Canada’s Anti-Spam Legislation (CASL) came into effect three years ago to restrict commercial electronic messages (CEMs). It started with a probationary period of sorts to help organizations ease into compliance. On July 1, 2017 that phase-in period ends.
The deadline is specifically related to the CASL requirements for obtaining “consent” from recipients of CEMs. Starting on July 1, 2014 when CASL first came into effect, recipients who had an existing relationship with the sender were assumed to have “implied consent” to receiving CEMs for the duration of the phase-in period. This implied consent could be explicitly withdrawn at any time by the recipient. On the three-year mark of July 1, 2017 the phase-in period ends and all of these automatically implied consents cease to apply.
In order for the sender to maintain a recipient’s consent, the recipient has to either have given “explicit consent”, or to have implied consent via some other mechanism of the law. A brief review of these terms is in order.
Implied and Explicit Consent
“Express consent” is very simply an active opt-in by a recipient. For example, they may have written their e-mail address on a subscription sheet for your organization or clicked a toggle box in an e-mail (no pre-checked boxes! They must opt in, not opt out). It lasts until they expressly withdraw it.
“Implied consent” is more nuanced and can come about in a few different ways:
- Some event starts a business relationship between the recipient and your organization: they buy or ask about your goods or services, enter into a written contract, or accept a business or investment opportunity. You have their implied consent for two years after the relationship-starting event.
- Some event starts a non-business relationship between the recipient and your organization: your organization is a registered charity or political party/candidate, and the recipient has provided a gift, donation, or volunteer work. You have their implied consent for two years after the relationship-starting event.
- Your organization is a charity, political party, club, association or voluntary organization and the recipient becomes a member. You have their implied consent for the period of the membership and for two years after it expires.
- The recipient has conspicuously published (or disclosed to your organization) the electronic address to which the CEM is sent, without stating they do not wish to receive unsolicited CEMs, and the CEM is relevant to the recipient’s business, role, functions or duties in a business or official capacity.
Any type of consent is immediately withdrawn at the recipient’s explicit request.
What To Do
If this sounds rather complicated, that’s because it is. But you can tackle your compliance needs by breaking the requirements down into pieces. Here are the important steps questions you or your organization must take as soon as possible:
- Identify recipients whose consent is “implied” only as a result of the phase-in period leniency.
Such recipients will meet all of the following criteria
2014 – The recipient and the sender had a business or non-business relationship as of July 1, 2014.
2015 – The recipient has not explicitly withdrawn their consent since July 1, 2014
2016 – The recipient has not given their explicit consent since July 1, 2014 (if they have done so, their consent will survive the end of the phase-in period).
2017 – The recipient has not given their implied consent some other way since July 1, 2014.
Ideally, you will have kept a register of recipients that indicates what kind of consent was given and when. CASL even requires that you retain documentation to prove each consent. In reality, this is a potentially enormous administrative burden that many senders may not have fully met.
2. Take immediate steps to minimize your risk of exposure.
As you work on identifying them, segregate the expiring recipients from your mailing lists so that no CEMs are wrongly sent to them. If you are not sure whether you have a recipient’s consent, err on the side of caution.
In general, your organization should be keeping track at the least via spreadsheet as to which recipients have given their express or complied consent to receive CEMs, the way in which they did it, and (if any) the date on which their consent will expire.
It is important to note that the following types of CEMs do not require consent:
- Sent internally in an organization, and concerns the organization’s activities
- Sent between organizations that have a relationship, and concerns the recipient’s activities
- Sent by or on behalf of a registered charity and the primary purposes is raising funds for the charity
- Sent by or on behalf of a political party/organization/candidate and the primary purpose is soliciting contributions
- In response to a recipient’s request, inquiry, or complaint
- Sent to satisfy a legal obligation or enforce a law/legal right
- Reasonably believe to be accessed by the recipient in a foreign state
3. Help the expiring consents to survive the deadline
Before July 1, send an e-mail to your expiring recipients asking them to actively opt-in to receiving missives from your organization. Once they opt-in, for example by clicking a button that says “subscribe”, they have given their explicit consent. This will last indefinitely, until they explicitly withdraw it.
“Private Right of Action”
In early June, the federal government announced that certain provisions that were supposed to coming into force on July 1 have been suspended. These provisions allow “private right of action”, i.e. the ability to bring lawsuits against individuals and organizations for alleged violations of CASL. The business and non-profit sectors both pushed back on these provisions, and they are now being suspended indefinitely pending parliamentary review. The Act will continue to be enforced by the government, including penalties of up to $10 million.