The Canadian government has finalized long-awaited regulations made under Canada’s Anti-Spam Law (CASL), announcing at the same time that the core of the new anti-spam regime will come into force on Canada Day, July 1, 2014, while other provisions will come into force the following year, and some will not be effective until 2017.
While the final regulations do include a number of last-minute revisions that respond to concerns raised by Canadian businesses, the new regime promises to have a significant negative impact on many businesses that have come to rely on electronic marketing.
CASL in a nutshell
In essence, CASL contains three core prohibitions, each of which is subject to a limited number of specific and narrow exemptions.
On the electronic messaging front, CASL generally requires prior express consent to send a commercial electronic message, and further imposes certain form requirements with respect to those messages, including providing in the message information identifying the sender and a mechanism to opt-out from the receipt of future messages.
Similarly, the law also generally prohibits the installation of a computer program on a user’s system or device without express consent, also imposing certain notice requirements in connection with the collection of that consent.
Finally, CASL also requires explicit consent for the alteration of transmission data in an electronic message or the rerouting of a message to a destination different than that specified by the sender.
A tale of two regulations
Further details of the requirements of the new anti-spam regime are also set out in two sets of regulations.
The first companion set of regulations, the Electronic Commerce Protection Regulations (CRTC) were finalized last year by the CRTC. They generally contain detailed requirements respecting the form of messages and requests for consent.
The second set of regulations, the long-awaited Electronic Commerce Protection Regulations, were registered by the Government on 4 December 2013. This publication is a final version of draft regulations that were originally proposed in July 2011, then substantially revised in January 2012.
Earlier versions of the Regulations attracted significant criticism from the business community, which expressed concern that the regulations omitted some important clarifications of the requirements of the law, failed to provide exemptions for certain business and behaviours that should not be caught by the legislation and imposed unworkable and unnecessary requirements that may have had a disproportionate impact on technologies such as text messaging.
Phasing in the law
As noted, the core anti-spam provision will become effective on Canada Day, 2014. The July in-force date means that businesses will have only half as long as had been expected to get ready for the new law. Earlier statements from the Government had suggested there would be a grace period of approximately one year before the law would come into force.
Businesses will, however, have more lead time to come into compliance with those aspects of the new law governing the installation of computer programs, as these will come into force on January 15, 2015.
The Government has also delayed until July 1, 2017 the coming into force of a controversial new private right of action for non-compliance with CASL. The Government has stated that his delayed effective date, a full three years after the core anti-spam provision comes into force, is intended to reduce uncertainty for business about how the new law will be interpreted.
What’s new in the regulations
Some hoping for significant new exemptions will be disappointed, as the final Regulations make only a few changes to the revised version published in January 2012; however, others, including registered charities, are likely to be pleased with the new regulations. We summarized the main features of the January version of the regulations in an earlier post.
In addition to a number of clarifying wording changes, the final regulations add the following new exemptions from the general requirement to obtain prior consent and provide an opt-out mechanism:
- Electronic messaging service – the Regulations exempt messages sent and received on “an electronic messaging service” if the identification information and unsubscribe mechanism that would otherwise be required in the message itself are conspicuously displayed on the user interface, and the recipient consents to the receipt, including by implication. This exemption would appear to be directed at social media platforms and similar services.
- Limited access accounts – also exempted are commercial electronic messages sent on limited access proprietary accounts by the account owner to the recipient. This exemption appears to be targeted at banking websites and similar systems.
- Foreign recipients – senders are exempt from Canadian anti-spam requirements where the message is sent to certain foreign states (listed in a schedule to the regulations) with their own anti-spam laws, provided the message conforms to the local law in question. This is a significant shift from the earlier version of the Regulations, which required compliance with the Canadian law regardless of the jurisdiction in which a message was received.
- Charities – the new Regulations include a new, broad exemption for commercial electronic messages sent by or on behalf of registered charities for fundraising purposes, regardless of whether the recipient previously donated to the charity.
- Political parties and organizations – a similar new exemption exists for political parties, organizations and candidates for public office, with respect to commercial electronic messages sent soliciting political contributions
In addition, the “referral” exemption contained in the January 2013 version of the Regulations, which originally applied only to individuals, now provides that any “person” (including corporations) are permitted to send one commercial electronic message without consent, based on a referral by another individual with whom the sender has an existing business relationship.
What’s not in the Regulations
Among the more significant unaddressed concerns raised by the business community are:
- Prior consents – many stakeholders wanted the Government to treat as valid any consents to the receipt of commercial electronic messages that are obtained in compliance with the federal private sector privacy law, the Personal Information Protection and Electronic Documents Act. Since the regulations were not amended to respond to this concern, many businesses who have collected implied consents that were valid under privacy laws will have to re-approach potential message recipients to secure explicit consent.
- Manufacturers - manufacturers without a direct relationship with end users of their products (such as where the products are purchased from a retailer) had sought the ability to send commercial electronic messages to those end users without explicit consent in certain circumstances. While exemptions exist with respect to sending warranty and recall information, manufacturers will otherwise have to obtain explicit consent.
- Existing business relationships – some had sought to expand the “existing business relationship” exemption to include legitimate commercial electronic messages sent in the context of additional ongoing business relationships, which do not clearly fall within the narrow definition of the current exemption
Time to start work
CASL and its companion Regulations and guidelines comprise a complex package of detailed requirements and exceptions. In light of the short timeline before the anti-spam portions of the law are to come into force, Canadian businesses would do well to start work immediately to implement the changes to their electronic marketing practices that will be required to comply with the new regime.