What emails are subject to CASL?

CASL regulates “commercial electronic messages” (CEMs for short), the most common form of which is email. Only emails sent for a commercial purpose are subject to this law. Personal emails are not. Messages that are posted (i.e. not “sent” to anyone) are not CEMs (ex: blog posts; Facebook / LinkedIn / Twitter updates; etc.).

There is no minimum number of emails before CASL could apply. CASL does not distinguish between sending 1 or 1,000 emails at a time. Even emails sent to request consent are governed by CASL, so sending a single email requesting consent could be a contravention of CASL!

When does CASL apply?

CASL came into effect on July 1, 2014 with a three-year transition period that deemed implied consent if there was an existing business relationship before such date.

This transition period ends on July 1, 2017! As of such date, all commercial emails can only be sent if the email complies with the requirements of CASL!

Who is subject to CASL?

CASL casts a wide net! If the sender is using a computer in Canada, CASL will apply regardless of where in the world the email is initiated.

Also, if the sender is a company, each director and officer is also liable if they directed, authorized, assented to, acquiesced in, or participated in the violation. A company is liable for the actions of its employees and agents if they acted within the scope of their employment or retainer.

CASL intends to capture any person or company in Canada who participated in sending non-compliant emails!

Why comply with CASL?

Contraventions of CASL can result in administrative penalties of up to $1,000,000 for an individual or $10,000,000 for a company that contravenes the law. That should be a sufficient threat to ensure compliance!

CASL was also about to create a much larger risk by implementing a private right of action as of July 1, 2017 that would have permitted recipients to take legal action against the senders of non-compliant emails. Fortunately, on June 7th, 2017, the federal government quietly revoked the coming into effect of this private right of action. The administrative penalties still exist, but enforcement will remain in the hands of the federal government for now.

How to comply with CASL requirements?

A two-step process is needed: (1) does the email fall within a permitted category?; (2) if no, CASL requires consent and content.

Step #1 – Permitted Categories

Certain categories of emails are specifically excluded from CASL, such as:

  1. Emails sent as a response to the recipient (responding to a request, inquiry, complaint or solicitation);
  2. Emails sent by employees of one organization to employees of another organization if the two organizations have a relationship and the email is about the recipient’s activities; and
  3. The first email sent to contact a person that has been referred by a person who has a relationship with both the sender and the recipient (personal referrals).

If none of these various categories apply, then any email sent for a commercial purpose will be subject to the CASL requirements of consent and content.

Step #2 – Consent and Content

If a permitted category does not apply, then CASL requires that all commercial emails may only be sent if: (1) the recipient has consented; and (2) the email has the required content.

Requirement #1: Consent

An intended receiver may give either express consent (i.e. a specific consent to receiving emails) or implied consent (i.e. have acted in a way that reasonably indicates he/she wishes to receive emails).

Express consent - A request for express consent must include: (i) the purpose for consent; and (ii) the name of person requesting consent (including mailing address and either a telephone number, email address or web address). This is the gold standard of consent. Once express consent is given, it remains in effect until expressly withdrawn.

Implied consent – Implied consent is given based on the actions of the intended receiver of the email. Implied consent exists in any one of the following circumstances:

  1. the sender and the recipient have an “existing business relationship” or an “existing non-business relationship” (as defined in CASL); or
  2. the recipient has conspicuously published his/her email address; and has not stated he/she does not want to receive unsolicited emails; and the email is relevant to the recipient’s business (ex: publishing a contact email address on a website); or
  3. the recipient has given his/her email address directly to the sender; and has not stated he/she does not want to receive unsolicited emails; and the email is relevant to the recipient’s business (ex: giving someone a business card that includes an email address).

CASL considers an “existing business relationship” as some form of commercial interaction within the previous 2 years or an inquiry by the recipient within the previous 6 months.

An “existing non-business relationship” includes recipients who have donated or volunteered time to a charity, or been a member of a club or association, within the previous 2 years.

Exceptions to consent – There are narrow circumstances when consent is not required, the principal one being when the email provides a quote or estimate for product or services that the recipient has requested. These exceptions may be relied upon in narrow circumstances.

Regardless of the category, the sender has the burden of maintaining evidence of each recipient’s consent. However, once the consent requirement is satisfied (or a narrow exception is available), then the email must still have the required content.

Requirement #2: Content

To comply with CASL, the commercial email must contain: (i) the name of the sender (as well as the name of any intermediary sending the email on behalf of the sender); (ii) contact information for the sender (mailing address and one of a telephone number, email address or web address); and (iii) an unsubscribe mechanism.

With the required consent and the required content, the commercial email can be sent in compliance with CASL.

Thoughts to Take Away

Offenders beware! Spam emails may seem to be a minor irritant, but CASL gives the federal government real teeth to enforce. As of July 1, 2017, emails must either fit into one of the permitted categories or comply with the CASL requirements for consent and content! Directors and officers may be liable and companies may be liable for the actions of their employees and independent contractors!

How does a business send the first email? Any first email to a potential new customer could be a violation of CASL unless an exception is available for consent. The primary exceptions for businesses will likely be:

  1. An existing business relationship between the sender and the recipient; or
  2. A referral by a third party that has an existing business relationship with both the sender and the receiver; or
  3. The receiver has provided his/her email address (either publicly on a website or directly on a business card) and has not declined to receive unsolicited emails.

Even if implied consent exists, the first email must also include the required content. Only with consent and content can the first email be sent in compliance with CASL!

Compliance is a good thing! While initially burdensome to comply, CASL contains many best practices that can improve your relationship with your customers. CASL may throttle unrestricted communications, but the result should be to focus communications to willing recipients. Less communication may be better communication! So, time to check your Castle!