RECENT DEVELOPMENTS &
On December 4, 2013, the Federal Government announced that Canada’s new Federal anti-spam legislation would largely come into force on July 1, 2014.
Some portions of CASL, relating to the unsolicited installation of computer programs and software, will come into force slightly later on January 15, 2015. The private right of action provisions of CASL will come into force on July 1, 2017.
New Industry Canada Regulations have now been issued, as well as a Regulatory Impact Analysis Statement with some new elements and clarifications of the CASL rules.
The current CASL legislation, regulations and guidelines are as follows: (i) CASL legislation; (ii) CRTC Regulations; (iii) Industry Canada Regulations; (iv) Regulatory Impact Analysis Statement; and (v) CRTC Information Bulletins.
OVERVIEW OF CASL
On December 15, 2010, Canada’s new federal anti-spam legislation (“CASL”), one of the strictest in the world, received Royal Assent. On December 4, 2013 the Federal Government announced that CASL would largely come into force on July 1, 2014.
CASL will, once in force, create an “opt-in” regime for commercial electronic marketing, and will amend four federal statutes: the Canadian Radio-television and Telecommunications Commission Act; Competition Act; Personal Information Protection and Electronic Documents Act; and Telecommunications Act.
In general, CASL requires express or implied consent for the sending of “commercial electronic messages” and imposes certain form (i.e., disclosure) and opt-out (i.e., unsubscribe) requirements for electronic communications.
CASL significantly impacts companies that engage in electronic marketing, such as e-mail, text messaging, instant messaging and some types of social media marketing (e.g., where subscribers receive e-mail updates).
With respect to jurisdiction, CASL applies where commercial electronic messages are sent from or accessed in Canada (not merely routed through Canada). The Industry Canada Regulations also exempt messages sent from Canada to a prescribed list of countries with their own anti-spam legislation, provided messages comply with the applicable foreign laws that are substantially similar to CASL’s consent and form requirements (such as to the U.S., U.K., EU, Japan, China, Korea, Australia and New Zealand).
CASL also requires express consent for some other types of electronic practices, including altering transmission data in electronic messages and the installation of computer programs on other persons’ computer systems.
CASL also broadens the Competition Bureau’s jurisdiction to regulate misleading advertising in the context of electronic communications – for example, misleading representations made electronically, such as in sender information, subject matter information, electronic messages or locators. In this regard, CASL also amends the civil and criminal misleading advertising sections of Canada’s Competition Act.
Violation of CASL may result in significant penalties of up to Cdn. $1 million (for individuals) and Cdn. $10 million (for corporations). CASL also creates private rights of action, with significant statutory damages that will be available (up to $1 million per day of non-compliance). Class actions will also be possible to be commenced under CASL once fully in force.
In 2005, the Task Force on Spam completed a one-year mandate and issued a final report entitled: Task Force on Spam Report: Stopping Spam: Creating a Stronger, Safer Internet. The Government also studied successful anti-spam measures in other countries. CASL, which was first introduced in April, 2009 and reintroduced on May 25, 2010, addresses legislative recommendations made by the Task Force on Spam, which assembled consumers, academic experts and industry to design comprehensive legislation to fight spam in the digital economy. During third reading, the amended Bill C-28 received unanimous support in the House of Commons and was given Royal Assent on December 15, 2010. On December 4, 2013 the Federal Government announced that CASL would largely come into force on July 1, 2014.
KEY CASL REQUIREMENTS
CONSENT AND FORM REQUIREMENTS
CASL prohibits the sending of commercial electronic messages (“CEMs”) without the recipient’s prior express or implied consent, the onus of which is on senders. CASL permits both express and certain categories of implied consent. CASL also includes a number of exceptions from the consent and form requirements.
CASL defines “CEMs” broadly as electronic messages that encourage participation in a commercial activity (regardless of whether there is an expectation of profit). This includes: (i) offering or advertising to purchase or sell products, goods, services or land; or (ii) offering or advertising to provide business, investment or gaming opportunities.
“Electronic messages” are messages sent by any means of telecommunication, including text, sound, voice or image messages. Once in force, electronic messages requesting consent to receive CEMs will also be prohibited. In other words, one will not be permitted to send spam to request consent to send more spam.
CRTC Regulations set out requirements for consent requests. When requesting express consent, the following are required: (i) the purpose for which consent is being sought; and (ii) information identifying the person seeking consent (or on whose behalf consent is being sought).
Consent requests must include certain information:
1. The name by which the person seeking consent carries on business, if different than their name (or if not, the person seeking consent).
2. If consent is sought on behalf of another person, the name by which that person carries on business, if different from their name (or if not, the name of the person on whose behalf consent is sought).
3. If consent is sought on behalf of another person, an identification of which person is seeking consent and which person on whose behalf consent is sought.
4. The mailing address, and either a phone number to an agent or a voice messaging system, an email address or a web address of the person seeking consent or, if different, the person on whose behalf consent is sought.
5. A statement that the person whose consent is sought can withdraw their consent.
CRTC guidelines also clarify some other aspects of consent requests – for example, what mailing address information must be included, the use of check boxes and toggling for consent, examples of disclosure where check boxes are used on online forms for consent, etc.
Consent requests may be made orally (e.g., through call centres, personal and direct contact, point of sale purchases, etc.) or in writing (including using electronic forms).
One of the CRTC’s Information Bulletins provides that oral consent is satisfied if: (i) it can be “verified by an independent third party”; or (ii) “where a complete and unedited audio recording of the consent is retained by the person seeking consent” (or a client of the person seeking consent).
Written consent can be satisfied where either paper or electronic form consent is obtained, including checking a box on a web page to give consent (with a record of the date, time, purpose, and manner of consent stored in a database).
Consent may also be implied in certain cases, including where there is: (i) an “existing business relationship”; (ii) an “existing non-business relationship”; (iii) where a person has published their electronic address without a statement that they do not want to receive unsolicited CEMs and the message is relevant to their business; and (iv) a recipient has disclosed their electronic address to a sender without indicating that they do not want to receive unsolicited CEMs and the message is relevant to their business.
“Existing business relationships” include: (i) the purchase of products, goods, services or land within two years before a message is sent; (ii) the acceptance by the recipient of a business, investment or gaming opportunity within two years before a message is sent; and (iii) an inquiry by the recipient for products, goods, services, etc. within six months before a message is sent.
“Existing non-business relationships” include: (i) certain donations or gifts to charities or political parties; (ii) volunteer work for charities or political parties; and (iii) memberships in clubs, associations or voluntary organizations (“membership” and “clubs, associations and voluntary organizations” as defined in the Industry Canada Regulations).
Form and Unsubscribe Requirements
CASL also sets out rules governing the sending of CEMs, including form (i.e., disclosure) and unsubscribe requirements.
CEMs must be in a prescribed form that, among other things: (i) identifies the person who sent the CEM; (ii) the person, if different, on whose behalf it is sent; (iii) sender contact information (which must be valid for at least 60 days); and (iv) an unsubscribe mechanism.
The CRTC Regulations set out the specific information that must be included in CEMs:
1. The name by which the sender carries on business if different from their name (or if not, the person’s name).
2. If sent on behalf of another person, the name by which the person on whose behalf the message is sent carriers on business if different from their name (or if not, the name of the person on whose behalf the message is sent).
3. If sent on behalf of another person, a statement identifying the sender and on whose behalf the message is being sent.
4. The mailing address and either a phone number to an agent or voice messaging system, email or web address of the sender or, if different, the person on whose behalf the message is sent.
This information and the unsubscribe mechanism must be “set out clearly and prominently”. The CRTC Regulations provide, however, that where it is “not practicable” to include the required disclosure information and unsubscribe mechanism in a CEM, that information may be posted on an Internet web page that is “readily accessible” by the recipient at no cost via a “clearly and prominently” labeled link in the CEM.
Unsubscribe mechanisms must: (i) allow recipients to indicate that they no longer want to receive CEMs using the same electronic message (or if not practical any other electronic means enabling the same result); and (ii) specify an electronic address or web link to unsubscribe.
The electronic address or webpage for unsubscribing must be valid for a minimum of 60 days. Recipients who unsubscribe must also be unsubscribed “without delay” and no later than 10 business days after asking to be unsubscribed.
The CRTC Regulations also require that an unsubscribe mechanism must be “set out clearly and prominently” and “must be able to be readily performed.” According to CRTC guidelines, for an unsubscribe mechanism to be “readily performed” it must be “accessed without difficulty or delay and should be simple, quick and easy for the consumer to use”.
CASL provides broad exceptions (to both the consent and form requirements) and some narrower exceptions (to only the consent requirement – i.e., where the form requirements must still be met).
Exceptions to both the consent and form requirements include: (i) “personal relationships” or “family relationships” (both as defined by the Industry Canada Regulations); (ii) inquiries for commercial goods and services; and (iii) interactive two-way voice communications (telemarketing), faxes or messages sent by phone.
Other exceptions to both the consent and form requirements are set out in the Industry Canada Regulations and include: messages sent within organizations; between organizations with an existing relationship where the message relates to the recipient’s activities; solicited or sent in response to requests, inquiries or complaints; to satisfy certain legal or juridical obligations; sent on platforms where the required form and unsubscribe information is conspicuously published; and by charities or political parties for fundraising or political contributions.
CASL also includes the following exceptions from the consent requirement: (i) providing a quote or estimate for products, goods, services or land if requested by the recipient; (ii) facilitating, completing or confirming a commercial transaction previously agreed to by the recipient; (iii) sending warranty, product recall or safety information about a product the recipient uses, has used or has purchased; (iv) certain information relating to employment or benefit plans; (v) product updates or upgrades following an earlier transaction; and (vi) a limited exception for referrals, provided certain conditions set out in the Industry Canada Regulations are met.
CASL contains a transitional provision that provides that consent is implied for three years from the coming into force of the CEMs section (section 6) for persons with existing business or non-business relationships (as defined), unless consent is withdrawn by a recipient.
ALTERING TRANSMISSION DATA
CASL also prohibits the alteration of transmission data in an electronic message in the course of a commercial activity, which results in the message being delivered to a different destination without express consent of the sender or recipient.
UNAUTHORIZED INSTALLATION OF COMPUTER PROGRAMS
CASL also prohibits the installation of computer programs on other person’s computers in the course of a commercial activity without the express consent of the owner (or authorized user) of the computer system.
MISLEADING REPRESENTATIONS (ELECTRONIC & ONLINE CONTENT)
The criminal and civil misleading advertising provisions of the Competition Act, and related penalty provisions, have also been broadened to expressly include misleading representations made in the electronic and online environment.
For example, CASL amends the criminal misleading advertising provisions of the Competition Act to prohibit false or misleading representations made electronically, such as in sender information, subject matter information, electronic messages or locators.
Like the misleading advertising provisions of the Competition Act generally, it will not be necessary to prove that any person was actually deceived or misled. The general impression as well as the literal meaning will also be relevant in establishing misleading representations made in the electronic context.
UNAUTHORIZED COLLECTION OF PERSONAL INFORMATION
CASL also amends PIPEDA to prohibit the collection of personal information by means of unauthorized access to computer systems.
COLLECTION OF ELECTRONIC ADDRESSES
The collection of electronic addresses using computer programs or using such addresses without permission (“harvesting”) will also be prohibited. This may include the collection of e-mail addresses through the use of, for example, “web crawlers” (computer programs that scan websites, usenet groups and social media websites, trolling for electronic addresses) or “dictionary attacks” (where a computer program guesses real/live e-mail addresses by methodically trying various name variations within a particular group of common e-mail domains – e.g., Gmail, Hotmail, etc.).
Three government agencies will be responsible for enforcing CASL:
The Competition Bureau’s mandate will be to focus on misleading and deceptive practices and representations online, including false or misleading headers, web links and website content. CASL extends the Competition Bureau’s existing jurisdiction over misleading advertising and deceptive marketing practices in Canada, which already included online advertising and marketing under the criminal and civil misleading advertising sections of the Competition Act (sections 52 and 74.01).
The CRTC will have primary enforcement responsibility for the new legislation and will have the power to investigate and take action, including imposing significant administrative monetary penalties, against unsolicited electronic messages (i.e., without consent), the alteration of transmission data or the installation of computer programs without consent (e.g., malware, spyware or viruses).
Office of the Privacy Commissioner of Canada
The Privacy Commissioner will have the power to take measures against the collection of personal information through unlawful access to computer systems (i.e., contrary to federal law, such as the Criminal Code) or electronic address “harvesting”, where bulk e-mail lists are compiled through mechanisms, including the use of computer programs that automatically mine the Internet for e-mail addresses.
PENALTIES & PRIVATE ACTIONS
Violation of CASL may result in administrative monetary penalties of up to Cdn. $1 million for individuals and Cdn. $10 million for corporations.
Private individuals or organizations affected by a violation of CASL will also have a right to commence private actions. In this regard, in addition to allowing awards of damages for actual loss or damage suffered a court may also order persons that contravene CASL to pay statutory damages for each day on which a contravention occurred – for example, for a violation of section 6 (unauthorized sending of CEMs) Cdn. $200 for each contravention up to Cdn. $1 million per day. Class actions will also be possible once CASL is fully in force. The private right of action provisions of CASL will come into force on July 1, 2017.
CASL also prohibits aiding, inducing, procuring or causing unauthorized CEMs, altering transmission data or installation of computer programs and includes broad director and officer liability provisions.
For more information about my regulatory law services: contact
For more regulatory law updates follow me on Twitter: @CanadaAttorney