The imminent arrival of Canada’s anti-spam legislation has sparked considerable fear that might lead the uninitiated to think that sending commercial electronic messages will grind to a halt on July 1st, when parts of the law kick in. The reality is far less troubling. Any organization that already sends commercial electronic messages presumably complies with PIPEDA, the private sector privacy law, which requires organizations to obtain user consent, allow users to withdraw their consent, and provide the necessary contact information to do so. Compliance with the new anti-spam law (CASL) involves much the same obligations. While there are certainly some additional technical requirements and complications (along with tough penalties for failure to comply), the basics of the law involve consent, withdrawal of consent (i.e., unsubscribe), and accessible contact information.
This post is not legal advice, but it seeks to unpack the key requirements associated with the commercial electronic messages provisions in CASL by answering the ten questions organizations should ask (and answer). Note that there are additional rules associated with software that do not take effect until next year. While this is not designed to be comprehensive – some organizations will face unique issues – it provides a starting point for the key requirements, exceptions, and application of the law. The law itself can be found here, the Industry Canada regulations here, and the CRTC regulations here.
The primary takeaways? If you send commercial electronic messages, you need explicit consent along with an unsubscribe mechanism and contact information. There are many common sense exceptions to this general rule, however, including personal messages, most business-to-business messaging, and most messages sent to recipients outside of Canada. Moreover, if you do not have explicit consent, the government has implemented a transition period that grants you three years to get it.
1. What electronic messaging is covered by the law?
The starting point is to first identify whether your message is captured by the law. The law only addresses commercial electronic messages, but CASL takes a broad approach to what is included. The law states that “a commercial electronic message is an electronic message that, having regard to the content of the message, the hyperlinks in the message to content on a website or other database, or the contact information contained in the message, it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity.” That covers a lot – so long as the content, links, or contact information appears to have as a purpose encouraging commercial activity, it is caught by the definition. Note that the CRTC has said that encouraging commercial participation refers to encouraging the recipient’s participation.
2. What are the “big three” requirements under the law?
Sending commercial electronic messages is subject to three requirements under CASL. First, the law prohibits sending messages (or causing or permitting messages to be sent) unless the recipient has consented to receive them. Second, it establishes form requirements for electronic messages that specify that they must identify who sent the message, include contact information, and contain an unsubscribe mechanism. Third, the contact information must remain valid for at least 60 days after the message has been sent. The law expands on each of these requirements, as discussed further below.
3. Does my message qualify for an exception?
CASL features many exceptions to the general rule of having to comply with the big three requirements. Even among the exceptions, there are two types: those exceptions that exclude the message from all the requirements and those exceptions that exclude only the consent requirements (but leave the form and contact information requirements).
General exceptions that exclude the message from all the requirements include:
- messages between individuals with a personal or family relationship. The regulations indicate these messages involve direct, voluntary, two-way communications. They do not involve social-media-only relationships (i.e., likes or follows)
- messages sent between employees within an organization
- messages sent to a business (or person engaged in a commercial activity) where the message consists of an inquiry or application related to that commercial activity
- messages sent in response to a request, inquiry or complaint
- messages sent on an electronic messaging service (such as a social media direct message service) provided that there is adequate information and unsubscribe mechanisms on the service site
- messages sent to a limited-access secure and confidential account to which messages can only be sent by the person who gave the account to the recipient
- messages sent to satisfy or enforce a legal or juridical obligation
- messages sent to recipients in other countries that have qualifying anti-spam laws (see jurisdiction discussion below)
- two-way voice calls, faxes, and voice recordings sent to a telephone account
The exceptions that exclude consent requirements but keep the form and contact information requirements include:
- quotes or estimates sent to someone who has requested them
- completion of commercial transactions
- providing warranty, product recall or safety information
- notifying the recipient of factual information about an ongoing product, service, subscription, membership, account, etc.
- information directly related to an employment relationship
- delivering a product, good or service (including product upgrades) if the recipient was entitled to receive it
- one third-party referral message, subject to certain requirements (including naming who made the referral in the message)
4. Does my organization qualify for an exemption?
The law features a number of exemptions for several types of organizations. First, registered charities are exempt provided that the primary purpose of the message is to raise money for the charity. Second, political parties and political candidates are exempt if the primary purpose of the message is to solicit a contribution. Third, telecom providers are exempt where their role in the communication is to merely provide telecommunications services.
5. My messages or organization do not qualify for an exception. What consent is acceptable under the law?
The law identifies two kinds of consent: express and implied. Express consent requires identifying the purposes for which consent is being requested and identifying who is seeking consent. The law generally requires express consent. Express consent may not involve pre-checked boxes. Rather, there must be an express opt-in by the user to indicate their consent.
However, there are several exceptions that permit implied consent for electronic messaging:
- there is an existing business relationship between the sender and recipient. This includes any purchase of a product, good or service within the prior two years, the acceptance of a business opportunity within the prior two years, a written contract between the two parties from the previous two years, or any inquiry within the prior six months.
- there is an existing non-business relationship between the sender and recipient. This includes donations or volunteer work to or for charities, political parties, and political candidates, as well as membership over the prior two years in a club, association, or voluntary organization
- the recipient’s email address has been prominently published, there is no statement indicating the person does not want to receive messages, and the message itself is related to the person’s business, role or duties
- the recipient’s email address was disclosed to the sender, there is no statement indicating the person does not want to receive messages, and the message itself is related to the person’s business, role or duties
6. Are my existing consents valid?
Express consents obtained before the law took effect remain valid. Implied consents are subject to the transition described below.
7. What are the requirements for the unsubscribe mechanism?
The unsubscribe mechanism must allow the recipient to unsubscribe using the same electronic means that was used to send the message. There must also be a Web-based address that allows for unsubscribing.
8. What are the jurisdictional limitations in the law? Does it apply to non-Canadians sending messages to Canadians? To Canadians sending messages to non-Canadians?
The law applies to messages sent to Canadians and is invoked when a computer system in Canada is used to send or access the message. There are important exceptions in the application of the law to Canadian organizations that send messages outside the country. First, sending the message to a person in a country with comparable anti-spam laws means those local laws apply. The government has identified 116 countries that qualify for this exception and the list includes virtually all major countries that are likely to have commercial electronic traffic with Canada. Second, merely routing a message through Canada (but not using a Canadian computer server to send or access the message) does not trigger the law.
9. Does everything start on July 1st or is there a phase-in period?
While the law takes effect on July 1st, there is a three-year transition period. Where there is an existing business or non-business relationship, consent is implied for the full three years. In fact, the CRTC has apparently interpreted the transition provision to cover any prior business relationship. In other words, as long as the organization has implied consent, it effectively has until 2017 to upgrade to an express consent.
10. What are the penalties for violating the law?
The penalties are significant, which is why many people are paying attention to the law. The maximum penalty is $1 million per violation for an individual and $10 million per violation for a business.