Updated Overview of Canada’s New Anti-Spam Legislation (CASL)

CANADIAN CASL (ANTI-SPAM LAW) PRECEDENTS

Do you need a precedent or checklist
to comply with CASL (Canadian anti-spam law)?

We offer Canadian anti-spam law (CASL) precedents and checklists to help electronic marketers comply with CASL.  These include checklists and precedents for express consent requests (including on behalf of third parties), sender identification information, unsubscribe mechanisms, business related exemptions and types of implied consent and documenting consent and scrubbing distribution lists.  We also offer a CASL corporate compliance program.  For more information or to order, see: Anti-Spam (CASL) Precedents/Forms.  If you would like to discuss CASL legal advice or for other advertising or marketing in Canada, including contests/sweepstakes, contact us: contact.

**********

On December 4, 2013, the Federal Government announced that Canada’s new anti-spam legislation (CASL) would finally largely come into force on July 1, 2014 (with several transition periods for the unauthorized installation of computer program and private action provisions).  The following is my updated summary of the impending CASL, including summaries of the consent, form and unsubscribe requirements (and legislative links and key resources).

____________________

A.

RECENT DEVELOPMENTS &
KEY RESOURCES

On December 4, 2013, the Federal Government announced that Canada’s new Federal anti-spam legislation would largely come into force on July 1, 2014.

Some portions of CASL, relating to the unsolicited installation of computer programs and software, will come into force slightly later on January 15, 2015.  The private right of action provisions of CASL will come into force on July 1, 2017.

New Industry Canada Regulations have now been issued, as well as a Regulatory Impact Analysis Statement with some new elements and clarifications of the CASL rules.

The current CASL legislation, regulations and guidelines are as follows: (i) CASL legislation; (ii) CRTC Regulations; (iii) Industry Canada Regulations; (iv) Regulatory Impact Analysis Statement; and (v) CRTC Information Bulletins.

B.

OVERVIEW OF CASL

On December 15, 2010, Canada’s new federal anti-spam legislation (“CASL”), one of the strictest in the world, received Royal Assent.  On December 4, 2013 the Federal Government announced that CASL would largely come into force on July 1, 2014.

CASL will, once in force, create an “opt-in” regime for commercial electronic marketing, and will amend four federal statutes: the Canadian Radio-television and Telecommunications Commission Act; Competition Act; Personal Information Protection and Electronic Documents Act; and Telecommunications Act.

In general, CASL requires express or implied consent for the sending of “commercial electronic messages” and imposes certain form (i.e., disclosure) and opt-out (i.e., unsubscribe) requirements for electronic communications.

CASL significantly impacts companies that engage in electronic marketing, such as e-mail, text messaging, instant messaging and some types of social media marketing (e.g., where subscribers receive e-mail updates).

With respect to jurisdiction, CASL applies where commercial electronic messages are sent from or accessed in Canada (not merely routed through Canada).  The Industry Canada Regulations also exempt messages sent from Canada to a prescribed list of countries with their own anti-spam legislation, provided messages comply with the applicable foreign laws that are substantially similar to CASL’s consent and form requirements (such as to the U.S., U.K., EU, Japan, China, Korea, Australia and New Zealand).

CASL also requires express consent for some other types of electronic practices, including altering transmission data in electronic messages and the installation of computer programs on other persons’ computer systems.

CASL also broadens the Competition Bureau’s jurisdiction to regulate misleading advertising in the context of electronic communications – for example, misleading representations made electronically, such as in sender information, subject matter information, electronic messages or locators.  In this regard, CASL also amends the civil and criminal misleading advertising sections of Canada’s Competition Act.

Violation of CASL may result in significant penalties of up to Cdn. $1 million (for individuals) and Cdn. $10 million (for corporations).  CASL also creates private rights of action, with significant statutory damages that will be available (up to $1 million per day of non-compliance).  Class actions will also be possible to be commenced under CASL once fully in force.

C.

LEGISLATIVE HISTORY

In 2005, the Task Force on Spam completed a one-year mandate and issued a final report entitled: Task Force on Spam Report: Stopping Spam: Creating a Stronger, Safer Internet.  The Government also studied successful anti-spam measures in other countries.  CASL, which was first introduced in April, 2009 and reintroduced on May 25, 2010, addresses legislative recommendations made by the Task Force on Spam, which assembled consumers, academic experts and industry to design comprehensive legislation to fight spam in the digital economy.  During third reading, the amended Bill C-28 received unanimous support in the House of Commons and was given Royal Assent on December 15, 2010.  On December 4, 2013 the Federal Government announced that CASL would largely come into force on July 1, 2014.

D.

KEY CASL REQUIREMENTS

1.  

CONSENT AND FORM REQUIREMENTS

(a)

Consent

CASL prohibits the sending of commercial electronic messages (“CEMs”) without the recipient’s prior express or implied consent, the onus of which is on senders.  CASL permits both express and certain categories of implied consent.  CASL also includes a number of exceptions from the consent and form requirements.

CASL defines “CEMs” broadly as electronic messages that encourage participation in a commercial activity (regardless of whether there is an expectation of profit).  This includes: (i) offering or advertising to purchase or sell products, goods, services or land; or (ii) offering or advertising to provide business, investment or gaming opportunities.

“Electronic messages” are messages sent by any means of telecommunication, including text, sound, voice or image messages.  Once in force, electronic messages requesting consent to receive CEMs will also be prohibited.  In other words, one will not be permitted to send spam to request consent to send more spam.

(i)

Express Consent

CRTC Regulations set out requirements for consent requests.  When requesting express consent, the following are required: (i) the purpose for which consent is being sought; and (ii) information identifying the person seeking consent (or on whose behalf consent is being sought).

Consent requests must include certain information:

1.  The name by which the person seeking consent carries on business, if different than their name (or if not, the person seeking consent).

2.  If consent is sought on behalf of another person, the name by which that person carries on business, if different from their name (or if not, the name of the person on whose behalf consent is sought).

3.  If consent is sought on behalf of another person, an identification of which person is seeking consent and which person on whose behalf consent is sought.

4.  The mailing address, and either a phone number to an agent or a voice messaging system, an email address or a web address of the person seeking consent or, if different, the person on whose behalf consent is sought.

5.  A statement that the person whose consent is sought can withdraw their consent.

CRTC guidelines also clarify some other aspects of consent requests – for example, what mailing address information must be included, the use of check boxes and toggling for consent, examples of disclosure where check boxes are used on online forms for consent, etc.

Consent requests may be made orally (e.g., through call centres, personal and direct contact, point of sale purchases, etc.) or in writing (including using electronic forms).  One of the CRTC’s Information Bulletins provides that oral consent is satisfied if: (i) it can be “verified by an independent third party”; or (ii) “where a complete and unedited audio recording of the consent is retained by the person seeking consent” (or a client of the person seeking consent).

Written consent can be satisfied where either paper or electronic form consent is obtained, including checking a box on a web page to give consent (with a record of the date, time, purpose, and manner of consent stored in a database).

(ii)

Implied Consent

Consent may also be implied in certain cases, including where there is: (i) an “existing business relationship”; (ii) an “existing non-business relationship”; (iii) where a person has published their electronic address without a statement that they do not want to receive unsolicited CEMs and the message is relevant to their business; and (iv) a recipient has disclosed their electronic address to a sender without indicating that they do not want to receive unsolicited CEMs and the message is relevant to their business.

“Existing business relationships” include: (i) the purchase of products, goods, services or land within two years before a message is sent; (ii) the acceptance by the recipient of a business, investment or gaming opportunity within two years before a message is sent; and (iii) an inquiry by the recipient for products, goods, services, etc. within six months before a message is sent.

“Existing non-business relationships” include: (i) certain donations or gifts to charities or political parties; (ii) volunteer work for charities or political parties; and (iii) memberships in clubs, associations or voluntary organizations (“membership” and “clubs, associations and voluntary organizations” as defined in the Industry Canada Regulations).

(b)

Form and Unsubscribe Requirements

CASL also sets out rules governing the sending of CEMs, including form (i.e., disclosure) and unsubscribe requirements.

(i)

Form Requirements

CEMs must be in a prescribed form that, among other things: (i) identifies the person who sent the CEM; (ii) the person, if different, on whose behalf it is sent; (iii) sender contact information (which must be valid for at least 60 days); and (iv) an unsubscribe mechanism.

The CRTC Regulations set out the specific information that must be included in CEMs:

1.  The name by which the sender carries on business if different from their name (or if not, the person’s name).

2.  If sent on behalf of another person, the name by which the person on whose behalf the message is sent carriers on business if different from their name (or if not, the name of the person on whose behalf the message is sent).

3.  If sent on behalf of another person, a statement identifying the sender and on whose behalf the message is being sent.

4.  The mailing address and either a phone number to an agent or voice messaging system, email or web address of the sender or, if different, the person on whose behalf the message is sent.

This information and the unsubscribe mechanism must be “set out clearly and prominently”.  The CRTC Regulations provide, however, that where it is “not practicable” to include the required disclosure information and unsubscribe mechanism in a CEM, that information may be posted on an Internet web page that is “readily accessible” by the recipient at no cost via a “clearly and prominently” labeled link in the CEM.

(ii)

Unsubscribe Mechanisms

Unsubscribe mechanisms must: (i) allow recipients to indicate that they no longer want to receive CEMs using the same electronic message (or if not practical any other electronic means enabling the same result); and (ii) specify an electronic address or web link to unsubscribe.

The electronic address or webpage for unsubscribing must be valid for a minimum of 60 days.  Recipients who unsubscribe must also be unsubscribed “without delay” and no later than 10 business days after asking to be unsubscribed.

The CRTC Regulations also require that an unsubscribe mechanism must be “set out clearly and prominently” and “must be able to be readily performed.”  According to CRTC guidelines, for an unsubscribe mechanism to be “readily performed” it must be “accessed without difficulty or delay and should be simple, quick and easy for the consumer to use”.

(c)

Exceptions

CASL provides broad exceptions (to both the consent and form requirements) and some narrower exceptions (to only the consent requirement – i.e., where the form requirements must still be met).

Exceptions to both the consent and form requirements include: (i) “personal relationships” or “family relationships” (both as defined by the Industry Canada Regulations); (ii) inquiries for commercial goods and services; and (iii) interactive two-way voice communications (telemarketing), faxes or messages sent by phone.

Other exceptions to both the consent and form requirements are set out in the Industry Canada Regulations and include: messages sent within organizations; between organizations with an existing relationship where the message relates to the recipient’s activities; solicited or sent in response to requests, inquiries or complaints; to satisfy certain legal or juridical obligations; sent on platforms where the required form and unsubscribe information is conspicuously published; and by charities or political parties for fundraising or political contributions.

CASL also includes the following exceptions from the consent requirement: (i) providing a quote or estimate for products, goods, services or land if requested by the recipient; (ii) facilitating, completing or confirming a commercial transaction previously agreed to by the recipient; (iii) sending warranty, product recall or safety information about a product the recipient uses, has used or has purchased; (iv) certain information relating to employment or benefit plans; (v) product updates or upgrades following an earlier transaction; and (vi) a limited exception for referrals, provided certain conditions set out in the Industry Canada Regulations are met.

(d)

Transitional Period

CASL contains a transitional provision that provides that consent is implied for three years from the coming into force of the CEMs section (section 6) for persons with existing business or non-business relationships (as defined), unless consent is withdrawn by a recipient.

2.  

ALTERING TRANSMISSION DATA

CASL also prohibits the alteration of transmission data in an electronic message in the course of a commercial activity, which results in the message being delivered to a different destination without express consent of the sender or recipient.

3.  

UNAUTHORIZED INSTALLATION OF COMPUTER PROGRAMS

CASL also prohibits the installation of computer programs on other person’s computers in the course of a commercial activity without the express consent of the owner (or authorized user) of the computer system.

4.  

MISLEADING REPRESENTATIONS (ELECTRONIC & ONLINE CONTENT)

The criminal and civil misleading advertising provisions of the Competition Act, and related penalty provisions, have also been broadened to expressly include misleading representations made in the electronic and online environment.  For example, CASL amends the criminal misleading advertising provisions of the Competition Act to prohibit false or misleading representations made electronically, such as in sender information, subject matter information, electronic messages or locators.

Like the misleading advertising provisions of the Competition Act generally, it will not be necessary to prove that any person was actually deceived or misled.  The general impression as well as the literal meaning will also be relevant in establishing misleading representations made in the electronic context.

5.  

UNAUTHORIZED COLLECTION OF PERSONAL INFORMATION

CASL also amends PIPEDA to prohibit the collection of personal information by means of unauthorized access to computer systems.

6.  

COLLECTION OF ELECTRONIC ADDRESSES

The collection of electronic addresses using computer programs or using such addresses without permission (“harvesting”) will also be prohibited.  This may include the collection of e-mail addresses through the use of, for example, “web crawlers” (computer programs that scan websites, usenet groups and social media websites, trolling for electronic addresses) or “dictionary attacks” (where a computer program guesses real/live e-mail addresses by methodically trying various name variations within a particular group of common e-mail domains – e.g., Gmail, Hotmail, etc.).

E.  

ENFORCEMENT

Three government agencies will be responsible for enforcing CASL:

Competition Bureau

The Competition Bureau’s mandate will be to focus on misleading and deceptive practices and representations online, including false or misleading headers, web links and website content.  CASL extends the Competition Bureau’s existing jurisdiction over misleading advertising and deceptive marketing practices in Canada, which already included online advertising and marketing under the criminal and civil misleading advertising sections of the Competition Act (sections 52 and 74.01).

CRTC

The CRTC will have primary enforcement responsibility for the new legislation and will have the power to investigate and take action, including imposing significant administrative monetary penalties, against unsolicited electronic messages (i.e., without consent), the alteration of transmission data or the installation of computer programs without consent (e.g., malware, spyware or viruses).

Office of the Privacy Commissioner of Canada

The Federal Privacy Commissioner will have the power to take measures against the collection of personal information through unlawful access to computer systems (i.e., contrary to federal law, such as the Criminal Code) or electronic address “harvesting”, where bulk e-mail lists are compiled through mechanisms, including the use of computer programs that automatically mine the Internet for e-mail addresses.

F.  

PENALTIES & PRIVATE ACTIONS

Violation of CASL may result in administrative monetary penalties of up to Cdn. $1 million for individuals and Cdn. $10 million for corporations.

Private individuals or organizations affected by a violation of CASL will also have a right to commence private actions.  In this regard, in addition to allowing awards of damages for actual loss or damage suffered a court may also order persons that contravene CASL to pay statutory damages for each day on which a contravention occurred – for example, for a violation of section 6 (unauthorized sending of CEMs) Cdn. $200 for each contravention up to Cdn. $1 million per day.  Class actions will also be possible once CASL is fully in force.  The private right of action provisions of CASL will come into force on July 1, 2017.

CASL also prohibits aiding, inducing, procuring or causing unauthorized CEMs, altering transmission data or installation of computer programs and includes broad director and officer liability provisions.

********************

Tips For Complying With
CASL (Canadian Anti-Spam Law)

Canada’s federal anti-spam legislation (CASL) came into force in 2014.  Since then, electronic marketers and their advisors have been working to comply with what remains a complex law with outstanding uncertainties in some key areas. Having said that, many of the core requirements of CASL are not overly difficult to comply with (though continue to be misunderstood in many cases).

The following are some key legal tips for complying with CASL:

Express Consent. If you cannot rely on any category of implied consent (e.g., an existing business relationship within two years of a purchase) or a CASL exemption, ensure that you have collected and documented express consent from recipients. Express consent requests must include all of the information set out in CASL and its regulations otherwise the consent will not be valid. Failure to correctly collect consent is the most common CASL compliance error we see and a key basis for CRTC enforcement. For more information, see: Anti-Spam Law (CASL), Anti-Spam Law (CASL) FAQs and Canadian Anti-Spam (CASL) Precedents.

Implied Consent. If you are relying on one or more categories of implied consent to send commercial electronic messages (CEMs) (e.g., an existing business relationship within two years of a purchase or six months of a product inquiry) ensure that all of the requirements of the particular type of implied consent are met. Remember that there is not a single blanket type of implied consent under CASL; rather, there are many different types of implied consent each with their own specific requirements. Also, as with express consent, CEMs that rely on implied consent must still include the prescribed sender identification information and unsubscribe mechanism. For more information, see: Anti-Spam Law (CASL), Anti-Spam Law (CASL) FAQs and Canadian Anti-Spam (CASL) Precedents.

Consent For Third Parties To Send CEMs. Under CASL, consent to send CEMs can be requested for a sender themselves, identified third parties (or multiple identified third parties) or unidentified third parties (i.e., entities whose identities are not yet known when consent is requested). Importantly, however, each type of consent request has specific requirements for the request and, in the case of consent requests on behalf of unidentified third parties, somewhat complex additional requirements. The failure of marketers to correctly request consent for third parties (e.g., partners, affiliates, co-sponsors in promotions, etc.) is another CASL-related error that we regularly see. For more information, see: Anti-Spam Law (CASL) FAQs and Canadian Anti-Spam (CASL) Precedents.

CASL Exemptions. Similar to implied consent, there is no single exemption from CASL but many types of exemptions. If you are relying on a particular exemption (e.g., the “business-to-business” exemption) it is important to ensure that all of the requirements of the exemption are met. Importantly, there is little or no case law interpreting many CASL exemptions. This means that there there may be more risk when relying on an exemption than express consent. Express consent is the strongest type of consent under CASL, considering that it does not expire unless a recipient unsubscribes.

Passive Consents. Remember that under CASL express consent or a category of implied consent is generally required to send CEMs unless a CASL exemption applies. As such, passive types of consents (e.g., language in general terms and conditions) will likely not be CASL compliant unless a sender does not need express consent (i.e., can rely on a category of implied consent or a CASL exemption).

Sharing Lists With Third Parties. Consider the potential risks of sharing e-mail or other electronic marketing lists with third parties. While this is certainly possible under CASL, marketers should be aware that there are specific requirements that must be met depending on who a list will be shared with (e.g., to expressly identify third parties with whom consent is being gathered on behalf of, including their contact information and other requirements for unidentified third parties). Marketers should also be aware that there is also potentially not only risk if they themselves violate CASL (e.g., send CEMs without consent), but also if they assist third parties that violate CASL. As such, it is often prudent for marketers that want to share electronic marketing lists with third parties to ensure that they have list sharing agreements in place with parties with whom they share e-mails. For more information, see: Anti-Spam Law (CASL) FAQs, Anti-Spam (CASL) Compliance Errors and Canadian Anti-Spam (CASL) Precedents. See also: Influencer, Co-Sponsor and List Sharing Agreements.

Sender Identification Information. Ensure that all CEMs include the prescribed sender identification information required by CASL unless an exemption applies. For more information, see: Anti-Spam Law (CASL) and Anti-Spam Law (CASL) FAQs.

Unsubscribe Mechanism. Ensure that all CEMs include a CASL-compliant unsubscribe mechanism. For more information, see: Anti-Spam Law (CASL) and Anti-Spam Law (CASL) FAQs.

Document Consent. Under CASL, the onus is on senders of CEMs to document consent. As such, it is important to document the type of consent (express or implied) or exemption being relied upon, evidence of consent (e.g., subscription logs, forms, dates and names/e-mail addresses), divide lists according to the type of consent or exemption being relied upon and to scrub lists after recipients have unsubscribed or the relevant time period for a category of implied consent has expired (e.g., two years after a purchase). Failure to adequately document consent is another CASL-related compliance error that we regularly see, including not documenting consent at all, not segregating distribution lists and inadequately documenting consents or types of implied consent. For more information, see: Anti-Spam Law (CASL), Anti-Spam Law (CASL) Compliance and Canadian Anti-Spam (CASL) Precedents.

CASL Compliance Program. Consider adopting a CASL compliance program, particularly if electronic marketing is a core aspect of your marketing strategy. The CRTC has issued guidance on CASL compliance programs including key recommended elements. For more information, see: Anti-Spam (CASL) Compliance and Canadian Anti-Spam (CASL) Precedents.

CASL and Specific Types of Promotions. Care should be taken in relation to specific types of promotions under CASL. Just one of many examples is friends and family type promotions (e.g., contests where entrants can gain more entries by sharing with or tagging a friend or family member). While there is an exception to the unsolicited CEMs section of CASL (section 6) for messages sent to a person with whom the sender has a personal or family relationship, these terms are narrowly defined. For example, “family relationship” is limited to spouses, common-law partners and parent-child relationships. “Personal relationship” is defined in a multi-factor and case-by-case fashion such that it is often impractical to rely on this exception for any broad “friends and family” type promotion. Marketers should also be aware that there is potential risk for both themselves and their clients in running friends and family type promotions if they cannot meet the specific definitions of “family relationship” and/or “personal relationship” under CASL for a promotion. For more information, see: Anti-Spam (CASL) Compliance Errors and Running a Friends-and-Family Promotion in Canada? Cruel, Cryptic CASL Strikes Again.

____________________

SERVICES AND CONTACT

I am a Toronto competition/antitrust lawyer and advertising/marketing lawyer who helps clients in Toronto, Canada and the US practically navigate Canada’s advertising and marketing laws and offers Canadian advertising/marketing law services in relation to print, online, new media, social media and e-mail marketing.

My Canadian advertising/marketing law services include advice in relation to: anti-spam legislation (CASL); Competition Bureau complaints; the general misleading advertising provisions of the federal Competition Act; Internet, new media and social media advertising and marketing; promotional contests (sweepstakes); and sales and promotions. I also provide advice relating to specific types of advertising issues, including performance claims, testimonials, disclaimers, drip pricing, astroturfing and native advertising.

For more information about my services, see: services

To contact me about a potential legal matter, see: contact

For more regulatory law updates follow me on Twitter: @CanadaAttorney

This entry was posted in Advertising Law, Anti-spam Law, Articles, Competition Bureau, Competition Law, Compliance, Consumer Protection, CRTC, Direct Sales, Electronic Marketing, Internet Advertising, New legislation, New Publications, News, Online Advertising, Publications, Sectors - Broadcasting, Sectors - Internet & New Media, Sectors - Media, Sectors - Telecommunications, Social media marketing, Targeted Advertising and tagged , , , , , , , , . Bookmark the permalink.