PART 1: What your business needs to know – Getting ready for Canada’s New Anti-Spam Legislation (CASL)

CASL Spam Newsletter

CASL Spam Newsletter

Getting ready for Canada’s New Anti-Spam Legislation

What your business needs to know – Part 1 of a multi-part series on CASL.

By Adam Dwek

Starting July 1st, 2014 business in Canada will be changed dramatically as the bulk of Canada’s Anti-Spam Legislation (CASL) comes into force.  CASL places significant limitations on what type of electronic messages your business can send. The Act permits fines of up to $10,000,000 for corporations and $1,000,000 for individuals.[1]

On top of this administrative penalty, the Act creates a private right of action and you may be sued for additional damages. If you communicate with your customers or solicit business through electronic messages, you need to familiarize yourself with CASL and take appropriate action.

This article aims to help you determine what messages you, your business, and its employees are permitted to send.

Background

The bulk of Canada’s Anti-Spam Legislation (CASL) comes into force on July 1st, 2014. The brunt of the legislation is the act entitled “An Act to promote the efficiency and adaptability of the Canadian economy by regulation certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act” (the “Act”).

The Act, together with the regulations and amendments to other legislation, empower the Canadian Radio-television and Telecommunications Commission (the “Commission”) to regulate commercial activity related to electronic communications, the alteration of electronic messages, and the installation and update of computer software that is owned or operated by another.

The fundamental principle of CASL is that the above-noted electronic commercial activities be carried out with consent, either express of implied. That said, the legislation is shockingly broad, and prohibits and regulates far more than just spam messages. Business that don’t prepare for CASL may soon find themselves facing large fines for innocent and legitimate electronic communications to their customers and business partners.

Read on to learn the basics of what messages your business can and cannot send, how to make the messages you do send CASL compliant.

What Constitutes a Commercial Electronic Message (CEM)?

CEMs include any electronic message for which it can be reasonably concluded has, as one of its purposes, the encouragement or participation in any act, conduct, or transaction that may be considered a commercial activity. This includes any offer to sell, lease, purchase, or invest; provide goods or service; advises of a business, gaming, or investment opportunity; or even just promotes a person as being a person who does or intends to do any of the above activities. There does not even have to be an expectation of profit on the part of the sender for a message to be of a commercial character and therefore a CEM. The message can also have a million other purposes, but as long as there can be found some commercial purpose in the message, it’s considered a CEM.

In determining whether a message has a “commercial activity” as one of its purposes, not just the content of the message is considered. Any hyperlinks in the message and the content of websites and databases linked will also be considered.

Emails and text messages may be CEMs, but so may any other type of electronic message that fits the above description. Think of Facebook, Twitter, and LinkedIn to name a few.

So Your Message is a CEM – What Does that Mean?

If the electronic message you want to send out is or might be a CEM, there are three possibilities.

  • you may be prohibited from sending the CEM;
  • you may be permitted to send the CEM provided it contains certain information and an unsubscribe mechanism as required by the act; or
  • you may send the CEM without making any changes to it because the message fits within one of the carved out exceptions under the act.

Below is a framework of the analysis that needs to be performed to determine if and how your electronic message can be sent without violating CASL.

What Electronic Messages Can My Business Send and Not Send?

Step 1: Is the Message a CEM?

When determining whether you or your company can send out any electronic message first consider whether the message can be construed in any way to have a commercial purpose. If it can, the starting presumption is that the message is prohibited by CASL.

The next step of the analysis is determining whether your message falls within one of the many exceptions to the general prohibition. The two broad exceptions, which have further exceptions within them, are as follows:

  • You have consent to send the message and the message contains the necessary information to make it CASL compliant; or
  • the relationship between the recipient and the party sending the message falls within a recognized exception to the general prohibition of sending CEMs.

If the message is not a CEM your analysis is done. Send the message. If not, go to step 2.

Step 2: Does Your CEM Fall Within an Exception to the General Prohibition?

Ideally your CEM will fall within one of the recognized exceptions to the prohibition against sending CEMs and you can avoid all the message requirements that are otherwise attached to CEMs sent with consent (listed further below).

Section 6(5) of the Act and the Electronic Commerce Protection Regulations lists a few exceptions which allow a party to send a CEM without having to worry about having including an unsubscribe mechanism and a swath of personal identifying and contact information. Four of these exceptions are listed below.

Exception 1: Response to Request, Inquiry, or Complaint

CEMs that are sent in response to a request, inquiry or complaint are a permitted exception. It is important to note that an inquiry or complaint does not mean the sender has consented to future CEMs from your business.[2]

Exception 2: Within Your Organization

CEMs to others within your organization that concern the activities of the organization are another permitted exception.[3] Now lets say you want to send out a company wide email about how proud you are of your daughter for starting her own law practice. Such a message would be considered a CEM for promoting the image of someone as providing a commercial service (legal services), and would not be permitted under this exception since it does not concern the organization. Proud Parents take heed!

Exeception 2: An Existing Business Relationship

If your business and another business have an “existing relationship” as defined in the regulations, employees of your organization may send CEMs to the other business so long as the CEM concerns the activities of the other business.[3] Like the other exceptions listed, these CEMs don’t have to include the information otherwise required in a CEM.

Exception 4: Family or Personal Relationship

If the message is sent by or on behalf of an individual to another individual and there is a personal or family relationship between them, as defined in the regulations, the CEM is exempt from the requirements for consent as well as the information and unsubscribe mechanism that must otherwise be included in a CEM.

A Family Relationship is defined in the act to mean “related to one another through a marriage, common-law partnership or any legal parent-child relationship and those individuals have had direct, voluntary, two-way communication”.[5]

A Personal Relationship is defined as one in which two individuals “have had direct, voluntary two-way communications and it would be reasonable to conclude that they have a personal relationship, taking into consideration any relevant factors such as the sharing of interests, experiences, opinions and information evidenced in the communications, the frequency of communication, the length of time since the parties communicated or whether the parties have met in person.”[6]

The Family Relationship exception is rather limited. Brothers sending CEM to each other would not be permitted to rely on the Family Relationship exception but would instead have to rely on the Personal Relationship exception. While the Personal Relationship exception appears rather broad, it becomes a lot less clear when two individuals have met through business, and their relationship is one based on business. Sales staff should be keen to go that extra mile and make a relationship a personal one. Take the potential client out to a ball game or for a beer, or the next friendly email you send may have to contain CASL formalities, making what was once a casual and friendly deal seem a lot more impersonal.

Other Exceptions

There are other exceptions for CEMs, including those that are sent:

  • to provide a quote or estimate for the supply of products, goods, services, or land, if such a quote was requested
  • to complete a commercial transaction already entered into;
  • to those outside Canada
  • from charities and political organizations,
  • to enforce, notify, or inform of a legal right.

Each exception has its own nuances and must be carefully examined. Most are not complete exemptions to the general CEM requirement, and must include certain identifying information and an unsubscribe mechanism in accordance with the act and regulations.

If your CEM doesn’t fall within one of the above exceptions, move to step 3.

Step 3: Do You Have Consent to send the CEM?

CEMs may be sent, if the recipient has given express or implied consent to receive a CEM, and the CEM contains the following:

  • The identity of the individual, corporation or organization who sent the message or the name by which they carry on business;[7]
  • Contact information including a mailing address AND a phone number, email address or web address for one of the above persons that is valid for at least 60 days after the message is sent.[8]
  • An unsubscribe mechanism according to section 11(1) of the act that is prominent and able to be readily performed.[9]
  • If the message is sent on behalf of another individual, corporation or organization the message also must include:
    • the name or the name by which the person on whose behalf the message was sent carries on business;[10]
    • a statement indicating on whose behalf the message is sent and also who is sending the message;

There are exceptions to the above requirements in section 2(2) of CRTC Regulatory Policy 2012-183 that allow, in some circumstances, the above information to be posted on the web as opposed to in the CEM. There are also exceptions which may allow you to provide less information.[11] If you are seeking consent for the purpose of installing, upgrading, or update a computer program or software on someone’s computer you must provide additional information, the nature and breadth of which is based on the function(s) of the software installed.[12]

Express Consent

Express consent requires the recipient of the message to have explicitly consented to receiving a CEM. Express consent may be given orally, or in writing, though sending an electronic message to obtain consent for the sending of CEMs is itself considered a CEM and is prohibited. So Express consent may be obtained by calling up the party you wish to send the CEM to, or by getting them to fill out a form, provided you communicate the information proscribed by the regulations (listed below).

As per CRTC Regulatory Policy 2012-183, for express consent to be valid under CASL it must be obtained under a request that:

  • clearly informs the person giving consent of what specifically they are consenting to;
  • identifies the party seeking the consent (if the party carries on business under a different name, it must provide that name)[13];
  • If the request is on behalf of someone else, the party seeking the consent must:identify the party (or the name under which that party carries on business) on whose behalf the consent is being requested; and
    • provide a statement indicating which individual, company or organization is seeking consent, and on whose behalf the consent is sought[14]
    • provides the mailing address and either a telephone number, email address, or web address of the party seeking consent or, if different, the party on whose behalf consent is being sought; and
    • a statement indicating that the person whose consent is sought can withdraw their consent.

If you wish to obtain consent for not only sending CEMs, but also for altering electronic messages or installing computer software or updates on someone’s computer, you must obtain separate consents for each of the other two additional activities.

Implied Consent

If you don’t have express consent, consider whether you have implied consent. Section 10 the Act sets out a variety of situations in which you may be deemed to have implied consent, including:

  • you or the person who sends the message has an existing business or personal relationship with the party you are sending the CEM to;
  • the party the CEM is being sent to has conspicuously published their electronic address or has provided it to the person sending the message or the person on whose behalf the message is being sent, and has not expressed a desire not to be solicited, and the message is relevant to the person’s business, role, functions or duties in a business or official capacity;

Is there an existing business relationship? The act and regulations are nuanced as to what qualifies as a business relationship that would imply consent, but basically, if you have done business – actual business – with the party you want to send a CEM to in the past two years, you have an existing business relationship. Referrals, a mutual relationship with a third party, or past discussions about working together don’t appear to qualify as creating an existing business relationship under CASL, but if anytime in the last 6 months, the party you want to send a CEM to has made an inquiry about doing business with you that would create an existing business relationship under CASL and grant you implied consent.

You Have Consent – Now What?

If your business has express or implied consent, you may send the CEM so long as it has the information proscribed by CASL as noted above.

Conclusion

After July 1, 2014 complying with CASL will become an onerous task.  Businesses must think carefully about what electronic messages they send and how they store and maintain consent information to ensure they do not run amok of CASL. The above is just a short summary of some of the basic rules of CASL and is not intended as legal advice. The breadth and detail of CASL is immense, and it is simply not possible to communicate all of the rules and their nuanced requirements. Making any particular business CASL compliant requires an examination of the businesses practices and an depth examination of the nuanced rules as they apply to your business.

Read part 2 of this series to learn more about CASL and how to protect your business.

References and Footnotes

  1. An Act to promote the efficiency and adaptability of the Canadian economy by regulation certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, S.C. 2010, c. 23 (the “Act”), section 20
  2. The Act, s. 6(5)
  3. Electronic Commerce Protections Regulations, SOR/81000-2-175, s. 3(a)(i)
  4. Electronic Commerce Protections Regulations, SOR/81000-2-175, s. 3(a)(i)
  5. Electronic Commerce Protections Regulations, SOR/81000-2-175, s. 2(a)
  6. Electronic Commerce Protections Regulations, SOR/81000-2-175, s. 2(b)
  7. CRTC Regulatory Policy 2012-183, s.2(a) 
  8. Act, Section 6(2)(b), and 6(3); CRTC Regulatory Policy 2012-183, s,.2
  9. Act,  Section 6(2)(c); CRTC Regulatory Policy 2012-183, s,.3
  10. CRTC Regulatory Policy 2012-183, s.2(b)
  11. Act, Section 10(2) 
  12. Act, Section 10(3-8)
  13. CRTC Regulatory Policy 2012-183, s.4(a)
  14. CRTC Regulatory Policy 2012-183, s.4(b-c)
Hummingbird Lawyers

Hummingbird Lawyers strategically assists businesses and individuals in the areas of corporate law, commercial and residential real estate transactions, wills and estates, employment law and commercial and family law litigation.

4 Comments

  • Reply June 17, 2014

    Chris

    If a sign up form was worded: “Sign up for our news letter to be informed of valuable products and services” can the company send them anything they want from any company they want?

    If a larger company pools subscribers from the separate business websites it owns can they safely send email out to all subscribers regardless of where the signup was performed provided the were given consent?

    Does it just depend on how the wording of the sign up checkbox is worded?

    Thanks!

  • Reply June 17, 2014

    Adam Dwek

    “Sign up for our news letter to be informed of valuable products and services” can the company send them anything they want from any company they want?”

    Good question. It really does depend on the wording, but as you have written it, the company would not be permitted to send them CEMs from other companies. The consent form would have to be worded in a way that made third party CEMs much more obvious. Remember, the whole idea behind express consent is that the person knows what CEMs they will be receiving, and agrees. Vague consents are not the solution.

    As to whether a company could send you a CEM about any type of goods and services, it really depends on the nature of the business and how the consent is worded. For example, a consent like the one you have written, would most likely not allow a pet store to send you deals on auto parts, because when you give consent, it can reasonably be assumed you consenting to receive CEMs about pet products, and not auto parts. But a consent like that from Walmart – well, you know Walmart sells just about everything.

    • Reply June 17, 2014

      Chris

      Thanks for the reply. So even though it’s vaguely written “valuable products and services” it’s still implied that they are products and services from the company whose website had the form unless stated otherwise. Would I have to list each and every company he plans to send marketing about in the checkbox text?

      I have a client who thought that he could just gather up all of the subscribers on all of the mailing lists of each of his companies and send them all an ” email blast”, as he referred to it…., and now has had someone convince him to mail out a reconfirmation email to get people on this giant list to all resubscribe to a new reconfirmed giant list… this giant list is under one of the many company names he owns.

      The reconfirmation email said “Thank you for subscribing to our mailing list. Your subscription entitles you to receive valuable e-mail newsletters, announcements, and other information from us.”
      It sound pretty vague to me…

      I’m worried that even if he has people “reconfirm” to this list that if he sends out another “email blast” for a different company’s products that he could get himself in trouble.

      Thanks!

  • Reply June 17, 2014

    Chris

    Hell again, I hope you don’t mind me asking another question!

    I haven’t found much information regarding the liability of web developers. If for some reason one of our clients had sent out spam and they or we can’t prove consent are web developers at risk of suffering damages? What would we need to do to protect ourselves?

    Thanks for the arcticle and where can I find Part 2 in this series?

Leave a Reply