What Your Business Needs to Know About Canada’s Anti-spam Law (CASL)
Canada’s “anti-spam law” (formally known as An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, but informally and better known as “CASL“) came into force July 1, 2014.
How does CASL affect my business?
Low-threshold for application
CASL applies to anyone who makes use of commercial electronic messages, alters or transmits data, produces or installs computer programs. This affects:
- Marketing departments but also individual communication
- Not only mass emails, but emails sent from one person in an organization to anyone
A commercial electronic message (“CEM”) is:
An electronic message that, having regard to the content of the message, the hyperlinks in the message to content on a website or other database, or the contact information contained in the message, it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity, including an electronic message that:
- offers to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land;
- offers to provide a business, investment or gaming opportunity;
- advertises or promotes anything referred to in paragraph (a) or (b); or
- promotes a person, including the public image of a person, as being a person who does anything referred to in any of paragraphs (a) to (c), or who intends to do so.
- contains a request for consent to send a commercial electronic message
Who does the law apply to?
CASL applies not only to email but to other electronic messages, namely: text, sound, voice or image messages to (i) an instant messaging account, (ii) a telephone account, or (iii) “any similar account”. Excluded forms of communication include fax, and recordings sent to a telephone account provided the required unsubscribe mechanism is present and the recipient consents, expressly or by implication to receive it.
It is prohibited to send or cause to be sent to an electronic address a commercial electronic message unless:
- One of the statutory exceptions applies, or
- The sender has the express or implied consent of the recipient, and
- The message is in prescribed form
This means that unless the above conditions are met, CASL prohibits the sending of all unsolicited electronic messages.
CASL provides for several exemptions to the consent and form of message requirements.
Exceptions include messages:
- Sent by an individual to an individual with whom they have a personal or family relationship”Personal relationship” means direct, voluntary two-way communications, where it is reasonable to conclude the relationship is personal, and there is no indication that recipients don’t want to receive CEMs”Family relationship” means marriage, common law and parent child
- CEMs sent to businesses, namely CEMs:
- Sent to a business, where the message consists solely of a related inquiry/application or that business’ response
- Internal CEMs concerning affairs of that organization
- External business-to-business CEMs, where
(1) there is a “relationship”, and (2) the message concerns the affairs of organization or recipient employee, representative, consultant or franchisee’s role, duties or functions
CEMs sent to:
- Satisfy a legal or juridical obligation
- Provide notice of or enforce a right, court order, judgment or tariff
- Enforce a right arising under federal, provincial, municipal or foreign law are also exempt.
Other exemptions from the CASL content and form requirements expand to CEMs:
- Sent on a closed secure account by the provider of the account
- That will be accessed in foreign state and complies with local anti-spam law
- Sent by or on behalf of a registered charity, where the primary purpose is fundraising
- Sent by or on behalf of a political organization or candidate, where the primary purpose is fundraising
- Interactive voice, fax calls or voice recordings sent to telephone account
- As provided in regulations
There are certain scenarios that provide exceptions from consent requirements only, but the prescribed form requirements remain. This applies to CEMs that:
- Provide a quote or estimate, where requested by recipient
- Facilitate, complete or confirm a commercial transaction to which the recipient previously agreed
- Provide warranty, recall, safety or security information about a product/good/service that the recipient purchased
- Provide notification of factual info regarding ongoing subscription or membership
- Provide info to an employee regarding employment, benefits, etc.
- Deliver a product, good or service the recipient is entitled to receive
- Communicate for a purpose set out in the regulations…
Referrals also get special treatment with CASL
- First CEM sent following a referral by a “person” with
- An existing business or non-business relationship (as defined);
- A personal or family relationship with both the sender and recipient
- Where the CEM discloses the full name of the referrer and states the message was sent as a result of the referral
Express or implied consent
In all other scenarios, the sender of a CEM must have implied or express consent.
Express consent must be opt-in
- Consent requests can’t be packaged with other requests for consent for other things
- Consent requests must be in the prescribed form.
Companies can rely on deemed or implied consent provisions derived from:
- Existing business relationships based on
- The purchase, lease, sale or barter of goods/services within the previous 2 years
- Acceptance of business opportunity within the previous 2 years
- Written contract, in force, or expired within previous 2 years; that’s not barter, business opportunity, purchase/lease of services, goods, property.
- Inquiry or application regarding the purchase, sale, barter, or business opportunity within previous 6 months
- Example: a recent customer
- Existing non-business relationships
- Donation/gift to, or volunteer work for a registered charity, political party or organization, candidate for public office – within the previous 2 years
- Membership in club, association or voluntary association (as per regulations) within the previous 2 years
- Two year period beings from the day the membership terminates
- Conspicuous publication of the recipients electronic address
- There must be no statement regarding a desire not to receive unsolicited messages
- The message must be relevant to a person’s business function, role or duties
- Example: a business card received at a networking event
- Disclosure of electronic address by recipient
- Disclosed with no indication of a wish not to receive unsolicited messages
- Message relevant to the person’s business function, role or duties
If no applicable exception or implied consent, sender must have EXPRESS CONSENT
In addition to obtaining consent, your commercial electronic messages must be in the prescribed form. CASL stipulates how a sender must request consent in order for consent to be valid.
To request express consent clearly and simply set out the following:
- Purpose for which consent is being sought, for example – to send product price promotions.
- Information that identifies the person seeking consent:
- Name of the sender’s business
- If sent on behalf of another, identification of sender and on whose behalf sent
- Mailing address and either the telephone, email, website of sender/person on whose behalf sent
- Statement indicating that consent can be withdrawn
- NO PRE-CHECKED BOXES
- Unsubscribe mechanism allowing the recipient to withdraw consent
In order to assist with compliance, we have put together the following best practices that your business can implement to kick start compliance with CASL.
First, conduct an audit.
Organizations should audit their communications strategy in order to ascertain what types of CEMs are being sent and by who. An audit should also be done of recipients of CEMs, or mailing lists in order to determine whether it is necessary to obtain express consent from certain recipients in order to continue to send them CEMs.
- Obtain Express Consent
- Create a strategy to obtain express consent for future delivery of CEMS
- This may involve sending a request for consent to your business’ mailing list
- Each business is unique and their strategy for obtaining consent will vary
- Required content for CEMs template
- Create email templates that contain the required content and unsubscribe mechanism for emails with commercial content
Creating a sustainable long-term CASL strategy
- Implement an organization wide CASL policy:CASL applies to anyone in your organization that sends electronic messages that are commercial in nature. Since this law covers such a broad range of activities, many different people in various positions need to know about CASL and how to adjust their behavior. While the marketing department might send out mass emails, specific emails sent by individuals on your sales team might also require express consent and will have to have content requirements. Furthermore, having a “user friendly” CASL policy, will make it easier to educate new employees.Note also that CASL applies to more than just email – it extends to text, sound, voice or images to an instant message account and a telephone account.Everyone at your business should know about CASL in case their activities are inadvertently subject to its obligations.
A practical solution is to create specific decision trees that breakdown the types of people your business targets and the types of messages you send out. This will greatly facilitate the task of determining which communications are subject to CASL’s content and consent requirements.
- Establish a tracking system
CASL’s deemed and implied consent provisions release a sender from the obligation of obtaining express consent.
Remember, deemed consent is not indefinite, it has a 2 year expiration date. For example, if deemed consent is triggered because of a pre-existing business relationship resulting from the purchase of one of your products, that deemed consent only lasts for 2 years following the purchase.
Some companies will be able to rely largely on deemed consent and will be able to sidestep the need to request express consent to send CEMs. In these cases, it is crucial to have a system in place, such as a customer relationship management system. track the dates for deemed consent and the source of consent, for example, if deemed consent was form a business card.
Processes and procedures should be founded on a policy that sets out how the tracking requirements are to be implemented. There should also be a mechanism to require consent after the deemed consent period has expired.
Why Should You Care about CASL?
Many businesses have vocalized frustration with CASL because they find it extremely difficult to comply with. There is no reason to believe that just because your business is small it won’t be prosecuted for violating CASL’s provisions. This false comfort lacks any basis whatsoever. Every business, no matter how small, should be concerned about CASL and should implement a policy that fits its size and operations. A large multinational might have more groundwork to cover to comply with CASL than a small owner operated business with a mailing list of 1000 recipients. The costs of compliance will vary accordingly.
Your CASL policy should be reviewed by the executive or the board because the implications of non-compliance or violations directly and personally affect the management level.. The board of directors should be vigilant in ensuring the diligent application of a compliance program because CASL’s enforcement mechanisms can pierce the corporate veil and claim personal liability for:
If they directed, authorized, acquiesced in or participated in the commission of the contravention such as contravention of the CEM requirements or the commission of another offence under CASL’s enforcement regime.
In addition with failing to comply with the CEM consent and content requirements, it is also a violation to:
- Refuse or fail to comply to demands to preserve transmission data or a notice to produce a document
- Fail to give all assistance that is reasonably required to enable a designated person to execute a warrant in relation to contravention of a CASL requirement
- Obstruct or hinder, or knowingly make a false or misleading statement or provide false or misleading information to a designated person who is carrying on their duties and functions under CASL
CASL’s enforcement framework includes a number of mechanisms:
- A maximum administrative penalty of $1,000,000 in the case of an individual for contraventions of the CEM requirements
- A maximum administrative penalty of $10,000,000 in the case of a business for contraventions of the CEM requirements
CASL is new and it is reckless to speculate how violations of the law will be pursued. The costs of non-compliance or of committing an offence under the regime are severe.
Due diligence defense
CASL provides a defense that can be used to show that due diligence was exercised to prevent violations. Practical steps that can help demonstrate that due diligence was exercised include:
- Have a CASL policy in place that meets industry standards
- Adopt measures to implement your CASL policy such as tracking dates for deemed consent
- Have training programs for employees that send CEMs
- Assess the risk of your communication strategy by conducting audits
Remember, a best defense is a good offense. The law came into effect July 1, 2014 and its scope is large. Contact a lawyer for more CASL and Internet marketing law advice to make sure that your business doesn’t find its communications strategy compromised.
Note: The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.