Canada’s new anti-spam law applies to “commercial electronic messages” (also known as CEMs) as of July 1, 2014. CEMs include e-mails and text messages.
The general rule under the new anti-spam law is that a person is prohibited from sending a CEM unless (i) the recipient has consented to receiving it (either express or implied consent), and (ii) the message complies with the content requirements under the anti-spam law (e.g., the message must include an unsubscribe mechanism that complies with the new rules).
The penalties for non-compliance with the new law are harsh: the maximum penalty is $1,000,000 per violation by an individual and $10,000,000 for violation by an organization.
The new law also affects other activities such as the installation of computer programs on a recipient’s computer.
When is a Message a CEM?
- The Definition
The information that is contained in the e-mail or other electronic message is the key determination of whether it constitutes a CEM. If the content of the message, hyperlinks in the message to other content, or the contact information in the message would cause a reasonable person to conclude that the purpose of the message (or one of its purposes) is to encourage participation in a “commercial activity”, then the message is a CEM.
Included as CEMs are electronic messages that: (i) offer to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land; (ii) offer to provide a business, investment or gaming opportunity; (iii) advertise or promote anything referred to above; or (iv) promote a person, including the public image of a person, as being a person who does anything referred to above, or who intends to do so.
A “commercial activity” is broadly defined in the anti-spam law to be any particular transaction, act or conduct, or any regular course of conduct that is of a commercial character whether or not the person who carries it out does so in the expectation of profit (other than any transaction, act or conduct that is carried out for the purposes of law enforcement, public safety, the protection of Canada, the conduct of international affairs or the defence of Canada).
Although the source of the electronic address of the recipient may be an important consideration for privacy law purposes, Canada’s new anti-spam law focused not on how the address of the recipient was obtained, but on the content of the message, and what a reasonable person would conclude about the content. A business should nonetheless ensure that it complies with privacy laws regarding its choice of recipients of electronic messages.
Even though an e-mail or other electronic message may be a CEM, the new law contains a number of exemptions such that a message may not be caught by the new rules and may have a complete safe harbour. Several of these exemptions are obvious and include responses to commercial inquiries, family or personal communications, internal business communications, and legal communications. Two key exemptions are:
- Business to business communications. CEMs sent between different organizations (or their employees, representatives or consultants) are exempt provided the organizations have a relationship, and the message concerns the activities of the recipient organization. The term “relationship” is not defined, and at this early stage we do not know how it will be interpreted.
- Charities or Political Fundraising. If the CEM has the primary purpose of raising funds for a registered charity or political fundraising, it will be exempt.
Requirements for Express or Implied Consent
Because a CEM is defined very broadly and the exemptions are relatively narrow, many businesses will be forced to abide by the rule that a CEM may only be sent to a person if that person has given express consent, or consent can be implied under the circumstances. If express or implied consent exists, the e-mail may be sent to the recipient. However, the e-mail must comply with the content requirements under the new anti-spam law including an easy-to-use unsubscribe mechanism (discussed in further detail in Section 4 below).
- The Onus of Proof is on the Sender
One of the biggest challenges facing businesses who wish to market their activities after the new anti-spam law comes into force is that the onus of proving consent, including implied consent, is on the person who claims that they have consent. In other words, the evidence must be very clear that consent has been obtained in a manner that complies with the new rules.
If a business does not have good documented evidence of implied consent, it may choose to seek express written consent in order to avoid risks.
- How to Request Express Consent
All requests for consent, whether written or oral, must include the following information:
- the business name of the person seeking consent or such person’s actual name (if a business name is not used);
- if the consent is sought on behalf of another person, the name of the person on whose behalf consent is sought (the person’s business name or, if a business name is not used, the actual name);
- if consent is sought on behalf of another person, a statement clarifying who is seeking consent and on whose behalf consent is sought;
- with respect to the person seeking consent (or the person on whose behalf consent is sought), the mailing address, and either a telephone number (providing access to an agent or a voice messaging system), an e-mail address or a web address;
- the purpose or purposes for which consent is sought; and
- a statement indicating that the person whose consent is sought can withdraw their consent.
The above items must be set out clearly and simply.
The Canadian Radio-television and Telecommunications Commission (CRTC) enforces many important aspects of the new law. It has suggested that if a person obtains valid express consent prior to the legislation coming into force on July 1st, the express consent may be relied upon after the legislation comes into force, even if the request for consent did not contain the requisite identification and contact information (i.e., i. to iv. above).
The request for consent must nonetheless clearly and simply contain a statement that the person whose consent is sought can withdraw the consent, and must set out the purpose or purposes for which consent is being sought.
- Oral Consent
Oral express consent is permitted, but it may be difficult for a business to discharge the onus of proof. A complete and unedited audio recording of a consent or verification of oral consent by an independent third party in all likelihood would discharge the onus of proof. In situations where the evidence is less certain, the risk increases for a business that chooses to rely upon oral consent. In situations where the evidence is less certain, the risk increases for a business that chooses to rely upon oral consent.
- Implied Consent
Consent may be implied for the purposes of the new anti-spam law only if the specific requirements in the new law are met – a general rule does not exist that consent may be reasonably implied under the circumstances. Implied consent is not an open concept.
Consent is implied in several circumstances as defined in the new law including in cases where the parties have an “existing business relationship” (for commercial organizations) or an “existing non-business relationship” (for charities and other non-commercial organizations) as defined in the new rules. Two key situations where consent is implied are:
- Business dealings: An existing business relationship exists and consent is implied if there has been a purchase or lease of products or services in the last two years, a contract between the parties exists or expired in the last two years, or if the recipient has made an inquiry or application to the sender in respect of business matters in the last six months. In order to rely upon implied consent under these circumstances, businesses must track their last dealings with their contacts; each of the six-month period and two-year period is calculated from the date on which each CEM is sent.
- Disclosure of address: Consent is also implied where the recipient has disclosed their address to the sender, has not indicated they do not wish to receive commercial messages, and the message is relevant to the recipient’s business or official capacity. This exception is sometimes called the “business card exemption” but it can extend to circumstances beyond receipt of a business card at a business networking function.
- A Three-Year Grace Period Exists
For the first three years under the new law (i.e., until June 30, 2017), consent to a CEM will be implied where, as of July 1, 2014, there was an existing business or non-business relationship, regardless of when that relationship may have last been active (i.e., without reference to the two year or six month time periods referred to paragraph (d) above), provided the recipient does not withdraw consent, and also provided that the relationship included the exchange of CEMs such as e-mails.
Content and Unsubscribe Requirements
A business that is in a position to send a CEM to a recipient because the appropriate express or implied consent exists must comply with the content requirements under Canada’s anti-spam law.
The message must contain an unsubscribe mechanism that complies with the new rules, and the following information must be set out in the electronic message:
- the business name of the sender of the CEM or the sender’s actual name (if a business name is not used);
- if the message is sent on behalf of another person, the name of the person on whose behalf the CEM is sent (the person’s business name or, if a business name is not used, the actual name);
- if the message is sent on behalf of another person, a statement clarifying who is sending the CEM and on whose behalf it is sent; and
- with respect to the sender (or the person on whose behalf the message is sent), the mailing address, and either a telephone number (providing access to an agent or a voice messaging system), an e-mail address or a web address.
If it is not practicable to include the above information and the unsubscribe mechanism in the message, that information may be posted to a web page that the recipient can readily access at no cost to the recipient by means of a link that is currently and prominently set out in the message.
All of the above information together with the unsubscribe mechanism must be set out clearly and prominently.
The unsubscribe mechanism must be able to be readily performed, and the CRTC considers that an example of an unsubscribe mechanism that can be readily performed is a link in an e-mail that takes the user to a web page where he or she can unsubscribe from receiving all or some types of CEMs from the sender.
The unsubscribe mechanism that is contained in the electronic message or a link to a web page must be valid for a minimum of 60 days after the message has been sent, and if a person unsubscribes, the sender of the message must give effect to the unsubscribe request without delay and in any event within 10 business days.
What Should a Business Do Next?
For many businesses, Canada’s new anti-spam law poses substantial challenges to e-mail and other electronic message marketing practices.
Steps that can be taken to manage compliance with the law include:
- Identify CEMs. The types of electronic messages that are sent by a business should be reviewed in order to determine whether they are CEMs and therefore caught by the new anti-spam law. Exemptions that might apply should also be considered (see Section 2(b) above).
- Review each database for consents. Each e-mail or other electronic message database should be reviewed to determine whether express or implied consent to receipt of CEMs exists regarding the contacts identified in the database. If it is not feasible to do so, a campaign to obtain express consents becomes critical.
- Get express consent before the deadline. Many businesses will be sending out e-mail requests for express consent prior to the July 1st deadline. If the e-mail is sent before July 1st, no consent to the e-mail is required from the recipient. On the other hand, if the request for consent is e-mailed on or after July 1st, the consent of the recipient to the e-mail will be required (either express or implied consent in accordance with the new rules), unless an exemption applies. Consent may also be obtained orally or in writing (as opposed to electronically) and a business should consider the feasibility of obtaining such consent.
- Establish appropriate data management. Robust data management is required in order to keep databases in compliance with the new anti-spam law. Although express consents are not subject to expiry, many types of implied consents are subject to expiry (although both may be revoked). In light of the three-year grace period (see Section 3(e) above), certain implied consents will not expire within the first three years after July 1, 2014 (namely, July 1, 2017). However, after the grace period expires, the database will need to track the deadline for each implied consent. New contacts that are added to the database must be identified and tracked regarding express or implied consents (including any revocations of consent).
- Prepare a format for CEMs. Commencing on July 1st, all CEMs (including CEMs that request consent) must comply with the content requirements under new anti-spam law including that unsubscribe mechanisms must meet all anti-spam law requirements.
- Document your Compliance Efforts. Because the onus of proving consent is on the person who claims consent (see Section 3(a) above), businesses should document their efforts to comply with the new law so that, in the event of a complaint, they can discharge the onus of proof imposed upon them.