The much anticipated Canada Anti-Spam Law (CASL) is set to go into effect on July 1, 2014. CASL is widely regarded as one of the more restrictive anti-spam legislations and its impending enforcement will change the way many North American businesses market to potential customers.
For example, businesses currently operating under CAN-SPAM, America’s anti-spam legislation may need to make wholesale changes to their marketing campaigns to bring them into compliance with the more stringent CASL. This article highlights some of the key differences between CASL and CAN-SPAM and provides suggestions for transitioning a business’s direct sales and marketing efforts into compliance with the newly minted CASL.
Broader in Scope
CASL regulates all Commercial Electronic Messages (CEMs) accessed from a computer system in Canada. CEMs consist of messages sent by any means of telecommunication, including a text, sound, voice or image message with a purpose to encourage participation in a commercial activity. CASL’s regulation of CEMs is substantially broader in scope than CAN-SPAM, which only regulates e-mail messages. Further, CASL regulates any communications with any commercial content, as compared to CAN-SPAM which only regulates messages with a primary purpose to promote.
Unlike CAN-SPAM, CASL also regulates the installation of programs on a recipient’s computer. As will be discussed further below, express consent is required to install software on another person’s computer system in the course of a commercial activity. While this provision of CASL is certainly directed to curbing unsolicited installation of malware, spyware and botnets, it also affects legitimate commercial business practices such as pushing out upgrades to purchased software. Under CASL, businesses may need to obtain consent before maintaining or upgrading software on a consumer’s computer. The provisions of CASL that regulate the installation of programs will go into effect January 15, 2015.
Perhaps the most substantial difference between CASL and CAN-SPAM is that activities regulated by CASL (e.g., sending CEMs, installing unsolicited software) can only be carried out after receiving express or implied consent from a recipient. This is significantly more restrictive than CAN-SPAM, which allows marketers to send e-mails without first obtaining consent and presumes consent if a recipient fails to opt out of an e-mail.
While express consent under CASL is relatively straightforward (e.g., requesting a recipient to opt-in), implied consent can be a bit more ambiguous. For example, CASL provides that consent can be implied in situations where the recipient has conspicuously published or disclosed his or her electronic address and the CEM is relevant to his or her business role or function. Consent can also be implied when there is an existing business relationship between the sender and the recipient. CASL provides that there is an existing business relationship when business has been conducted between the sender and the recipient within the last two years, there is a contract in place between the sender and the recipient or the contract has expired within the last two years, or the recipient has made an inquiry to the sender within the last six months.
Consent, however, is not required for all messages. Under the Electronic Commerce Protection Regulations (the Regulations), certain messages are excluded from CASL’s consent requirements. For example, no consent is required for messages sent within an organization or between organizations in a business relationship, so long as the messages concern the activities of the organization. Consent is also not required for messages sent between individuals with personal or family relationships. Other messages exempt by the Regulations include, for example, messages in response to an inquiry or application, legal notices, messages with the primary purpose of raising funds for a charity and messages sent by political parties or candidates soliciting contributions.
Penalties and Private Right of Action
CASL calls for higher penalties for contraventions as compared to CAN-SPAM. Where CAN-SPAM limits its penalties to $16,000 per each individual e-mail, the maximum penalty under CASL is one million Canadian dollars per violation for an individual and 10 million Canadian dollars per violation for an organization.
While CASL will be enforced by government agencies (i.e., Canadian Radio-television and Telecommunications Commission, Competition Bureau, Office of the Privacy Commissioner of Canada), CASL also puts into place a private right of action that will allow individuals and organizations to obtain a court order or compensation for contraventions of CASL. The penalties under the private right of action can be up to 200 Canadian dollars per contravention with a max of one million Canadian dollars per day. The private right of action will enter into force on July 1, 2017.
Bringing Your Business into Compliance with CASL
Because of the complexities of CASL, there is no simple way to transition into compliance with CASL. Prepare for a long, arduous process and be ready for some frustration. With that said, here are a few high-level points to consider as you navigate the waters of CASL:
- Plan around the enforcement dates – CASL’s regulation of CEMs goes into force on July 1, 2014, while the regulation of installed software begins January 15, 2015. Circle these dates on your calendar and make sure all transitioning for the sending of CEMs and installation of software is complete before each respective enforcement date.
- Review all your CEMs – The broader scope of CASL necessitates a careful review of all the ways your business markets using electronic messages. While it may be obvious to review e-mails, don’t overlook electronic messages sent over lesser used mediums such as text messages and social media sites.
- Pay attention to your contacts – Since many of the exemptions to CASL depend on your relationship with the recipient, we recommend reviewing your contacts and categorizing them in view of CASL. Which contacts can be considered personal or family and with which contacts do you have a business relationship? Of those with which you have a business relationship, which ones qualify as existing (i.e., two years or less)? Don’t be afraid to use technology to help you categorize your contacts, as most modern e-mail programs and CRM applications will provide this functionality.
- Document your compliance efforts – CASL provides that a person must not be found liable for a violation if they establish they exercised due diligence to prevent the violation. Documenting your compliance efforts now will help to establish the due diligence necessary to keep you out of trouble should compliance issues arise down the line.
- Keep up the good work – It’s one thing to be CASL-compliant and another to maintain CASL compliance over time. Pay special attention the systems and databases that handle your electronic messages and configure and structure them in a manner that facilitates CASL compliance. For example, in addition to categorizing your contacts, are you equipped to track which customers have given express consent and which have given implied consent? For customers where consent is implied, are you able to determine when the implied consent expires (e.g., you haven’t done business with them in over two years)? Also, consider employing periodic auditing and training to help ensure your business remains CASL-compliant.
If you’re not sure where to start or are having trouble with your CASL compliance efforts, don’t hesitate to contact us. We’re full of bright ideas and can point you in the right direction.