New anti-spam legislation has been introduced in Canada to deter spam and other electronic threats such as identity theft, phishing and spyware. The majority of the legislation, including those portions related to the sending of commercial electronic messages (CEMs) will come into effect on July 1st, 2014. However, sections related to the unsolicited installation of computer programs or software and a private right of action conferred by the legislation will not take effect until January 15th, 2015 and January 1st, 2017, respectively.
The legislation, referred to as the Canadian Anti-Spam Legislation, or “CASL”, will be enforced both through regulatory measures such as administrative monetary penalties and, eventually, through a private right of action. Enforcement will involve several agencies, primarily the Canadian Radio-television and Telecommunications Commission, and also the Competition Bureau and the Office of the Privacy Commissioner. In addition to establishing a regulatory framework to address spam and other electronic threats, CASL gives these agencies the authority to share information and evidence with international counterparts.
Penalties for non-compliance with the legislation are stiff, with maximum penalties of $1 million for a violation by an individual, or $10 million for a violation by a corporation. Accordingly, there is a strong incentive to comply with CASL. Unfortunately, the legislation is very complex and imposes significant obligations on the sender of a CEM.
For Canadian businesses, the new legislation likely means an update to current email practices. To send a CEM within, from or to Canada, organizations will need to both obtain consent from recipients to send such messages, and provide specified content and an unsubscribe mechanism in the message itself. Consent can be express (whether oral or in writing) or implied, and is not required in certain specified circumstances, but the onus to prove compliance with CASL is on the sender. Organizations seeking consent should consider making and keeping a complete and unedited audio recording of oral consents (if they are otherwise able to record the conversation), and record in a database the date, time, purpose, and manner of written consent.
When asking for express consent, organizations must provide recipients with:
• the purpose(s) for which the consent is being sought;
• the name of the person or organization seeking consent;
• a mailing address and either a phone number, email address or website, which remains valid for at least 60 days after the CEM is sent;
• a statement identifying the person on whose behalf consent is being sought;
• the identity and contact information of any third party or affiliate used to obtain the recipient’s consent;
• a free unsubscribe mechanism that takes effect within 10 days to allow recipients to electronically opt-out of communications, including a website to which such opt-out instructions may be sent; and
• the ability to opt-out of all types of communications sent either by the organization or a third party partner.
If an organization is seeking express consent, they also need to explain why they are contacting the prospect and if the organization cannot include this information in the message, they will need to provide a link to a web page that clearly displays this information. Once the legislation comes into force, sending an electronic message requesting consent will be considered a CEM, and so consent will not be able to be obtained through such a message.
In certain circumstances, consent can be implied. First, consent can be implied if an organization sends a CEM in the context of an existing business or non-business relationship . Second, consent can be implied if recipients conspicuously publish their electronic contact information without indicating they do not want to receive communications and the CEMs sent are relevant to the recipient’s business, role, functions or official capacity. Third, consent can be implied if recipients voluntarily disclose their electronic contact information to the sender, such as through providing a business card, without indicating they do not want to receive communications and the CEMs sent are relevant to the recipient’s business, role, functions or official capacity. Implied consent expires in six months if a prospect does not become a client and in two years if an existing client does not buy something new or does not renew their subscription, loan, account or contract. Hence, there is an incentive to obtain express consents.
Some CEMs do not require consent, including those that:
• provide a quote or estimate in response to a request;
• facilitate or complete a commercial transaction;
• provide warranty, product recall or safety alerts about a product;
• provide factual information about the ongoing use of an existing product, service or good or an ongoing subscription, membership, account, loan or similar relationship;
• provide information about an employment relationship;
• deliver a product or service, such as an upgrade;
• fulfill, provide notice of, or enforce a legal obligation;
• are sent on behalf of a registered charity or political party for the purpose of raising funds; or
• are the first message sent following a referral.
Finally, the prohibition on sending CEMs does not apply when sending messages to family or friends or when responding to inquiries or applications.
In order to ensure that your organization is complying with this legislation, it is prudent to review your current practices and list of consents, develop a plan to ensure that future CEMs are compliant and get express consent from any potential recipients.