My anti-spam law (CASL) services include advice relating to:
- General CASL compliance
- Consent requirements
- Form and unsubscribe requirements
- Competition Act compliance for electronic marketing and advertising
- Steps to adapt existing electronic marketing to comply with CASL
“On December 15, 2010, the Government of Canada passed the Fighting Internet and Wireless Spam bill, Bill C-28. In doing so, the government delivered on a key commitment made by Prime Minister Harper to Canadians and Canadian businesses in September 2008. The intent of the legislation is to deter the most damaging and deceptive forms of spam, such as identity theft, phishing and spyware, from occurring in Canada and to help to drive out spammers. This law addresses the legislative recommendations of the Task Force on Spam, which brought together industry, consumers and academic experts to design a comprehensive package of measures to combat threats to the digital economy. As well the government studied successful legislative models in other countries and, based on their experiences, has developed a focused plan to address spam and related online threats.”
Revised draft Industry Canada regulations – January 4, 2013
On January 4, 2013, Industry Canada issued revised draft regulations (Electronic Commerce Protection Regulations) for Canada’s upcoming anti-spam legislation. The revised regulations will be subject to comment until February 4, 2013 and generally clarify certain key CASL definitions and exceptions and add some new exceptions. For an overview of the new draft regulations see: here.
CRTC guidelines – October 10, 2012
On October 10, 2012, the CRTC issued new guidelines on Canada’s anti-spam legislation (Guidelines on the interpretation of the Electronic Commerce Protection Regulations (CRTC) and Guidelines on the use of toggling as a means of obtaining express consent under Canada’s anti-spam legislation) that are the first of a series of guidelines to be issued by the CRTC to facilitate compliance with Canada’s upcoming anti-spam legislation. For an overview of the CRTC’s new guidelines see: here.
OVERVIEW OF CANADA’S
On December 15, 2010, royal assent was given to new Canadian federal anti-spam legislation (“CASL”) that will, once in force, be one of the strictest anti-spam regimes in the world. Canada had been criticized prior to its passage as being the only G8 nation without stand-alone anti-spam legislation.
In general, CASL will require express or implied consent for the sending of “commercial electronic messages” and will also impose certain form (i.e., disclosure) and opt-out (i.e., unsubscribe) requirements.
CASL will have significant impacts on companies that engage in electronic marketing, such as through e-mail, text messaging, instant messaging and potentially some types of social media (e.g., those involving messages sent to electronic addresses).
Rather helpfully, Industry Canada’s Regulatory Impact Analysis Statement issued with its January, 2013 regulations indicates that CASL is not intended to apply to common forms of social media where messages are not being sent to electronic addresses: “… the concern that it would be difficult to satisfy identification and unsubscribe requirements on popular social networking services or instant messaging services. Currently, where they are not sent to electronic addresses, the publication of blog posts or other publications on microblogging and social media sites is not within the intended scope of [CASL]”.
CASL will also require express consent for other electronic practices, including altering transmission data in electronic messages and installation of computer programs on other persons’ computer systems during commercial activities.
In addition, CASL will broaden the federal Competition Bureau’s jurisdiction to regulate misleading advertising in the context of electronic communications – for example, misleading representations made electronically, such as in sender information, subject matter information, electronic messages or locators. In this regard, CASL also includes amendments to the civil and criminal misleading advertising sections of the Competition Act (sections 52 and 74.01).
Contravention of the new legislation will expose individuals and companies to significant penalties of up to Cdn. $1 million (for individuals) and Cdn. $10 million (for corporations). CASL also creates private rights of action, with significant statutory damages that will be available (up to $1 million per day of non-compliance). Class actions will also be possible under CASL.
In 2005, the Task Force on Spam completed a one-year mandate and issued its final report (Task Force on Spam Report: Stopping Spam: Creating a Stronger, Safer Internet). The Government also studied successful anti-spam measures in other countries. CASL, which was first introduced in April, 2009 and reintroduced on May 25, 2010, addresses legislative recommendations made by the Task Force on Spam, which assembled consumers, academic experts and industry to design comprehensive legislation to fight spam in the digital economy. During third reading, the amended Bill C-28 received unanimous support in the House of Commons and was given Royal Assent on December 15, 2010. CASL is expected to come into force in 2013 or 2014.
COMING INTO FORCE INFORMATION
Two sets of Regulations have been issued as follows: (i) CRTC Regulations (now finalized) (“CRTC Regulations”) and Industry Canada regulations (first issued in July, 2011 and reissued for comments in January, 2013, but not yet finalized) (“Draft Industry Canada Regulations”).
CASL – OVERVIEW
CASL will, once in force, create an “opt-in” regime for commercial electronic marketing, and will amend four federal statutes: the Canadian Radio-television and Telecommunications Commission Act; Competition Act; Personal Information Protection and Electronic Documents Act (“PIPEDA”); and Telecommunications Act. CASL will require express or implied consent for the sending of a wide range of commercial electronic communications. Some key aspects of CASL are discussed below.
CONSENT AND FORM REQUIREMENTS FOR
COMMERCIAL ELECTRONIC MESSAGES
CASL prohibits the sending of commercial electronic messages (“CEMs”) without the recipient’s prior express or implied consent, the onus of which to prove will be on senders. Once in force, CASL will permit both express and certain categories of implied consent (and will also include a number of exceptions from the consent and/or form requirements).
CASL defines “CEMs” broadly as any electronic message that encourages participation in a commercial activity regardless of whether there is an expectation of profit. This includes: (a) offering (or advertising) to purchase or sell products, goods, services or land; or (b) offering (or advertising) to provide business, investment or gaming opportunities.
“Electronic messages” are messages sent by any means of telecommunication, including a text, sound, voice or image message. Importantly, electronic messages requesting consent to receive CEMs will also be prohibited. In this regard, CASL provides that electronic messages that contain consent requests to send messages are also CEMs. This is also confirmed by CRTC guidelines that reiterate the statutory restriction that consent cannot be obtained by sending a subscription e-mail, text message or other equivalent form. In essence, once in force, CASL will prohibit sending spam to seek consent for more spam.
When requesting express consent, the following is required: (i) state the purpose for which consent is being sought and (ii) information identifying the person seeking consent or person on whose behalf consent is being sought.
The CRTC Regulations set out the requirements for requests for consent. Consent requests may be made orally (e.g., through call centres, personal and direct contact, or point of sale purchases) or in writing (including through electronic forms).
In issuing the CRTC Regulations, the CRTC stated: “The Commission accepts the submissions of those parties that oral consent should be permitted as a mechanism to obtain consent. The Commission notes that oral consent is a commonly used and accepted industry practice (e.g., call centres, personal and direct contact, and point of sale purchases) … The Commission also notes that obtaining consent in ‘writing’ includes electronic forms.”
CRTC guidelines provide that oral consent is satisfied if: (i) it can be “verified by an independent third party” or (ii) “where a complete and unedited audio recording of the consent is retained by the person seeking consent” (or a client of the person seeking consent).
Written consent can be satisfied where either paper or electronic form consent is obtained (including checking a box on a web page to give consent, with a record of the date, time, purpose, and manner of consent stored in a database).
Consent requests must include:
1. The name by which the person seeking consent carries on business, if different than their name (or if not, the person seeking consent).
2. If consent is sought on behalf of another person, the name by which that person carries on business, if different from their name (or if not, the name of the person on whose behalf consent is sought).
3. If consent is sought on behalf of another person, an identification of which person is seeking consent and which person on whose behalf consent is sought.
4. The mailing address, and either a phone number to an agent or a voice messaging system, an email address or a web address of the person seeking consent or, if different, the person on whose behalf consent is sought.
5. A statement that the person whose consent is sought can withdraw their consent.
CRTC guidelines also clarify some other aspects of consent requests – for example, what mailing address information must be included, the use of check boxes and toggling for consent, examples of disclosure where check boxes are used on online forms for consent, etc.
Consent may also be implied, including:
1. An “existing business relationship”.
2. An “existing non-business relationship”.
3. A “business card” exception, where a person has published their electronic address without a statement that they do not want to receive unsolicited CEMs and the message is relevant to their business.
4. A recipient has disclosed their electronic address to a sender without indicating that they do not want to receive unsolicited CEMs and the message is relevant to their business.
“Existing business relationship” includes: (i) the purchase of products, goods, services or land within two years before a message is sent; (ii) the acceptance by the recipient of a business, investment or gaming opportunity within two years before a message is sent; and (iii) an inquiry by the recipient for products, goods, services, etc. within six months before a message is sent.
“Existing non-business relationship” includes: (i) certain donations or gifts to charities or political parties; (ii) volunteer work for charities or political parties; and (iii) memberships in clubs, associations or voluntary organizations.
Form and Unsubscribe Requirements
CASL also sets out rules governing the sending of CEMs, including form (i.e., disclosure) requirements and mechanisms for the withdrawal of consent (i.e., to opt-out or unsubscribe).
CEMs must be in a prescribed form that, among other things: (i) identifies the person who sent the CEM; (ii) the person, if different, on whose behalf it is sent; (iii) sender contact information (which must be valid for at least 60 days); and (iv) an unsubscribe mechanism.
The CRTC Regulations set out the specific information that must be included in CEMs:
1. The name by which the sender carries on business if different from their name (or if not, the person’s name).
2. If sent on behalf of another person, the name by which the person on whose behalf the message is sent carriers on business if different from their name (or if not, the name of the person on whose behalf the message is sent).
3. If sent on behalf of another person, a statement identifying the sender and on whose behalf the message is being sent.
4. The mailing address and either a phone number to an agent or voice messaging system, email or web address of the sender or, if different, the person on whose behalf the message is sent.
This information and unsubscribe mechanism must be “set out clearly and prominently”. CRTC guidelines clarify some aspects of the required sender information (e.g., identification of intermediaries, mailing address, etc.).
The CRTC Regulations also provide, however, that where it is “not practicable” to include the required disclosure information and unsubscribe mechanism in a CEM, that information may be posted on an Internet web page that is “readily accessible” by the recipient at no cost via a “clearly and prominently” labeled link in the CEM.
Unsubscribe mechanisms must: (i) allow recipients to indicate that they no longer want to receive CEMs using the same electronic message (or if not practical any other electronic means enabling the same result); and (ii) specify an electronic address or web link to unsubscribe.
The electronic address or webpage for unsubscribing must be valid for a minimum of 60 days. Recipients who unsubscribe must also be unsubscribed “without delay” (and no later than 10 business days after asking to be unsubscribed).
The CRTC Regulations also require that an unsubscribe mechanism must be “set out clearly and prominently” and “must be able to be readily performed.”
CRTC guidelines provide that for an unsubscribe mechanism to be “readily performed” it must be “accessed without difficulty or delay and should be simple, quick and easy for the consumer to use”. CRTC guidelines also provide examples of acceptable unsubscribe mechanisms.
CASL contains the following exceptions to the consent and form requirements: (i) personal or family relationships (currently as defined by the Draft Industry Canada Regulations); (ii) inquiries for commercial goods and services; and (iii) interactive two-way voice communications (telemarketing), fax or voice recordings sent to telephone accounts.
CASL also sets out the following exceptions from the consent requirement: (i) providing a quote or estimate for products, goods, services or land if requested by the recipient; (ii) facilitating, completing or confirming a commercial transaction previously agreed to by the recipient; (iii) sending warranty, product recall or safety information about a product the recipient uses, has used or has purchased; (iv) certain information relating to employment or benefit plans; and (v) product updates or upgrades following an earlier transaction.
In addition, the Draft Industry Canada Regulations (subject to public comments and potential further changes) provide for the following additional exceptions:
1. Exceptions for CEMS sent within a business (or businesses already in a business relationship). In particular, these exceptions would apply to messages sent between employees, representatives, contractors or franchisees of a business / businesses in a business relationship that are relevant to the recipient’s business, role, function or duties.
2. An exception for CEMs sent to fulfil a legal obligation or enforce a legal right. In particular, the Draft Industry Canada Regulations would exclude messages sent to satisfy a legal or juridical obligation; give notice of an existing or pending right; or enforce a right, all defined in more detail in the Draft Regulations.
3. A consent exception for third-party referrals. The Draft Industry Canada Regulations include an exception for “third party referrals” where there is an existing relationship (family, personal, business or non-business) between one individual, such as an agent, and another individual, such as an existing client, and the existing client refers a prospective client, provided that he or she also has an existing relationship with the person being referred. A sender would be permitted to send one message seeking consent, provided they provided the name of the person providing the referral and otherwise complied with CASL’s form and unsubscribe requirements. According to Industry Canada, the new referral exemption “strikes a balance by allowing third party referrals without undermining the requirements laid out in [CASL]”.
CASL contains a transitional provision that provides that consent is implied for three years from the coming into force of the CEMs section (section 6) for persons with existing business or non-business relationships (as defined), unless consent is withdrawn by a recipient.
ALTERING TRANSMISSION DATA
CASL also prohibits the alteration of transmission data in an electronic message in the course of a commercial activity, which results in the message being delivered to a different destination without express consent of the sender or recipient.
UNAUTHORIZED INSTALLATION OF COMPUTER PROGRAMS
CASL also prohibits the installation of computer programs on other person’s computers in the course of a commercial activity without the express consent of the owner (or authorized user) of the computer system.
MISLEADING REPRESENTATIONS (ELECTRONIC & ONLINE CONTENT)
The criminal and civil misleading advertising provisions of the Competition Act, and related penalty provisions, have also been broadened to expressly include misleading representations made in the electronic and online environment.
For example, CASL amends the criminal misleading advertising provisions of the Competition Act to prohibit false or misleading representations made electronically, such as in sender information, subject matter information, electronic messages or locators.
Like the misleading advertising provisions of the Competition Act generally, it will not be necessary to prove that any person was actually deceived or misled. The general impression as well as the literal meaning will also be relevant in establishing misleading representations made in the electronic context.
UNAUTHORIZED COLLECTION OF PERSONAL INFORMATION
CASL also amends PIPEDA to prohibit the collection of personal information by means of unauthorized access to computer systems.
COLLECTION OF ELECTRONIC ADDRESSES
The collection of electronic addresses using computer programs or using such addresses without permission (“harvesting”) will also be prohibited. This may include the collection of e-mail addresses through the use of, for example, “web crawlers” (computer programs that scan websites, usenet groups and social media websites, trolling for electronic addresses) or “dictionary attacks” (where a computer program guesses real/live e-mail addresses by methodically trying various name variations within a particular group of common e-mail domains – e.g., Gmail, Hotmail, etc.).
Three government agencies will be responsible for enforcing CASL:
The Competition Bureau’s mandate will be to focus on misleading and deceptive practices and representations online, including false or misleading headers, web links and website content. CASL extends the Competition Bureau’s existing jurisdiction over misleading advertising and deceptive marketing practices in Canada, which already included online advertising and marketing under the criminal and civil misleading advertising sections of the Competition Act (sections 52 and 74.01).
The CRTC will have primary enforcement responsibility for the new legislation and will have the power to investigate and take action, including imposing significant administrative monetary penalties, against unsolicited electronic messages (i.e., without consent), the alteration of transmission data or the installation of computer programs without consent (e.g., malware, spyware or viruses).
Office of the Privacy Commissioner of Canada
The Privacy Commissioner will have the power to take measures against the collection of personal information through unlawful access to computer systems (i.e., contrary to federal law, such as the Criminal Code) or electronic address “harvesting”, where bulk e-mail lists are compiled through mechanisms, including the use of computer programs that automatically mine the Internet for e-mail addresses.
PENALTIES & PRIVATE ACTIONS
Persons contravening CASL will be subject to “administrative monetary penalties” (“AMPs”, which are essentially civil fines) of up to C $1 million per violation for individuals and C $10 million per violation for corporations.
Private individuals or organizations affected by a violation of CASL will also have a right to commence private actions. In this regard, in addition to allowing awards of damages for actual loss or damage suffered a court may also order persons that contravene CASL to pay statutory damages for each day on which a contravention occurred – for example, for violation of section 6 (the unauthorized sending of CEMs) Cdn. $200 for each contravention up to Cdn. $1 million per day. Class actions will also be possible once CASL is in force.
In addition, CASL prohibits aiding, inducing, procuring or causing unauthorized CEMs, altering transmission data or installation of computer programs. CASL also contains broad director and officer liability provisions, which provide that directors and officers of a company that commits a violation are liable for that violation if they directed, authorized, assented to, acquiesced or participated in the commission of a violation. This potential liability will be subject to a due diligence defence.
For more information about our regulatory law services contact us: contact
For more regulatory law updates follow us on Twitter: @CanadaAttorney