On December 15, 2010, Canada passed Canada's Anti-Spam Legislation ("CASL"), one of the world's most stringent anti-spam laws.1 The scope of CASL is not limited to Canadian businesses—it regulates any commercial electronic messages that are sent, routed, or accessed using a computer system located in Canada.2 Although delayed several times, the anti-spam provisions of CASL are set to become effective on July 1, 2014,3 which means U.S. businesses need to act now in order to ensure that they are in compliance with the law by July 1.4

The anti-spam provisions of CASL prohibit the distribution of unsolicited commercial electronic messages unless (i) the message recipient has consented to receiving the message, and (ii) the content and form of the message comply with certain statutory requirements.5 CASL also contains provisions which prohibit altering transmission data in an electronic message so that the message is delivered to a destination other than, or in addition to, the destination specified by the sender unless certain statutory requirements are met.6 Such provisions are intended to prevent, or at least create disincentives, for malicious practices such as pharming.7

Failure to comply with CASL can result in substantial potential liability. The Canadian Radio-Television and Telecommunications Commission ("CRTC") is authorized to impose administrative monetary penalties of up to C$1 million per violation of CASL for individuals and C$10 million for businesses.8 Officers, directors, and agents may be personally liable if they acquiesced in a violation of the law.9 However, because CASL takes into account "honest mistakes," a company that has undertaken good faith efforts to comply will have an affirmative defense in the event the CRTC initiates action based on a violation of CASL.10

Recommendations

It is important for any U.S. companies that send, route, or access commercial electronic messages (CEMs) or alter transmission data using a computer system located in Canada, or that deliver CEMs to Canadian residents, to undertake clearly defined actions to comply with the anti-spam provisions of CASL.11

1. Make sure you understand what constitutes a "commercial electronic message." CASL defines a "commercial electronic message" or "CEM" as any electronic message that encourages participation in a commercial activity, regardless of whether there is an expectation of profit.12 Electronic messages that encourage participation in a commercial activity may include messages that offer, advertise or promote goods, services, or business or investment opportunities; messages that advertise or promote a supplier or sponsor; and messages that direct the recipient to a location, telephone number, contact information or website that has a commercial purpose.13 Examples of CEMs include e-newsletters that provide information that may not be commercial in nature, but that contain a link to a sponsor's website; an online client satisfaction survey; or a mass email providing general information about your business or organization.

The law does not apply to certain types of CEMs. For businesses, the most relevant exceptions are messages sent:

  • To a person who is engaged in a commercial activity and your message consists solely of an inquiry or application related to that activity;14
  • In response to a request, inquiry or complaint, or is otherwise solicited by the person to whom you send the message;15
  • By your employee, representative, consultant, or franchisee to an employee, representative, consultant or franchisee of (1) your organization and the message concerns the activities of your organization, or (2) another organization if the organizations have a relationship and the message concerns the activities of the organization to which the message is sent;16 or
  • To a limited-access secure and confidential account that you provide in which only you can send messages to the person who receives the message.17

There is also an exception if you send a message and reasonably believe the message will be accessed in a listed foreign state18 and the message conforms to the law of the foreign state that addresses conduct that is substantially similar to conduct prohibited under the CEM rules in CASL.19

2. You must obtain express consent before July 1, 2014 to send CEMs and alter transmission data. After July 1 an electronic message that requests such consent will itself be an unauthorized CEM, so it will no longer be possible to obtain express consent by sending such a request.20 As a result, you should consider obtaining as many express consents as possible now, while you are still able to lawfully send a request for consent by email. Properly done, this can be a good opportunity to touch base with your customers.

Express consent can be obtained orally21 or in writing, including electronically. However, the burden will be on you to prove that you received such consent. You should keep a record of the time of receipt of consent.22 Examples of acceptable consent include checking a box on a web page to indicate consent where a record of the date, time, purpose, and manner of that consent is stored in the database, or filling out a consent form at the point of purchase.23 The end-user must make a positive action to indicate consent, such as checking a box to indicate consent or typing in his or her email address. Mechanisms such as an unchecked opt-out box or a pre-checked opt-in box cannot be used to obtain express consent. Likewise, silence or inaction on the part of the end-user cannot be construed as providing express consent.24

Unless you obtain express consent, you should no longer send, route, or access CEMs from computer systems located in Canada, or to users located in Canada, except in the following limited cases in which consent will be implied: (1) where the sender and the recipient have an "existing business relationship" or an "existing non-business relationship" where the relationship arose within the two year period immediately before the day on which the message was sent or is pursuant to a contract in effect in the two year period immediately before the day on which the message was sent (there is a limited grandfather provision that these two year time limits do not apply during the initial three year period after July 1, 2014, if the existing relationship included communications using CEMs);25 (2) where the recipient has conspicuously published, or caused to be conspicuously published, his or her electronic address, the publication is not accompanied by a statement that the person does not wish to receive unsolicited CEMS at the electronic address, and the message is relevant to the person's business, role, functions or duties in a business or official capacity;26 or (3) where the recipient has disclosed to the sender the electronic address to which the message is sent without indicating a wish not to receive unsolicited commercial electronic messages at the electronic address, and the message is relevant to that person's business, role, functions or duties in a business or official capability.27 Consent is also assumed for certain other categories, such as most normal business-to-business communications; providing factual information about an ongoing subscription or similar service; or delivering a product or service, including updates and upgrades, pursuant to an existing relationship.28Although not specifically addressed in CASL, the CRTC has taken the position that requests for express consent must not be subsumed in, or bundled with, website terms of use or similar online agreements. The underlying objective is that the specific requests for consent must be clearly identified. For example, users must be able to grant their consent to the website terms, but deny consent to receive CEMS or alter transmission data.29

The requirements for obtaining express consent to alter transmission data are the same as the requirements for sending CEMs. However, separate consents to send CEMs and to alter transmission data are required.30

3. Make sure that you clearly, prominently and simply identify yourself, and anyone else on whose behalf the message is sent in all CEMs and requests to alter transmission data. In addition, you must state your reason for altering transmission data when seeking consent to alter such data. The identification required by CASL must include:

  • Your name or the name by which you conduct your business, if different from your name.31
  • If you are sending the message on behalf of another person, the name of that person, or the name by which that person conducts its business, if different from that person's name.32 If you are sending the message on behalf of multiple senders, such as affiliates, all senders must be listed.33
  • If the message is sent on behalf of another person, a statement indicating which person is sending the message and which person on whose behalf the message is sent.34
  • The mailing address, and either a telephone number providing access to an agent or a voice messaging system, an email address or a web address of the person sending the message or, if different, the person on whose behalf the message is sent.35 The address must be valid for a minimum of 60 days after the message is sent.36

If it is not practical for you to include all the above information directly in your message (for example, if you are sending a communication by short message service (SMS)), you can post the information on a web page that the recipient can readily access at no cost. The link to the web page must be clearly and prominently set out in the message.37

In addition to stating your identity, or the identity of the person on whose behalf the message is sent, you should also state why you are requesting consent to alter transmission data when seeking such consent.38

4. Make sure that all CEMS or consents to alter transmission data include an unsubscribe mechanism. Every CEM that you send and every request for consent to alter transmission data must also include a mechanism by which the user may withdraw consent. You must ensure any withdrawal of consent to receive CEMs or alter transmission data becomes effective within 10 business days after your receipt of such request.40

The unsubscribe mechanism in CEMs must be set out clearly and prominently.41 In addition, it must be "readily performed" which means it must be accessed without difficulty or delay, and should be simple, quick, and easy for the consumer to use.42 In the case of a SMS, the user should have the choice between replying to the SMS message with the word "STOP" or "Unsubscribe" and clicking on a link in the SMS message that will take the user to a web page where he or she can unsubscribe from receiving all or some types of commercial electronic messages from the sender.43

For consents to alter transmission data, you must provide the person who gave his or her consent with an electronic address to which he or she may send notice of the withdrawal of such consent.44