The majority of the Canadian Spam Legislation (CASL) comes into force today—July 1, 2014. This includes Section 6, which relates to the sending of commercial electronic messages (CEMs). Starting today, businesses must obtain opt-in consent before sending CEMs that are accessed by computer systems in Canada. Compliance will be complicated in situations where a business only has an email address for a customer on its mailing list and does not know whether the customer is accessing the email through a computer system in Canada. Businesses may be liable for violations regardless of whether they know they are sending an email to a Canadian computer system without first obtaining the necessary consent.
Some of the provisions of the CASL will be familiar to U.S. businesses that have experience complying with the United States’ Controlling the Assault of Non-Solicited Pornography and Marketing Act—popularly known as CAN-SPAM. As with CAN-SPAM, the CASL has requirements regarding identifying the sender of CEMs and for permitting recipients to opt out of future messages. Where the CASL significantly differs from CAN-SPAM is in the requirement of opt-in consent for CEMs. Although the CASL gives flexibility as to how opt-in consent may be obtained, the burden is on the sender to prove the consent. “Pre-checked” opt-in boxes on websites are not considered sufficient proof of consent under the CASL.
Fortunately, the CASL includes a transitional provision that relates to the consent requirement. Consent to send CEMs is implied for three years (to July 1, 2017) where there is an existing business or nonbusiness relationship that includes the communication of CEMs. One-way communication for CEMs (e.g., where a business sends CEMs to a consumer with whom it has an existing relationship) is acceptable during this three-year period. Note, however, that this transitional period of implied consent will end earlier if the recipient indicates that he or she no longer consents to receiving CEMs. Furthermore, this “existing business relationship” must have been created before July 1, 2014, in order for a business to take advantage of this three-year transitional period. Businesses may take advantage of this transitional period to seek express consent for the continued sending of CEMs.
Express consent does not expire after a certain period of time has passed. If a business has obtained valid express consent before or after July 1, 2014, then that express consent does not expire, unless and until the recipient withdraws his or her consent.
Although the CASL does not apply to messages sent to individuals with whom the sender has a personal relationship, a “personal relationship” requires that the real identity of the individual who alleges a personal relationship is known by the other individual involved in such a relationship (as opposed to instances where a virtual identity or an alias is used). Using social media or sharing the same network does not necessarily reveal a personal relationship between individuals. The mere use of buttons available on social media websites — such as clicking “like,” voting for or against a link or post, accepting someone as a “friend,” or clicking “follow” — will generally be insufficient to constitute a personal relationship. Also, a personal relationship is one that exists between individuals. Legal entities, such as corporations, cannot have a personal relationship. Someone who sends a CEM on behalf of a corporation may not claim to have a personal relationship with the recipient.
If a business commits a violation under any subsection of Section 6 of the CASL (the area that governs CEMs), then the business may be required to pay an administrative monetary penalty of up to $10 million. Directors, officers, and agents of a corporation can be liable if they directed, authorized, assented to, acquiesced in, or participated in the commission of the violation.