Canada's Anti-Spam Law (CASL)
This chapter focuses both on the requirements for sending electronic messages under CASL and the requirements regarding express consent for the unsolicited installation of computer programs, which came into effect on January 15, 2015.
Canada's Anti-Spam Legislation, or CASL for short, came into force on July 1, 2014. It is one of the most prescriptive and punitive anti-spam laws anywhere in the world. With penalties of up to $10 million, CASL compliance has become a priority for anyone doing business in Canada.
With respect to spam, CASL imposes two primary obligations. First, CASL prohibits the sending of unsolicited commercial electronic messages. This means that, subject to certain exceptions, before sending an electronic message that encourages participation in a commercial activity - including most standard promotional or advertising emails and texts - the sender must have either the express or implied consent, as defined under CASL, of each recipient. Second, even where consent exists, CASL requires commercial electronic messages to contain certain disclosures and an unsubscribe mechanism. This chapter briefly reviews the essential requirements of the legislation.
CASL's computer software provisions are aimed at preventing the installation of unauthorized malware and spyware computer programs; however, they have varying degrees of impact on all types of software applications. Section 8 of CASL requires express consent to install a computer program on another person's computer system in Canada during the course of commercial activity. Enhanced disclosure and consent requirements apply where the software performs certain prescribed functions.
2. Commercial electronic messages (CEMs)
CASL applies specifically to "commercial electronic messages." A CEM is defined as any message sent to an "electronic address" that has as its purpose, or one of its purposes, the encouragement of participation in a commercial activity. This includes, but is not limited to, messages that:
- Offer to purchase or sell goods or services
- Offer to provide a business, investment or gaming opportunity
- Contain advertisements related to any of the above
An electronic message that requests the recipient's consent to receive further electronic messages is itself a CEM and, as such, may only be sent with prior consent.
To constitute a CEM, the message must be sent to an "electronic address" by any means of telecommunication. This includes email, texting, instant messages, messages to telephone accounts, or messages sent to any "similar account", such as certain forms of social media messaging or other digital messaging systems where a message is sent by one person to one or more specific electronic addresses. However, CASL does not apply to interactive two-way voice communications between individuals, voice recordings sent to telephone accounts or to the transmission of facsimiles.
CASL also does not apply to electronic messages that are displayed to the general public. For example, CASL will not apply to display advertisements such as banner or box advertisements, or to a normal tweet on Twitter or to a Facebook wall post. It will, however, apply to private messages sent through those social media platforms to one or more recipients.
CASL applies to any CEM that is either sent from a computer within Canada or accessed by a computer in Canada. Because of this, even organizations operating solely outside of Canada will, in most cases, be required to comply with CASL if they communicate with Canadian clients or customers.
Consent is the cornerstone of CASL and most of the legislation's complexity lies here. In order to send any CEM, unless the message is otherwise exempt - as discussed later in this chapter - the sender must have the consent of the recipient to send the message. It is important to note that under CASL, the onus is always on the sender to prove consent.
There are two principal types of consent under CASL: express consent and implied consent.
- Express consent
CASL creates prescriptive requirements for express consent to receive CEMs. Express consent requires clear and informed consent on the part of the person consenting to receive the messages. The form of consent must be opt-in, rather than opt-out, and the person must be aware of the nature of the messages that they are agreeing to receive. Opt-ins cannot be buried in the terms and conditions of another service or contract, and must instead require a positive or explicit action on the part of the person providing his or her consent. Most commonly, express consent is obtained through a checkbox or a confirmation button on a form, web page or digital application. Any such checkbox cannot be pre-checked, and consent should never be assumed. CASL also requires the following information to appear with any request for express consent:
- An identification of the types of messages that will be received and the purposes of the consent
- The name by which the person or organization requesting consent carries on business, or their legal name
- If seeking consent for another person or organization, the name by which that person or organization carries on business, or their legal name, and an indication as to which person or organization is seeking consent for the other (e.g. if seeking consent for an affiliate)
- The mailing address, and either a telephone number providing access to an agent or a voice messaging system, an email address, or a web address of the person or organization seeking consent
- A statement indicating that the person whose consent is sought can withdraw their consent
Once express consent is obtained, the sender may continue to send messages of the type identified in the request for consent until the recipient withdraws their consent. The CRTC has indicated that "valid, express" consents provided prior to January 1, 2014, with respect to the sending of CEMs may continue to be relied on until the message recipient withdraws consent.
- Implied consent
Implied consent is based on the existence of a prescribed relationship between the sender and recipient, or on the presence of a specific set of circumstances. Under CASL, implied consent may exist where the sender of the CEM and its recipient have an "existing business relationship." An existing business relationship arises in the following cases:
- (i) Where there has been a purchase or lease of a product, good, service, land, or an interest or right in land, within the previous two years by the message recipient from either the sender or the person who caused or allowed the message to be sent
- (ii) Where the recipient accepted a business, investment or gaming opportunity, or engaged in the bartering of anything mentioned in (i) within the previous two years from either the sender or the person or organization that caused or allowed the message to be sent
- (iii) Where a written contract currently exists between the recipient and either the sender or the person or organization that caused or allowed the message to be sent, or where such a contract expired within the previous two years
- (iv) Where an inquiry or application was made by the recipient in respect of anything in (i) or (ii) from either the sender or the person who caused or allowed the message to be sent, within the previous six months
As these provisions make clear, implied consent for an existing business relationship has a time limitation, which must be tracked by those relying on the implied consent. Tracking these time limits can be problematic, especially since it requires monitoring the expiry of consent for each address, and it may be difficult to establish the exact times when recent transactions took place, or when the timer began to run. Due to this difficulty, it is often advisable to seek express consent for any ongoing commercial electronic messaging. Regardless of the time frame given for the use of implied consent from an existing business relationship, if the recipient indicates that he or she no longer wishes to receive ongoing messages, the sender must cease sending CEMs to that recipient within 10 business days.
A second form of implied consent exists if the recipient has conspicuously published his or her electronic address, or has given the address to the sender, without indicating that he or she does not wish to receive CEMs. Importantly, in order to use this form of implied consent, the message must be relevant to the business, role, functions or duties of the recipient of the message. This form of consent does not exist for consumers or other persons who do not have a business role or function.
- Referrals
CASL allows for the limited sending of messages to new contacts based on referrals. Essentially, CASL will deem the sender to have consent to send a single message to a recipient where another individual has referred that person to the sender and has provided their electronic address. In order for this to apply, the individual who made the referral must be in certain types of prescribed relationships with both the sender and the recipient, and the referral message must contain prescribed disclosures and the prescribed unsubscribe mechanism.
- Records of consent
CASL places the onus of proving the existence of consent on the person or organization claiming to have it. As such, it is important for organizations that send CEMs to retain records sufficient to establish that they have CASL compliant consent if they are ever faced with enforcement action. The regulator, the Canadian Radio-television and Telecommunications Commission (CRTC), has indicated that to help establish adequate proof of consent, organizations that send CEMs should retain records, such as any signed consent forms or completed electronic forms from individuals, documentation of the organization's consent processes, records of their policies and procedures in respect of CASL compliance, and a record of all unsubscribe requests and their resulting implementation.
- Statutorily defined categories of messages
A number of prescribed classes of electronic messages are exempt from the requirement to obtain consent, either express or implied, from the recipient. It should be noted that these messages are not exempt from the application of CASL. Rather, the sending of electronic messages under these categories is analogous to implied consent, as it is still necessary to comply with other CASL requirements, such as including the message disclosure requirements and unsubscribe mechanism discussed below. Such categories of electronic message include, but are not limited to, messages sent solely:
- To provide a requested quote or estimate regarding a product or service
- To provide warranty or product recall information about a product the recipient has purchased
- To facilitate or confirm a commercial transaction entered with the recipient
- To deliver a product or service that the recipient is entitled to receive under the terms of a transaction between the sender and recipient
c. Message disclosure requirements
Even where a sender has obtained express consent or has implied consent to send a CEM, any CEM sent pursuant to that consent must clearly and prominently include prescribed information within the message. It must also include an unsubscribe mechanism, allowing the recipient to easily opt-out of future CEMs from the sender.
- Required information:
- The name by which the person or organization sending the message carries on business, or that person or organization's legal name
- If the message is sent on behalf of another person or organization, the name by which the person or organization on whose behalf the message is sent carries on business, or their legal name
- If the message is sent on behalf of another person or organization, a statement identifying both the person or organization sending the message and the person or organization on whose behalf the message is sent
- The mailing address and either a telephone number providing access to an agent or a voice messaging system, an email address or a web address of the person or organization sending the message or the person or organization on whose behalf the message is sent
If it is not possible to include all of this information directly in a message - such as in the case of some commercial messages sent by text message - a clearly labelled link may instead be included that leads directly to a web page with the required information.
- Unsubscribe mechanism
All CEMs not exempt from CASL must include an unsubscribe mechanism, whether the consent to send the message is express or implied. The unsubscribe mechanism - which is usually in the form of an unsubscribe link at the end of the message - must enable recipients to indicate, at no cost to them, that they wish to no longer receive CEMs from the sender, or the person on whose behalf the messages are sent. The unsubscribe mechanism must be sent using the same electronic means by which the message was sent, and include a link to a website or electronic address to which the request can be sent. The unsubscribe mechanism must be simple and easy to use, and must be accessible for 60 days following receipt of the message. The sender must ensure that any unsubscribe request is implemented within 10 business days.
There are a small number of complete exemptions from the application of CASL, the most important of which are discussed below. Please note that additional exemptions, such as for charitable solicitations and political messages, are not discussed here.
- Personal or family relationship
CASL does not apply to messages sent to narrowly defined classes of family or to those with whom the sender has a close personal relationship, so long as the relationship has previously included direct, voluntary two-way communication.
- Not a commercial electronic message
Messages that do not meet the definition of a CEM, as they do not "encourage participation in commercial activity," or are not sent to an "electronic address" are outside the scope of CASL.
- Business to business exemption
Messages sent internally within an organization that concern the activities of the organization are exempt from CASL. More importantly, messages sent from an employee or other representative of an organization to an employee or representative of another organization are exempt if the organizations have an existing relationship and the message concerns the activities of the recipient organization.
- Response to an inquiry or complaint
Any message sent in response to an inquiry or complaint, or which is otherwise solicited by the recipient, is exempt from CASL.
- Satisfying a legal right
Messages sent to enforce a right, satisfy a legal obligation, or provide notice of a legal right, are exempt from CASL. This will include messages sent to collect debts or provide notice of the sender enforcing any contractual right or remedy.
e. Use of third-party lists
CASL does not go so far as to eliminate the possibility of using third-party electronic address lists. However, those using such lists must take caution, as CASL imposes a number of requirements on the use of third-party electronic address lists with respect to opt-outs and disclosure, in addition to those discussed previously in this chapter. A robust agreement is required between the list-provider and user to ensure that these requirements are satisfied, and to provide the list user with assurances that all necessary consents have been obtained and have not been withdrawn. Such an agreement might provide for indemnities against third-party claims arising in connection with misrepresentation or failure to comply with the agreement or with CASL.
f. Amendments to the Competition Act and the Personal Information Protection and Electronic Documents Act (PIPEDA)
CASL also amended the Competition Act in two important ways. First, the amendments make it an offence to send a CEM that is false or misleading in a material respect. Second, the amendments make it an offence to send or make a false or misleading representation in the sender information, subject matter information, uniform resource locator (URL) or other locator of a CEM. This latter amendment may make it difficult for businesses to include claims that require qualification, or a disclaimer, in the subject lines or URLs of CEMs, as it may be impossible to effectively include such qualifying language in the limited space.
Additionally, CASL amended PIPEDA to ensure that PIPEDA's exceptions to the requirement for consent to collect, use and disclose personal information do not apply where electronic addresses are collected by the use of a computer program created expressly for that purpose, or where any personal information is collected or used by accessing a computer system in contravention of an act of Parliament. CASL requires the Office of the Privacy Commissioner of Canada, Competition Bureau and CRTC to consult one another and to co-ordinate their CASL enforcement activities.
g. Enforcement to date
Since CASL came into force, the CRTC has received hundreds of thousands of complaints. The CRTC has indicated it will review these complaints, and will take action where appropriate.
The CRTC enforces CASL. Its actions have included issuing one notice of violation that imposed a $1.1-million penalty for an alleged violation of the consent requirement under CASL and for using an unsubscribe mechanism that did not function. Since CASL came into force, enforcement efforts have resulted in penalties of over $1.75 million. In July 2018, the CRTC took enforcement action, for the first time under CASL, to combat the installation of malicious software through online ads. This was also the first enforcement action against an organization for aiding CASL violations committed by its customers. The two online advertising companies involved were required to pay $100,000 and $150,000 in penalties, respectively.
The CRTC has also entered into a series of undertakings with companies for violations of CASL. In particular, it alleged that each of these companies had sent CEMs to individuals - including in some instances their own registered users - that included an unsubscribe mechanism that was not "clearly and prominently set out" and that could not be "readily performed," as well as a variety of consent defects. The penalties imposed via undertaking have ranged from $48,000 to $200,000. In June 2017, a CEO was found personally liable for noncompliant CEMs by a group of companies under his direction.
In 2018, two companies were subject to undertakings that included the implementation of a compliance program and in one case monetary compensation of $100,000. In the former case, the CRTC found that it was not possible to unsubscribe from all messages with just one operation, contrary to CRTC regulations. In the latter case, the request for consent was alleged to have contained a number of deficiencies.
In June of 2017, the government indefinitely suspended the commencement of a private right of action that was scheduled to come into force on July 1, 2017. The private right of action would have allowed any individual or organization who alleged they had been affected by a CASL contravention to bring an action seeking their actual loss or damages, and a penalty of $200 for each contravention, not to exceed $1 million for any day on which a contravention took place. The government explained its decision was in response to broad-based concerns raised by businesses, charities and the not-for-profit sector.
CASL then underwent a parliamentary review, with the House of Commons Standing Committee on Industry, Science and Technology issuing a report in December 2017 titled "Clarifications Are in Order". The Committee recommended changes to CASL to clarify its scope and application, to reduce the cost of compliance and to better focus enforcement. The report encourages the government to: adopt a short title for the Act; clarify certain definitions and provisions in the Act; increase education and transparency regarding its CASL enforcement process; investigate further the impact of a private right of action; and for the CRTC to share information with domestic law enforcement agencies.
The government responded in April 2018 with a commitment to work further on these issues with a diversity of stakeholders to identify concrete solutions, while maintaining a balance between protecting Canadians from spam and other electronic threats, and at the same time minimizing the cost and administrative burden of compliance for Canadian organizations subject to CASL.
3. Installation of computer programs
a. Consent to install a computer program
Section 8 of CASL requires anyone who installs, or causes to be installed, a computer program on another person's computer system, in the course of commercial activity to obtain the prior express consent of the owner, or an authorized user, of that system in the manner prescribed by CASL.
The CRTC considers CASL not to apply where the owner or authorized user of a computer system intentionally installs software on their computer system. CASL applies, however, where a computer program or a subset of a program is installed without the knowledge of the owner or authorized user of the computer system. CASL also applies where a previously installed computer program causes updates to be installed automatically without the user's knowledge and intent.
The application of CASL's software provisions does not stop at Canada's borders. Section 8 applies to anyone who installs software in Canada, and to persons inside Canada who install software on computer systems outside of Canada. In both cases, the installation must be done in the course of commercial activity for CASL's software provisions to apply.
CASL uses the terms "computer system" and "computer program" broadly. Under CASL, a "computer system" means a device - or a group of interconnected or related devices - that contains computer programs or other computer data, and that performs a logic and control function pursuant to computer programs. As a result, computer systems may include automobiles, industrial equipment, smart appliances and other consumer products that may not normally be considered to constitute "computer systems." CASL considers "computer programs" to include data that when executed in a computer system cause it to perform a function, including both software applications and updates to them.
b. Computer program consent requirements
CASL requires the following information to be clearly and simply set out when consent to install a computer program is sought:
- The reason why consent is sought
- The name by which the person or organization requesting consent carries on business, or that person's legal name, and if applicable the name of any person or organization on whose behalf consent is sought and an indication who is seeking consent for whom
- The mailing address and one other piece of contact information (i.e., telephone number, email address or web address) for the person or organization seeking consent or any person on whose behalf consent is sought
- A statement indicating that the person whose consent is sought can withdraw their consent
- A description of the function and purpose of the computer program to be installed
The person who obtains consent should keep a record of it, as that person will bear the onus of proving the consent once the computer program is installed.
c. Deemed consent
CASL deems the computer system's owner or authorized user to have expressly consented to the installation of a computer program if that person's conduct is such that it is reasonable to believe that he or she did consent to the installation, and the computer program is:
- Software installed by a telecommunications service provider solely to protect the security of all or part of its network from a current and identifiable threat, or to update or upgrade all or part of its network
- Software installed solely to correct a failure in a computer system or a program installed on it
d. Additional disclosure and consent requirements
CASL imposes additional disclosure and consent obligations where the computer program being installed performs any one of a list of prescribed functions - provided that the person installing the computer program knows and intends such functions will cause the computer system to operate in a manner that is contrary to the reasonable expectations of the owner or authorized user of the computer system.
The prescribed computer program functions are:
- Collecting personal information stored on the computer system
- Interfering with the user's control of the computer system
- Changing or interfering with settings, preferences, or commands already installed or stored on the computer system without the knowledge of the user
- Changing or interfering with data that is stored on the computer system in a manner that obstructs, interrupts or interferes with lawful access to or use of the data
- Causing the computer system to communicate with another computer system without authorization of the user
- Installing a computer program that may be activated by a third party without the knowledge of the user
- Performing any other function listed in CASL's regulations
When the foregoing applies, the person seeking to install the computer program must provide the computer system's owner or authorized user with a description of the material elements of the computer program that perform the specified function(s) - including the nature and purpose of those elements, and their foreseeable impact. These elements must be brought to the attention of the owner or authorized user of the computer system clearly and prominently - separate from other information provided in a request for consent, and separate from the software licence agreement.
The person seeking to install the computer program must also obtain written acknowledgement (in paper or electronic form) that the person from whom consent is sought understands and agrees that the program performs the specified functions. The request for consent must not be bundled with requests for consent to general terms and conditions of use or sale, and must be separate from any consent requested under CASL's CEM provisions.
CASL provides an exception to these enhanced consent and disclosure requirements where the specified computer program function only collects, uses or communicates transmission data. For CASL's purposes, "transmission data" means data that:
- Relates to the telecommunications functions of dialing, routing, addressing or signalling
- Either is transmitted to identify, activate or configure an apparatus or device (including a computer program) to establish or maintain a communication, or is generated during the creation, transmission or reception of a communication and identifies or purports to identify the type, direction, date, time, duration, size, origin, destination or termination of the communication
- Does not reveal the substance, meaning or purpose of the communication
e. Additional obligations
CASL imposes additional obligations on a person or organization that installs a computer program on another person's computer such that the "enhanced disclosure and consent" requirements outlined above apply.
For one year after such installation, the person who installed the computer program must ensure that the consenting person is provided with an electronic address through which they can request to remove or disable the program if they believe that its function, purpose or impact was not accurately described when consent was requested.
If the consent was given based on an inaccurate description of the program's material elements, then the person who installed the program must assist the person who gave the consent to remove or disable the computer program as soon as feasible, without cost to the person who gave the consent. This assistance is required where the person who gave the consent requests it within one year after installation.
f. Updates and upgrades
Software updates and upgrades involve the replacement or supplementation of a computer program's software with newer software in order to improve the program or bring it up to date. In the course of commercial activity, where an update or upgrade is being installed on someone else's computer, the consent of the owner or authorized user of the computer must be obtained in accordance with CASL.
g. Transition provisions
CASL provides a transition period for updates and upgrades to computer programs that were installed prior to the effective date of CASL's computer software provisions. Programs that were installed before January 15, 2015, may be upgraded or updated without express consent until January 15, 2018. In these circumstances, CASL provides that the necessary consent is implied. However, if the computer system's owner or authorized user withdraws their implied consent for such updates and upgrades, their choice must be respected. After the expiry of the three-year transition period, express consent will be required to install updates and upgrades to existing computer programs - except where one of the other exceptions applies.
The CRTC has also indicated that "valid, express" consents provided prior to January 15, 2015, with respect to the installation of a computer program may be relied on after January 15, 2015.