Getting ready for Canada’s New Anti-Spam Legislation
What your business needs to know – Part 1 of a multi-part series on CASL.
By Adam Dwek
Starting July 1st, 2014 business in Canada will be changed dramatically as the bulk of Canada’s Anti-Spam Legislation (CASL) comes into force. CASL places significant limitations on what type of electronic messages your business can send. The Act permits fines of up to $10,000,000 for corporations and $1,000,000 for individuals.
On top of this administrative penalty, the Act creates a private right of action and you may be sued for additional damages. If you communicate with your customers or solicit business through electronic messages, you need to familiarize yourself with CASL and take appropriate action.
This article aims to help you determine what messages you, your business, and its employees are permitted to send.
The bulk of Canada’s Anti-Spam Legislation (CASL) comes into force on July 1st, 2014. The brunt of the legislation is the act entitled “An Act to promote the efficiency and adaptability of the Canadian economy by regulation certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act” (the “Act”).
The Act, together with the regulations and amendments to other legislation, empower the Canadian Radio-television and Telecommunications Commission (the “Commission”) to regulate commercial activity related to electronic communications, the alteration of electronic messages, and the installation and update of computer software that is owned or operated by another.
The fundamental principle of CASL is that the above-noted electronic commercial activities be carried out with consent, either express of implied. That said, the legislation is shockingly broad, and prohibits and regulates far more than just spam messages. Business that don’t prepare for CASL may soon find themselves facing large fines for innocent and legitimate electronic communications to their customers and business partners.
Read on to learn the basics of what messages your business can and cannot send, how to make the messages you do send CASL compliant.
What Constitutes a Commercial Electronic Message (CEM)?
CEMs include any electronic message for which it can be reasonably concluded has, as one of its purposes, the encouragement or participation in any act, conduct, or transaction that may be considered a commercial activity. This includes any offer to sell, lease, purchase, or invest; provide goods or service; advises of a business, gaming, or investment opportunity; or even just promotes a person as being a person who does or intends to do any of the above activities. There does not even have to be an expectation of profit on the part of the sender for a message to be of a commercial character and therefore a CEM. The message can also have a million other purposes, but as long as there can be found some commercial purpose in the message, it’s considered a CEM.
In determining whether a message has a “commercial activity” as one of its purposes, not just the content of the message is considered. Any hyperlinks in the message and the content of websites and databases linked will also be considered.
Emails and text messages may be CEMs, but so may any other type of electronic message that fits the above description. Think of Facebook, Twitter, and LinkedIn to name a few.
So Your Message is a CEM – What Does that Mean?
If the electronic message you want to send out is or might be a CEM, there are three possibilities.
- you may be prohibited from sending the CEM;
- you may be permitted to send the CEM provided it contains certain information and an unsubscribe mechanism as required by the act; or
- you may send the CEM without making any changes to it because the message fits within one of the carved out exceptions under the act.
Below is a framework of the analysis that needs to be performed to determine if and how your electronic message can be sent without violating CASL.
What Electronic Messages Can My Business Send and Not Send?
Step 1: Is the Message a CEM?
When determining whether you or your company can send out any electronic message first consider whether the message can be construed in any way to have a commercial purpose. If it can, the starting presumption is that the message is prohibited by CASL.
The next step of the analysis is determining whether your message falls within one of the many exceptions to the general prohibition. The two broad exceptions, which have further exceptions within them, are as follows:
- You have consent to send the message and the message contains the necessary information to make it CASL compliant; or
- the relationship between the recipient and the party sending the message falls within a recognized exception to the general prohibition of sending CEMs.
If the message is not a CEM your analysis is done. Send the message. If not, go to step 2.
Step 2: Does Your CEM Fall Within an Exception to the General Prohibition?
Ideally your CEM will fall within one of the recognized exceptions to the prohibition against sending CEMs and you can avoid all the message requirements that are otherwise attached to CEMs sent with consent (listed further below).
Section 6(5) of the Act and the Electronic Commerce Protection Regulations lists a few exceptions which allow a party to send a CEM without having to worry about having including an unsubscribe mechanism and a swath of personal identifying and contact information. Four of these exceptions are listed below.
Exception 1: Response to Request, Inquiry, or Complaint
CEMs that are sent in response to a request, inquiry or complaint are a permitted exception. It is important to note that an inquiry or complaint does not mean the sender has consented to future CEMs from your business.
Exception 2: Within Your Organization
CEMs to others within your organization that concern the activities of the organization are another permitted exception. Now lets say you want to send out a company wide email about how proud you are of your daughter for starting her own law practice. Such a message would be considered a CEM for promoting the image of someone as providing a commercial service (legal services), and would not be permitted under this exception since it does not concern the organization. Proud Parents take heed!
Exeception 2: An Existing Business Relationship
If your business and another business have an “existing relationship” as defined in the regulations, employees of your organization may send CEMs to the other business so long as the CEM concerns the activities of the other business. Like the other exceptions listed, these CEMs don’t have to include the information otherwise required in a CEM.
Exception 4: Family or Personal Relationship
If the message is sent by or on behalf of an individual to another individual and there is a personal or family relationship between them, as defined in the regulations, the CEM is exempt from the requirements for consent as well as the information and unsubscribe mechanism that must otherwise be included in a CEM.
A Family Relationship is defined in the act to mean “related to one another through a marriage, common-law partnership or any legal parent-child relationship and those individuals have had direct, voluntary, two-way communication”.
A Personal Relationship is defined as one in which two individuals “have had direct, voluntary two-way communications and it would be reasonable to conclude that they have a personal relationship, taking into consideration any relevant factors such as the sharing of interests, experiences, opinions and information evidenced in the communications, the frequency of communication, the length of time since the parties communicated or whether the parties have met in person.”
The Family Relationship exception is rather limited. Brothers sending CEM to each other would not be permitted to rely on the Family Relationship exception but would instead have to rely on the Personal Relationship exception. While the Personal Relationship exception appears rather broad, it becomes a lot less clear when two individuals have met through business, and their relationship is one based on business. Sales staff should be keen to go that extra mile and make a relationship a personal one. Take the potential client out to a ball game or for a beer, or the next friendly email you send may have to contain CASL formalities, making what was once a casual and friendly deal seem a lot more impersonal.
There are other exceptions for CEMs, including those that are sent:
- to provide a quote or estimate for the supply of products, goods, services, or land, if such a quote was requested
- to complete a commercial transaction already entered into;
- to those outside Canada
- from charities and political organizations,
- to enforce, notify, or inform of a legal right.
Each exception has its own nuances and must be carefully examined. Most are not complete exemptions to the general CEM requirement, and must include certain identifying information and an unsubscribe mechanism in accordance with the act and regulations.
If your CEM doesn’t fall within one of the above exceptions, move to step 3.
Step 3: Do You Have Consent to send the CEM?
CEMs may be sent, if the recipient has given express or implied consent to receive a CEM, and the CEM contains the following:
- The identity of the individual, corporation or organization who sent the message or the name by which they carry on business;
- Contact information including a mailing address AND a phone number, email address or web address for one of the above persons that is valid for at least 60 days after the message is sent.
- An unsubscribe mechanism according to section 11(1) of the act that is prominent and able to be readily performed.
- If the message is sent on behalf of another individual, corporation or organization the message also must include:
- the name or the name by which the person on whose behalf the message was sent carries on business;
- a statement indicating on whose behalf the message is sent and also who is sending the message;
There are exceptions to the above requirements in section 2(2) of CRTC Regulatory Policy 2012-183 that allow, in some circumstances, the above information to be posted on the web as opposed to in the CEM. There are also exceptions which may allow you to provide less information. If you are seeking consent for the purpose of installing, upgrading, or update a computer program or software on someone’s computer you must provide additional information, the nature and breadth of which is based on the function(s) of the software installed.
Express consent requires the recipient of the message to have explicitly consented to receiving a CEM. Express consent may be given orally, or in writing, though sending an electronic message to obtain consent for the sending of CEMs is itself considered a CEM and is prohibited. So Express consent may be obtained by calling up the party you wish to send the CEM to, or by getting them to fill out a form, provided you communicate the information proscribed by the regulations (listed below).
As per CRTC Regulatory Policy 2012-183, for express consent to be valid under CASL it must be obtained under a request that:
- clearly informs the person giving consent of what specifically they are consenting to;
- identifies the party seeking the consent (if the party carries on business under a different name, it must provide that name);
- If the request is on behalf of someone else, the party seeking the consent must:identify the party (or the name under which that party carries on business) on whose behalf the consent is being requested; and
- provide a statement indicating which individual, company or organization is seeking consent, and on whose behalf the consent is sought
- provides the mailing address and either a telephone number, email address, or web address of the party seeking consent or, if different, the party on whose behalf consent is being sought; and
- a statement indicating that the person whose consent is sought can withdraw their consent.
If you wish to obtain consent for not only sending CEMs, but also for altering electronic messages or installing computer software or updates on someone’s computer, you must obtain separate consents for each of the other two additional activities.
If you don’t have express consent, consider whether you have implied consent. Section 10 the Act sets out a variety of situations in which you may be deemed to have implied consent, including:
- you or the person who sends the message has an existing business or personal relationship with the party you are sending the CEM to;
- the party the CEM is being sent to has conspicuously published their electronic address or has provided it to the person sending the message or the person on whose behalf the message is being sent, and has not expressed a desire not to be solicited, and the message is relevant to the person’s business, role, functions or duties in a business or official capacity;
Is there an existing business relationship? The act and regulations are nuanced as to what qualifies as a business relationship that would imply consent, but basically, if you have done business – actual business – with the party you want to send a CEM to in the past two years, you have an existing business relationship. Referrals, a mutual relationship with a third party, or past discussions about working together don’t appear to qualify as creating an existing business relationship under CASL, but if anytime in the last 6 months, the party you want to send a CEM to has made an inquiry about doing business with you that would create an existing business relationship under CASL and grant you implied consent.
You Have Consent – Now What?
If your business has express or implied consent, you may send the CEM so long as it has the information proscribed by CASL as noted above.
After July 1, 2014 complying with CASL will become an onerous task. Businesses must think carefully about what electronic messages they send and how they store and maintain consent information to ensure they do not run amok of CASL. The above is just a short summary of some of the basic rules of CASL and is not intended as legal advice. The breadth and detail of CASL is immense, and it is simply not possible to communicate all of the rules and their nuanced requirements. Making any particular business CASL compliant requires an examination of the businesses practices and an depth examination of the nuanced rules as they apply to your business.
References and Footnotes
- An Act to promote the efficiency and adaptability of the Canadian economy by regulation certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, S.C. 2010, c. 23 (the “Act”), section 20 ↩
- The Act, s. 6(5) ↩
- Electronic Commerce Protections Regulations, SOR/81000-2-175, s. 3(a)(i) ↩
- Electronic Commerce Protections Regulations, SOR/81000-2-175, s. 3(a)(i) ↩
- Electronic Commerce Protections Regulations, SOR/81000-2-175, s. 2(a) ↩
- Electronic Commerce Protections Regulations, SOR/81000-2-175, s. 2(b) ↩
- CRTC Regulatory Policy 2012-183, s.2(a) ↩
- Act, Section 6(2)(b), and 6(3); CRTC Regulatory Policy 2012-183, s,.2 ↩
- Act, Section 6(2)(c); CRTC Regulatory Policy 2012-183, s,.3 ↩
- CRTC Regulatory Policy 2012-183, s.2(b) ↩
- Act, Section 10(2) ↩
- Act, Section 10(3-8) ↩
- CRTC Regulatory Policy 2012-183, s.4(a) ↩
- CRTC Regulatory Policy 2012-183, s.4(b-c) ↩