The Canadian Radio-television and Telecommunications Commission (CRTC) is gearing up for Canada’s anti-spam legislation (CASL), which is expected to come into force sometime in 2013. The CRTC, charged with most of the oversight of the new act, released two Bulletins that provide guidance on sending commercial electronic messages, including emails and text messages (e-messages):

Compliance and Enforcement Information Bulletin CRTC 2012-548

Compliance and Enforcement Information Bulletin CRTC 2012-549

Express Consent Mandatory (Pre-Checked Boxes No Longer Acceptable)

CASL generally requires express consent to send e-messages, alter transmission data, and install and update computer programs. There are a few limited exceptions where consent will be implied. For example, emails can be sent if the sender and receiver had a business relationship within the last two years.

The common practice of pre-checking boxes can no longer be relied on to obtain express consent to send e-messages in Canada. The CRTC guidelines state that the consumer must do something to explicitly indicate their consent. Default opt-in consent will not be sufficient. For example, if a default toggle (selection option) assumes consent by pre-checking a box or auto-filling in an email address, the CRTC considers there to be no express consent. Also, a subscription email, text message, or equivalent cannot be used to elicit express consent. So, businesses will need to take advantage of the limited other opportunities to elicit express consent, like sign-up pages and customers calling in for support.

Requests for consent must clearly and simply identify the purposes for which the consent to send e-messages is being sought, and the person(s) seeking consent, along with their contact information.

Separate consent must be sought for (i) sending e-messages, (ii) altering transmission data, and (iii) installing computer programs. This means that consent requests cannot be bundled. For example, a customer must be able to consent to the installation of a computer program but not consent to receiving e-messages. It also means that consent requests must stand alone, and cannot, for example, be bundled in with a request that a user accept general terms and conditions.

It is important for businesses to maintain records of express consent. If consent is obtained electronically, there should be a record of the date, time, purpose, and manner of that consent stored in a database.

The CRTC has clarified that consent can be obtained orally provided it can be verified by an independent third party, or there is a complete and unedited recording of the consent that is retained.

Content of E-messages: Identity, Contact Information, and Unsubscribe Mechanisms

E-messages must:

  1. Identify the sender and the person(s) on whose behalf the message is being sent, if different. Intermediaries do not need to be identified (e.g., third party service providers who facilitate the distribution of the e-message, but do not have any role in its content). However, all entities on whose behalf an e-message is sent must be identified, including affiliates.
  2. Include the contact information of the sender, or the person on whose behalf the e-message is sent, if different.
  3. Contain an opt-out mechanism that can be “readily performed” (i.e., accessible without delay) and simple for consumers to use.

If it is not practicable for the e-message itself to contain the above three elements, a link to a readily and freely accessible webpage that clearly and prominently sets out the information and opt-out mechanism can be included in the e-message.

Some are suggesting that the implications of these new requirements are vast. Most email subscription services presume consent in their toggle selections. Popular e-message senders, such as FabFind and Groupon, may now have to include the complete contact information for every party with advertising in a given e-message. Applications and software that historically assumed consent to allow updates and to fix “bugs” on an ongoing basis, now must require the consumer to actively consent to such activities. While comprehensive in scope and stringent in their requirements, it remains to be seen how effective these new regulations will actually be in preventing spam, and how greatly they will hinder businesses and consumers alike.