On October 10, 2012, the Canadian Radio-television and Telecommunications Commission (CRTC) published two Compliance and Enforcement Information Bulletins regarding Canada’s Anti-Spam Legislation (CASL). The Guidelines on the interpretation of the Electronic Commerce Protection Regulations (CRTC) and the Guidelines on the use of toggling as a means of obtaining express consent under Canada’s anti-spam legislation (collectively, the Guidelines) provide some much needed guidance on several issues that have been raised by industry and commentators with respect to CASL as well as the Electronic Commerce Protection Regulations (CRTC) that were finalized in March 2012 (the CRTC Regulations). In particular, the Guidelines provide significant further interpretation of the requirements regarding express consent.
The anti-spam provisions of CASL prohibit, subject to limited exceptions, the sending of a commercial electronic message (CEM) unless the recipient has consented to receiving the message and the message meets certain form and content requirements. Except where CASL explicitly allows consent to be implied, companies must obtain express consent in order to send CEMs. Please refer to our concurrently published Blakes Bulletin which sets out an overview of CASL and the CRTC Regulations. CASL is expected to come into force in 2013, possibly four to six months after Industry Canada regulations have been finalized.
REQUESTS FOR EXPRESS CONSENT
Separate Opt-in Consent Required
The CRTC has made clear in the Guidelines that “a positive or explicit indication of consent is required” to comply with the express consent requirements of CASL and therefore “express consent cannot be obtained through opt-out consent mechanisms”. This impacts the common industry practice of using a “pre-checked” box on a computer or device screen that assumes the user’s consent unless the user takes the active step to “un-check” the box. The Guidelines state that such practice is not an acceptable form of express consent under CASL. Instead, if a check box is used, the user must actively check it to indicate his or her consent. Another consent mechanism deemed acceptable under the Guidelines would be where the individual actively enters his or her email address into an electronic field to indicate consent where it is explicit that the individual is entering his or her address for this purpose.
While the Guidelines do not explicitly comment on this issue, in the illustrated figures that are provided as examples, the mandatory contact information of the person requesting consent appears to be included in a “Contact Us” link rather than on the same screen or page with the check box/address field and “Submit” button. This implicitly suggests that the requirements in the CRTC Regulations about providing the contact information of the person requesting consent can be satisfied by means of a link to that information.
The Guidelines also state that requests for consent may not be “subsumed in, or bundled with requests for consent to the general terms and conditions of use or sale”. Rather, the request for consent to do one of the acts contemplated by sections 6 to 8 of CASL must be clearly and separately identified. The Guidelines provide that people must, for example, be able to grant consent to terms and conditions of use but may refuse to grant consent for receiving CEMs.
Clarification of “Sought Separately”
The CRTC Regulations require that express consent must be sought separately for each act described in sections 6 (sending CEMs), 7 (altering transmission data in electronic messages) and 8 (installing a computer program on another person’s computer) of CASL. The Guidelines clarify that this means consent must be sought separately for each act in sections 6 to 8 and that a person must be able, for example, to grant consent for the installation of a computer program separately from consent to receive CEMs. However, consent does not need to be sought separately for each instance of an act.
Oral or Written Consent
The CRTC Regulations provide that a request for express consent may be obtained orally or in writing. The Guidelines set out two ways that oral consent can be established, namely where (1) verification may be made by an independent third party or (2) a complete and unedited audio recording of the consent is retained by the person seeking consent. These are not necessarily the only ways a sender of a CEM can establish that oral consent has been provided, but these are the only methods set out in the Guidelines. Given the difficulty in many situations of satisfying the requirements in the Guidelines for establishing oral consent (for example, at point of sale in a retail context), reliance on oral consent may not be practical for many organizations.
The Guidelines state that written consent may be electronic, provided that the date, time, purpose and manner of the consent is stored in a database.
Following receipt of express consent, the Guidelines state that confirmation should be sent to the person whose consent was sought, although this requirement does not appear in either CASL or the CRTC Regulations.
FORM AND CONTENT REQUIREMENTS
The CRTC Regulations provide that every CEM must set out information that identifies the sender of the message and, if applicable, the person on whose behalf the message is sent. Prescribed contact information for such persons must be set out in the CEM. The Guidelines state that this “does not require that persons situated between the person sending the message and the person on whose behalf the message is sent need necessarily be identified. For example, persons so situated who may facilitate the distribution of a CEM but have no role in its content or choice of recipients.” Accordingly, service providers such as those who merely provide an email or other software platform but are not ultimately in control of the sending do not generally need to be identified.
The Guidelines are clear that when a CEM is sent on behalf of multiple persons, including on behalf of multiple affiliates, all such persons must be identified.
The CRTC Regulations require that an unsubscribe mechanism must be set out clearly and prominently in each CEM and must be able to be “readily performed”. The Guidelines state that an example of an unsubscribe mechanism that can be readily performed is a link in an email that takes the user to a web page where he or she can unsubscribe from receiving all or some types of CEMs from the sender. With SMS texts, the Guidelines state that the user should have the choice between replying “Unsubscribe” or “STOP” to the text message or clicking a link that will take the user to a web page where he or she can unsubscribe from receiving some or all types of CEMs.
This is the first set of bulletins issued by any of the regulators to provide guidance on CASL. We expect more guidance will be released by the regulators in the future to facilitate compliance with CASL.