At the end of June, Industry Canada and the CRTC released their proposed regulations for Canada's Anti-Spam Law (CASL), with a 60-day period for comments. While the final regulations have not yet been published, the draft regulations provide useful guidance for organizations preparing for the law, which is expected to come into force in early 2012. Some changes in the proposed regulations may be made; however it is unlikely that any changes will make the compliance requirements more onerous. Therefore, there are strong reasons for businesses to be adjusting their procedures and email formats now in anticipation of the new law, with the draft regulations serving as guidance.
CASL regulates "commercial electronic messages" (CEMs), a term that is broadly defined to include all forms of electronic communication if used for commercial purposes (including email, text and twitter).1 It also regulates downloading of software and interception or alteration of electronic messages. In the immediate time-frame however, the law's main impact will be on CEMs used by businesses to communicate with their customers and others.
key compliance rules
Subject to limited exceptions,2 the law imposes the following key requirements for all CEMs:
- disclosure of the identity and readily-accessible contact information of the sender;
- a readily-accessible unsubscribe mechanism; and
- the recipient's prior consent to receive the CEM.
The draft regulations provide useful guidance for organizations seeking to adopt CASL-compliant procedures that respond to these requirements.
identity and contact information
All CEMs must include sender identity and contact information, as follows:
(i) the identity of the sender and any person on whose behalf the message is sent;
(ii) a statement of the relationship between the sender and any person on whose behalf the message is sent;
(iii) disclosure of any other names by which such persons carry on business; and
(iv) contact address information for such persons, specifically:
- a physical and mailing address,
- a telephone number with access to a person or voicemail,
- an email address,
- a website address,
- any other electronic address used by them;3
all of which must be valid for at least 60 days following sending the CEM.
If it is not practicable to include the above information together with the unsubscribe mechanism (see below) within the CEM, the information may be provided via a prominently disclosed link to a web page, accessible by a "single click" or "another method of equivalent efficiency", at no cost.
All CEMs must include clearly and prominently a no-cost unsubscribe mechanism using the same media as the CEM or, if using that media is not practicable, any other electronic means enabling the unsubscribe request, and must specify an electronic address or link to a web page to which the request may be sent. Any unsubscribe request must be able to be performed in no more than two "clicks" or other method of equivalent efficiency.
consent to receive CEMs
Subject to specified exceptions,4 sending of CEMs is prohibited unless the intended recipient has consented, in advance, to receiving them from the sender or a person on whose behalf they are sent. Consent must be express – i.e. "opt-in", unless implied consent has been given. CASL does not define express consent. However implied consent is defined.5
requests for consent
If a sender does not have implied consent, it must obtain prior, opt-in, express consent from the intended recipient. CASL, in subs. 6(b), sets out certain requirements for information to be included in any request for consent.6 These requirements are supplemented by the draft regulations, which include certain form requirements.
All requests for consent must:
(i) be in writing (which would include electronic communications);
(ii) state the purposes for which consent is sought (i.e. what is or are the reason(s) for which CEMs are intended to be sent);
(iii) identify the requestor and any person on whose behalf the requestor is seeking consent and describe the nature of their relationship (e.g. requestor is an email marketing service provider);
(iv) identify any other names under which the requestor and its client (as applicable) carry on business;
(v) provide the following contact information for the requestor and its client (as applicable):
- physical and mailing addresses,
- a telephone number having either an active person response or voicemail capacity,
- an email address,
- a website address,
- any other electronic address used by them; and
(vi) state that the recipient may withdraw their consent by using any of the required contact information.
action items for compliance
The government's release of the CASL draft regulations enables organizations to focus their compliance strategies. The following are key action items for organizations to consider.
1. Conduct a comprehensive inventory of email contact lists, categorizing each addressee by CASL exceptions and consent qualifications, such as:
(i) existing customer or donor relationship and timeline of most recent transaction;
(ii) inquiry or application and date made;
(iii) express consent obtained.
2. Email contact lists that include both Canadian and non-Canadian addressees may require scrubbing either to exclude Canadian addressees or to identify them for CASL compliance – may require due diligence to go behind the email address.
3. Databases that do not qualify according to CASL categories will require upgrading (technology, software) and protocols for evergreen scrubbing (i.e. deletions as qualifications expire).
4. Develop strategies for capturing express consents (e.g. email response, website sign up, application forms, agreements, email policies).
5. For email contacts within existing databases that cannot be CASL-qualified, initiate email opt-in consent programs immediately (i.e. prior to CASL in-force date).
6. Develop internal compliance procedures, forms, policies and controls.
As we have noted previously,7 CASL will require organizations to adjust substantially their email communications procedures and practices. While it is anticipated that a period of flexible compliance expectations may characterize the government's early enforcement approach, ultimately the potentially severe penalties for non-compliance will have an impact. As well, the law's private right of action poses the threat of substantial financial costs to non-compliers.