July 1, 2014 marks the implementation of Canada’s new anti-spam legislation, known as “CASL”. The new law has a number of components, with the main features introducing restrictions on commercial electronic messages (CEMs), alteration of transmission data and installing software on other people’s devices. This article will explore the new obligations regarding CEMs.
Overview
CASL is Canada’s first comprehensive anti-spam law – and it is one of the last such pieces of legislation among G8 nations. It is, however, considered to be more broad-reaching and comprehensive than the legislation in force in other nations, including that which is in force in the United States.
The basic intent of CASL is to prohibit companies and organizations from sending unsolicited CEMs to those who have not consented to receiving them.
Exemptions
Messages between certain types of people are completely exempt from CASL, meaning that there is no consent needed and no requirement to include certain content in the message. These exemptions are:
- CEMs sent between individuals with a personal relationship. The individuals must have direct, voluntary, two-way communications, and it must be reasonable to conclude a personal relationship exists (based on factors such as shared interests, experiences, opinions, the frequency of the communication and whether or not they have met in person);
- CEMs sent between individuals with a family relationship. The individuals must be related through marriage, common-law partnership or any legal parent-child relationship, and those individuals must have voluntary, two-way communication;
- CEMs sent as part of an inquiry or application related to a commercial activity;
- CEMs sent to employees, representatives, consultants or franchisees;
- CEMs sent in reply to a request, inquiry, complaint or otherwise solicited;
- CEMs sent as part of legal communications;
- CEMs sent to fundraise for a charity; and
- CEMs sent to fundraise for a political party or movement.
If the CEMs are sent for any purpose or in any context listed above, then CASL does not apply.
Where CASL Applies
If the CEMs are sent for any purpose or in any context not listed above (in the Exemptions section), then CASL does apply. If CASL applies, then there are five main things to consider:
- Is your message an electronic message?
- Is your message, at least partially, commercial?
- Do you have express or implied consent to send your message?
- Have you included the required content in your message?
- Is your message exempt from the consent requirements?
(1) Is Your Message An Electronic Message?
- A message sent by any means of telecommunication, including a text, sound, voice or image, is considered an electronic message under the law.
- The definition extends the application of CASL to all social media and electronic communications channels, including, but not limited to: Facebook, LinkedIn, Twitter, Instagram, etc. However, CASL does not extend to broadcast messaging on such platforms, such as tweets and posts on social media sites.
- CASL explicitly exempts two-way phone calls, fax message deliveries and voice recordings (i.e. robocalls) to a telephone account from being electronic messages.
(2) Is Your Message Commercial?
- Under the law, a commercial electronic message is an electronic message that is sent with the intention of encouraging participation in a commercial activity.
- As long as at least one purpose of the message is commercial, then the message is a CEM.
- A message can constitute a CEM whether or not the "commercial" purpose is connected to any expectation of profit: Not-For-Profits are captured by CASL.
- Some examples of CEMs include: (1) offers to purchase, sell, barter or lease a product, good or service; (2) a message that links through to a website whose purpose is commercial; and (3) a message that requests consent to send a CEM.
(3) Do You Have Consent to Send the CEM?
- Under CASL, organizations must have consent to send CEMs.
- Consent can be express or implied.
- There are several exemptions from the consent requirement.
Express Consent:
Express consent is the “gold standard” of consent, because it does not expire. Care must be taken to retain evidence of express consent being given. Consent is express where a positive action is taken to provide the consent:
- Opt-In (okay): a person must fill out your “subscription form” in order to receive CEMs. The problem is that there is no proof that the person with the email address is the one who consented to receive the CEM.
- Confirmed Opt-In (better): once someone subscribes to receive CEMs, they are sent a “welcome email” with an unsubscribe mechanism. The problem with this method is that people who didn’t subscribe in the first place might not trust the “unsubscribe” link and, in turn, just ignore the email.
- Double Opt-In (best): when someone signs up for your list, they are sent a “confirmation” email. They must click through and confirm their email address or they will not receive your CEMs. This provides you with the best evidence that the person receiving the CEMs did indeed consent and builds your contact list with those who truly want to receive your communications.
Note: Opt-Out is not express consent. This includes pre-checked "opt-out" boxes.
Consent should be sought separately from other terms and conditions of sale; a purchaser should not be forced to accept CEMs from the organization if they want to purchase a product. Consent can be obtained orally or in writing. In both cases, organizations should carefully track how and when the consent was obtained. Lastly, it is important to know that the burden of proving that consent has been obtained is on the sender of the CEM.
Implied Consent:
Where it is reasonable to assume that the recipient would consent to receiving the CEM, then implied consent may be inferred. Implied consent is less desirable than express consent, because, in most cases, implied consent expires within two years from the situation giving rise to the relationship. This means that those maintaining a contact list should very carefully track on what basis they added the person to the contact list and when the relationship arose. It is best practice to try to translate the implied consent into express consent during the relationship so that the consent does not expire.
Implied consent can be inferred on the basis of:
- Where an existing business relationship exists. The relationship must be between the person sending the CEM and the person receiving the CEM, and it must have arisen from: the purchase of a product, good or service; the acceptance of a business opportunity; the entering into of a contract for a business purpose; or an inquiry or application sent within six months of the CEM.
- Where an existing non-business relationship exists. The relationship must be between the person sending the CEM and the person receiving the CEM, and it must have arisen from: a donation or gift made by the person receiving the CEM to a charity or political party in the preceding two years; volunteer work performed by the person receiving the CEM for a charity or political party; or membership in the organization sending the CEM within the preceding 2 years.
- Where the recipient has a previously conspicuously published email address. This means that any person who publishes their contact email on the Internet - whether it is on a business webpage, LinkedIn account, organization membership site (i.e. a Chamber of Commerce) or other such publication - implicitly consents to receiving CEMs (related to their business role), unless there is a statement accompanying the email address that they do not wish to receive CEMs.
- Where the recipient has provided their email address to the sender (the so-called “business card exemption”). In order to apply, the person providing the contact information must not have indicated that they do not wish to receive CEMs. Further, the CEM must relate to their business role.
Note: the implied consent rules apply for 3 years, as the legislation is transitioned into place.
Again, the burden of proving that consent was obtained is on the party sending the CEM, so record-keeping is essential, especially where consent was only "implied" and, as such, is time-sensitive.
(4) Have You Included the Required Content in the CEM?
Any CEM that you send, barring the few exceptions, must contain certain disclosures (information) and an unsubscribe mechanism.
A. The CEM must include the following disclosures:
- It must identify the sender;
- It must contain specific contact information for the sender, including a physical mailing address (or a link to an easily accessible website with information);
- If using a third party sender, it must identify both the sender and the third party initiator; and
- It must contain an unsubscribe mechanism.
B. The unsubscribe mechanism must be clearly displayed, prominent and readily able to be performed. All unsubscribe requests must be implemented within ten days.
(5) Is Your Message Exempt From Consent Requirements?
There are certain circumstances where consent is not required to be obtained to send a CEM, including:
- The provision of a quote or estimate, where it was requested;
- The provision of a warranty, recall, safety or security information;
- The provision of factual information about the use or purchase of a product or service;
- The facilitation, completion or confirmation of a transaction (previously entered into); or
- The provision of information related to an employment relationship or benefit plan.
Note: even where the CEM falls under a consent exemption, the CEM is still subject to the content requirements.
There is also an exemption relating to qualified consent (that comes from third party referrals). An organization without consent can send one CEM where:
- The referral comes from someone with a consent-based relationship to the recipient;
- There is an existing relationship between the sender and the third party referrer; and
- The third party referrer is identified as the referral source.
It is possible to obtain unknown third party consent (i.e. where an entity obtains consent to provide the contact details of someone on their list to a third party with goods or services of interest to an individual). For example, a gym might ask their clients if they wish to receive CEMs from certain entities of interest, and then share those clients' contact information with entities that sell nutritional products, fitness attire or other goods or services related to the health industry.
What Happens If You Breach CASL?
The penalties in CASL are “administrative, monetary penalties,” with the stated purpose of “[promoting] compliance, not punishment”. That said, there are severe penalties for engaging in prohibited activities, including (for each violation):
- Fines of up to $1 million for individuals; and
- Fines of up to $10 million for organizations.
Note:
- In determining the penalties, account will be taken of the nature and scope of the violation, the violator’s history, any financial benefit received as a result of the violation, and the violator’s ability to pay. There is also a “due diligence” defence, which reaffirms the importance of maintaining and tracking consent in an organization’s contact list. You should also be aware that an organization can be found liable vicariously for the conduct of its employees and agents. In the same vein, directors, officers and agents of an organization are liable for penalties if they “directed, authorized, assented to, participated in or acquiesced to a violation of CASL.” The Canadian RTC holds the enforcement power.
CASL also introduces a private right of action, so individuals can pursue the enforcement of CASL in addition to other violations.
How Momentum Can Help
We are happy to address any questions or concerns that you may have regarding your business' privacy practices. We can also draft privacy policies, complete a privacy compliance audit or put on a private privacy seminar for your business.