Canada’s Fighting Internet and Wireless Spam Bill, better known as Canada’s Anti-Spam Legislation (CASL), was enacted in December 2010, but enforcement of the law did not commence until July 1, 2014, on Canada Day. The law impacts any U.S. company or individual sending commercial electronic messages (CEMs) to businesses in Canada, and it has several aspects that differ from the restrictions under CAN-SPAM and TCPA in the U.S. As a result, a “one size fits all” approach with respect to electronic marketing campaigns that include our neighbors to the north will not work.
The law applies to CEMs sent from or to computers and devices located in Canada. It includes emails, SMS, instant messaging and certain social networking communications that are sent to email addresses, instant message accounts, phone accounts and social media accounts for the purpose of conveying commercial or promotional information to customers or prospects in Canada. Fax messages do not fall under the statute.
CASL also prohibits the altering of transmission data, and the installation of a computer program without consent, but this post will focus on the CEM aspect of the statute.
Unlike CAN-SPAM, which requires an “opt-out” model, CASL requires an “opt-in” mechanism whereby senders must first procure either implied or express consent before sending a CEM. Accordingly, marketers cannot use a pre-checked toggle box when seeking consent.
Implied consent occurs if the recipient: (1) has purchased a product or service, or entered into another business deal, agreement, or membership with the sender within the last 2 years; or (2) has made a donation or gift to, volunteered with, or been a member of the sender within the last 2 years, if the sender is a registered charity or political organization.
Unlike the TCPA, express consent under CASL may be obtained orally or in writing, but it must be sought separately for each of the three acts covered by CASL (i.e., sending a CEM, altering transmission data and installing a computer program). A request for written consent must include:
A clear and concise description of the purpose for which consent is sought;
The name of the person seeking consent, or the person on whose behalf consent is sought;
The requestor’s contact information (mailing address, and either a telephone number, email address or website URL);
A statement that the recipient can withdraw consent at any time.
The Act is ambiguous with respect to a number of written consent issues, however, such as whether the person seeking consent must specify the particular device that will receive the CEMs, whether a hyperlink to the requestor’s contact information is permitted and the level of detail required for the purpose statement.
The CRTC has provided guidance for obtaining oral consent, which it deems sufficient if it can be verified by an independent third party, or where a complete and unedited audio recording of the consent is retained by the person seeking consent.
A number of categories of electronic messages are exempt from CASL, including:
CEMs sent between businesses that have an ongoing business relationship and that are sent by an employee, representative, contractor or franchisee and that are relevant to the business, role, function or duties of the recipient. Also exempt are CEMs sent to third-party business partners.
Messages sent and received via an electronic messaging service, provided that (i) the information and unsubscribe mechanism that are required under the Act are conspicuously posted and readily available on the user interface through which the CEM is accessed and (ii) the recipient either expressly or implicitly consented to receive it.
CEMs sent where the sender has a personal or family relationship with the recipient.
Messages sent to consumers in response to requests for information, inquiries or complaints.
Third-party referrals, provided the sender identifies in the CEM the full name of the referring person and the referring person has a current relationship (personal or business) with the recipient.
CEMs regarding the delivery of a product or service in relation to a previous transaction, including messages to facilitate or complete a transaction.
Messages sent by telecommunications service providers for the installation of computer programs without consent in order to either (i) protect network security, (ii) upgrade or update the network, or (iii) correct a failure in the operation of a computer system or program installed on the network.
CEMs sent to a limited-access secure and confidential account to which messages can only be sent by the person who provides the account.
Messages sent by a registered charity or political organization with the primary purpose of raising funds.
Messages sent to satisfy a legal obligation, to provide notice of or to enforce a legal right, order, obligation or judgment.
Three different government agencies will share enforcement responsibilities for CASL. The main enforcement body is the Canadian Radio-television and Telecommunications Commission (CRTC), which will issue administrative monetary penalties for sending non-compliant CEMs, altering transmission data (e.g., misdirecting users to a website they did not intend to visit), or installing computer programs on a system without express consent. The Competition Bureau will administer monetary penalties or criminal sanctions for false and misleading representations and deceptive marketing practices. The Office of the Privacy Commissioner will enforce against the collection of personal information through the unauthorized access to computer systems or the harvesting of electronic addresses by compiling bulk email lists through mechanisms.
Penalties for the more serious violations can range as high as $1 million for individuals and $10 million for businesses, per violation. The law is being implemented in stages, and starting July 1, 2017, a private right of action will be permitted against violators, who will be liable for statutory damages that could be as high as $1 million per day.
Companies marketing to businesses in Canada should create a checklist to ascertain whether a message constitutes a CEM and, if so, whether any of the many exceptions apply. We also recommend undertaking a thorough review of existing policies and guidelines, or developing new ones, for requesting consent to send CEMs and structuring a database to maintain records of each consent obtained (whether written or verbal). Existing databases of email addresses and phone numbers must be reviewed and scrubbed, if necessary, to determine which means of contact are still valid (i.e., an existing business relationship can be verified) and whether a new consent should be obtained. Businesses should also update their CEM templates and “unsubscribe” mechanisms to ensure compliance with the CEM aspect of the new law.