Canada has enacted new Anti-Spam Legislation (“CASL”) that is anticipated to take effect in Fall of 2014. Although the new law was passed in December of 2010, the enforcement has been delayed to allow time for the Canadian Radio-television and Telecommunications Commission (“CRTC”) and Industry Canada to develop accompanying regulations. Nevertheless, because the new law will impose major changes, businesses, charities and individuals who use electronic marketing to reach customers or potential customers in Canada should start preparing for it now. Currently, US businesses can send marketing emails to anyone, including Canadian residents, without permission unless and until the recipient opts out by expressly notifying the sender that they do not want to receive such messages. However, once CASL goes into effect, companies will not be allowed to send any commercial electronic message (“CEM”) to any person or business in Canada without the prior express or implied consent of the recipient, unless the CEM falls within one of the following limited exemptions.
CASL specifically exempts companies from obtaining consent if the CEM is sent (i) in response to a request, inquiry, or complaint otherwise solicited by the recipient; (ii) due to a legal obligation or to enforce a legal right; (iii) by senders located outside of Canada if the message relates to a product, good, service or organization that is located or provided outside of Canada and the sender does not know that the recipient is in Canada, and neither knows nor reasonably expects that the message would be accessed in Canada; or (iv) as the first CEM following a referral by a third party who has an existing relationship with both the sender and the recipient. If there is no implied consent or the message does not fall within one of the exemptions, then express consent from the recipient is required prior to sending any CEM.
In light of this new law, companies need to proactively examine what type of electronic marketing messages they are sending to Canadian consumers to determine if what they are sending is a CEM. A CEM is broadly defined to include any message sent to an electronic address that “encourages participation in a commercial activity”. This definition includes not only email messages, but also e-mail newsletters, text messages, instant messaging, and direct messages sent by social media and blogs to subscribers’ or followers’ e-mail addresses. CASL specifically indicates that commercial activity does not have to be for profit. A simple donation request would not qualify. But if a request to donate is accompanied by either a promotional offer or an offer to sell a product, such as a t-shirt or ticket to a fund raiser, then the message would be subject to the CASL requirements.
If companies are sending CEMs, they need to review their e-mail lists and databases to assure that they have the appropriate consent from each recipient. Consent can either be implied or express. Implied consent exists if there is an existing business or non-business relation (for example, existing customer, member of a club, or prior donor to a non-profit) that arose within the past two years, but only if the recipient has not opted out or requested that they not receive messages. However, implied consent can only be relied on during a three-year transitional period from the time the regulations is enforced. Therefore, at some point during the transitional period, companies must obtain express consent from recipients. If they do not get express consent, they must cease sending the recipient messages after the three-year period.
Express consent may be obtained either orally (for example, through call centers or personal direct contact) or in writing (for example, through checking a tick-box on a webpage, filling out a consent form at the point of purchase, or electronic consent forms available online). If companies plan to obtain consent orally, they need to establish policies to generate effective evidence of the consents. The CRTC has suggested that oral consent can be demonstrated by verifying the consent through an independent third party (although it is unclear how this would be accomplished by companies) or by producing a complete and unedited recording of the consent.
Consequently, companies should start reviewing and, if necessary, updating their marketing strategies and express consent mechanisms, both paper and electronic, to assure that they acquire express consents that comply with the CASL’s opt-in format requirements. The most important point is that, for Canadian consumers, companies cannot rely on their failure to opt out — there must be explicit opt-in consent. Although companies may continue to use an icon or empty tick-box that requires the recipient to click or check to opt-in, they may not use a pre-checked box. Additionally, all express consents must conspicuously identify the purpose for the consent and the person seeking the consent. If a company is using a third party to secure consent on its behalf, the consent must clearly identify the company, not the third party, as the entity seeking consent. It is critical to get express consent from consumers prior to the effective date of the regulations. If companies wait to get consent until after the effective date, then even electronic messages sent to request consent will be considered spam and therefore prohibited.
Furthermore, the CTRC’s interpretation guidelines have made it clear that consent cannot be bundled with a request for acceptance of a company’s general terms and conditions of use or sale--consent for CEMs must be separate. In addition to a tick-box for terms and condition of use, a company must have a separate tick-box for express consent that must be checked by the person whose consent is being sought. Additionally, companies should review their website terms and conditions, as well as their privacy policies, to assure that the text properly explains the new express opt-in consent requirements imposed by CASL.
In addition to the prior consent rule, CASL also imposes content requirements on all CEMs, including those requesting consent. CEMs must (i) clearly identify the sender; (ii) have a clear, applicable and relevant subject line that reflects the purpose of the email; and (iii) contain the sender’s physical address and either the sender’s URL, email address or phone number, all of which must remain valid for up to 60 days after the message has been sent. All CEMs must also provide recipients with a simple way to unsubscribe/opt out of future messages (either by a link within the message or a working reply to address). The opt out option must allow for the removal of the recipient within 10 days of receipt of notice and remain active for 60 days from the day the electronic communication was sent.
The penalties for violating CASL can be severe, so the new law must be taken seriously. The maximum penalty per violation is $1 million for an individual and $10 million for a corporation. CASL also provides for private lawsuits by individuals, which opens up the possibility of class actions. Moreover, directors and officers may be personally liable for their company’s violation.
In order to avoid these penalties, companies should take the time now to ensure that they have data management systems in place to collect, validate, and store consents, and to manage all time-sensitive compliance requirements. It is vital that companies maintain copies of all express consents forms, mechanisms, and recordings as evidence of consent, because the burden of proving consent falls on the sender. Companies also need to remember to check with all relevant third party vendors, including marketing or mailing agencies, software providers, distributors, and anyone they use to develop or send CEMs to consumers, donors, or others, to make sure that they are taking the necessary steps to assure compliance. Companies should also consider revising the indemnification and insurance provisions of their agreements with third parties to cover the cost of any violation.
Since the regulations have not been finalized, we do not have a complete understanding of the requirements of this new law. However, we do urge companies who send CEMs to Canadian companies to start the development and implementation of compliance programs now so that they will be ready once the regulations take effect.