The Canadian Anti-Spam Law (“CASL”) has been with us now for five years and it has been over 15 years since the Personal Information Protection and Electronic Documents Act (“PIPEDA”) came into force. Then why is CASL and privacy compliance still so fraught with uncertainty and complexity?
While there is no simple answer, two of the more salient factors include ever-changing technology and expanding regulation. The Digital Privacy Act (Canada), the European General Data Protection Regulation (GDPR) and the California Consumer Privacy Act as fairly recent examples are all having a significant impact on Canadian organizations, for a number of reasons. Additionally, public expectation and opinions are always changing, which is continuously fueled by high-profile mistakes.
Relying on implied consent and exceptions contained in the legislation without considering basic privacy principles and the underlying purposes of privacy law, can lead to unwanted complaints as well as enforcement; an important lesson learned from past enforcement of CASL and PIPEDA.
Use caution when relying on “business-to-business” based exceptions & implied consent
As a general statement, CASL prohibits the sending of Commercial Electronic Messages (“CEMs”) without the consent of the recipient, unless one of the exceptions in CASL or its regulations applies. PIPEDA prohibits the collection, use, and disclosure of personal information without consent and in the absence of applicable exception. Both regimes contain definitions and exemptions that, on the one hand, allow for certain marketing activities to take place that would otherwise be prohibited and, on the other, ensure these exemptions are properly curtailed. Therein lies the complexity, which we will highlight in this article.
There are three main exemptions related to collecting email addresses and using them to send CEMs:
- Business-to-Business (CASL)
- Implied Consent (CASL and PIPEDA)
- Referral (CASL)
Organizations would be well-advised to be quite diligent and cautious when relying on these exceptions, as navigating the legislative framework can be complex and quite perilous. For example, see the investigation into the practices of Compu-Finder (PIPEDA Report of Findings #2016-003 and CRTC Decision 2017-368) and more recently, a case involving the implementation of “unsubscribe mechanisms.”
The Digital Privacy Act amended PIPEDA in important ways beyond the mandatory breach provisions, which came into force in November 2018. It introduced an exception to the definition of “Personal Information”, exempting so-called “business card information” from its scope. It is absolutely crucial to remember that this is not a clean carve-out. PIPEDA is a principle-based law; processing of personal information of any kind is viewed through the lens of those principles, including how information is collected, used, and disclosed, for what purposes, and under what authority. The business card exemption applies only where that business card information (e.g. business email address) is used “solely for the purposes of communicating or facilitating communication with the individual in relation to their employment, business or profession.”
Connected to this issue is whether individuals have provided implied consent to having their emails: (a) collected (under PIPEDA), and b) used to receive CEMs. CASL lays out the conditions for implied consent, most notably, where a recipient has “a conspicuously published email address and has not indicated they do not wish to receive commercial messages and the message relates to the person’s business role or function.”
Under PIPEDA’s “publicly available” exemption, Principle 4.3 (requiring consent) does not apply to email addresses that are publicly available. However, PIPEDA specifically qualifies this exemption via its so-called “harvesting” provisions that were added when CASL came into force. “Harvesting” means creating software to scour the internet and collect email addresses for commercial uses. Even in cases where an email is public and the message concerns the profession of that recipient, if the email was “harvested,” then the sender cannot rely on the PIPEDA exemption.
- Beware of considering all business card information to be outside the scope of PIPEDA – this exemption must be seen in the context in which the information is collected or used.
- Even if an email address may be posted publicly, this alone should not automatically lead to the conclusion that it can be collected and used for all CEMs.
- Systematic collection of publicly available email addresses without consent may violate PIPEDA and its basic underlying principles.