McAfee & Taft tIPsheet - November 2012: Canada’s Anti-Spam Legislation to impact electronic marketing and communications by Sasha Beling


[author: Sasha Beling]

Until recently, Canada was the only G8 country without specific anti-spam legislation. Canada’s new anti-spam legislation, Bill C-28, commonly referred to as Canada’s Anti-Spam Legislation (CASL), is set to go into effect sometime in 2013. The CASL will significantly impact businesses’ electronic marketing and communications practices.

Unlike Canada, the United States already has laws in place that address unsolicited commercial messages via email and telephone:

Currently pending before Congress is H.R. 6377, the Mobile Device Protection Act (MDPA), which requires a user’s consent before monitoring software installed on the user’s mobile device first begins collecting and transmitting information.

In the U.S., CAN-SPAM establishes requirements regarding unsolicited commercial electronic communications. In Canada, CASL applies broadly to all communications either sent by Canadian individuals or companies, or to Canadian recipients, or messages simply routed through Canadian servers. In general, CASL has more stringent requirements for compliance than CAN-SPAM. For example, CASL requires documented prior consent (opt-in) before sending commercial messages, whereas CAN-SPAM does not have an opt-in requirement. In addition, CASL is technology neutral, meaning that it applies to all forms of electronic communications, including emails, texts, images, voice or sound, or even technologies not yet developed. In addition to more stringent requirements, CASL also imposes more severe penalties for noncompliance. In contrast to CAN-SPAM’s $16,000 penalty per violation, CASL could impose penalties of up to $1 million per violation for individuals and up to $10 million per violation for businesses.

The CASL also addresses privacy issues, specifically requiring that users give consent to the installation of programs and are informed that a program has monitoring capabilities before that program’s installation.

The CASL is enforced by three organizations: the Competition Bureau, the Canadian Radio-television and Telecommunications Commission (CRTC), and the Office of the Privacy Commissioner. The CRTC is encouraging businesses to begin preparing for CASL’s enactment and has recently released informational bulletins to help businesses better understand the legislation and facilitate compliance with CASL.

For an illustrative example, the table below shows how the CASL compares with existing U.S. laws, CAN-SPAM and TCPA, and proposed H.R. 6377 MDPA.

Businesses should begin preparing for the enactment of CASL by obtaining documented consent of future communications recipients and establishing communication practices in compliance with CASL. If outside marketing companies are used, take steps to ensure the outside marketing company is familiar with, and in compliance with, the CASL. While these options are not guaranteed to prevent all violations, having such procedures in place can reduce the potential for problems resulting in added costs.

Laws compared
  • Canada: CASL (C-28; expected enforcement in 2013)
  • United States: CAN-SPAM (15 U.S.C. §7701)
  • United States: TCPA (47 U.S.C. §227)
  • United States: MDPA (H.R. 6377; pending legislation)

Protection from
  • CASL: Unsolicited commercial electronic messages; installation of computer programs without express consent
  • CAN-SPAM: Unsolicited commercial electronic mail via the Internet
  • TCPA: Telephone solicitations and use of automated telephone equipment
  • MDPA: Monitoring software on a consumer’s device and collection of information

Communications covered
  • CASL: Electronic messages sent by any means of telecommunication, including text, sound, voice, or image (email, instant messaging, social media messages, text etc.)
  • CAN-SPAM: Emails, including social media messages
  • TCPA: Automatic dialing, artificial or prerecorded voice messages, text messages, and fax machines
  • MDPA: Communicating the usage of a mobile device, location of a user, or information collected to another device or system without prior consent

Prior consent required
  • CASL: Yes
  • CAN-SPAM: No
  • TCPA: Yes
  • MDPA: Yes – prior to the time when the monitoring software first begins collecting and transmitting information

Provide opt-out
  • CASL: Yes
  • CAN-SPAM: Yes
  • TCPA: Yes
  • MDPA: Yes

Extraterritorial
  • CASL: Yes – covers any messages sent, received, or routed through a Canadian device
  • CAN-SPAM: Yes
  • TCPA: Yes – covers calls and faxes originating from outside the U.S.
  • MDPA: Not explicitly stated in the current legislation

Penalties
  • CASL:
    • Up to $1 million per violation for individuals
    • Up to $10 million per violation for businesses
  • CAN-SPAM: Up to $16,000 per violation
  • TCPA: The higher of
    • Up to $1,500 per violation, or
    • Actual monetary loss
  • MDPA:
    • Injunction, or
    • The greater of
      • Actual monetary loss, or
      • $1,000 per violation, or
    • Both

Grants private right of action
  • CASL: Yes
  • CAN-SPAM: Yes – only by Internet access service providers
  • TCPA: Yes
  • MDPA: Yes