On July 1, 2014, the central provisions of the Canadian Anti-Spam Law (“CASL”) came into force. 1 These provisions generally prohibit the sending of a Commercial Electronic Message (“CEM”) without a recipient’s express consent, and unless the CEM contains certain sender identification information and an effective unsubscribe mechanism. CASL provides a number of nuanced exceptions to the express consent requirements of the law. The primary enforcement agency of CASL is the Canadian Radio-television and Telecommunications Commission (CRTC). The CRTC has several compliance tools to enforce CASL, including the issuance of Administrative Monetary Penalties (AMPs) against individuals and organizations that have violated CASL’s provisions.
Due to CASL’s broad applicability, exacting standards, and potentially severe financial penalties, companies that do business in Canada are advised to implement appropriate compliance measures to address the provisions of CASL. Companies sending emails to recipients in Canada must tailor their compliance programs to CASL’s complex set of consent exceptions and patchwork of guidelines, interpretations, and enforcement actions. To date, the CRTC has brought only a handful of major CASL enforcement actions, but many investigations are ongoing. Further clarification with regard to the most heavily utilized exceptions is expected. In October 2016, the CRTC assessed the scope of the “conspicuously published” implied consent exception in its first Compliance and Enforcement Decision (CRTC 2016-428).
The maximum AMP that the CRTC can assess against a company for a violation of CASL.2
The largest AMP that has been issued since CASL came into force in July 1, 2014.3
CASL related complaints filed with the CRTC between July 1, 2014 and January 6, 2015.4
July 1, 2017
The date that a private right of action for CASL violations becomes available.5
1. CASL does not apply to electronic messages sent:
- Internally within an organization.
- Between organizations in a relationship, where the message concerns the recipient.
- In response to an inquiry from the recipient.
- To satisfy a legal right or obligation.
- From Canada and accessed in another “listed” country, and the message complies with the “listed” country’s spam laws.
- By a sender who has a “family” or “personal” relationship with the recipient.
- By or on behalf of a charity soliciting donations.
- By or on behalf of a political party soliciting donations.
2. CASL applies, but consent is not required where a CEM only:
- Provides a quote or estimate.
- Facilitates, completes, or confirms an existing transaction.
- Provides a warranty, a product recall, or safety information.
- Provides factual information about products or services.
- Delivers products, updates, or upgrades that the recipient is entitled to receive.
3. CASL applies, but consent from the recipient is implied where:
- The recipient and sender have an “existing business relationship.”
- The recipient and the sender have an “existing non-business relationship.”
- The recipient has conspicuously published or provided his or her email address.
Questions to consider when evaluating CASL:
- Have you performed an assessment of your organization’s electronic communications to determine if they qualify as CEMs?
- Do any consent exceptions apply to your organization or your organization’s CEMs, or do you have a special relationship with the recipient such that consent is implied?
- If no consent exception applies, have you implemented a procedure to capture “express consent,” including providing: (i) the purpose of requesting consent; (ii) the name of the entity requesting consent; (iii) a mailing address plus phone number, email, or web address; (iv) a statement that consent can be withdrawn; and (v) an affirmative opt-in mechanism?
- Do your CEMs include the required sender indemnification information and a functioning unsubscribe mechanism?
- Do you honor all requests to unsubscribe within 10 days?
- Does your mailing list include any recipient that has either unsubscribed from your CEMs or no longer qualifies for a consent exception?
- Do you scrub your mailing list against your organization’s “do not e-mail list”?
- Have you implemented procedures to test the effectiveness of your unsubscribe mechanism?
- Have you reviewed your vendor contracts to determine each party’s responsibilities with regard to CASL compliance?
- Does your CASL compliance program include senior management involvement, a written policy, risk assessments, record keeping, staff training, and a complaint-handling process?