Canada’s Anti-Spam Legislation, S.C. 2010, c. 23 (Can.), and the regulations promulgated thereunder (“CASL”), is poised to become one of the toughest anti-spam laws in the world when it comes into force on July 1, 2014. And you do not need to be a spammer or even located in Canada to fall under CASL. In fact, CASL will complicate the relationship and marketing and communication strategies between franchisors located outside of Canada and their potential franchisees or customers. Beginning July 1, 2014, no commercial electronic message (“CEM”) may be sent from or received in Canada unless the sender of that message has received either express or implied consent from the recipient (whether an individual or entity), or the CEM is otherwise exempt under CASL. The new law applies to virtually any company that sends any electronic message that, based on the content of the message, has a commercial purpose. The primary difference between the United States’ CAN-SPAM Act and CASL is that the former requires an opt-out procedure for the recipient (e.g., an “unsubscribe” link in a commercial message) whereas the latter requires the recipient opt-in before receiving the message. This article summarizes the scope of CASL, the stiff penalties for non-compliance, and suggestions for complying with CASL.
A CEM is broadly defined to include any message with the purpose of encouraging participation in a commercial activity. Content is key, as there are no specific regulations that define what a CEM may or may not look like. Some examples of a CEM include: offers to purchase, sell, or lease a product, service, or real estate; offers to provide a business or investment opportunity; and promoting a person, including the public image of a person who does, or intends to do, any of the foregoing. This list is not exhaustive, but merely serves to indicate the breadth of the new law’s intended reach. A CEM can be in the form of an email or text, sound, voice, image, or instant message. For instance, an email offer to sell a franchise is a CEM, as are text messages to purchase products or services sent by a franchisee to prospective customers.
But there are several CEMs that are exempt from CASL. CEMs within personal or family relationships are exempt provided that the sender can prove it has a personal or familial relationship with the recipient. Social media connections alone are not enough (e.g., an individual who has “liked” a business on Facebook does not create a personal relationship). Other CEMs that are exempt under CASL include responses to commercial inquiries, certain business communications, legal communications, and communications from Canada to be accessed in certain other countries (including the United States) if the communication meets the receiving country’s laws regarding electronic communication. Commercial inquiries are messages sent in response to a request, inquiry, or complaint, or that are otherwise solicited by the recipient. For instance, a response from a franchisor to a prospective franchisee who requested information on purchasing a franchise is an exempt commercial inquiry. Likewise, responses to a request for product or service information by a customer or a customer complaint are exempt commercial inquires. Certain business communications are also exempt under CASL:
- Communications within an organization, such as between employees;
- Communications between franchisees in the same franchise system concerning the activities of the franchisor and franchise system; and
- Communications between one organization (e.g., the franchisor) and another organization (e.g., the franchisee) that concern the activities of the receiving organization, which may include an electronic newsletter sent out to franchisees, messages regarding the franchise relationship between the two organizations, and notices of defaults and terminations sent to franchisees (which may also be exempt under the legal communications exemption).
These communications are CEMs but they are exempt from CASL’s consent and disclaimer requirements (discussed below). Although this list provides only a limited number of examples, the point is clear—unsolicited communications from businesses and individuals are the target of CASL.
The sender must obtain consent and provide identification information, either in the message or through a clearly identified link, and an unsubscribe mechanism for all CEMs that are not exempt from CASL.
a. Consent to Receive CEMs
Consent to receive a CEM may be given in two ways: express and implied.
Express consent means that the recipient provided a positive or explicit indication of consent to receive CEMs in response to a request that was both clear and simple. Express consent lasts until the recipient withdraws such consent. It is important to note that a solicitous email requesting consent to send further emails is considered to be a CEM and is also within reach of CASL. To the extent that a franchisor desires to send CEMs to Canadian customers of a franchisee, the franchisor should either obtain its own express consent from such customers or require the franchisee to have obtained the express consent of such customers to receive CEMs from both the franchisor and the franchisee.
Consent may be implied if there is an existing business relationship between the sender and recipient arising from the purchase, lease, or inquiry in a certain period of time of goods, services, or real estate; a written contract (e.g., a franchise agreement) currently in force or that expired no more than two years before the CEM was sent; or the acceptance or inquiry about, within a certain period of time, of a business or investment opportunity. This type of implied consent may be useful to franchisors. In an existing non-business relationship, consent may be implied where, for instance, a registered charity, political party, or candidate reaches out to a recipient that has provided a gift, a donation, or volunteer work. This also applies to a club, association, or voluntary organization where the recipient is a member. Implied consent is also applicable where the recipient has conspicuously published or disclosed his or her email address without indicating that he or she does not want solicitations and the communication relates to the person’s role, business, or function in a business or official capacity. Implied consent is generally time-limited to two years after the event that begins the relationship. If the communication is in response to an inquiry, the time limit for implied consent is capped at six months.
However, there are several CEMs that can be sent without obtaining consent, but these CEMs must still include the required content, below. These exemptions include a CEM that provides a quote or estimate that was requested by the recipient, warranty, product recall, and safety information, notification about an ongoing membership or other similar relationship, or information directly related to a current employment relationship. Consent is also not required for a CEM that completes or confirms a commercial transaction or delivers a product, good, or service that the recipient is entitled to receive.
Businesses can seek consent to allow other, third party businesses to send CEMs, even if those other businesses are unknown to the recipient at the time the consent is obtained, but the original business and the unknown third parties have significant compliance burdens to notify each other when the recipient withdraws consent.
The sender has the burden of proving consent, so express consent is the best option for purposes of documentation. Additionally, even if the CEM falls under an exemption to the consent requirement, the message is still required to provide identification information and a method by which to unsubscribe.
b. Required Content of the CEM
Every CEM not exempt under CASL is required to identify the name of the person or entity sending the message. If the message is sent on behalf of another party, that name must also be identified. Contact information is required in the form of a mailing address in addition to at least one of the following: phone number, email address, or web address. These contact methods must be accurate and valid for a minimum of sixty days after sending the message.
In addition, the message must contain a mechanism that clearly allows the recipient to easily unsubscribe at no cost.
2. Compliance with CASL
It is important that individuals and businesses that send messages subject to Canadian law develop an implementation plan. Depending on the size of the business, this can range from a simple process of isolating email addresses to a more complex system of database reconfiguration. Franchisors should ensure that franchisees comply with CASL if they are doing business in Canada or with Canadian individuals or entities.
When a violation occurs, the regulatory authorities will take into account many factors in deciding which enforcement measures are appropriate. Due diligence regarding implementation measures is a key factor in that it provides evidence that any violation was not a deliberate attempt to contravene the law. An implementation program can also serve as evidence that the violation was an isolated occurrence and not systemic in nature.
3. CASL Enforcement
After July 1, 2014, it is unclear how the Canadian regulatory agencies will enforce the new law. The penalties for violating CASL can be severe. In addition to reputational risk that may lead to brand damage, fines of up to $1 million for individuals and $10 million for organizations can be imposed. CASL also allows individuals affected by targeted emailing the option to bring a private civil suit for actual and statutory damages. However, this private right of action provision does not begin until July 1, 2017.
While the law is clearly aimed at deterring large-scale spam operations, many businesses’ marketing strategies are nonetheless subject to and affected by the new regulations. The expansive language of CASL and high degree of discretion vested in the regulating authorities leaves a large amount of uncertainty as to how businesses should operate. Criticism aimed at the law points out that most Canadian spam originates from outside the country, and Canadian authorities may not have enough recourse against these foreign entities. What remains are Canadian businesses who will be forced to comply even if doing so means losing access to long-established direct marketing campaigns and advertising. Moreover, until the Canadian regulatory agencies provide further guidance and it becomes apparent how CASL is being enforced, businesses outside Canada that communicate with Canadian individuals or entities should comply with the law.