The first wave of Canadian anti-spam legislation, or CASL, (S.C. 2010, c.23) will come into force on July 1, 2014, and will bring with it some of the most stringent anti-spam laws and most severe penalties U.S. businesses have encountered to date. CASL, which is intended to help Canadians avoid spam and other electronic threats, requires businesses and individuals sending commercial electronic messages (CEMs) to Canada to obtain express or implied consent from a recipient before transmitting a CEM. Accordingly, CASL will have serious implications for any business, including one located in the United States, sending a CEM to a Canadian customer, potential client, business partner, or the like. The new law also includes restrictions on the use of address harvesting tools, the alteration of transmission data, and the installation of computer programs.
Currently, under U.S. law (U.S. Can-Spam Act of 2003), senders of commercial messages have to allow recipients to "opt out" of or unsubscribe from receiving unsolicited CEMs. CASL, however, requires senders of CEMs, which may include e-mail messages, SMS communications, instant messages, VoIP communications, tweets, facebook posts, and similar electronic correspondence, to obtain express or implied, affirmative consent from each message recipient located in Canada prior to transmission.
Also under CASL, CEMs must contain specific message content and disclosure requirements. While senders of CEMs are in most cases required to obtain express written or oral consent from recipients, in some situations an exception will apply. Senders are encouraged to obtain express consent, however, and should not assume that an exception will apply. Express consent may be obtained, for example, by having the recipient check a box to "opt in" or type an email message into a field. After July 1, 2014, however, such consent must be obtained prior to the transmission of the CEM.
Businesses and individuals transmitting CEMs will have a three-year transition period to obtain consent from existing business contacts. During the three-year grace period, consent will be implied for those individuals with whom the sender has an existing business relationship. "Existing business relationships" is narrowly defined, however, and you should consult with an attorney before relying on this three-year transition period for existing contacts. And, as of July 1, opt-in consent must be obtained for any new recipient of CEMs.
Finally, the request for consent must include some specific information, including a statement indicating that the person whose consent is sought can withdraw their consent at any time.
CASL carries with it significant potential penalties for violations of its various provisions. CASL not only gives individuals and businesses a private cause of action for violations, it also provides for the following civil and criminal liability:
- Penalties of up to $10 million (CAD) per violation for corporations or $1 million (CAD) per violation for individuals
- Criminal liability for false or misleading statements
- Personal liability for officers and directors who knowingly violate CASL
- Vicarious liability for the actions of staff
- Civil liability of $200 (CAD) per violation, up to $1 million (CAD) per day, to individuals and businesses pursuing a private right of action
What You Can Do
Given the risk of incurring substantial civil or criminal liability for CASL violations, U.S. businesses are encouraged to work with legal counsel to develop, implement, and monitor a CASL compliance policy and strategy for obtaining opt-in consent from CEM recipients. Early action to develop policies and procedures for responding to CASL will help businesses seamlessly transition through the law's multi-stage implementation and avoid disruptions to marketing strategies and customer relationships.