While Canada’s “anti-spam” legislation (CASL) has not yet been proclaimed in force, the CRTC has been busy fulfilling its mandate pursuant to that legislation. In March of this year, the CRTC issued the Electronic Commerce Protection Regulations (CRTC) (Regulations), which prescribe the form and certain information to be included in commercial electronic messages, and requests for consent to send CEMs, the alteration of transmission data in electronic messages, and the installation of computer programs.
The CRTC has now issued two guidelines to provide detail on the content requirements for commercial electronic messages, and what practices and format it would consider acceptable to obtain consent to send a commercial electronic message.
Most interesting are the sections regarding request for consent — how to get it, and what needs to be included.
The CRTC makes it clear that each of the prohibited acts (sending a CEM, altering transmission data in electronic messages in the course of a commercial activity, and installation of a computer program on another person’s computer in the course of a commercial activity) require separate and distinct consent to be obtained.
The CRTC further clarifies that consent cannot be subsumed in website terms and conditions — it must be clearly identified and separate from the consent to general terms and conditions of use or sale. Similarly, if the proper use of a product or service requires the installation of a computer program, then it should be explained in the consent request, and consent must be obtained before the product is used or sold.
The CRTC provides useful details on means and methods to obtain consent. It is clear that express consent must be an opt-in mechanism, not an opt-out mechanism. Therefore, organizations are going to have to be explicit in this regard, and a toggling mechanism that pre-checks a consent box will not be sufficient. A CEM cannot be used to elicit express consent, either. It would, however, be sufficient to require the individual to actively check a blank consent box, or type in an email address to indicate consent, with a confirmation of receipt provided to the individual.
The CRTC has also provided some detail on the unsubscribe mechanism to be included in a CEM. This mechanism must be “readily performed”; for emails, a link that takes the user to a webpage where the user can unsubscribe from receiving all or some types of CEM’s from the sender works, as does a reply to an SMS message with the word “STOP” or “Unsubscribe”, then clicking on a link to unsubscribe. Again, this will be an interesting shift from the current practice of embedding the unsubscribe mechanisms in user terms or privacy policies.