Most U.S.-based businesses are aware of the federal and state anti-spam laws and their obligations to comply with them. This summer, Canada will add its own anti-spam law to the compliance list. Canada’s Anti-Spam Law (CASL), effective on July 1, will become one of the most stringent laws governing electronic messages sent by businesses. CASL’s central feature requires U.S., Canadian and certain other foreign companies that send “commercial electronic messages” (CEMs) within, from or to Canada to receive consent from recipients before sending such messages. CASL contrasts sharply with U.S. law, which generally allows commercial messages to be sent without permission unless a recipient opts out of receiving them.
A CEM is any electronic message, such as an email, text or social media message, that in whole or in part encourages participation in a commercial activity, regardless of whether there is any expectation of profit. Under the new law, all CEMs are required to include contact information for both the sender and any person on whose behalf the message is sent, as well as set out an electronic unsubscribe mechanism that complies with CASL’s requirements. Under the new law and its regulations, however, certain messages will not be deemed to be CEMs, such as:
- Messages sent to enforce a legal right (like a contractual obligation).
- Messages sent by a non-Canadian business, provided the sender reasonably believes the message will be received outside Canada.
In most cases the recipient’s express consent must be obtained. To be valid, the request for express consent must set out “clearly and simply” the purpose for which consent is being sought; certain information about the person seeking consent (and if applicable, the person on whose behalf consent is being sought), including contact information; and a statement that the consent may be revoked. In some limited cases, however, consent may be implied, such as if the sender and recipient have an “existing business relationship” or an “existing non-business relationship,” as those terms are defined by CASL and its regulations.
CASL permits a person to seek consent to receive CEMs on behalf of an unknown third party and authorizes the person to use the consent if:
- The consent request identifies the person obtaining the consent.
- The subsequent CEMs identify the person who obtained the consent.
- The unsubscribe mechanism required to be in the CEM allows the user to withdraw consent from the person who obtained it and any other person authorized to use it.
If a user sends an unsubscribe request, the unsubscribe must take effect no later than 10 days after the request is sent. The same deadline applies to all third parties authorized to use an express consent.
The potential penalties for noncompliance with CASL are substantial. Individuals face administrative penalties of up to CDN $1 million per violation, and companies face up to CDN $10 million per violation. The officers and directors of a company can be held personally liable for a CASL violation if they authorized or acquiesced in the violation, and an employer can be held vicariously liable for a CASL violation committed by an employee if the violation was committed within the scope of the employee’s employment. CASL also includes a private right of action, which allows any person affected by a violation to sue for actual and/or statutory damages. The private right of action will be available July 1, 2017.
To prepare for compliance with CASL, companies should consider:
- Reviewing the types of electronic messages the company distributes and determining whether CASL applies to any of them. Where required, a company should seek express consent in accordance with CASL’s requirements well before the effective date of July 1, 2014 and ensure that all required unsubscribe mechanisms are in place and fully operational.
- Seeking express consent even if implied consent is available. Not only is express consent easier to document, this exercise may permit the company to “refresh” relationships with older contacts. If implied consent is used, the company should document all reasons for the implied consent and develop a system that will identify when the implied consent expires.
- Instituting CASL employee training and developing and implementing compliance policies and procedures.