American businesses with customers residing in our neighbor to the north should pay close attention to a new Canadian law that takes effect on July 1, 2014, and that will substantially restrict electronic marketing. The law, known as the Canadian Anti-Spam Law (CASL), regulates many routine business activities, such as sending marketing emails, text messages, or social media messages to individuals in Canada. It also applies to software downloads, including programs and updates to mobile applications.
Although the CASL addresses many of the same concerns as the American CAN-SPAM Act, it takes a very different approach, of which U.S. businesses should be aware. It effectively converts electronic marketing in Canada from an “opt-out” basis to a stringent new “opt-in” standard. American businesses should begin to take measures now in anticipation of the new rules, rather than scramble at the last minute to achieve compliance.
Because the CASL protects people and computers located in Canada, it is intended to apply to businesses located in the U.S. if the recipient of the message or download is located in Canada. This will potentially complicate business processes for American companies with cross-border customers.
“Commercial Electronic Message”
In general, the CASL prohibits the sending of a “commercial electronic message” (CEM) to an “electronic address” unless the recipient has consented to receiving it and the message complies with certain additional requirements. A CEM is a message intended “to encourage participation in a commercial activity.” This includes marketing, promotional, and advertising messages. An “electronic address” broadly means an email account, an instant messaging account, a telephone number, or “any similar account.” An electronic message that requests consent for the delivery of such commercial messages is itself a CEM.
Under the CASL, as of July 1, any CEM must also contain the following:
- Information (prescribed by regulation) that identifies the person sending the message and the person on whose behalf it is sent, if different;
- Information that will enable the recipient to “readily contact” the sender; and
- An unsubscribe mechanism that allows the recipient to indicate, at no cost, their desire to no longer receive any CEMs through the same electronic means by which the message was sent, or, if that is not available, an electronic address or link to a webpage to which the indication can be sent. A person must honor an opt-out request within 10 business days.
The law allows certain commercial messages that are transactional in nature to be sent without the recipient’s prior consent, without the sender identification, and without the unsubscribe mechanism. For example, CEMs that provide price quotes requested by the recipient, or that facilitate, complete, or confirm a commercial transaction, are permitted. The same applies to CEMs that provide warranty information, that provide notice of factual information about an ongoing subscription or account, or that deliver a product (including updates or upgrades) that the recipient is entitled to receive.
The CASL also contains specific provisions regarding how express consent is to be obtained. It requires that a request for consent to receive CEMs set forth “clearly and simply” the purpose(s) for which consent is sought, the identity of who is seeking consent and, if different, on whose behalf consent is being sought.
Consent also can be implied where an existing business relationship or personal relationship exists. For this purpose, an “existing business relationship” (EBR) requires the purchase or lease of a product or service (or certain other commercial transactions) within the two-year period immediately before the day on which the CEM is sent. Alternatively, an inquiry or application, within the six-month period prior to the sending of the CEM, also creates an EBR.
These rules apply to CEMs. Computer programs, including mobile applications, will also be subject to additional requirements that take effect on January 15, 2015. First, the provider of the software must “clearly and simply describe, in general terms” its function and purpose. Additionally, disclosures are necessary if the program will cause the recipient’s computer to operate in a manner contrary to the user’s reasonable expectations, such as by collecting personal information stored on the computer, changing settings, or similar malware functions. Updates and upgrades to a computer program are permissible only if the person who gave the consent to the installation in the first place is entitled to receive the update or upgrade under the terms of the initial express consent.
What about software, such as cookies, that necessarily is installed when a computer visits a website? The law contains an exception that presumes consent to the setting of cookies, to the installation of HTML code and JavaScript, and to the downloading of programs executable only through programs that the user has previously installed or consented to. Consent is also presumed where a person has conspicuously published the electronic address and the recipient has not indicated a preference not to receive CEMs at that address.
When the CASL takes effect on July 1, 2014, the law initially will be enforced only administratively. The maximum penalty for a violation is $10 million, but the regulations may specify that each day on which a violation occurs constitutes a separate violation. However, the CASL also authorizes private rights of action, including class actions, as of July 1, 2017.
As mentioned above, the CASL will apply to U.S. firms sending commercial emails and computer programs, such as apps, into Canada. This will present a risk for many American businesses that currently transmit CEMs on the “opt-out” basis established by the U.S. CAN-SPAM law. Those businesses will need to consider whether to segregate their Canadian recipients (if they can be identified) for separate handling in their marketing, or whether to convert to a more opt-in approach generally. And even if the Canadian recipients can be identified, securing the necessary consents may be a heavy lift.
To alleviate the effect of these changes, the CASL in effect will grandfather “established business relationships” in existence as of July 1, 2014, for a three-year transitional period if the EBR includes the transmission of CEMs. During the next three years, companies may rely on implied consents arising from “existing business relationships” or non-business relationships, where permitted under existing Canadian privacy laws, unless that person expressly withdraws the consent. A similar three-year transition period will allow businesses to install updates or upgrades to computer programs on an implied basis, unless the person expressly rescinds consent.
American businesses with Canadian customers are well advised to begin taking steps now. Many marketers have painful memories of scrambling to adjust to last fall’s transition to a “prior express written consent” requirement for autodialed or prerecorded telemarketing calls. It would be advisable to avoid a repeat now, especially with the substantial penalties established by the law.
A first step would be to identify what types of CEM—as defined by the CASL—the business currently uses, or is planning to use in the next few years. This inventory should include not only emails, but texts and mobile applications. A second step is to review any software programs the business makes available, including mobile applications, to see whether appropriate consent to updates and upgrades has been obtained. Still another necessary step is to attempt to identify the Canadian recipients of such messages, and to figure out how to start converting them to an opt-in regime.
All this will likely consume a considerable amount of time and resources. Businesses should not wait until June to start thinking about what, if any, changes in their practices are appropriate.