Canada’s new anti-spam law applies to “commercial electronic messages” (also known as CEMs) as of July 1, 2014. CEMs include e-mails and text messages.

The general rule under the new anti-spam law is that a person is prohibited from sending a CEM  unless (i) the recipient has consented to receiving it (either express or implied consent), and  (ii) the message complies with the content requirements under the anti-spam law (e.g., the message  must include an unsubscribe mechanism that complies with the new rules).

The penalties for non-compliance with the new law are harsh: the maximum penalty is $1,000,000 per  violation by an individual and $10,000,000 for violation by an organization.

The new law also affects other activities such as the installation of computer programs on a  recipient’s computer.

When is a Message a CEM?

  1. The Definition

The information that is contained in the e-mail or other electronic message is the key  determination of whether it constitutes a CEM. If the content of the message, hyperlinks in the  message to other content, or the contact information in the message would cause a reasonable person  to conclude that the purpose of the message (or one of its purposes) is to encourage participation  in a “commercial activity”, then the message is a CEM.

Included as CEMs are electronic messages that: (i) offer to purchase, sell, barter or lease a  product, goods, a service, land or an interest or right in land; (ii) offer to provide a business,  investment or gaming opportunity; (iii) advertise or promote anything referred to above; or (iv)  promote a person, including the public image of a person, as being a person who does anything  referred to above, or who intends to do so.

A “commercial activity” is broadly defined in the anti-spam law to be any particular transaction,  act or conduct, or any regular course of conduct that is of a commercial character whether or not  the person who carries it out does so in the expectation of profit (other than any transaction, act  or conduct that is carried out for the purposes of law enforcement, public safety, the protection  of Canada, the conduct of international affairs or the defence of Canada).

Although the source of the electronic address of the recipient may be an important consideration  for privacy law purposes, Canada’s new anti-spam law focused not on how the address of the  recipient was obtained, but on the content of the message, and what a reasonable person would  conclude about the content. A business should nonetheless ensure that it complies with privacy laws  regarding its choice of recipients of electronic messages.

  1. Exemptions

Even though an e-mail or other electronic message may be a CEM, the new law contains a number of  exemptions such that a message may not be caught by the new rules and may have a complete safe  harbour. Several of these exemptions are obvious and include responses to commercial inquiries,  family or personal communications, internal business communications, and legal communications. Two  key exemptions are:

  1. Business to business communications. CEMs sent between different organizations (or their  employees, representatives or consultants) are exempt provided the organizations have a  relationship, and the message concerns the activities of the recipient organization. The term  “relationship” is not defined, and at this early stage we do not know how it will be interpreted.
  2. Charities or Political Fundraising. If the CEM has the primary purpose of raising funds for  a registered charity or political fundraising, it will be exempt.

Requirements for Express or Implied Consent

Because a CEM is defined very broadly and the exemptions are relatively narrow, many businesses  will be forced to abide by the rule that a CEM may only be sent to a person if that person has  given express consent, or consent can be implied under the circumstances. If express or implied  consent exists, the e-mail may be sent to the recipient. However, the e-mail must comply with the  content requirements under the new anti-spam law including an easy-to-use unsubscribe mechanism  (discussed in further detail in Section 4 below).

  1. The Onus of Proof is on the Sender

One of the biggest challenges facing businesses who wish to market their activities after the new  anti-spam law comes into force is that the onus of proving consent, including implied consent, is  on the person who claims that they have consent. In other words, the evidence must be very clear  that consent has been obtained in a manner that complies with the new rules.

If a business does not have good documented evidence of implied consent, it may choose to seek  express written consent in order to avoid risks.

  1. How to Request Express Consent

All requests for consent, whether written or oral, must include the following information:

  1. the business name of the person seeking consent or such person’s actual name (if a business  name is not used);
  2. if the consent is sought on behalf of another person, the name of the person on whose behalf  consent is sought (the person’s business name or, if a business name is not used, the actual name);
  3. if consent is sought on behalf of another person, a statement clarifying who is seeking  consent and on whose behalf consent is sought;
  4. with respect to the person seeking consent (or the person on whose behalf consent is sought),  the mailing address, and either a telephone number (providing access to an agent or a voice  messaging system), an e-mail address or a web address;
  5. the purpose or purposes for which consent is sought; and
  6. a statement indicating that the person whose consent is sought can withdraw their consent. 

The above items must be set out clearly and simply.

The Canadian Radio-television and Telecommunications Commission (CRTC) enforces many important  aspects of the new law. It has suggested that if a person obtains valid express consent prior to  the legislation coming into force on July 1st, the express consent may be relied upon after the  legislation comes into force, even if the request for consent did not contain the requisite  identification and contact information (i.e., i. to iv. above).

The request for consent must nonetheless clearly and simply contain a statement that the person  whose consent is sought can withdraw the consent, and must set out the purpose or purposes for  which consent is being sought.

  1. Oral Consent

Oral express consent is permitted, but it may be difficult for a business to discharge the onus of  proof. A complete and unedited audio recording of a consent or verification of oral consent by an  independent third party in all likelihood would discharge the onus of proof. In situations where  the evidence is less certain, the risk increases for a business that chooses to rely upon oral  consent. In situations where the evidence is less certain, the risk increases for a business that chooses to  rely upon oral consent.

  1. Implied Consent

Consent may be implied for the purposes of the new anti-spam law only if the specific requirements  in the new law are met – a general rule does not exist that consent may be reasonably implied under  the circumstances. Implied consent is not an open concept.

Consent is implied in several circumstances as defined in the new law including in cases where the  parties have an “existing business relationship” (for commercial organizations) or an “existing  non-business relationship” (for charities and other non-commercial organizations) as defined in the  new rules. Two key situations where consent is implied are:

  1. Business dealings: An existing business relationship exists and consent is implied if there  has been a purchase or lease of products or services in the last two years, a contract between the  parties exists or expired in the last two years, or if the recipient has made an inquiry or  application to the sender in respect of business matters in the last six months. In order to rely  upon implied consent under these circumstances, businesses must track their last dealings with  their contacts; each of the six-month period and two-year period is calculated from the date on  which each CEM is sent.
  2. Disclosure of address: Consent is also implied where the recipient has disclosed their  address to the sender, has not indicated they do not wish to receive commercial messages, and the  message is relevant to the recipient’s business or official capacity. This exception is sometimes called the “business card exemption” but  it can extend to circumstances beyond receipt of a business card at a business networking function.
  1. A Three-Year Grace Period Exists

For the first three years under the new law (i.e., until June 30, 2017), consent to a CEM will be  implied where, as of July 1, 2014, there was an existing business or non-business relationship,  regardless of when that relationship may have last been active (i.e., without reference to the two  year or six month time periods referred to paragraph (d) above), provided the recipient does not  withdraw consent, and also provided that the relationship included the exchange of CEMs such as  e-mails.

Content and Unsubscribe Requirements

A business that is in a position to send a CEM to a recipient because the appropriate express or  implied consent exists must comply with the content requirements under Canada’s anti-spam law.

The message must contain an unsubscribe mechanism that complies with the new rules, and the  following information must be set out in the electronic message:

  1. the business name of the sender of the CEM or the sender’s actual name (if a business name is  not used);
  2. if the message is sent on behalf of another person, the name of the person on whose behalf  the CEM is sent (the person’s business name or, if a business name is not used, the actual name);
  3. if the message is sent on behalf of another person, a statement clarifying who is sending  the CEM and on whose behalf it is sent; and
  4. with respect to the sender (or the person on whose behalf the message is sent), the mailing  address, and either a telephone number (providing access to an agent or a voice messaging system),  an e-mail address or a web address.

If it is not practicable to include the above information and the unsubscribe mechanism in the  message, that information may be posted to a web page that the recipient can readily access at no  cost to the recipient by means of a link that is currently and prominently set out in the message.

All of the above information together with the unsubscribe mechanism must be set out clearly and  prominently.

The unsubscribe mechanism must be able to be readily performed, and the CRTC considers that an  example of an unsubscribe mechanism that can be readily performed is a link in an e-mail that takes  the user to a web page where he or she can unsubscribe from receiving all or some types of CEMs  from the sender.

The unsubscribe mechanism that is contained in the electronic message or a link to a web page must  be valid for a minimum of 60 days after the message has been sent, and if a person unsubscribes,  the sender of the message must give effect to the unsubscribe request without delay and in any  event within 10 business days.

According to the CRTC, the recipient must be required to actively check a box or click an icon in  order to give express consent – pre- checked boxes will not be considered valid. If a recipient is  asked to consent to general terms of use or sale, the recipient must still be able to refuse  consent to receiving CEMs. In other words, it is a good practice that a request for consent to CEMs  not be bundled with other requests unless the recipient can deal with the request for consent  separately. other requests unless the recipient can deal with the request for consent separately.

What Should a Business Do Next?

For many businesses, Canada’s new anti-spam law poses substantial challenges to e-mail and other  electronic message marketing practices.

Steps that can be taken to manage compliance with the law include:

  1. Identify CEMs. The types of electronic messages that are sent by a business should be reviewed  in order to determine whether they are CEMs and therefore caught by the new anti-spam law.  Exemptions that might apply should also be considered (see Section 2(b) above).
  2. Review each database for consents. Each e-mail or other electronic message database should be  reviewed to determine whether express or implied consent to receipt of CEMs exists regarding the  contacts identified in the database. If it is not feasible to do so, a campaign to obtain express  consents becomes critical.
  3. Get express consent before the deadline. Many businesses will be sending out e-mail requests  for express consent   prior to the July 1st  deadline. If the e-mail is sent before July 1st, no  consent to the e-mail is required from the recipient. On  the  other  hand,  if  the  request  for   consent  is  e-mailed  on  or  after  July  1st,  the  consent  of  the  recipient  to  the e-mail  will be required (either express or implied consent in accordance with the new rules), unless an  exemption applies. Consent may also be obtained orally or in writing (as opposed to electronically)  and a business should consider the feasibility of obtaining such consent.
  4. Establish appropriate data management. Robust data management is required in order to keep  databases in compliance with the new anti-spam law. Although express consents are not subject to  expiry, many types of implied consents are subject to expiry (although both may be revoked). In  light of the three-year grace period (see Section 3(e) above), certain implied consents will not  expire within the first three years after July 1, 2014 (namely, July 1, 2017). However, after the grace period expires, the database will need to track  the deadline for each implied consent. New contacts that are added to the database must be  identified and tracked regarding express or implied consents (including any revocations of  consent).
  5. Prepare a format for CEMs. Commencing on July 1st, all CEMs (including CEMs that request  consent) must comply with the content requirements under new anti-spam law including that unsubscribe mechanisms must  meet all anti-spam law requirements.
  6. Document your Compliance Efforts. Because the onus of proving consent is on the person who  claims consent (see Section 3(a) above), businesses should document their efforts to comply with  the new law so that, in the event of a complaint, they can discharge the onus of proof imposed upon them.