On July 1, 2014, key provisions of Canada’s Anti-Spam Legislation (CASL) come into force. CASL includes updates to the Personal Information Protection and Electronic Documents Act (PIPEDA).
The majority of the legislation comes into force on July 1, 2014. This includes Section 6, which relates to the sending of commercial electronic messages (CEMs). Section 8, the section that deals with the installation of computer programs, will come into force on January 15, 2015. The sections that deal with the private right of action will come into force on July, 1 2017.
Please note that some parts of the law came into force on April 15, 2011, with respect to some amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA).
Spam accounts for approximately 80% of emails in Canada and costs the Canadian economy approximately $3 billion per year. Clearly, the spirit of Canada’s new anti-spam legislation (CASL) is to stop indiscriminant mass marketing spam which clogs our email inboxes every day.
It is committed to reducing the harmful effects of spam and related threats to electronic commerce and are working towards a safer and more secure online marketplace. Canada’s new anti-spam legislation helps protect Canadians while ensuring that businesses can continue to compete in the global marketplace.
The Office of the Privacy Commissioner of Canada (OPC) will share responsibilities for enforcing the CASL with the Canadian Radio-television and Telecommunications Commission (CRTC) and the federal Competition Bureau.
The CRTC will be responsible for investigating the sending of unsolicited commercial electronic messages, the alteration of transmission data and the installation of software without consent.
The Competition Bureau will address false or misleading representations and deceptive marketing practices in the electronic marketplace.
The OPC meanwhile will focus on two types of violations:
- the harvesting of electronic addresses, in which bulk lists of email addresses are compiled through mechanisms that include the use of computer programs to automatically mine the Internet for addresses; and,
- the collection of personal information through illicit access to other people’s computer systems, primarily through means such as spyware.
The following FAQs provide information specifically about the OPC’s mandated responsibilities tied to CASL.
Knowing that people and businesses may need to change their practices when it comes to sending commercial electronic messages (CEMs), the legislation includes a transitional provision that relates to the consent requirement. There are two types of consent – express and implied. The transitional provision set out in section 66 of CASL applies to implied consent.
Under section 66, consent to send commercial electronic messages (CEMs) is implied for a period of 36 months beginning July 1, 2014, where there is an existing business or non-business relationship that includes the communication of CEMs. Note however, that this three-year period of implied consent will end if the recipient indicates that they no longer consent to receiving CEMs. During the transitional period, the definitions of existing business and non-business relationships are not subject to the limitation periods that would otherwise be applicable under section 10 of CASL. Businesses and people may take advantage of this transitional period to seek express consent for the continued sending of CEMs.
In contrast, express consent does not expire after a certain period of time has passed. If you obtain valid express consent before July 1, 2014, then that express consent remains valid after the legislation comes into force. It does not expire, until the recipient withdraws their consent.
If you commit a violation under any of sections 6 to 9 of CASL, then you may be required to pay an administrative monetary penalty (AMP). The maximum amount of an AMP, per violation, for an individual is $1 million, and for a business, it is $10 million. CASL sets out a list of factors considered in the determination the amount of the AMP.
Yes, directors, officers, agents and mandataries of a corporation can be liable, if they directed, authorized, assented to, acquiesced in, or participated in the commission of the violation.
Understanding Canada’s Anti-Spam Legislation
What follows are observations about certain portions of the Act and regulations that may be of particular interest to you. This is not an exhaustive discussion of CASL. Please seek professional advice as to the steps you must take in order to achieve full compliance with this Act.
Commercial Electronic Messages
The focus of CASL is the distribution of Commercial Electronic Messages (CEMs) which includes emails, texts, tweets, BBM, social media messages or posts, etc. A CEM is any electronic message where the purpose is to encourage the recipient(s) to participate in a commercial activity (e.g. a transaction or commercial act) regardless of whether there is any expectation of profit.
Effective July 1, you must have oral or written consent to send commercial electronic messages. Even if you have consent, all your CEMs must include:
- The name of the sender
- The complete business mailing address
- Either your phone number, email address or web address
- A mechanism to “unsubscribe”
There are two types of consent, “express” and “implied”. The onus is on you the sender, to prove that you have consent, so be sure to keep careful records of implied and express consent going forward.
You can rely on implied consent if you have an existing business relationship, the recipient has supplied the electronic address or published it widely without the caveat that unsolicited CEMs are not welcome, and the message is relevant to the business relationship. However, implied consent ends:
- 2 years after any contract establishing the business relationship ends; or
- 6 months after an inquiry or application was made, assuming there has been no other activity.
An existing business relationship survives the sale of a business.
Starting July 1, 2014 you have 3 years to transition from implied consent to express consent.
Under the law, express consent requires an action by the customer – hence the need to have the customer respond to you rather than using a “negative response” mechanism that requires only the un-subscribers to respond to you. Express consent is valid until the person revokes their consent by unsubscribing or giving notice to you. There are requirements to adhere to when requesting express consent from your customers such as:
- The name of the person or company seeking consent must be clear
- There must be contact information in the form of a postal address, telephone number and email or website address
- The reason for requesting consent must be made clear
- The ability to revoke consent / unsubscribe must be made clear (Some email programs such as ‘Constant Contact’ contain this automated feature)
When you obtain a new client or prospect after July 1st, you must request and obtain express consent to send CEMs to him or her. After July 1, 2014 you cannot ask for express consent (at least electronically) from someone whom you don’t have a current business relationship with, because emailing a request for express consent is itself a CEM.
Exemptions and Exclusions
There are a few exemptions in CASL which are mostly intuitive. Here are a few of the key ones:
- Responses to inquiries (thus most email replies)
- Internal communications within organizations when the messages concern the activities of the organization
- Business to business messages where there is an existing relationship and the message concerns the activities of the organization
- Messages sent to family or those with whom you have a personal relationship
- Messages sent and received on social media where there is a clear “unsubscribe” function and there is an implied or explicit consent by the recipient
- Fund raising messages from Canadian registered charities and political parties
Third-party referrals are exempt, subject to the following conditions:
- The sender must disclose in the message the full name of the person who made the referral and,
- The person who made the referral must have an existing personal or family or business relationship with both the sender and the recipient and,
- Only one email can be sent to a recipient based on the referral. Any additional emails must be based on consent from the recipient.
Certain types of communications do not appear to constitute CEMs, including such things as emails between advisors and their customers, regarding pending or existing business (but not encouraging participation in a new commercial activity.)Sources: