Canada’s Department of Industry has published long-awaited Governor in Council regulations and announced key compliance dates necessary to implement Canada’s anti-spam law (CASL), which was enacted almost exactly three years ago. Key CASL provisions governing commercial electronic messages (CEMs) take effect July 1, 2014, while on Jan. 15, 2015, the sections of the law related to unsolicited installations of computer programs or software come into force. To ease the transition, CASL’s private right of action provisions will not take effect until July 1, 2017.
CASL is far broader and more punitive than US anti-spam law and does not deal solely with email “spam.” The new law also applies to all CEMs sent to instant message and social network accounts, and by short message service (SMS) texts to cell phones, and regulates the installation of computer programs and alteration of transmission data as well. When the new law is fully in force, it will apply to all CEMs sent from or accessed by a computer system located in Canada and thus governs CEMs sent from the other countries, including the United States.
CASL will generally prohibit:
- Sending CEMs without recipient consent to email addresses, social networking, and similar accounts, and to cell phones by text-message;
- Altering transmission data in electronic messages to cause delivery to a different destination without express consent;
- Installing any computer program or software without express consent;
- Using false or misleading online representations to promote products or services;
- Collecting personal information by accessing computer systems in violation of Canadian federal law (e.g., the Criminal Code of Canada); and
- Collecting electronic addresses by using computer programs (address harvesting), or the use of such addresses without consent.
Accordingly, the next 6 to 12 months will be critical for all businesses in Canada—as well as those in the United States who have a presence in Canada, or send CEMs or computer software downloads that will be received or downloaded by Canadian residents—to achieve compliance.
Commercial Electronic Messages (CEMs)
Generally. Under CASL, CEMs are any electronic messages (i) sent by any means, using text, sound, voice, or image(s), (ii) to any “electronic address,” including email or instant message identifiers and phone numbers, or any “similar account,” (iii) to encourage participation in any commercial activity. CASL does not govern interactive two-way voice, faxing, or sending voice-recordings to phone numbers, nor does it govern blog-posting or other publications on microblogging and social media sites if the activity is not directed to specific electronic addresses. Note also that “electronic addresses” do not include IP addresses if they are not linked to an identifiable person or account
“Encouraging participation in commercial activity” does not require any expectation of profit, and encompasses any message that, based on its content, and/or on contact information and/or included hyperlinks, can reasonably be said to have as one or more of its purposes (even if not a primary purpose) encouraging such participation. This includes offers to sell, purchase, barter, or lease any good, service or land; offers of business, investment, or gaming opportunities; and advertising or promoting any of the foregoing. However, the fact that a message is part of some commercial activity, includes links to a website, or has business-related electronic addressing does not make it a CEM, if none of its purposes include encouraging commercial activity as described above. Thus, messages consisting of newsletters, surveys, polling, and soliciting charitable donations, political contributions, or other political activities are not CEMs.
CASL generally forbids false or misleading subject lines and/or sender information, and requires CEM senders to obtain consent from recipients before sending, i.e., it requires opt-in, and that CEMs include information that identifies the sender (or the entity on whose behalf a CEM is sent) and that enables recipients to withdraw consent. Such withdrawals of consent, i.e., opting out, must be allowed at no cost by replying or clicking on an included link, which mechanism must be active for 60 days after the CEM is sent. Opt-out requests must be processed “without delay,” but in no event beyond 10 days after receipt.
For purposes of the identification requirement, the CEM must include the mailing address and (i) a phone number providing access to an agent or voice messaging system; (2) an email address; or (3) a web address of the sender or the party on whose behalf the message is sent. Such contact information must be valid for at least 60 days after the CEM is sent. Also, in the case of a CEM sent by one entity on behalf of another, the CEM must also have a statement indicating who is sending the message and on whose behalf the message is sent. All told, CASL’s opt-in rule departs from consent rules under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) that have governed e-mail marketing since 2000, as CASL’s procedures are more stringent than PIPEDA, which is an opt-out regime and does not limit implied consent to specific relationships or transactions, as does CASL.
Exceptions. CASL’s consent, opt-out and sender-ID requirements do not apply to CEMs:
- Sent by (or on behalf of) an individual to another individual with whom there is a personal or family relationship;
- To a person engaged in a commercial activity if the message consists solely of an inquiry or application related to that activity;
- Responding to a request, inquiry or complaint, or that are otherwise solicited by the recipient;
- For fund-raising by registered charities or political parties, organizations or candidates;
- On platforms where the required identification and unsubscribe information is conspicuously published and readily available to recipients on the user interface; or
- That it is reasonably believed will be accessed in and to be compliant with local law in certain listed countries outside Canada (including the U.S.).
CASL’s consent requirement does not apply (although opt-out and sender-ID rules still apply) to CEMs that:
- Provide quotes or estimates requested by the person to whom a message is sent;
- Transmit warranty, recall, or safety/security information;
- Offer a means of facilitating the use/purchase of a good/service under a subscription, membership, account, loan or similar relationship; or
- Facilitate/complete/confirm a transaction the recipient previously executed, and/or that deliver products/services (including updates or upgrades) that the message recipient is entitled to receive under a previously entered transaction.
The consent requirement also has an allowance that “implied” consent may suffice within specifically defined circumstances, such as a contractual relationship with the recipient. Other circumstances in which CASL’s consent requirement does not apply (although providing opt-out and sender-ID are still required) include where CEM senders have “implied consent” because:
- An existing business relationship is present based on the purchase, lease, barter for, or receipt/acceptance of any good, service, or land interest within 2 years before the CEM, or based on an application within 6 months before the CEM;
- There is an existing non-business relationships based on any donation or gift to, membership in, or volunteer work performed for a charity within the 2 years before the CEM; or
- Prospective recipients post or provide email addresses that invite communications or do not otherwise indicate the prospective recipients’ intent not to receive messages, so long as the CEM sent is relevant to the recipient’s business.
Compliance. Those seeking express consent for CEMs (and other CASL purposes—see below) may do so orally or in writing by setting out clearly and simply the purpose(s) for which consent is sought, the right to withdraw consent, and information that identifies the entity seeking consent (including contact and other information specified above). Express consents obtained before CASL comes into force to collect or to use electronic addresses to send CEMs will be recognized as being compliant with CASL.
Consent also may be obtained by one entity for another party provided the other party is identified or the asking party is identified in subsequent CEMs relying on the consent, as long as opt-outs cover not only the sender but also the entity who originally obtained the consent. Any party with shared consent must notify the others of any opt-out, and all must honor it.
CASL prohibits installing (or causing to be installed) in the course of commercial activity any computer program on any other person’s computer without express consent of the owner or an authorized user of that computer, and further prohibits anyone, having so installed or caused to be installed a computer program, from causing an electronic message to be sent from another’s computer without such consent. These restrictions apply if one of the parties is located in Canada.
The same rules that apply to obtaining consent for CEMs also apply to computer programs—that is, there must be a clear and simple description of the purpose for which consent is sought and of the identity of the entity seeking consent. In addition, for computer programs specifically, the entity obtaining the consent must also clearly and simply describe (in general terms) the function and purpose of the computer program to be installed, and if the consent is intended to cover future updates or upgrades, it describes them.
Entities seeking consent must describe—clearly and prominently, and separate from any license agreement—the program’s material elements, including its nature, purpose and reasonably foreseeable impact on the operation of the computer if installed. Those elements also must be brought specially to the attention of those from whom consent is sought, if it is known and intended that the program will cause the computer to operate contrary to the reasonable expectations of its owner or authorized user, through any of the following means:
- Collecting personal information stored on the computer;
- Interfering with the owner’s or an authorized user’s control of the computer;
- Changing or interfering with settings, preferences or commands already installed or stored on the computer without the knowledge of the owner or authorized user(s);
- Changing or interfering with data stored on the computer so as to obstruct, interrupt or interfere with lawful access to or use of the data by the owner or authorized user(s);
- Causing the computer to communicate with another computer system (or device) without authorization of the owner or an authorized user; or
- Installing a computer program that may be activated by a third party without knowledge of the owner or an authorized user.
There are also special provisions applicable to withdrawal of consent for the above-bulleted programs that require maintaining and furnishing an electronic address to which consenting persons may send a request to remove or disable the program. If it turns out that the consent was based on an inaccurate description of the material elements of function, the entity who obtained the consent must, on receipt of a request to remove or disable the program, assist the requester in doing so as soon as is feasible.
In addition, express consent is presumed if the owner’s or authorized user’s conduct is such that it is reasonable to believe they consented to installation of certain downloads, limited to:
- Cookies, HTML code, Java Scripts, and/or operating systems, and other programs executable only through the use of another program whose installation or use was previously express consented to;
- Programs installed by or on behalf of a telecommunications service provider (TSP) solely to protect the security of its network;
- Programs installed for purposes of updating or upgrading TSP networks; and
- Programs necessary to correct failures in the operation of the computer system.
Alteration of Transmission Data and Address Harvesting
CASL requires consent and the opportunity for withdrawal of consent (opt-out) to alterations of transmission data that occur in the course of a commercial activity, such as when one causes an electronic message to be sent to a destination different from that which the sender intended. The consent must clearly and simply describe the purpose of the alternation and the identity of the requester. As with CEMs, opt-outs must be honored “without delay” and in all cases within 10 business days.
CASL also generally prohibits the use of address-harvested email addresses without consent. Under CASL, “address harvesting,” is the collection of email addresses through such methods as (i) “web crawler” computer programs, and/or (ii) “dictionary attacks,” i.e., computer programs that guess email addresses by methodically trying multiple name variations. Once collected, the email addresses are often sold to spammers as destinations for unsolicited electronic messages.
Enforcement and Phase-In
CASL provides for criminal prosecution, and for administrative and monetary penalties for violations in amounts of up to C$1 million for individuals and C$10 million for other entities, along with a private right of action for those suffering actual loss or damage as a result of non-compliance. The law also creates criminal offenses for obstructing CASL investigations. As to the private right of action, while it will be necessary to prove actual damages, it is possible to envision class actions by multitudinous plaintiffs where damages, even if minor on an individual basis, are collectively significant. Directors and officers who authorized an organization's non-compliance can be personally liable.
CASL allows the Canadian Radio-Television and Telecommunications Commission (CRTC) to impose the administrative monetary penalties, and the Competition Bureau to seek administrative monetary penalties as well, or criminal sanctions under the Competition Act. The Competition Bureau may investigate and take action on false or misleading representations and deceptive market practices. CASL also affords new powers to the Office of the Privacy Commissioner, including enforcement against impermissible collections of personal information.
As noted at the outset, to permit reasonable time for businesses to become aware of and compliant with the CASL and its regulations, most of the law and rules do not take effect until July 1, 2014, though in order to facilitate compliance with the computer program provisions, those do not take effect until Jan. 15, 2015. To further reduce uncertainty regarding how CASL will be interpreted, the statute’s private right of action will take effect after three years, on July 1, 2017. The government cautions that those contemplating such a suit should get legal advice before filing, as legal fees incurred by the alleged violator to defend may be recoverable if a claim is improper or is considered not to have merit.