CASL update - current status of the new anti-spam law
While Canada's Anti-Spam Law (CASL) was passed in late 2010, progress with the associated regulations has been slow. It is now expected that CASL will not come into force until at least mid-2013.
One of the main goals of CASL is to regulate a broadly defined category of "commercial electronic messages" (CEMs) which include e-mails, tweets, text messages and all other forms of electronic communication (except telephone communications), when they are used for commercial purposes. In general, the law prohibits sending CEMs unless express, "opt-in" consent is obtained from intended recipients prior to sending CEMs. Once the law is in force, requests for consent to send CEMs will be governed by the same rules. The law also stipulates minimum information disclosure requirements for all CEMs, and for requests for consent to send CEMs. Furthermore, CASL will require that every CEM include an unsubscribe mechanism that can be "readily performed". To enforce these new rules, CASL confers on the Canadian Radio-television and Telecommunications Commission (CRTC) regulatory powers which include the power to impose strong penalties for non-compliance (up to $10-million for organizations).
final CRTC regulations
CASL provides for two sets of regulations, one from Industry Canada and another from the CRTC. The CRTC finalized its regulations on March 7, 2012. The CRTC regulations specify the required form and content of CASL-compliant CEMs. Pursuant to these regulations, all CEMs originating in Canada, or directed to residents of Canada, must include:
- the name of the sender, or the name of the person or business on whose behalf it is sent;
- a mailing address and any of: a telephone number providing voice messaging, an email address, or a web address of the sender or, if different, the person on whose behalf the message is sent; and
- a readily-accessible unsubscribe mechanism
For short CEMs (e.g., twitter or text messages) a clear and prominent link to a web page may be included in place of the above information, provided that it is readily accessible at no cost.
The regulations also prescribe the form and content of requests for consent of persons to whom CEMs are proposed to be sent. Under the CRTC's revised regulations, requests for consent may be made orally or in writing and must include:
the name of the person or business seeking consent and if sought on behalf of another person or business, then that name and a statement identifying the person seeking consent and the person on whose behalf consent is being sought;
the mailing address and a telephone number providing voice messaging, an email address, or a web address of the requestor or the person on whose behalf consent is sought; and
a statement that the person whose consent is sought can withdraw their consent.
exclusions and exemptions – may be tweaked by regulation
As discussed in previous McMillan bulletins (May 2011, October 2011), CASL provides a number of specifically-defined exclusions and exemptions that permit certain messages to be sent without full CASL compliance. Additional categories may be added by regulation. The existing categories are as follows:
- excluded messages: Certain forms of messages are entirely excluded from the purview of CASL, specifically a CEM sent in the context of a personal or family relationship, or an inquiry sent to a person engaged in a commercial activity about their business.
- no consent needed: a sender may send a CEM without prior consent where the message is sent to provide a quote or estimate, to facilitate a commercial transaction, for warranty or safety information, to provide information about an ongoing service or goods sale or use relationship, to provide information about an employment relationship, or to complete a sale delivery.
- implied consent: a sender may imply consent if an "existing business relationship" or an "existing non-business relationship" exists or the intended recipient has disclosed to the sender or conspicuously published their email address without indication that they do not wish to receive unsolicited CEMs.
It is important to note that the above exceptions and exemptions are very precisely defined and delimited. For example, an "existing business relationship" under CASL generally would not apply to a relationship where business dealings have not occurred within the immediately previous two years.
Industry Canada regulations
Industry Canada, responsible for providing regulations which describe and supplement the above-noted exceptions and exemptions, published its first set of draft regulations in July 2011 with a 60-day comment period. After receiving a considerable number of comments, many focusing on the overall thrust of the law as opposed to the specific provisions of the regulations, Industry Canada chose to rework the regulations and distribute a second draft set – yet to be released – for a further 30-day comment period. It is now expected that these revised draft regulations will be released in October 2012.
It appears that Industry Canada's second draft regulations will respond to a number of issues raised in response to the initial version and that certain additional exemptions (i.e., to the entirety of CASL) are being contemplated. These will include:
- sending a CEM that is required by law;
- if sent in response to an inquiry; or
- if sent internally within a business (e.g., to an employee) or between businesses in a transactional context.
We expect these new exemptions to be narrowly drafted and only useful to exclude clear examples of activities that CASL is not intended to affect, rather to reinterpret or limit CASL's broad definition of CEMs.
no grandfathering of PIPEDA consents
Recent intelligence indicates that Industry Canada will not extend CASL's exemptions or permit implied consent, to include PIPEDA-compliant consents. PIPEDA (Personal information Protection and Electronic Documents Act) contains consent provisions that are significantly more flexible than CASL's and which could be applied to satisfy CASL's prior express consent requirement.
third party referral programs
The initial draft Industry Canada regulations constrained the definition of "personal relationship", throwing into question some popular uses of social media for "refer a friend" campaigns. Restrictions included the requirement that the sender and the recipient must have had an in-person meeting and a two-way communication within the previous two years.
In its revised draft regulations, Industry Canada is not expected to provide an exception to the prior express consent requirement for referral marketing. However, the definition of "friend" is expected to be relaxed to include relationships where the individuals communicate solely by digital means and have never met in person. Referral campaigns that encourage individuals to send CEMs to their friends will likely be permissible if they do not cause inducement to violate CASL (inducement being an act which attracts liability for penalties under CASL).
Neither CASL nor the proposed regulations provide any guidance regarding what will be accepted as "express consent" to send a CEM. Industry Canada's view is that this approach permits flexibility in the manner in which such consent may be obtained. However, the CRTC has indicated that it expects to release guidelines for CASL compliance, which it can be surmised should include acceptable forms of express consent. For example, it appears that pre-checked boxes within on-line sign-up forms will satisfy the requirement.
Release of the revised draft Industry Canada regulations is anticipated in October, following which there will be a further consultation period (30 days). Review of submissions may take Industry Canada between six to eight weeks, after which final regulations will be issued with a coming-into-force date. It is expected that CASL would be brought into force within six months after Industry Canada's regulations are finalized. Based on this timetable, we can expect CASL to become effective no earlier than July 1 and possibly as late as September or October 2013.
With the long lead-time between passage of CASL and its coming into force, businesses have been given ample opportunity to prepare for the new anti-spam regime. While the regulations that are known (CRTC) or anticipated (Industry Canada) will provide helpful refinements to the basic rules contained in the statute, they are not expected to provide any global exemptions or exceptions (such as a more expansive definition of implied consent). Therefore, once the law comes into force, its strictures will apply broadly to all businesses that relay electronic communications to promote their products. Using this transitional period as the lead-up to full application of the regime should be an urgent priority for organizations.
The transition period permits organizations to work through the substantial adjustments that will be required in their email communications procedures and practices. Furthermore, while it is anticipated that organizations will adopt progressively-compliant practices through this transition period, not having the full force of the law in effect at this time provides scope for error adjustment and refinement in those practices.
Organizations should be implementing the following key action items prior to CASL coming into force:
1. A comprehensive inventory of email contact lists should be conducted, categorizing each addressee by CASL exceptions and consent qualifications, such as:
(i) existing customer or donor relationship and timeline of most recent transaction;
(ii) inquiry or application and date made; or
(iii) express consent obtained.
2. Email contact lists that include both Canadian and non-Canadian addressees require scrubbing either to exclude Canadian addressees or to identify them for CASL compliance – may require due diligence to go behind the email address.
3. Databases that do not qualify according to CASL categories will require upgrading (technology, software) and protocols for evergreen scrubbing (i.e., deletions as qualifications expire).
4. Strategies for capturing express consents should be activated (e.g., email response, website sign up, application forms, agreements, email policies).
5. For email contacts within existing databases that cannot be CASL-qualified, email opt-in consent programs should be initiated immediately (i.e., prior to CASL in-force date).
6. Internal compliance procedures, forms, policies and controls should be developed.
While it is anticipated that a period of flexible compliance expectations may characterize the government's early enforcement approach, ultimately the potentially severe penalties for non-compliance will have an impact. As well, the law's private right of action poses the threat of substantial financial costs to non-compliers.
by David Young and Robert Hester
For more information on this topic, please contact:
a cautionary note
The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.
© McMillan LLP 2012