Both the CRTC and the Department of Industry have now published their respective proposed regulations intended to flesh out the requirements of Canada’s Anti-Spam Legislation (CASL) [available here] which is scheduled to come into force January 1, 2012. The CRTC Regulations [available here] and the Industry Regulations [available here] are both called “Electronic Commerce Protection Regulations” and provide additional information on three aspects of CASL.
Comments on the CRTC Regulations may be made to the CRTC by August 29th and comments on the Industry Regulations may be made to Industry before September 7th.
CASL, creates a comprehensive regime of offences, enforcement mechanisms, and potentially severe penalties (including personal liability for corporate directors and officers) designed to prohibit unsolicited or misleading commercial electronic messages (CEMs) and to deter other forms of online fraud (including identity theft, phishing and spyware). For most organizations, the key parts of CASL are the rules for CEMs, which apply to almost every electronic message (including email and instant messages) relating to a commercial activity. Subject to limited exceptions, CASL prohibits the sending of a CEM unless the recipient has given consent (express or implied in limited prescribed circumstances) to receive the CEM, and the CEM complies with prescribed formalities and is not misleading. The rules can be enforced by regulators and through private lawsuits. Contravention of the rules for CEMs can result in severe administrative penalties (up to $1 million per violation for individuals and up to $10 million per violation for organizations) and civil liability.
For more information on the detailed provisions of CASL and guidance on implementing a compliance plan, see our earlier publication PREPARING FOR CANADA’S NEW ANTI-SPAM AND ONLINE FRAUD ACT [available here].
The CRTC Regulations prescribe the form of, and information to be included in, a CEM. They also prescribe the information that needs to be provided when requesting consent to install a computer program that performs a function specified in CASL.
The Industry Regulations define the terms “family relationship”, “personal relationship” what constitutes membership in a club, association or voluntary organization and conditions for the use of a consent.
Section 6 of CASL prohibits the sending of a commercial electronic message unless the person to whom it is sent has consented to receiving it, it complies with requirements which are to be prescribed, sets out information about the person who sent it or on whose behalf it is being sent and provides for an unsubscribe mechanism. Section 10 specifies what is required to obtain consent. The CRTC Regulations provide additional meat on the bones of these two sections and prescribe the information that must be included and how the unsubscribe mechanism is to be presented.
For the purposes of section 6(2) the specific information that needs to be set out to identify the person sending the message or on whose behalf the message is sent are detailed. This information includes the name of the person or business sending the CEM, the name of the person or business on whose behalf it is sent, if different, a physical and mailing address, a telephone number providing access to an agent or a voice message system, an email address and a web address. The regulations do permit both the identifying information and the unsubscribe mechanism to be provided by way of a link to a web page if it is not practicable to include the information in the CEM itself. This concession will accommodate CEMs with limited character capability such as Twitter.
The Regulations also require that the unsubscribe mechanism must be capable of being performed in “no more than two clicks or another method of equivalent efficiency” even if the method involves a link to a web page.
The request for consent, interestingly enough, must be “in writing”. One assumes that this would include an electronic consent request and response for which there is a permanent record. However, the regulation is not clear. The consent does not need to be in writing but the request does. Accordingly, it appears that a verbal request for a consent made during a telephone call to a call centre, even if the request and the consent are permanently recorded, would not qualify. The regulation is also silent on any requirement for the recording or preservation of the consent, but presumably it is up to the sender of the CEM to ensure that he or she can demonstrate that consent has been obtained and that the legislative requirements have been met.
A separate consent is required for each of the acts described in section 6 to 8 of CASL, sending a CEM, altering transmission data in a CEM so that the message is delivered to a destination other than, or in addition to, that specified by the sender and installation of a computer program and installing certain computer programs.
The Consent request requirements are quite detailed and must include:
- the name of the person seeking consent and the person, if different, on whose behalf consent is sought;
- if the consent is sought on behalf of another person, a statement indicating which person is seeking consent and which person on whose behalf consent is sought;
- if the person seeking consent and the person, if different, on whose behalf consent is sought carry on business by different names, the name by which those persons carry on business;
- the physical and mailing address, a telephone number providing access to an agent or a voice messaging system, an email address and a web address of the person seeking consent and, if different, the person on whose behalf consent is sought and any other electronic address used by those persons; and
- a statement indicating that the person whose consent is sought can withdraw their consent by using any contact information referred to in paragraph (d).
Subsection 10 (5) of CASL details certain functions of a computer program that have additional disclosure requirements which are also amplified by the regulations. Consent to the installation of a computer programs that performs one or more of the functions listed subsection 10 (5) of CASL must be separately brought to the attention of the person from whom consent is sought. The consent request cannot be combined with a consent to send a CEM.
One of the exceptions to the requirement to obtain consent before sending a CEM is if the message is being sent to an individual with whom the sender, or person on whose behalf it is sent, has a personal or family relationship, to be defined in regulations. These regulations define who falls into the family relationship class and includes blood relationships, marriage or common-law relationships and adoption relationships. While presumably intended to cover all of the basis, one can envisage that there will be “family relationships” which have not been thought of that will have to be added at some point.
The regulation also defines a “personal relationship” which requires a relationship, other than in relation to a commercial activity, between an individual who send the message and the individual to whom the message is sent. However, they must have had an “in-person meeting” and within the previous two years, a two-way communication. So the personal relationship would not include your long time pen pal in Europe, whom you have never met in person, even though you may have been in communication for years by way of snail mail, telephone and email and are fast friends on Facebook. Is a video conversation on Skype an “in person meeting”?
The Industry regulations also prescribe the conditions for using a consent, as opposed to the requirements for a valid consent., when consent is being obtained on behalf of another person. These provisions address the requirements for passing on the use of a general consent when mailing lists are exchanged or sold.
Finally, the Industry regulations prescribe what constitutes membership in a club, association or voluntary organization for the purposes of paragraph 10 (13) (c) which sets out certain “existing non-business relationships”, including such memberships, where consent to the sending of a CEM is implied.
Most observers were expecting more detail in the regulations and more specific guidance as to how consents were to be obtained and recorded. The legislation still leaves a lot to the imagination and will require the senders of CEM’s, which encompass virtually all electronic communications with customers and clients, to be extra vigilant in determining if they have met the requirements of CASL. Hopefully the CRTC will issue more detailed guidance as to its interpretation of some of these requirements to provide additional assistance to the senders of CEMs.