Canada's Anti-Spam Legislation (CASL)
CASL is a new federal law aimed at eliminating unsolicited and malicious electronic communications. Originally introduced in December 2010, the majority of CASL's provisions will come into force on July 1, 2014. Once in effect, organizations will have to comply with specific consent, disclosure and unsubscribe requirements when sending out electronic communications.
CASL is accompanied by two sets of regulations from the Canadian Radio-television and Telecommunications Commission (CRTC Regs) and from Industry Canada (IC Regs). The CRTC has also issued two interpretative guidelines (referred to as Compliance and Enforcement Information Bulletins CRTC 2012-548 and 2012-549), but these guidelines do not have the force of law.
This guide provides basic information on CASL to help understand how it will impact electronic communication practices, and focuses on CASL's prohibition on "spam". In many cases where a section applies to your organization, we recommend you look closely at the specific wording of CASL, as the notes below are paraphrased. Section references to CASL and the applicable regulations have been added for ease of reference.
What does CASL prohibit?
CASL targets three activities:
Spam: Prohibition on sending, causing or permitting to be sent commercial electronic messages (CEMs) without the express or implied consent of the recipient, and in compliance with prescribed form and content requirements (section 6).
Phishing: Prohibition on altering transmission data in an electronic message so that it is delivered to an alternative address without express consent (section 7).
Spyware/malware: Prohibition on installing a computer program on another's computer, or causing electronic messages to be sent from such a computer, without express consent (section 8).
CASL and its regulations will trump any conflicting provision of the Personal Information Protection and Electronic Documents Act (PIPEDA) (section 2).
CASL distinguishes in some sections between individuals and "persons", which are defined to include an individual, partnership, corporation, organization, association, trustee, administrator, executor, liquidator of a succession, receiver or legal representative (section 1(1)).
Spam - Commercial Electronic Messages
Section 6 prohibits sending, causing or permitting to be sent CEMs without (i) consent, and (ii) compliance with certain form and content requirements.
"Commercial Electronic Message" or "CEM" - defined broadly to capture electronic messages that have as one of their purposes "encouraging participation in a commercial activity", sent from email accounts, text messaging accounts and any other similar account types (section 1(2)). Does not include voicemail or fax messages (section 6(8)), or messages for law enforcement or public safety (section 1(4)).
"Commercial Activity" - includes any particular transaction, act, or conduct that is of a commercial nature, whether or not carried out for profit (section 1(1)).
Exceptions where CASL does not apply to CEMs
CASL does not apply to certain types of messages, meaning there are no consent or form requirements for:
"Family or Personal Communications": CEMs sent to family members or those who have a personal relationship with the sender (section 6(5)(a) & IC Regs). "Personal Relationship" is defined to include (for individuals only) a history of two-way communications, and considers factors such as sharing of interests, frequency of communications and whether the parties have met in person (section 2, IC Regs).
"Commercial Inquiry Communications": CEMs consisting solely of an inquiry or application related to the commercial activity of the recipient person (section 6(5)(b)).
"Internal Business Communications": CEMs sent within the same organization (among employees, representatives, consultants or franchisees) provided the CEM concerns the activities of the organization (section 3(a)(i), IC Regs).
"Business to Business Communications": CEMs sent between different organizations (among employees, representatives, consultants or franchisees), provided (a) organizations have a relationship and (b) the CEM concerns the activities of the organization to which the message is sent (section 3(a)(ii), IC Regs).
"Prompted Communications": CEMs which are responses to inquiries, requests or complaints of a person, or that are otherwise solicited by the recipient (section 3(b), IC Regs).
"Legal Communications": CEMs sent to satisfy a legal obligation, or to enforce a legal right (section 3(c), IC Regs).
"Social Network Communications": CEMs sent and received on "electronic messaging services", provided the required information and unsubscribe mechanism are conspicuously published on the user interface and the recipient has provided implied or express consent (section 3(d), IC Regs). This is anticipated to apply to social networking services or instant messaging services.
"Secure Account Communications": CEMs sent to a limited-access secure and confidential account where only the account provider is able to send messages to the account (section 3(e), IC Regs).
"Foreign Destination Communications": a CEM sent with the reasonable expectation that the CEM will be accessed in a foreign state having similar anti-spam laws and the message conforms with those foreign laws (section 3(f), IC Regs). A list of recognized countries is scheduled to the regulations.
"Charity Fundraising Communications": a CEM sent by or on behalf of a registered charity and the message has the primary purpose of raising funds for the charity (section 3(g), IC Regs).
"Political Solicitation Communications": a CEM sent by or on behalf of a political party or organization, with the primary purpose of soliciting contributions (section 3(h), IC Regs).
Form requirements for CEMs
Under CASL, all CEMs will need to include the following information "clearly and prominently" (sections 6(2) and (3), 11(1) to (3) & CRTC Regs):
- Identity/business name of person sending and on whose behalf the CEM is sent (section 6(2)).
- If the CEM is sent on behalf of another person, a statement must be included indicating which person is sending and which person on whose behalf it is sent.
- Contact information including mailing address and either phone number or email/web address of person sending, or if different, the person on whose behalf CEM sent. The information must enable recipient to readily contact one of such persons (section 6(2)). Contact information must be valid for 60 days after message sent (section 6(3)).
- Unsubscribe mechanism must be included, with an electronic address or web link, and must be able to be "readily performed". Must be valid for 60 days after the message is sent. Unsubscribe must be effected within 10 business days after the unsubscribe request (sections 11(1) to (3)).
Consent is addressed in one of three ways:
- Express consent from the recipient (section 10(1)).
- Implied consent to send the CEM (section 10(9)).
- An exception applies (section 6(6)).
The onus to prove consent rests with the sender of the CEM (section 13).
To obtain valid express consent (section 10(1) & CRTC Regs), the request for consent must:
- Set out "clearly and simply" the required information.
- State the purpose(s) for which consent is being sought.
- Include the business name of the person seeking consent, and the business name of any person on whose behalf consent is sought; and specifying which person is seeking consent and which on whose behalf consent is sought.
- Include contact information consisting of mailing address and either phone number or email/web address of person sending or if different the person on whose behalf CEM sent.
- Be Opt-in (i.e. click a box, or enter email address) and not Opt-out (CRTC's view).
- State that consent can be withdrawn.
- Be separate for each act of sending a CEM, installing a computer program and altering transmission data (CRTC Regs).
Note: Consent may be obtained orally, in paper form or electronically. However, a request for consent sent by an electronic message is itself a CEM, and so must comply with the form and consent provisions in order to be sent (section 1(3)).
Consent may be obtained on behalf of an unknown person (who will rely on the consent), provided that certain conditions in the IC regulations are met regarding ongoing use of and withdrawal of such consent.
Implied consent exists where:
- Sender and recipient have an "existing business relationship" (section 10(9), and detailed definition in 10(10)):
  - Within the last two years: any purchase or lease of products or services, acceptance of business or investment, or bartering; or a contract for such things in force or expired within the last two years.
  - Within the last six months: an inquiry or application from the CEM recipient to the sender in respect of any such business transactions.
- Sender and recipient have an "existing non-business relationship" (section 10(9), and detailed definition in 10(13) & IC Regs), i.e. within the last two years a donation of time or money to a registered charity, political party, organization or candidate, or membership in a club, association or volunteer organization.
- Recipient "conspicuously" published their email address, or has disclosed their address to the sender, without indicating that they do not wish to receive unsolicited CEMs, and the CEM being sent is relevant to the recipient's business, role, function or duties in a business or official capacity (section 10(9)(b) &(c)).
Exceptions for Consent
A CEM may be sent without express or implied consent to:
- Provide a quote or estimate requested by the recipient (section 6(6)(a)).
- Facilitate, complete, or confirm a commercial transaction between the sender and recipient that the recipient previously agreed to enter into with sender (section 6(6)(b)).
- Provide warranty, safety, recall or security information about a product or service used or purchased by the recipient (section 6(6)(c)).
- Provide notification of factual information about an ongoing subscription, membership, account, loan or similar relationship, or goods or services offered thereunder (section 6(6)(d)).
- Provide information directly related to a current employment relationship or benefit plan (section 6(6)(e)).
- Deliver a product, good or service, including updates and upgrades further to an existing relationship (section 6(6)(f)).
- "Third Party Referrals": a single CEM may be sent to a recipient without consent based on a referral to the sender by a third party who has a relationship (business, family, personal or non-business) with both the sender and the recipient. The CEM must disclose the full name of the referring person and state that the message was sent as a result of the referral (section 4, IC Regs).
Always remember that even where consent is addressed by implied consent or an exception, the form requirements of the CEM (contacts, unsubscribe etc.) still apply.
For the first three years under the law, there will be implied consent for sending CEMs to recipients where, as of July 1, 2014, there was an existing business relationship or non-business relationship, regardless of when that relationship may have last been active (i.e. without reference to the two-year or six-month time periods), provided that the recipient does not withdraw consent and the relationship included the exchange of commercial electronic messages (section 66).
Enforcement may occur by administrative penalty or private claims (no private claims for the first three years CASL is in force).
Maximum penalties may be $1 million for individuals and $10 million for corporations and other organizations (section 20(4)).
Directors and officers may be liable (section 31) and employers may be liable for acts of their employees (section 32).
A due diligence defence may be available if the sender can show established policies and practices for compliance (section 33).
A three year limitation period for private claims applies (section 47(2)).
What can you do to prepare?
- create implementation team
- audit and assess current CEM practices
- review and update CEM templates
- establish new tracking systems (IT)
- set timeline and priorities for Express Consent
- develop policies and guidelines for staff training
- consider merits of seeking consent in advance of CASL coming into force
Installation of computer programs
The coming into force of the provisions dealing with the unsolicited installation of computer programs is delayed until January 15, 2015. Section 8 of CASL is intended to prohibit spyware/malware but will capture any circumstance involving:
- the installation of a computer program
- on any other person's computer system
- located in Canada
- during the course of a commercial activity
- unless that person's express consent is obtained, or
- the installation is in accordance with a court order.
The standard for express consent that is required for the installation of computer programs overlaps with what is necessary for sending CEMs. In this respect, the general principles for obtaining express consent outlined for CEMs in this guide apply.
Updates or upgrades will not require additional consent where valid express consent has initially been obtained. Also, express consent is deemed to have been given for certain programs necessary for the proper functioning of Internet browsers, such as HTML code and JavaScript, where the person's conduct makes it reasonable to believe they consent to the installation.
Obligation to Describe Program Function and Purpose
As per subsections 10(3) through 10(5) of CASL, when seeking express consent it is required that a party clearly and simply describe the function and purpose of the computer program that is intended to be installed. This includes ensuring that the person giving consent has reasonable expectations about the program, including its functions for:
- Collecting personal information stored on the computer system.
- Interfering with the owner's or an authorized user's control of the computer system.
- Changing or interfering with settings, preferences or commands already installed or stored on the computer system without the knowledge of the owner or an authorized user of the computer system.
- Changing or interfering with data that is stored on the computer system in a manner that obstructs, interrupts or interferes with lawful access to or use of that data by the owner or an authorized user of the computer system.
- Causing the computer system to communicate with another computer system, or other device, without the authorization of the owner or an authorized user of the computer system.
- Installing a computer program that may be activated by a third party without the knowledge of the owner or an authorized user of the computer system.
Request for Program Removal
For a period of one year after consent for installation is given, the person who gave consent must be provided with an email address where they can send a request to remove or disable the program which performs one of the functions listed above. The request can be made where the person who gave their consent believes that the function, purpose or impact of the program was not accurately described when their consent was obtained. The removal or disabling of the program must be achieved without cost to the party making the request (section 11(5)).
Exemptions for Telecommunication Service Providers (TSPs)
Two exemptions are provided for TSPs in regards to the installation of computer programs. First, TSPs will not be required to obtain prior consent to install a computer program for the limited purpose of preventing activities which pose an imminent security risk to the network. Second, TSPs will not be required to obtain prior consent to install network-wide software or system upgrades (section 4, IC Regs).