CANADA'S ANTI-SPAM LAW
By Tricia Kuhl and Wendy Mee, Blake, Cassels & Graydon LLP
Canada's anti-spam legislation (CASL) is generally regarded as one of the strictest anti-spam laws in the world. This article explains the legislation and walks through some real-world scenarios to demonstrate compliance.
CASL prohibits the sending of a commercial electronic message (CEM) to an electronic address unless the person to whom the message is sent has consented to receiving it and the message complies with prescribed form and content requirements. A CEM is defined broadly as an electronic message (e.g. email, text message, social media message) that has as its purpose, or one of its purposes, to encourage participation in a commercial activity.
In general, consent to receive a CEM must be express (i.e. opt-in) and cannot be bundled with consent to general terms and conditions of purchase or sale (it must be sought separately). To be valid, a request for express consent must set out "clearly and simply":
1. The purpose for which consent is being sought
2. Specific information about the person seeking consent and, if applicable, the person on whose behalf consent is being sought
3. A statement that the recipient can withdraw their consent
Although CASL generally requires express consent, consent may be implied in limited circumstances, such as where the sender and recipient have an "existing business relationship" as that term is defined by the legislation.
* The full text of the law is available at http://laws-lois.justice.gc.ca/eng/acts/E-1.6/index.html.
Blake, Cassels & Graydon LLP | August 2018 | blakes.com
Note that CASL deems an electronic message requesting consent to send CEMs to be itself a CEM, which means that a request for express consent cannot be sent by email or other electronic means unless the sender already has consent or an exemption applies.
In addition to the consent requirement, CEMs must comply with prescribed form and content requirements. In particular, each CEM must include specific information about the person sending the message and, if applicable, the person on whose behalf the message is sent. Each CEM must also provide an "unsubscribe" mechanism that meets prescribed requirements. Certain messages may be exempt from CASL's anti-spam provisions altogether while others may be exempt from the consent requirement only. These exemptions are summarized in the sidebar on page 3.
Subject to limited exceptions, the law applies to all businesses that send CEMs to (or from) computer systems located in Canada. Companies and individuals located anywhere in the world can therefore be exposed to liability under this legislation.
The potential penalties for non-compliance with CASL are significant and include administrative monetary penalties of up to C$1-million for individuals and C$10-million for corporations per violation. It is also an offence "to aid, induce, procure or cause to be procured the doing of any act contrary to" certain sections, including the provisions relating to sending CEMs. Directors, officers, and agents who have directed, assented to, acquiesced in, or participated in the violation(s) may be held personally liable.
CASL also contains provisions regarding the unsolicited installation of computer programs, which have not been discussed in this paper.
To demonstrate how CASL may affect you, consider the following scenarios.
SCENARIO 1: A customer purchases a product from your online store. During the checkout process, the customer provides his or her e-mail address for the purposes of obtaining an e-receipt. Can you add this customer to your marketing list?
Yes, but only for the two-year period immediately following such purchase.
Consent to receive CEMs is implied where the sender and recipient have an "existing business relationship" as defined by the legislation. An existing business relationship exists where the sender and recipient have engaged in certain specified types of business together in the two years preceding the date on which the CEM is sent (for example, the purchase or lease of a product, or existence of a written contract) or where the recipient of the CEM has made an inquiry to the sender in the previous six months.
In Scenario 1, consent is implied, but only for the two-year period immediately following the purchase (i.e., the period of time during which an existing business relationship can be held to exist) or until the customer unsubscribes.
SCENARIO 2: You are attending a trade show and meet a prospective customer, who gives you her business card. Can you add this customer to your marketing list?
Here, the answer is most likely yes. Consent is implied under CASL where the recipient has disclosed his or her electronic address to the sender without indicating that he or she does not wish to receive CEMs and the CEM is relevant to the person's business, role, functions or duties in a business or official capacity. Accordingly, if the business card includes the customer's e-mail address and she did not ask not to receive CEMs, you can send her CEMs as long as they relate to her business or her role in a business or official capacity.
SCENARIO 3: You buy a marketing list from a vendor who assures you that all individuals whose e-mails are on the list consented to the sharing of their e-mail address with select third-party partners for marketing purposes. Can you use this list?
It depends. CASL provides that a person may, on behalf of an unknown third party, obtain the express consent of a person to receive CEMs from the unknown third party, as long as certain (somewhat burdensome) conditions set out in CASL and its accompanying regulations are met.
As noted above, a request for express consent under CASL must include specific information about the person seeking consent and, if applicable, the person on whose behalf consent is being sought. When express consent is sought on behalf of an unknown third party, CASL allows for the provision of information about the person seeking consent only. However, in this instance, the person seeking consent and the unknown third party must comply with additional conditions imposed by the regulations in order to be able to rely on this consent. Namely, the person who obtained the consent must ensure that the unknown third party (authorized user) includes in any CEM sent relying on such consent: (i) the identity of the person who obtained the consent; and (ii) an unsubscribe mechanism that, in addition to meeting the prescribed requirements for all unsubscribe mechanisms, allows the recipient to withdraw his/her consent from the person who obtained consent or any other person who is authorized to use it. The person who obtained consent is responsible for ensuring that authorized users communicate unsubscribe requests back to the person, and the person must communicate those requests to all other authorized users.
SCENARIO 4: Your organization offers court reporting services to law firms in Toronto, and you would like to send an e-mail to litigators at Toronto law firms to inform them of your services. Can you?
Yes, provided the litigators have "conspicuously published" their e-mail addresses on their website, and there is no notice that they do not want to receive unsolicited CEMs. Consent to receive CEMs is implied under CASL where a recipient has "conspicuously published" his or her electronic address, the publication is not accompanied by a statement that the recipient does not wish to receive unsolicited CEMs, and the CEM is relevant to the person's business, role, functions or duties in a business or official capacity. Be aware that automatic harvesting of e-mail addresses is prohibited by CASL and other statutes, so you must collect this information manually.
While CASL is quite broad, it is not all-encompassing. The following are exempt from CASL's anti-spam provisions:
CEMs between those with a personal or family relationship (as defined by CASL)
CEMs responding to an inquiry, request, or complaint
CEMs within organizations, or between organizations in an existing relationship, if the message concerns the activities of the recipient organization
CEMs that deliver legal notices
CEMs from electronic messaging services provided certain conditions are met
CEMs from secure limited-access accounts where messages can only be sent by the person who provides the account (e.g. message centres in online banking accounts)
CEMs sent from Canada to one of a list of prescribed foreign countries so long as the messages comply with the law of the recipient country that addresses conduct that is substantially similar to conduct prohibited under CASL
CEMs for fundraising by charities and political parties
The following messages are exempt from CASL's consent requirement, but not its form and content requirements. In each case, in order to benefit from the exemption, the activity described below must be the message's sole purpose:
CEMs that provide a requested quote or estimate for the supply of a product, good or service
CEMs that facilitate, confirm or complete a commercial transaction that the recipient previously agreed to enter into
CEMs that provide warranty, product recall, or safety information on a product or service used by the recipient
CEMs offering factual information about an ongoing subscription, membership, account, or loan
CEMs delivering information about the recipient's employment or benefit plan
CEMs delivering a product or service, including updates/upgrades, as part of a pre-existing, agreed-upon transaction
SCENARIO 5: You are a strictly online business and communicate with customers by e-mail and text message only. After a customer purchases a product, you send the transaction receipt by email or text message. Will this have to change because of CASL?
You can still send the transaction receipt by email or text message but you may need to make changes to the message itself to comply with CASL's form and content requirements (discussed above).
CEMs that are sent to satisfy a legal or juridical obligation are exempt from CASL altogether.
Accordingly, if you have a legal obligation to send the transaction receipt, the message may be exempt.
If you are not legally obligated to send the transaction receipt, the message may still be exempt from CASL's consent requirement, since CEMs that solely facilitate, complete, or confirm a commercial transaction where the recipient previously agreed to enter into the transaction are exempt from CASL's consent requirement but are still subject to CASL's form and content requirements.
ABOUT THE AUTHORS
Tricia Kuhl is a partner in the Blakes Montréal office. Her practice focuses on mergers and acquisitions, corporate and commercial matters, and intellectual property law. She represents clients in the pharmaceutical, technology, fashion and renewable energy industries. Tricia has advised clients in the technology sector on complex arrangements relating to all aspects of intellectual property and privacy concerns. She also advises clients in relation to Canada's anti-spam legislation.
Wendy Mee is a partner in the Blakes Toronto office. She practices primarily in the area of privacy law, where she advises a wide range of clients, including in the life sciences, financial services, education, retail, food and consumer goods sectors, on a variety of privacy and data protection issues. Wendy also advises clients on marketing and advertising issues generally, including in respect of Canada's anti-spam legislation, the CRTC's do not call rules, misleading advertising and contests and promotions.
ABOUT THE FIRM
As one of Canada's top business law firms, Blake, Cassels & Graydon LLP (Blakes) provides exceptional legal services to leading businesses in Canada and around the world.
CONCLUSION: COMPLIANCE CHECK UP
The Canadian Radio-Television Commission (CRTC) is responsible for the enforcement of CASL's anti-spam provisions, and has been active in its enforcement efforts to date. Penalties for non-compliance with CASL's anti-spam provisions have ranged from C$15,000 (for an individual) to up to C$200,000 for a corporation.
With enforcement action already underway, it is a good time for a "compliance check up". Here are six questions you should be asking:
1. Have you reviewed the types of electronic messages that your organization sends out and determined which ones are subject to CASL?
2. Have you updated your consent language to ensure that it complies with CASL's requirements for requests for express consent?
3. Have you implemented a system to track and document implied consents so that you can stop sending CEMs when an implied consent expires?
4. Do you include a fully operational unsubscribe mechanism that meets the requirements of CASL in each CEM that your organization sends out?
5. Have you developed and implemented policies and procedures for compliance with CASL and trained your employees? Companies that can demonstrate that they exercised due diligence to prevent a violation of CASL may be able to mitigate their potential liability.
6. Have you reviewed and revised contracts with vendors and referral sources to ensure they are contractually obligated to comply with CASL?