Anti-Spam RequirementsPreparing to Comply with CASL
Chris Oates, Associate, Gowling Lafleur Henderson LLP
Prepared, January 15, 2014
Outline
Canada’s anti-spam law
• To what does the law apply?
• How do you ask for consent?
• What do electronic messages need to contain?
• How do you maintain your contact list when the law comes into
force?
Disclaimer
• This presentation is intended to assist you in flagging legal issues relating to
Canada’s Anti-Spam Law.
• This is ONLY a guide and legal counsel should be consulted for specific
situations.
2
Canada’s Anti-Spam
Legislation
Canada’s Anti-Spam Legislation
Legislative Background:
CASL comes into force on July 1, 2014 and will take a prohibitive
approach to “Commercial Electronic Messages”, prohibiting all
but those messages that comply with its requirements.
In some cases, existing, valid consent may not survive when
CASL is in force.
Under CASL:
• Electronic messages require consent from the
recipient, either express or implied;
• The message must contain prescribed
disclosure; and
• The message must contain an
unsubscribe mechanism in prescribed form.
4
Canada’s Anti-Spam Legislation
To which messages does CASL apply?
Commercial Electronic Messages - a message sent by any means of
telecommunication, including a text, sound, voice or image message, to
an “electronic address” including:
• an electronic mail account;
• an instant messaging account;
• a telephone account; or
• any similar account.
CASL will only apply to electronic messages that are “commercial”.
This will include all messages that, based on their content, including
links, and contact information, have as one of their purposes
encouraging participation in commercial activity, regardless of whether
this is done with the expectation of profit.
5
Canada’s Anti-Spam Legislation
Is the Electronic Message Commercial?
CASL will only apply to electronic messages that are
“commercial”. This will include all messages that, based on their
content, including links, and contact information, have as one of
their purposes encouraging participation in commercial activity,
regardless of whether this is done with the expectation of profit.
•
•
•
•
Messages that offer to sell a product;
Messages that advertise a product;
Messages that promote a person or corporation;
Messages that seek to gather consumer or market
information;
• Messages that seek consent to send further messages.
6
Canada’s Anti-Spam Legislation
What is not a Commercial Electronic Message?
CASL will not apply to several classes of message:
• Interactive two way voice communications;
• Messages sent via facsimile to telephone accounts; and
• Voice recordings sent to a telephone account.
These messages are currently subject to the CRTC’s
oversight via the Telecommunications Act and the Do Not
Call List.
CASL contains a provision that permits the government to repeal this
exception AND the National Do Not Call List at a later date. If
exercised, this would make unsolicited commercial telephone calls
subject to the CASL requirements.
7
Canada’s Anti-Spam Legislation
Which messages will be exempt?
The Regulations provide exceptions for the following message classes:
•
•
•
•
•
•
•
messages sent between employees of an organization relating to the affairs
of the organization, and messages sent between two organizations with a
relationship, where the message relates to their affairs
messages that respond to an inquiry, complaint, or other solicitation from
the recipient
fundraising messages sent by a registered charity
messages where the person sending the message reasonably expects it to
be received in a foreign state listed in the Regulations, if the message
complies with the law of that state
messages sent to a secure account to which only the person providing the
account may send messages
messages sent on a platform that includes compliant disclosure and an
unsubscribe mechanism in its interface are exempt from the message
requirements, but not the consent requirements.
messages sent to satisfy a legal obligation
8
Penalties
Administrative monetary penalties for violations:
• A fine of up to $1,000,000 for a violation by an individual.
• A fine of up to $10,000,000 for a violation by a corporation.
CASL also creates a private right of action for persons who
allege they have been affected by a violation. If the action
is successful in court, the court may order:
• Compensation equal to the actual loss or damage suffered;
and
• $200 for each contravention, not exceeding $1,000,000 for
each day on which a contravention occurred.
The private right of action has a delayed coming into force
date, and will not be in place until July 1, 2017.
9
Express Consent Under CASL
Requirements for a Request for Express Consent
1. Provide the purpose for which the consent is sought;
2. Provide the name under which the person seeking consent carries
on business, and if different, the name under which the person on
whose behalf consent is sought carries on business;
3. If applicable, identify which person is seeking consent, and on
whose behalf consent is sought;
4. Provide the mailing address, and one (or more) of a telephone
number, website, or email address of either the person seeking
consent, or if different, the person on whose behalf consent is
sought
5. State that consent may be withdrawn.
Requests for consent may be made orally (e.g. through personal and
direct contact, at the point the relationship began) or in writing (incl.
electronic forms). In all cases these disclosures must be made.
10
Express Consent Under CASL
In all cases, the burden of proof to establish consent rests on
the party claiming to have consent.
For example, a party may demonstrate oral consent in cases where:
i. it can be “verified by an independent third party”; or
ii. “where a complete and unedited audio recording of the consent is
retained by the person seeking consent” (or a client of the person
seeking consent). Note that audio recording and the purpose for it must
be disclosed under existing privacy law.
Written consent can be satisfied where either paper or electronic form
consent is obtained, including by checking a box on a web page to give
consent (with a record of the date, time, purpose, and manner of consent
stored in a database).
11
The CRTC’s Position on Express Consent
• The CRTC takes the
position that express
consent must be
“positive or explicit”.
12
The CRTC’s Position on Express Consent
• “Assumed” consent
through a pre-checked
box or an opt-out
system would not be
accepted.
13
Implied Consent Under CASL
Implied Consent under CASL:
Requirements for Implied Consent
1.There is an existing business or non-business relationship between the
sender and the recipient, or
2.The recipient has conspicuously published their address, or has disclosed it
to the sender and:
• has not indicated they do not wish to receive commercial messages; and,
• the message is relevant to the recipient’s business, role, functions or duties
14
Implied Consent Under CASL
Both “existing business relationship” and “existing non-business
relationship” are narrowly defined in the legislation:
“Existing business relationships” exist only where the recipient:
i.
Purchased, leased or bartered products, goods, services or land from
the sender within two years before a message is sent;
ii.
Accepted a business, investment or gaming opportunity from the sender
within two years before a message is sent;
iii. Has a existing written contract with the sender about a matter other than
i or ii or such a contract expired in the two years prior to the message; or
iv. Made an inquiry or application for products, goods, services, etc. within
six months before the message
“Existing non-business relationships” exist only where the recipient:
i.
Made a donation, gift or volunteered for a registered charity or political
party who sends the message; or
ii.
Is a member in a club, association or voluntary organization that sends
the message and is operated for social welfare.
15
Exceptions to the Need for Consent
CASL creates an exception to the need for consent for
certain “transactional” messages.
This exception will apply to messages that solely:
• provide a quote or estimate for the supply of a product or service;
• facilitate, complete or confirm a previously agreed upon
commercial transaction;
• provide warranty information, product recall information or safety
or security information about a product the recipient uses or had
purchased;
• provide notification of factual information about the ongoing use
by recipient of a product or a service offered under a subscription,
membership, account, loan or similar relationship by the sender.
16
Message Content under CASL
Commercial Electronic Message Content under CASL:
Message Content
1.Identify the person who sent the message and, if applicable, the
person on whose behalf it was sent;
2.Provide prescribed contact for one of these persons; and
3.Include an unsubscribe mechanism.
The required contact information must remain current for a minimum of
60 days after the message is sent.
17
Message Content under CASL
Prescribed Disclosure Requirements for Electronic Messages
1. The name under which the person seeking consent carries
on business, and if different, the name under which the
person on whose behalf consent is sought carries on
business;
2. If applicable, an indication which person sent the message
and on whose behalf it was sent;
3. The mailing address, and one (or more) of a telephone
number, website, or email address of either the person
sending the message, or if different, the person on whose
behalf it is sent; and
4. An unsubscribe mechanism.
The Regulations do not make any exceptions for service providers sending electronic
messages on behalf of third parties.
18
Unsubscribe Mechanisms
Unsubscribe Mechanisms
The unsubscribe mechanism included in a CEM must: (i) allow recipients to
indicate that they no longer want to receive any CEMs or any class of CEMS
from the sender or – if different – the person on whose behalf the message
was sent; (ii) using the same electronic means (or if not possible any other
electronic means enabling the same result); and (ii) specify an electronic
address or web link to unsubscribe.
The electronic address or webpage for unsubscribing must be valid for a
minimum of 60 days. Recipients who unsubscribe must also be
unsubscribed “without delay” and no later than 10 business days after
asking to be unsubscribed.
The CRTC Regulations require that an unsubscribe mechanism must be
“set out clearly and prominently” and “must be able to be readily performed.”
According to CRTC guidelines, for an unsubscribe mechanism to be “readily
performed” it must be “accessed without difficulty or delay and should be
simple, quick and easy for the consumer to use”.
19
Third Party Mailing Lists
CASL expressly provides for consent obtained on
behalf of an unknown third party; however, it limits
how this consent may be obtained and used:
• The party that seeks consent is required to comply with the
standard CASL requirements for obtaining consent,
including stating the purpose for the collection, and
providing their name and contact information.
• A person who relies on such a consent must meet
additional disclosure requirements for the message
content.
20
Third Party Mailing Lists
Message content when consent is obtained from a
third party.
When a consumer list is purchased from a third party, it is
essential that such a list be used separately from the
company’s own opt-in lists, as messages sent pursuant to
such consent are subject to additional disclosure
requirements:
• The message must identify the person who obtained the original
consent as well as the person who sent the message.
• The unsubscribe mechanism must allow the recipient to remove
consent from both the person who sent the message, the person
who obtained the original consent or any other person authorized
to use the consent.
21
Exceptions to the Disclosure Requirements
The General Exception
“If it is not practicable to include the information (…) in a
commercial electronic message, that information may be
provided by a link to a web page on the World Wide Web that is
clearly and prominently set out and that can be accessed by a
single click or another method of equivalent efficiency at no cost
to the person to whom the message is sent.”
This exception will be essential for electronic messages that are
subject to space restraints such as text messages. It is not likely
to apply to messages not subject to such restraints, such as
email.
22
The Family and Personal Relationship Exception
Neither the requirement to obtain consent, nor the requirement to
disclose information regarding the sender, will apply where an
electronic message is sent by or “on behalf” of a person who has
a “personal” or “family” relationship with the recipient.
“Family”




Marriage;
A common-law partnership;
A legal parent/child relationship;
where:
Those persons have had a
direct voluntary two way
communication.
“Personal relationship”


Must have had direct, voluntary
two way communications;
Must be reasonable to conclude
the relationship is personal
considering relevant factors.
This exception will only apply in unusual cases. Examples we have seen
include refer-a-friend type promotions, and customizable holiday greeting
cards.
23
Referral Messages
The Regulations include an exception that permits
a single referral message to be sent where:
• The referral is made by an individual who has an existing
business relationship, existing non-business relationship, family,
or personal relationship with the message recipient;
• The referrer has one of those relationships with the sender of
the message;
• The message states the full name of the person who made the
referral, and states that the message was sent as a result of the
referral
24
Maintaining Contact Lists
CASL will narrow the ability to rely on Implied Consent
CASL expressly provides for reliance on implied consent primarily in cases
of existing “business relationships” or “non-business relationships”.
These are defined categories that are much more narrow than the ability to
rely on the “reasonableness” test for implied consent under the federal
privacy legislation, PIPEDA.
• Under PIPEDA, where a consumer sends a request for information by
email, it would be reasonable to conclude that you have their implied
consent to respond using their email address.
• Under CASL, a consumer question regarding a potential purchase
would constitute an “existing business relationship”, provided a
response is sent within six months from the date of the question.
Further, a response (as opposed to other commercial messages) would
also be subject to an exception in draft regulations.
25
Maintaining Contact Lists
The regulatory impact statement for the Regulations confirms Industry
Canada’s position that valid express consent obtained before CASL comes into
force “will be recognized as being compliant with CASL”.
However, Industry Canada also expressly noted that in some cases email
addresses that may be used under the current privacy legislation may no
longer be used under CASL.
This is most likely to occur where an organization is relying on ‘implied’
consent under PIPEDA- implied consent under CASL is much more narrow.
Organizations should consider the manner in which their current email list had
been established to assess the ability to continue to use it after CASL comes
into force.
Prior to July 1, 2014, organizations will have an opportunity to seek express
consent in cases where implied consent is currently relied on.
26
Transitional Provisions
When CASL comes into force on July 1, 2014, there will be
an extended period of three years during which implied
consent will survive in cases of “existing business
relationships”, as defined in CASL that include the
sending of commercial messages.
• After this period, the existing business relationships will
survive for two years following a purchase, or six months
following an inquiry.
• The transitional period provides an extended timeline for
perfecting existing implied consent (as defined in CASL) by
seeking express consent.
• Any attempts to perfect consent within this period would
need to be carried out in compliance with CASL.
27
Application
Compliance with CASL will become a legal
requirement on July 1, 2014.
Organizations should be bringing their electronic
marketing practices into compliance now, both due to
the magnitude of the potential penalties, and to help
establish an express consent list that will survive the
coming into force of the Act.
28
Thank You
Chris Oates
Associate
Gowling Lafleur Henderson LLP
chris.oates@gowlings.com
416-369-7333
montréal  ottawa  toronto  hamilton  waterloo region  calgary  vancouver  moscow  london