Although Canada’s recent anti-spam legislation (CASL) has been in effect for more than a month now, many entities outside of Canada (and possibly those within Canada) are still struggling to understand their obligations under it and the steps necessary to mitigate compliance risk. This is no surprise; CASL is sweeping, demanding, pervasive and punishing. Consider the following:
- Sweeping. CASL applies to the sending of all types of commercial electronic messages (CEMs), including e-mail, SMS messages, Facebook, LinkedIn, Twitter and other social media messages, and other text, sound, voice or image messages; it regulates both the form and content of CEMs, as well as the alteration of message transmission data; and it governs the installation of computer programs on another's computer in the course of a commercial activity, including mobile application downloads and updates.
- Demanding. CASL requires prior express consent (i.e., opt-in consent) before sending CEMs, with limited exceptions; it prescribes stringent form and content requirements on CEMs, including specific unsubscribe obligations; it calls for express consent to alter transmission data or to install a computer program on another's computer; and it provides for various disclosure requirements when obtaining express consent.
- Pervasive. If you have customers or clients in Canada, CASL likely affects you. CASL applies whenever "a computer system located in Canada is used to send or access" a CEM and to both individual and business recipients. Therefore, no matter where you are located or where the CEM originates, CASL applies if the recipient opens the CEM on a computer located in Canada.
- Punishing. Violating one or more of CASL's multiple and nuanced requirements can result in penalties up to $1 million for individuals and $10 million for businesses; criminal charges against organizations that make false or misleading representations; vicarious liability for directors and officers of corporations and employers of employees acting within the scope of their employment; and, beginning July 2017, a private right of action.
Unfortunately, it is impossible to meaningfully address each of the issues and related provisions covered by CASL within the confines of a blog post. Instead, this column distills some of the key provisions specific to online commercial communications, as this activity is likely germane to any entity operating in Canada or with customers/clients in Canada. Along the way, basic guidance is provided to help you assess whether CASL may apply to your online commercial communications and what you can do to mitigate compliance risk to an acceptable level.
Sending Commercial Electronic Messages
Subject to limited exceptions, CASL prohibits the sending of CEMs except where (1) the recipient expressly consents to receiving the CEM (or impliedly, in limited cases), and (2) the CEM "clearly and prominently" lays out certain prescribed information, including the identification of the sender, contact information of the sender, and an unsubscribe mechanism that can be “readily performed.”
Compliance Issue 1: Do you send "Commercial Electronic Messages" to or from Canada?
CASL defines "electronic message" broadly to include a "message sent by any means of telecommunication, including a text, sound, voice, or image message." This encompasses e-mail, SMS messages, Facebook, LinkedIn, Twitter and other social media messages, and other text, sound, voice or image messages. However, CASL does not apply to interactive two-way voice communications, fax messages or voice recordings sent to a telephone account. For an "electronic message" to be "commercial" in nature, its purpose, or one of its purposes, must be to "encourage participation in a commercial activity," including messages that offer to sell a product or service, advertisements or promotions of such offers, and messages containing a request for consent to send such messages.
CASL's pervasive territorial reach subsumes both CEMs (1) sent from a computer in Canada, and/or (2) accessed using a computer in Canada.  In other words, even if you are outside of Canada, CASL still applies if you communicate online with Canadian customers or clients (potential or actual).
✔ Do you interact with customers or clients through e-mail, SMS messages, social media platforms or other electronic channels for marketing, promotional or sales purposes?
✔ Do you have customers or clients in Canada?
Compliance Issue 2: Do you have appropriate consent to send CEMs?
A sender of a CEM must first obtain express consent from the message recipient, unless implied consent is specifically allowed or where consent is not required under CASL (discussed below). Express consent requires "a positive or explicit indication of consent" such as checking a box or entering an e-mail address to indicate agreement to receive CEMs. Express consent can be obtained in writing or orally. Where consent is obtained orally, it should be able to be verified by an independent third party or recorded and maintained in its entirety. Consent obtained "in writing" includes both paper and electronic forms. Notably, express consent cannot be obtained through an opt-out consent mechanism such as a pre-checked box.
In order for express consent to be valid, the intended recipient must be provided with certain information, including but not limited to (1) the purpose for which consent is being sought; (2) the name by which the person seeking consent carries on business; (3) the mailing address, and either a telephone number, e-mail address or website of the person seeking consent; and (4) a statement informing the intended recipient that consent can be withdrawn.  Where express consent is obtained, it is advisable to send the consenting individual confirmation of the receipt of consent. 
Under limited circumstances, a sender of a CEM can rely on implied consent. Two such situations exist: (1) where the sender and recipient have an "existing business relationship" or (2) if the recipient publishes his or her address.
- Existing Business Relationship. Implied consent exists where the sender and recipient have an "existing business relationship."  This applies to relationships between the recipient of the message and the sender of the message or the organization on whose behalf the message is sent. A qualifying "business relationship" exists where (1) the recipient has purchased something from the sender within the past two years, (2) a contract exists between the sender and recipient or has expired within the last two years, or (3) the recipient has inquired about or applied for something from the sender within the past six months. 
- Published Address. Implied consent also exists where (1) a recipient "conspicuously publishe[s]" his or her electronic address (e.g., through a company directory available online) or otherwise discloses the address to the sender (e.g., providing a business card), (2) without indicating that he or she does not wish to receive unsolicited messages, and (3) the CEM is relevant to the recipient's business, role, functions or official duties. 
Regardless of whether consent is express or implied, written or oral, the burden is on the party needing consent to prove that it in fact obtained valid consent. 
Exceptions to Consent
Finally, consent is not required when sending certain CEMs, including but not limited to, CEMs that solely:
- Provide a quote or estimate for a product or service if requested by the recipient;
- Facilitate, complete or confirm a commercial transaction previously agreed to;
- Provide warranty information, product recall information, or safety or security information about a product that the recipient uses, has used or has purchased;
- Provide factual information about the ongoing use or ongoing purchase by the recipient of a product, good or a service offered under a subscription, membership, account, or similar relationship by the sender or individual on whose behalf the CEM is sent; or
- Deliver a product, good or a service, including product updates or upgrades, that the recipient is entitled to receive under the terms of a previous transaction with the sender or individual on whose behalf the CEM is sent. 
Consent is also not required to send the first CEM for purposes of contacting the recipient following a referral by any individual who has an existing business or non-business relationship, or family or personal relationship with the sender. These consent exceptions do not relieve the sender of its compliance obligations relating to the form and content (including the unsubscribe mechanism) of CEMs as discussed below.
✔ Do you have express consent from intended recipients to send CEMs? If yes, was the necessary information provided to recipients when obtaining consent?
✔ Do you have documentation evidencing the date, purpose, and manner of obtaining express consent?
✔ Do you rely on consent obtained from third parties? If yes, are they contractually required to comply with CASL's consent requirements?
✔ Can you rely on implied consent?
✔ Does an exception to the consent requirement apply to your activities?
Compliance Issue 3: Do your CEMs satisfy the form and content requirements?
In addition to obtaining the recipient's consent, senders must ensure that CEMs meet certain form and content requirements. For example, CEMs must "clearly and prominently" (1) identify the sender and, if different, on whose behalf it is sent; (2) provide information allowing the recipient to easily contact one of the parties identified; and (3) set out an unsubscribe mechanism.  Where a CEM is sent on behalf of multiple parties, such as affiliates, all parties must be identified. 
The required unsubscribe mechanism must be able to be "readily performed" and must (1) enable the recipient of a CEM to opt-out, at no cost, from receiving CEMs from the sender using the means used to send the CEM, and (2) provide an e-mail address or link that allows the recipient to indicate his or her desire to opt-out. The e-mail address or link provided must be valid for a minimum of 60 days after the CEM is sent. When a recipient chooses to unsubscribe from receiving future CEMs, the sender must honor the opt-out "without delay" and no later than 10 business days after the recipient unsubscribes.
✔ Do your CEMs contain all necessary information, including a compliant unsubscribe mechanism?
✔ Do you have a mechanism in place to track and process unsubscribe requests?
✔ Do you utilize third parties to send CEMs on your behalf? If yes, are they contractually obligated to comply with CASL's form and content requirements?
Compliance Issue 4: Does an exception to the consent and content requirements apply?
In addition to the consent exceptions discussed above, certain exceptions apply to both the consent and content requirements of CASL. Specifically, the consent and content requirements of CASL do not apply to CEMs that are (1) sent in the context of a personal or family relationship;  (2) sent to a person who is engaged in a commercial activity and consisting solely of an inquiry or application related to that activity; or (3) as otherwise specified in regulations. One such regulatory exemption exists where a CEM is sent by an employee of an organization to an employee of another organization, so long as the organizations have a relationship and the message concerns the activities of the organization to which the message is sent. 
✔ Do any consent and content exceptions apply?
This post highlights some of the requirements relating to just one activity regulated by CASL – the sending of Commercial Electronic Messages. Complying with CASL is no small feat for anyone. However, due to CASL's extra-territorial reach and the breadth of activities it regulates, it cannot – and should not – be ignored.