Canada’s anti-spam legislation (“CASL”) is not yet in force but organizations are already busy preparing for the new rules, including evaluating their current practice of obtaining consent from recipients prior to sending electronic messages. Charities and not-for-profits are subject to privacy laws when they carry out activities that have a commercial nature and, therefore, may have already obtained consent from recipients to collect, use and disclose a recipient’s personal information. It is important for charities and not-for-profits to understand that the consent required under privacy legislation differs from the consent that is intended under CASL. Some specific considerations when evaluating consent include the following:
- Opt-in consent occurs where an organization will not do something, such as sending you unsolicited messages, unless you actively affirm that you accept that action by checking a box or verbally affirming. Opt-out consent occurs where an organization will do something, such as sending you unsolicited messages, unless you otherwise tell it not to. Guidance from the Federal Office of the Privacy Commissioner (“OIPC”) suggests organizations can use “opt-out” consent unless the information collected, used or disclosed is considered extremely sensitive. CASL and the related Canadian Radio-television and Telecommunications Commission (“CRTC”) guidance, on the other hand, require that organizations only use opt-in consent where express consent is required from recipients. Opt-in consent is a much higher standard.
- CRTC has stated that, where opt-in consent is required under CASL, a pre-ticked box will not suffice, and recipients must be given the option to proactively check the box or click an icon to opt in. Guidance from the OIPC does not contain similar requirements.
- Both privacy legislation and CASL contain different provisions for occasions when consent may be implied by individuals (that is, where express, written consent is not required). CASL will generally allow implied consent where there is an existing or proposed relationship between the parties as defined in CASL, but puts an expiry date on the length of time the relationship implies consent. Privacy legislation and guidance from the OIPC, on the other hand, allows implied consent where the intended use is obvious in the context and does not generally place an expiry date on implied consent.
It is important for charities and not-for-profits to evaluate their obligations under both CASL and applicable privacy legislation to determine when each piece of legislation will apply and the type of consent required from those with whom they interact.