Canada will soon have the dubious distinction of having the most restrictive anti-spam/anti-spyware legislation in the world. It focuses predominately on spam (unsolicited commercial electronic messages (CEMs)) and spyware (the installation of computer programs), but also addresses related topics, such as misleading representations in CEMs, address harvesting and altering transmission data. While first impressions may be that any anti-spam anti-spyware legislation can only be a benefit to guard against a torrent of unsolicited and unwanted emails and malware, the scope of the legislation is extremely broad and captures much more than what is typically thought of as “spam.” It will apply to any business that sends emails or provides software programs for installation, despite them doubtlessly not considering themselves to be “spammers” or malware providers.
CASL was enacted by the 3rd session of the 40th Parliament in 2010, receiving royal assent on December 15, 2010.1 The commercial electronic message provisions under CASL are set to come into force on July 1, 2014. The provisions related to the installation of computer programs will come into force on January 15, 2014 and the private right of action will follow on July 1, 2017.
There are two regulations to CASL. The first is issued by the Canadian Radio and Telecommunications Committee (CRTC), and the second by Industry Canada.
The CRTC Regulation
The Electronic Commerce Protection Regulations were released by the CRTC for public comment on July 2, 2011. After considering public comments, the CRTC issued a final regulation on March 28, 2012 (the CRTC Regulation). This regulation sets out the prescribed content of CEMs, the form and functionality of the mandatory opt-out mechanism that must be included in each CEM, information to be included in a request for consent, and specified disclosure for consent for the installation of a computer program.
On October 10, 2012, the CRTC also issued two guidelines (548 Guideline and 549 Guideline) with respect to the interpretation of the regulation. These are discussed below.
The Industry Canada Regulation
Industry Canada issued a draft regulation for public comment on July 9, 2011. After considering the public comments, Industry Canada issued a further revised draft regulation on January 5, 2013 for comment. The final Electronic Commerce Protection Regulations (the Industry Canada Regulation) were released on December 4, 2013. Among other things, this regulation sets out a list of commercial electronic messages that are excluded from the consent, form and content requirements, conditions for use of consent by unnamed third parties and the definitions of personal and family relationships.
CASL regulates the use of electronic means to carry out commercial marketing activities and does so in a very proscriptive manner. It creates a broad prohibition against sending CEMs, with specific and limited exceptions. It also creates specific requirements and procedures to obtain express consent and limited circumstances in which businesses can rely on implied consent.
This approach sweeps into the scope of the legislation many legitimate commercial messaging activities, and not just “spam” emails. Unlike the United States CAN-SPAM Act, which regulates emails, CASL’s provisions extend beyond that to text, instant and social media forms of messaging (e.g., Twitter, Facebook, and LinkedIn). Furthermore, CASL applies to any messages that have as one of its purposes to encourage participation in a commercial activity, regardless of whether this purpose is dominant or secondary. This determination is based on a wide range of factors including the message’s content, any included hyperlinks and any included contact information.
Regardless of the form of consent obtained, the sender of a CEM must comply with prescribed content requirements for each CEM (subject to limited exceptions). For example, each CEM must set out (i) information identifying the person who sent the message and, if different, the person on whose behalf the message was sent, (ii) information enabling the recipient to readily contact one of such persons, and (iii) an opt-out mechanism. The CRTC Regulation sets out a significant amount of information about the sender that must be included in the CEM, including (i) the name of the person sending the message; and (ii) the mailing address, and either a telephone number providing access to an agent or a voice messaging system, an email address or a web address of the person sending the message. Additional disclosures must also be included when the CEM is being sent on behalf of a third party.
CASL and the CRTC Regulation also provide details about the opt-out mechanism to be included in each CEM. Recipients must be able to respond to the opt-out in the same medium as the original message was sent (and if not practicable, then through other electronic means), and must also be provided with an electronic address or link to a website to which the opt-out request can be sent. This electronic address or website must be valid for at least 60 days after the CEM was sent. The opt-out mechanism must be able to be “readily performed” and must be processed without delay and in any event within 10 business days from the opt-out request.
The anti-spyware provisions of CASL include an express consent requirement for the installation of computer programs and prescriptive disclosure and notice requirements. As with the anti-spam provisions of CASL, the spirit of the “anti-spyware” provisions seem laudable, but the drafting of the provisions casts the net far beyond what is typically thought of as spyware. Although the principal policy objective of these provisions is to deter the distribution of “spyware,” the consent and notice provisions will apply to computer programs regardless of whether the program is installed for a malicious purpose. Both “basic” and “function-specific” disclosure notices (including reasonably foreseeable impacts on the user’s computer) must be given to end users in advance of installation of a program.
As with the anti-spyware provisions, CASL creates a broad prohibition, then sets out specific exceptions. It prohibits the installation of any computer programs on a computer without the consent of the authorized user of the computer system. The installer must obtain the authorized user’s express consent as defined in the Act (subject to limited exceptions).
In some cases, there are additional prescriptive disclosure and notice requirements, such as:
will the program collect personal information stored on the computer system;
will it change or interfere with the settings, preferences or commands already installed or stored on the computer system; or
Installers will be exempt from obtaining new consent in cases where the installation is an update or upgrade to a computer program, the installation of which was already expressly consented to by the authorized user of the computer system and the update is contemplated by, and installed in accordance with, such original consent.
The consent requirements in CASL generally apply to both sending CEMs and the installation of computer programs. The CRTC Regulation sets out information that must be included in the request for consent.
What Is Express Consent?
With respect to CEMs, CASL’s proscriptive consent requirements are much stricter than the existing principles-based approach to obtaining consent under Canada’s federal and provincial privacy laws. Under CASL, when seeking express consent, an organization must set out “clearly and simply” the following information orally or in writing: (i) the purpose for which consent is being sought; (ii) the name by which the person seeking consent does business; or the name of the person seeking consent; (iii) the mailing address, and either a telephone number providing access to an agent or a voice messaging system, an email address or a web address of the person seeking consent; and (iv) a statement indicating that the person whose consent is sought can withdraw their consent. CASL also sets out specific requirements for obtaining express consent on behalf of third parties.
Privacy laws generally permit opt-out consent for marketing purposes and allow for reliance on implied consent in broader circumstances than does CASL. In the 549 Guideline, the CRTC clearly takes the position that opt-out consent (and a pre-checked box on a website would be considered to be opt-out consent) is inadequate to establish express consent under CASL.
To add a further challenge in respect of obtaining express consent, CASL also specifies that any CEM used to solicit consent is itself a CEM for which the sender must have the consent of the recipient to send. This underscores the need to proactively solicit the necessary consent either before CASL comes into effect and/or during the transition period (further discussed below).
The Impact of the Guidelines
The CRTC guidelines have created some confusion with respect to obtaining express consent. A full discussion of the guidelines is beyond the scope of this paper, but some examples are set out below.
Another concern raised by the guidelines is the manner in which the CRTC suggests that an organization can establish oral consent. CASL generally allows an organization to obtain consent orally, and there have been questions about what evidence will be necessary to discharge the onus of proving that such consent has been obtained. Although not exhaustive, the CRTC has indicated that this onus can be discharged in the following narrow circumstances:
where oral consent can be verified by an independent third party; or
where a complete and unedited audio recording is retained by the person seeking consent or a client of the person seeking consent.
Clearly, this is impractical in the point-of-sale context (e.g., retail checkout), which is the primary point of person-to-person contact for a majority of retail businesses.
Further, although the CRTC has previously clarified that consent obtained in writing is satisfied by consent collected in electronic form, it has indicated that consents obtained through a web page need to be supported by, for example, a record of the date, time, purposes, and manner of the consent. This would require many businesses to create new processes and systems to record this information.
What Is Implied Consent?
CASL provides limited circumstances in which an organization can rely on implied consent, and these circumstances are limited to CEMs. Of primary importance to many businesses will be that consent can be implied in an “existing business relationship.” CASL provides that consent to send CEMs is implied if the person who sends the message (or the person who causes or permits it to be sent) has an existing business relationship with the recipient. What constitutes an existing business relationship, and how long the consent is valid, is expressly prescribed, and includes, among other circumstances, (i) a two-year period following the purchase or lease of any good, service or land, (ii) a two-year period of the offer and acceptance of a business, investment or gaming opportunity, and (iii) a six-month period following an inquiry or application made by the recipient. However, the onus will be on the sender to establish that implied consent exists, and tracking the start date and end date for such consent (and ensuring no CEMs are sent outside of these times) will be an administratively daunting task.
Other instances of implied consent include (i) an “existing non-business relationship” arising out of, for example, a donation or gift made by the recipient within the 2 year period before the message was sent and the message is sent by a registered charity, a political party or organization, or a person who is a candidate for publicly elected office, and (ii) where the recipient has publicly disclosed his or her electronic address, has not stated that he or she does not wish to receive CEMs, and the message sent is relevant to the recipient in a business or official capacity. CEMs that do not fall within any of limited circumstances in which implied consent can be relied upon must obtain express consent to send CEMs or fall within an exception.
Exceptions from Consent
There are some, albeit limited, exceptions from the requirement to obtain consent, including: CEMs that provides a quote or estimate, if the quote or estimate was requested by the recipient; CEMs that facilitate, complete or confirm an earlier transaction with the recipient, CEMs that provide warranty and other product safety information to a user of the product; CEMs that provide factual information relating to an on-going purchase or subscription; CEMs that provide information about an employment relationship or related benefit plan; or CEMs that deliver a product, good or a service, including product updates or upgrades further to a previous transaction.
The Industry Canada Regulation also sets out exclusions from the consent and form and content requirements for certain categories of CEMs, generally summarized as:
qualifying business to business messages;
messages sent in response to a request, inquiry or complaint;
messages sent due to a legal obligation or to enforce a legal right;
messages sent or received on an electronic messaging service, or sent on a limited-access secure and confidential account (provided certain requirements are met);
messages sent by a charity for the purposes of raising funds or a political party or organization for the purpose of soliciting a contribution; and
messages sent by a person who believes it will be received in a listed foreign state and the message conforms to the anti-spam law of the foreign state.
The Industry Canada Regulation also sets out a specific and limited exception for dealing with emails sent following a referral or recommendation. The sender will not be required to obtain consent for the first email to the recipient, so long as: (i) the individual making the referral has an existing business relationship, an existing non-business relationship, a personal relationship or a family relationship with the individual who sends the message, (ii) the referrer also has any of those relationships with the individual to whom the message is sent, and (iii) the message discloses prescribed information. This exception applies only to the first CEM, after which the sender must have either express or implied consent or an exception to the consent requirement in order to send CEMs.
The Industry Canada Regulation provides three exemptions for telecommunications service providers (TSPs), which avoids the need for consent in respect of the installation of a computer program that is installed:
to protect the security of all or part of its network from a current and identifiable threat to the availability, reliability, efficiency or optimal use of its network
to update or upgrade the TSP’s entire network
to correct a failure in the operation of the computer system or a program installed on a computer system.
The Transition Period
There will be a three-year transition period after the enactment of CASL. With respect to CEMS, during the transition period, businesses can rely on the implied consent of persons with whom they have an existing business relationship or an existing non-business relationship, as long as that relationship included the communication of CEMs at the time of enactment, and unless and until those persons give notification that they withdraw that consent. In the same way, during a three year grace period, businesses can rely on a person’s consent to install an upgrade or update to an existing computer program, unless and until that person gives notification of withdrawal of their consent.
This period will be critical for businesses to solicit and obtain express consent, but will only be useful for those recipients with whom they already have an existing business relationship by the time CASL comes into effect.
Penalties and Enforcement
CASL imposes significant monetary penalties for non-compliance and creates new violations and offences for false or misleading subject lines, email address harvesting and pharming. The new anti-spam and anti-spyware rules will be enforced with stiff penalties: up to $10,000,000 for corporations and $1,000,000 for individuals. As well, a private right of action will allow consumers and businesses to commence enforcement proceedings and recover damages, including statutory damages.
The CRTC will be ensuring that compliance is met for the three areas: (1) the sending of commercial electronic messages, (2) the alteration of transmission data in an electronic message; and (3) the installation of computer programs. Similarly, the Competition Bureau will be investigating and taking action in cases where there are false or misleading representations and deceptive marketing practices in the electronic marketplace. CASL amends the Competition Act in two areas: (1) by adding provisions that refer to false or misleading representations and deceptive marketing practices in electronic messages, locator information (i.e., URLs) and metadata and (2) by including technology-neutral language that applies to emerging technologies.2
Impact on Franchisors
The extent to which CASL will impact franchisors will depend on how the marketing programs are implemented by the franchisor, how marketing lists are compiled, who uses them, and whether they are shared between the franchisor and the franchisee.
As noted above, due to the differences between CASL and PIPEDA, any consent that was obtained to date for the use of an email address for marketing purposes may not be suitable under CASL. This means that existing databases may have to be purged, and/or new consent obtained. While stand-alone businesses have the ability to control and delete a centralized database of customer information, in a franchise system, the franchisor and the franchisees may maintain separate databases with overlapping information. To the extent that the franchisor has provided any electronic account addresses to the franchisees, it must take steps to ensure that the franchisees comply with any instructions to purge or update their databases.
Further, if the franchisor compiles and uses a marketing list based on information provided by its franchisees (e.g., if the franchisor has no direct relationship with the recipients on the marketing list), the franchisor must rely entirely on the franchisees to obtain the appropriate form of consent or to establish that an exception or exemption exists. If the franchisor prescribes marketing programs, it must do so carefully to avoid creating potential liability under CASL.
In the past, any instance of an email address being used for marketing purposes without the consent of the recipient would have come under the scope of PIPEDA or the equivalent provincial privacy legislation (if applicable). The penalties for non-compliance were less significant than CASL, and franchisors may have been somewhat lax in ensuring that the franchisees were obtaining the appropriate consent in every instance and communicating any opt-outs to the franchisor.
Now, given the significant penalties under CASL, franchisors that rely on their franchisees for obtaining the requisite consent must ensure that franchisees obtain CASL-compliant consent. Further, the consent must take into account who will use the contact information for marketing purposes – the franchisor, the franchisee, or both. Should the franchisor send a CEM to a recipient who has not provided consent, the risk of non-compliance ultimately falls to the franchisor. It would be no defence to take the position that the franchisee had failed to obtain the consent that the franchisor needed. Accordingly, if the franchisor does not have the confidence that the appropriate consent will be collected in all cases, it may have to reconsider whether it will continue to compile its marketing databases based on information received from its franchisees. Additionally, franchisors will also have to consider whether to assist franchisees in complying with the legislation, and if so, how much assistance to provide.
CASL will likely not have a significant impact on a franchisor’s electronic communication with its franchisees due to the business to business exception (as long as the emails fall within the scope of the exception). However, a franchisor must be careful to treat prospective franchisees with the same care as it would a customer. That is, a franchisor must ensure that it has express or implied consent, or an exemption, to send any CEMs with marketing material to prospective franchisees.
Similarly, the impact of CASL’s anti-spyware provisions will depend on whether the franchisor provides software programs, intranets or other computer systems, and how those programs – and updates and upgrades – are installed on franchisees’ computers.
While CASL, by itself, is complex enough, franchising adds a layer of complexity when developing and implementing a compliance plan. Given these additional concerns, and the remaining time before CASL comes into force, franchisors should consult with their legal counsel now to work on compliance planning.
1 CASL’S full title is An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, S.C. 2010, c. 23, formerly referred to as the “Fighting Internet and Wireless Spam Act.”
2 See the Frequently Asked Questions section of CASL’s website.