Starting July 1, 2014, Canadian businesses will be subject to the federal government’s new Anti-Spam Legislation (“CASL”). This legislation will have a significant and direct impact upon how your business and staff communicate electronically with customers, potential customers and other businesses.
Consequences for non-compliance are severe: fines of up to $1 million for individuals and $10 million for businesses, with officers and directors potentially subject to personal liability.
This article is intended to provide business owners and operators with a general understanding of CASL along with some practical tips for ensuring compliance.
Purpose and Scope of CASL
CASL is intended to discourage and reduce online threats, protect privacy and security of confidential information and promote business and consumer confidence in the marketplace.
In fulfilling these objectives, CASL creates a series of consent-based regulations targeting a broad range of electronic communications and software-related activities with the intention of ensuring that individuals are able to make informed decisions about whether they want to receive certain communications/software.
The bulk of CASL regulations will come into force on July 1, 2014, including those relating to anti-spam. Additional regulations concerning the unsolicited installation of computer programs and software will come into force on January 15, 2015. This will be followed by the introduction of a private right of action (including class-action) against non-compliant parties starting July 1, 2017.
Overall, the breadth of communications and software applications covered by CASL ensures that most, if not all, businesses will be affected by this legislation.
Anti-Spam Provisions and CEMs
The fundamental anti-spam regulation introduced by CASL is a general prohibition on sending a commercial electronic message (“CEM”) without the recipient’s consent. A CEM is defined as an electronic message, sent to an electronic address, that has as its purpose, or one of its purposes, to encourage participation in commercial activity.
An “electronic address” includes email accounts, SMS accounts, instant message accounts or similar types of accounts. Many of CASL’s remaining regulations focus on the different types of valid consents and the formalities and procedures necessary to obtain valid consent.
There are a number of exemptions to the general prohibition on sending CEMs depending on the nature of the message and the parties involved. The following provides a non-exhaustive list of these exemptions:
1. Business-to-Business – CASL specifically exempts:
(i) Messages sent within an organization by an employee, representative, consultant or franchisee to another employee, representative, consultant or franchisee of that organization and that concern the activities of that organization; and
(ii) Messages sent by an employee, representative, franchisee or contractor of an organization to an employee, representative, franchisee or contractor from another organization, to the extent that the organizations have a relationship at the time the message was sent and the message concerns the activities of the recipient organization.
2. Responses to Inquiries – CASL exempts messages sent in response to requests, inquiries, and complaints or otherwise solicited by the recipient.
3. Product Recall/Warranty Information – CASL exempts messages that provide warranty information, product recall information, safety/security information, or updates or upgrades about a product, good or service that the recipient has purchased or received.
4. Third Party Referrals – CASL exempts the first electronic message sent to a recipient based upon a third party referral provided to the sender from an entity with an existing relationship with both the recipient and the sender provided that the message identifies the third party referral and states that the message was sent as a result of the referral.
Obtaining Consent – Implied Consent
If no exemptions apply, the recipient’s consent must be obtained before sending a CEM. Two types of consent are recognized under CASL: implied consent and express consent.
Implied consent exists in various circumstances such as where the sender and recipient have an existing business relationship or existing non-business relationship or where the recipient has conspicuously published its electronic address and has not indicated a desire not to receive unsolicited CEMs related to the recipient’s business role.
The “existing business relationship” likely constitutes the most important subcategory of implied consent. An existing business relationship is deemed to exist where a recipient has purchased or leased a product, a good or a service from the sender within 2 years immediately before the day on which the CEM was sent; or, the recipient of the message made an inquiry or application with the sender within 6 months before the day on which the CEM was sent.
Obtaining Consent – Express Consent
Where a business lacks implied consent and is unable to rely upon an exemption, the intended recipient’s express consent must be obtained before a business can send such recipient a CEM.
Express consent means a positive or explicit indication on the part of the recipient that they have consented to receiving a CEM. Unlike implied consent, once granted, express consent is effective until revoked.
Below is a non-exhaustive list of the general rules for obtaining express consent:
1. Identification – A consent request must clearly identify the party seeking consent. If the party requesting consent is not the same as the party for which the consent will ultimately be used, the consent request must include a statement informing the recipient of the intended consent end-user.
2. Purpose – A consent request must describe the purpose for which the consent is granted.
Some businesses may want to provide recipients with a few different “consent options” to narrow the scope of what kinds of CEMs the recipient would like to receive. For example, an auto dealership may allow a customer to choose if they want to receive messages relating to new car promotions, repair/service specials, or both.
3. Consent Withdrawal Statement – A consent request must contain a statement notifying a recipient that their consent to receive CEMs may be withdrawn at any time after consent is granted.
4. No Bundled Consent – A consent request, if included along with other terms, must be separate and distinct from these other terms. This requirement is intended to ensure that the request for consent is clearly identifiable for the recipient from whom consent is requested.
For instance, where a customer is asked to initial at several different sections of a bill of sale including a request for express consent to send CEMs, such section of the bill of sale must be sufficiently distinct from the other terms to ensure that the customer clearly understands what they are consenting to.
5. Express – The Canadian Security Radio-Television and Telecommunications Commission (“CRTC”) only considers an express consent to be valid in circumstances where the recipient carries out some kind of affirmative act demonstrating their consent.
For example, express consent can be obtained through a party checking a box to opt-in, but cannot be obtained by a failure to check a box to opt-out.
The recipient must take some kind of action to provide their consent.
6. Specific and Separate Consent – The CRTC requires that separate consents be obtained for each CASL regulated activity (for example, sending CEMs, installing software, etc.).
This fits in with the requirement to state the purpose of the consent and generally means that non-specific consents cannot be relied upon.
CEM Content Requirements
In addition to regulations respecting the acquisition of consent and the qualifications necessary to rely upon a consent exemption, CASL also contains specific rules relating to the formal content of all CEMs. The following must be included in all CEMs:
1. Unsubscribe Mechanism – All CEMs must contain a mechanism whereby a recipient can withdraw their consent to receive further CEMs or particular kinds of CEMs. The unsubscribe mechanism must be simple, quick and easy to use.
2. Contact Information – All CEMs must contain:
(i) the name of the sender and the entity, if different, on whose behalf it is sent;
(ii) the name by which those entities carry on business;
(iii) the physical and mailing address of those entities; and
(iv) a telephone number, email address or web address for such entities.
CASL Malware & Spyware Provisions
In addition to its anti-spam provisions, CASL prohibits the installation of computer programs on any person’s computer system or causing an electronic message to be sent from that computer system, unless:
1. the person has obtained the express consent of the owner or an authorized user of the computer system and complies with the disclosure requirements of CASL; or
2. the person is acting in accordance with a court order.
The term “computer programs” is broadly defined, and is not limited to malware or spyware.
Consent to carry out such actions must be disclosed clearly and simply and must include in general terms the function and purpose of the computer program that is to be installed.
Certain enhanced disclosure requirements must also be met when seeking consent for particular malware or spyware functions that will cause a computer system to operate in a manner that is contrary to the reasonable expectations of the owner or authorized user.
Additional consent is not required to complete updates or upgrades, provided that express consent has been obtained.
Consent Record System
In the event that a recipient claims that it has not consented to a CEM or other action subject to CASL (e.g. software installation), the burden of proving the existence of consent rests with the sender. This makes recording consent just as important as acquiring consent.
In order to prove consent, businesses must create and maintain a consent record system which is able to track whether an exemption applies, whether or not consent has been obtained, and the type and duration of the consent (in the case of implied consent).
Records are particularly important for certain types of implied consent and exemptions which are only valid for a limited period of time.
CASL provides for a three-year transitional period (starting July 1, 2014) during which recipients are deemed to have given implied consent to receive CEMs if the senders can demonstrate evidence of an existing business/non-business relationship with the recipient (without regard to the length of such relationship) and can demonstrate that a CEM was transmitted during such period.
This transition period should provide business owners with additional time to develop the procedures and infrastructure necessary to properly comply with CASL.
Different specific concerns may be of greater importance for different businesses and industries, but the considerations discussed below are likely matters worthy of reflection.
1. Express Consent vs. Implied Consent - Express consent is often regarded as the “gold standard” of consents, because unlike implied consent, express consent is valid until revoked. As a result, some believe that business owners should obtain express consent as soon as possible.
However, from a practical perspective, business owners should carefully consider the appropriate timing for requesting express consent, particularly if they can already rely upon an implied consent or exemption to transmit CEMs.
Because CASL requires an affirmative action on the part of the recipient to grant valid express consent, there is a risk that any outright request may lead to a premature rejection.
If the sender already has the right to transmit CEMs under a valid implied consent / exception, business owners may want to only request express consent when the relevant exception / implied consent is pending expiration.
2. Consent Request Drafting – Along with meeting all formal requirements for valid express consent requests, businesses should carefully consider the language used in such requests. In explaining the purpose for which the consent is sought, business owners may want to stress how consenting to the request may better enable the sender to service the recipient.
Compliance Action List
While CASL applies equally to all businesses, certain practical considerations, such as the size and resources of the particular business, and the nature of its interactions with customers and potential customers will inform the specific steps taken to comply with CASL.
For example, the creation and maintenance of a sophisticated computerized consent record system would likely be challenging for a small business. Nonetheless, the onus is on businesses to devise an appropriate system for meeting CASL requirements. The following general steps may help inform this process:
1. Evaluate and Train Staff to meet CASL Requirements – Business owners should recognize that CASL imposes vicarious liability on employers. This means that employers may be liable for the failure of employees to adhere to its requirements.
2. Evaluate Business Communications – Not all communications are caught by CASL. You need to carefully evaluate and review your business communications and determine which ones may benefit from an exemption (and if so, for how long) and which communications require consent.
3. Analyze Communication – For communications which require consent, you need to determine whether you require express or implied consent.
4. Develop Compliance Measures – You should prepare and draft a standard form express consent request meeting all of the required conditions. In addition, you need to review CEMs and ensure that each CEM contains the requisite identification requirements and mandatory unsubscribe mechanism. You also need to maintain a consent record system to track applicable exemptions, consents and the effective durations for each, if applicable.
5. Monitor Compliance – Finally, you need to regularly verify consent request procedures and consent records. You should also maintain and update records in respect of all steps taken to comply with CASL requirements including each of the above steps.
Due Diligence Defence
In the event that a business and/or its officers and directors are subject to an enforcement action under CASL, they may be able to escape liability provided that they can demonstrate that they took all reasonable steps to avoid the particular offence in question.
The existence of this defence underscores the importance of businesses maintaining adequate records of the steps taken to ensure compliance. The more information a business can provide to show an honest effort to comply, the more likely a business will be able to successfully make use of this defence.
The availability of this type of defence may provide a means of reducing or avoiding the otherwise considerable liability risk posed by the broad scope and significant fines of CASL. However, businesses should be wary of overly relying upon its assistance. The due diligence defence may be useful in escaping an initial charge, but be of less use in later enforcement actions.
It is largely expected that initial enforcement actions taken by the CRTC and the other regulatory bodies tasked with overseeing CASL will identify specific non-compliant practices and request certain remedial measures. Past experience with regulatory enforcement suggests (but does not guarantee) that administrative penalties will most likely arise from a failure by a business and/or its officers and directors to implement such remedial measures.
Where a business has been notified of non-compliant practices through prior enforcement actions, it is unlikely that such business and/or its officers/directors would be able to successfully claim that they “took all reasonable steps to avoid the offence”, and thus, the due diligence defence is unlikely to be of practical use after an initial warning.
Implementing procedures to comply with CASL may present logistical difficulties for businesses; however, these concerns can be minimized if armed with an understanding of CASL’s provisions and steps that can be taken to minimize its disruptive impact.